H-1B requirements could be security nightmare
“Anything that can be switched to public and then back off again opens yourself up for scraping,” cybersecurity expert says.
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
New rules from the US government on H-1B visas could damage national cybersecurity.
The tech industry faces new Department of Homeland Security (DHS) rules starting Dec. 15 requiring that H-1B visa applicants make their social media activity public. It’s a move that is unlikely to generate much goodwill from overseas workers looking to come to the US and could be detrimental to tech interests in Silicon Valley.
Shake up. As Cecilia Esterline, Niskanen Center senior immigration policy analyst, told IT Brew earlier this month, the new rules mean there is “this uncertainty and unpredictability that has been introduced into an otherwise somewhat predictable program.”
“Right now, we’re not in the normal, in terms of normal H-1B procedures,” Esterline added. “I think not relying on past experiences, or what has worked for a company in the past, but continuing to update those practices to meet the new moment is what will be required.”
But beyond the uncertainty threat, said Malwarebytes Global Consumer Business GM Mark Beare, there’s the danger of cyber insecurity that could come from having so many people connected to a critical industry making so much of their online activity public, even for the limited duration of a visa review.
“We care deeply about our employees and their privacy, and also employees are an attack vector for a company,” Beare said. “We want to try to do what we can to make sure that the employees are not able to be influenced or fall victim to any sort of bad actors who are trying to then target our business.”
Incompatibility. H-1B holders and US citizens in the tech industry alike should take care to protect their information. Among the potential problems with the new government policy? If applicants don’t update their social media profiles, it could result in DHS officials seeing inconsistencies.
“There could lead to a discrepancy between what the employer is reporting to the US government and what is publicly available on LinkedIn, and that could lead to a lot of problems for people who are seen as having misrepresented information to the US government,” Esterline said.
Danger zones. Social engineering attacks often rely on publicly available information; for visa candidates coming from countries with more hostile laws and rules on social issues or speech, opening profiles for scrutiny can be hazardous. Add to that the blackmail potential and you have a perfect storm of threat actor possibilities.
“Anything that can be switched to public and then back off again opens yourself up for scraping,” Beare said. “Anyone who’s trying to actively try to go after individual people that work for specific companies—certainly there’s surveillance on them, and if settings become open and public that they have access to, that can open up a security concern.”
Potential visa applicants are worrying not only about their careers, but their lives and their families. And the example applies to more than applicants.
“H-1B is an example where there are a bunch of people that may need to make something public that they didn’t intend or want to make public, and that’s a concern for them as individuals,” Beare said. “But for consumers at large, people need to be conscious about what they’re putting online, they need to be conscious of the settings.”