By rigorously testing applications that handle biometric data and personally identifiable information (PII), U.S. Customs and Border Protection (CBP) says it can better ensure that these systems operate securely and effectively, thereby protecting sensitive information from potential threats.
CBP says its implementation of automated software testing is integral to its mission and enhances the reliability and security of its applications, particularly those handling biometric data and PII. Still, the process isn’t without problems and will need to keep pace with evolving threats to its IT systems.
Ken Oppenheimer, CBP Executive Director, Passenger Systems Program Directorate, explained in an interview with Federal Monthly Insights that, “We have a portfolio of roughly 90-plus different applications that we operate, support and have out in the field to support the mission, whether it’s land, sea or air entry, whether it be on the primary, the initial entry point into the U.S., or even some of the systems that we deal with on the back end.”
CBP operates primarily within a Java-based environment, utilizing open-source tools for test automation. The agency says this strategy enables efficient and consistent testing across various applications, ensuring that software performs as intended.
CBP believes that its automated testing plays a crucial role in maintaining the security of biometric data by identifying vulnerabilities and ensuring compliance. It says automated tests can detect security flaws in applications that process biometric data, allowing for timely remediation, while regular testing verifies that systems adhere to security standards and protocols, reducing the risk of data breaches.
For instance, in 2019, the Department of Homeland Security’s (DHS) Inspector General found that CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot known as the Vehicle Face System.
A subcontractor working on the pilot, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, DHS experienced a major privacy incident when “the subcontractor’s network was subjected to a malicious cyber-attack.”
The breach compromised approximately 184,000 traveler images, with at least 19 posted to the dark web. The incident highlighted the need for stringent security measures and the role of automated testing in preventing unauthorized data access.
DHS’s Inspector General stated in a September 2020 report that “DHS requires subcontractors to protect personally identifiable information from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”
Nevertheless, CBP believes automated testing safeguards PII by validating data handling processes and monitoring data integrity. Tests ensure that applications manage PII according to established privacy policies, preventing unauthorized access or misuse. Automated tests also can detect anomalies or inconsistencies in data processing, ensuring the accuracy and integrity of PII.
CBP says data security is further demonstrated through its Enterprise Analytics initiative, which employs advanced analysis tools to interpret data critical to operations. These tools assist in identifying trends and patterns, enhancing the efficiency and effectiveness of CBP’s mission while ensuring that PII is handled securely.
Still, there are biometric-specific complexities that pose unique challenges when it comes to automated testing. Automated systems must validate the real-time processing capabilities of biometric systems, which adds complexity compared to traditional IT applications. Because many biometric systems involve specialized hardware (e.g., fingerprint scanners, facial recognition cameras), automated testing must simulate user interactions with this hardware, requiring sophisticated testing tools.
CBP also relies on legacy IT systems in some operations, and automated testing frameworks must bridge modern testing tools with older systems, which may lack standardized APIs or documentation.
Further, automating tests that handle synthetic or real PII requires robust safeguards to ensure data is anonymized or protected, even during internal test processes.
Despite these hurdles, CBP says it is making significant progress in automating its testing processes.
The agency says automated testing ensures biometric systems operate with high accuracy and availability, minimizing errors like false positives or negatives. By automating tests that validate encryption, anonymization, and access controls, CBP reduces the risk of PII exposure, aligning with privacy regulations.
Automated testing accelerates the deployment of new features and security patches, enabling CBP to respond swiftly to evolving threats and operational needs, the agency says. And while the initial setup of automated testing can be resource-intensive, CBP says the long-term reduction in manual testing effort leads to significant cost savings.
CBP’s automated testing strategy will also need to evolve to address emerging challenges like quantum-resistant cryptography. Automated tools will require the ability to validate the integration of post-quantum cryptography algorithms to protect data against future quantum computing threats. AI-driven tools will further optimize test case generation, defect prediction, and system monitoring.
Additionally, CBP is transitioning to cloud environments to leverage benefits such as scalability, flexibility, and improved disaster recovery capabilities, a shift that will necessitate the adoption of cloud-based testing methodologies to ensure that applications function correctly in cloud settings. Cloud-based test automation supports Agile and DevOps practices by providing on-demand test environments, enabling parallel test execution, and reducing testing time.
As part of its cloud migration strategy, CBP is integrating automated testing into its development pipelines. This integration ensures that applications are thoroughly tested during the migration process, maintaining functionality and security in the new environment. Automated testing in the cloud allows for continuous integration and continuous deployment, facilitating rapid development cycles and timely updates.
Automated testing in cloud environments enables CBP to conduct comprehensive security assessments, ensuring compliance with federal standards and protecting sensitive data. By automating security tests, CBP can identify vulnerabilities early in the development process, reducing the risk of security breaches.
CBP plans to expand its use of automated testing tools and frameworks to support its cloud-based applications. This expansion includes adopting AI-driven testing tools to enhance test coverage and efficiency, as well as implementing continuous testing practices to ensure ongoing application reliability and security.
Through these initiatives, CBP is strengthening its automated testing capabilities to effectively address the challenges associated with cloud-based environments, ensuring robust and secure IT systems.