ICE cautions staff, contractors on Zoom
- By Mark Rockwell
- Apr 13, 2020
Growing security concerns have prompted Immigration and Customs Enforcement officials to advise employees against using the Zoom videoconferencing service.
Agency employees and contractors have been told not to install the client software on any ICE equipment or use it for internal agency conversations, according to an April 9 internal memo from ICE CIO Rachelle Henderson.
Henderson cited public reports indicated that "vulnerabilities with the Zoom client showed that it can install client and server software on its host without the host's approval." That client software vulnerability, she wrote, "puts shared mission or sensitive data, the video feed, and audio feeds in jeopardy of eavesdropping, possibly recording, and defacement."
ICE employees can still join Zoom meetings initiated from outside the agency if they don't share or upload agency information and if the connection is through a browser such as Chrome that doesn't require installing the Zoom client software, the memo said.
Henderson advised ICE staff to use Skype or Microsoft Teams for video calling to both internal and external users. ICE, said the memo, is also implementing the WebEx platform for larger video conferencing needs.
ICE is the latest federal agency to warn its users to steer clear of the free Zoom teleconferencing. Federal agencies began to take note of the use of Zoom as the push towards wider use of telework began in March. The FBI cautioned at the end of March that some Zoom teleconferences were being "zoom-bombed" by unauthorized participants. It warned that new users of the services should familiarize themselves with the details of accessing it.
The General Services Administration and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are pointing feds interested in using Zoom away from the free version and toward the Zoom for Government service, which has been approved by the Federal Risk and Authorization Management Program and which is available through GSA's acquisition schedules.
"The Zoom for Government (government community cloud) platform is FedRAMP Authorized at the Federal Information Security Modernization Act (FISMA) moderate level," said a joint statement from GSA and CISA. "CISA and FedRAMP issued joint best practices to federal departments and agencies about the use of the Zoom for Government conferencing software on federal IT systems."
A Zoom spokesperson clarified in an April 10 email that Zoom for Government "is a distinct product and a separate platform not connected in any way to the Zoom Commercial platform" and is housed in a separate Amazon Web Services cloud hosted solely in the U.S. and accessible by the U.S. government and authorized contractors.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.