The Cybersecurity Risk at the Heart of Federal Immigration Enforcement

In recent weeks, a shift in enforcement activity has drawn enormous attention to U.S. Immigration and Customs Enforcement (ICE). Beyond the agency's physical tactics, which are currently under public debate, another threat is maturing in the shadows: the creation of centralized, unsecured troves of digital data.  

By aggregating the private data of millions of individuals in the United States, ICE has constructed a high-value target for nation-state adversaries. In 2025 and early 2026, this "American dragnet" reached a critical mass. Fueled by a massive infusion of funding from the 2025 "One Big Beautiful Bill" Act, which appropriated $75 billion to ICE over four years, ICE’s enforcement budget has nearly tripled, allowing the agency to shift from reactive enforcement to an "always-on" surveillance pipeline.  

This dragnet surveillance isn’t entirely new; a 2022 report found that ICE collected large swaths of information from the majority of people living in the United States. ICE had scanned the driver’s license photos of 1 in 3 adults, tapped private company and local bureaucracy data to build its surveillance dragnet, and located 3 in 4 adults through their utility records.  

In recent months, ICE’s intentions to continue to collect and store this data seem to have grown. ICE has invested in phone surveillance through an $11 million contract with Cellebrite, internet surveillance through a $5 million contract with Pen Link for location and social media tools, and street-level surveillance through a $10 million contract with Clearview AI for biometric surveillance and facial recognition technologies. 

Taken together, these contracts sketch the outline of a comprehensive surveillance infrastructure that tracks U.S. residents from their phones to their faces to their front doors. The result is an expansive, interlocking web of personal data. 

The Cybersecurity Threat  

There are four distinct risks of the data used and collected by ICE.  

Architectural Risk  

The risk lies not just in the sheer quantity of data being collected, but in its transition from isolated silos to a centralized hub. To search all the data it collects effectively, ICE uses a resource developed by Palantir called the Immigration Lifecycle Operating System, or ImmigrationOS, which aggregates a wide array of data, including license plates, utility records, and biometric scans.  

The consolidation of this data through ImmigrationOS has created an aggregation hazard, in which adversaries are incentivized to attack a pool of data that would otherwise be less valuable if left in individual data points. Unlike older, more fragmented surveillance systems used by the government, a centralized architecture for data means that a single attack or software vulnerability can lead to a total system compromise.  

Considering how comprehensive this collection of data is, potentially summarizing an individual’s whereabouts, biometrics, and associations, exposure of this data is permanent and irreversible. Biometric information, like fingerprints, facial images, and iris scans, all used by the Department of Homeland Security (DHS)’ Homeland Advanced Recognition Technology (HART) system, is the clearest example of irreversibility.  

Governance Risk  

The second risk is the systematic decay of accountability of surveillance systems. Even the most secure architecture is left vulnerable if the legal structure meant to govern it is bypassed. Currently, the speed of data ingestion by ICE has far outpaced the ability to audit it. 

The primary legal friction lies between the executive mandate and statutory privacy requirements. Under the E-Government Act of 2002, federal agencies are required to conduct Privacy Impact Assessments (PIAs) for any new technology that collects personally identifiable information (PII). These assessments serve as an oversight mechanism of surveillance; they force an agency to identify risks before a system goes live. 

However, since the signing of Executive Order 14161 in early 2025, ICE has shifted toward a policy of "Categorical Exclusions." By interpreting the EO’s mandate to "vet to the maximum degree possible" as a national security priority that supersedes administrative hurdles, the agency has effectively sidelined the PIA process. This is part of a longer legacy of non-compliance; a 2023 report revealed that ICE previously waited nearly 20 years to release a PIA for its "Alternatives to Detention" program, using low-tech pilot programs to obscure the invasive technical reality of tools like SmartLINK, a mobile surveillance platform that requires frequent facial-recognition "selfie" check-ins and GPS tracking for hundreds of thousands of individuals. 

