ICE CIO gives Zoom the cold shoulder

Immigration and Customs Enforcement's CIO advised the agency's employees to curb their use of the free commercial Zoom teleconferencing service because of growing security concerns.

In an April 9 internal agency memo obtained by FCW, ICE CIO Rachelle Henderson told agency employees and contractors not to install the public-facing Zoom video application's client software on any of the agency's equipment or use it for internal agency conversations.

Zoom has become a wildly popular telework tool because of its ease of use and its support of large-group video-conferencing.

Henderson cited public reports indicated that "vulnerabilities with the Zoom client showed that it can install client and server software on its host without the host's approval."

That client software vulnerability, said the memo, "puts shared mission or sensitive data, the video feed, and audio feeds in jeopardy of eavesdropping, possibly recording, and defacement."

ICE employees, said the memo, can join Zoom meetings initiated from outside the agency, if they don't share or upload DHS information and the connection is through a browser such as Chrome that doesn't require installing the Zoom client software.

She steered ICE users to use Skype for DHS calls, as well as Microsoft Teams for video calling to both internal and external users. ICE, said the memo, is also implementing the WebEx platform for larger video conferencing needs. ICE plans to roll out that platform in the coming weeks, according to the memo.

ICE is the latest federal agency to warn its users to steer clear of the free Zoom teleconferencing. Federal agencies began to take note of the use of Zoom as the push towards wider use of telework began in March. The FBI cautioned at the end of March that some Zoom teleconferences were being joined and "zoom-bombed" by unauthorized participants. It warned that new users of the services should familiarize themselves with the details of accessing it.

The General Services Administration and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are pointing feds interested in using Zoom away from the free version and to to obtain the FedRAMP approved Zoom for Government service, which is available through GSA's acquisition schedules.

"The Zoom for Government (government community cloud) platform is FedRAMP Authorized at the Federal Information Security Modernization Act (FISMA) moderate level," said a joint statement from GSA and CISA emailed to FCW. "CISA and FedRAMP issued joint best practices to federal departments and agencies about the use of the Zoom for Government conferencing software on federal IT systems."

A Zoom spokesperson clarified in an April 10 email that Zoom for Government "is a distinct product and a separate platform not connected in any way to the Zoom Commercial platform" and is housed in a separate Amazon Web Services cloud hosted solely in the U.S. and accessible by the U.S. government and authorized contractors.