Shocking data security violations at govt. agency leading nation's drug war; DEA situation so...

DEA Situation So Serious, Other Agencies

Warned Against Sharing Data With It

The federal Drug Enforcement Administration has been rebuked by congressional investigators for computer security so poor it "could endanger lives, undermine investigations and ultimately jeopardize

The General Accounting Office, in a blistering new report entitled Computer Security: DEA Is Not Adequately Protecting National Security Information, says its auditors who visited DEA offices found classified information displayed on unattended computer screens and store on floppy disks left on desks or sitting in mail trays in areas where literally anyone could have seen or purloined them.

GAO says DEA officials "say they know of no instances where such information has been compromised." But, of course, any drug dealer with access to DEA information on such things as undercover agents, planned ambushes of drug couriers or the location of witnesses to crimes would try to disguise the origin of the information so DEA would not take action to cut off the source.

In fact, West Virginia Democrat Bob Wise, chairman of the House Government Operations Committee panel that instructed GAO to investigate data security at DEA, says that "Unless and until DEA succssfully eliminates its problems with handling classified information, cooperating agencies legitimately should be wary of sharing such information with DEA."

DEA Ignored Justice Dept. Policy

GAO says the "disturbing" situation at DEA exists because DEA "has failed to control and provide needed safeguards for computers handling national security information" despite Department of Justice policy that requires its agencies to identify all computer systems, including microcomputers, that process classified information.

Despite the need and the policy, DEA has not completed an inventory of such machines, GAO says, adding that DEA headquarters office computers were never surveyed and many offices that were surveyed never bothered to respond. GAO says its investigators found many instances of DEA computers processing classified information that were not even mentioned in survey reports.

GAO also found that classified information was being put into DEA's non-secure office automation system network made up of non-Tempest protected workstations operated in open unshielded work areas. And, in clear violation of national security guidelines and Justice policy, the workstations are connected by non-encrypted data communications lines.

"Therefore," GAO says, "unauthorized individuals can intercept or monitor information emanating from and transmitted by the office automation system without being detected."

Also, GAO says DEA personnel were found processing classified information with fixed-disk storage devices which were also in open, unshielded work areas. "Federal guidelines recommend against using this type of equipment because, unknown to the system user, information may be stored on the fixed disk leaving it vulnerable to retrieval by unauthorized persons."

The federal guidelines say that if computer systems are used to process classified information in open areas, computer equipment with removable-media-only should be used. (Editor's Note: The importance of safeguarding against inadvertent storage of information on fixed-disk was graphically illustrated by the sale last year of surplus Justice Department computers which contained sensitive grand jury material and information provided by confidential informants.)

Physical Security A Joke

In sum, GAO says DEA is not complying with federal requirements to protect its classified information and must act quickly to correct the situation. "Lax physical security practices make these weaknesses even more disturbing," GAO says. "Access to sensitive areas is not adequately controlled and non-DEA employees without security clearances (janitors, etc.) are allowed to work unescorted in these areas," GAO says.

The report stresses that DEA must identify all computers processing national security information, perform risk analyses to assess security threats and act immediately to set up appropriate safeguards.

DEA spokesman Roger Guevara says his agency is aware of the problems and is taking steps to correct them.