The security consequences of this governance erosion were quantified in the 2025 DHS Inspector General audit (OIG-25-28). The audit found that while ICE and other DHS components have implemented new mobile security policies, they continue to struggle with department-wide execution. Specifically, technical testing of mobile applications revealed "critical and high-risk security vulnerabilities" and misconfigured settings that expose sensitive data. The risk is particularly acute for High Value Assets (HVAs); as of May 2024, DHS components were among those failing to meet the 100% security authorization goal, with five HVAs operating without a current Authority to Operate (ATO). Furthermore, DHS is managing 266 security remediation plans (POA&Ms) for its HVAs that have been past due for over a year, creating a systemic vulnerability that adversaries can exploit without needing to breach a strong perimeter.  

Recent reports of the agency’s hiring and training processes have also indicated a reduction in training time for new agents by almost 10 weeks. If training in core law enforcement functions has been compressed, there is little reason to believe cybersecurity best practices are receiving greater attention.  

Ultimately, the erosion of these oversight mechanisms is illustrative of a broader systemic reality. As federal surveillance mandates expand, they almost inevitably outpace the cybersecurity frameworks intended to contain them. 

Supply Chain Risk  

As of 2026, there is still no federal law requiring commercial data brokers to meet the National Institute of Standards and Technology (NIST) cybersecurity standards. While the Protecting Americans’ Data from Foreign Adversaries Act (PADFA), signed in 2025, began restricting sales to "countries of concern" such as China and Russia, it does not mandate specific internal security protocols for the brokers themselves. This creates a "security gap" where a broker can sell sensitive military or federal employee data to ICE while maintaining a security posture that is wholly inadequate for a high-value national security asset. 

The risk posed by this gap isn’t theoretical. In 2015, the Office of Personnel Management (OPM) lost the sensitive records of 21.5 million federal employees to nation-state actors, demonstrating how centralized repositories of personal data become prime intelligence targets. Today, commercial data brokers increasingly hold similarly comprehensive datasets, but without the security obligations imposed on federal systems.  

Even if ICE and DHS systems maintain perfect cybersecurity, the agencies’ reliance on third-party commercial vendors creates a massive upstream risk. By purchasing access to massive data troves, ICE effectively outsources its security perimeter to private companies that do not share the government’s high-level security mandates. 

This risk is borne out in practice. In February 2021, ICE agreed to pay LexisNexis, a legal database used by firms and academic institutions, more than $17 million to access Accurint, its crime identification database. In May 2025, LexisNexis confirmed a significant breach affecting over 364,000 individuals where attackers gained access through a third-party software development platform. This illustrates how adversaries can compromise sensitive government-used data without ever breaching a government system.  

Strategic Counterintelligence Risk  

Beyond the threat to personal information of U.S. residents, ICE's accumulation of vast, centralized data presents serious counterintelligence risks. At scale, this data does not merely identify individuals. This enables adversarial pattern-of-life analysis, allowing foreign services to map the movements and vulnerabilities of sensitive personnel.  

The data collected and maintained by ICE results in significant incidental collection on populations critical to U.S. national security, including military families, federal contractors and intelligence personnel, who are captured through utility records, license databases, location data, or biometric systems. 

Because personal data underpins national security vetting, its compromise does not just expose individuals to harm but also undermines the integrity of systems designed to assess trust and eligibility for sensitive access. Adversaries gain insight into who holds sensitive positions, where they live, who they associate with, and how they move. 

This risk was underscored through the 2015 OPM breach and the 2024 Salt Typhoon campaign, a Chinese state-sponsored infiltration of U.S. telecommunications infrastructure, which demonstrated that adversaries will specifically target sensitive data on government personnel, gaining counterintelligence advantages that can take years to fully assess. Data collection intended for enforcement could thus become a strategic liability rather than an asset.  

Closing the Security Gap  

Much like the power grid or banking systems, if these massive biometric and location databases are to be used foundationally by federal agencies, they should be governed with the same rigor as our most sensitive national assets. At a minimum, Congress and oversight bodies should act on three fronts: 

• Prioritize cybersecurity protections for immigration systems that aggregate sensitive personal data collected about individuals.
• Close the “security gap” by requiring any private vendor selling data to the federal government to meet NIST high baseline security standards, ensuring third-party breaches, like the LexisNexis breach, do not compromise federal assets.
• Reinstate supremacy of the E-Government Act of 2002, requiring that no new surveillance tool be deployed without a publicly accessible Privacy and Security Impact Assessment, regardless of executive mandates.  

Absent these reforms, data collected in the name of reform risks becoming an enduring national security liability.