Computer Security

The Drug Enforcement Administration's (DEA) lack of an effective computer security program has led to serious fundamental weaknesses that jeopardize the integrity of its computer systems and the highly sensitive data they contain. This information includes the names of drug dealers and informants, intelligence on drug trafficking organizations, and details on counternarcotics operations. Personnel at DEA headquarters and field offices routinely process sensitive data on computers that lack basic security controls, such as passwords and audit trails. When passwords have been used, DEA employees have shared them and, in a few cases, left them taped to computer terminals. DEA personnel often leave computers containing sensitive information unattended and turned on, and floppy disks and other documents containing sensitive drug information are sometimes left unattended in open, unprotected areas. This situation is even more unsettling given DEA's lax controls over access to areas where computers process sensitive data. For example, janitors who had incomplete or unfavorable background investigations were allowed to work unescorted around the computers. In one case, a contractor's employee had a criminal record that included an arrest for drug possession. GAO also found cases in which DEA administration personnel and non-DEA contractor personnel looked up sensitive information about their friends and acquaintances in the DEA computer system. GAO summarized this report in testimony before Congress; see: Computer Security: DEA's Handling of Sensitive Drug Enforcement and National Security Information Is Inadequate, by Howard G. Rhile, Director of General Government Information Systems Issues, before the Subcommittee on Government Information, Justice, and Agriculture, House Committee on Government Operations. GAO/T-IMTEC-92-24, Sept. 30, 1992 (five pages).

GAO found that: (1) DEA has not identified all of its computer systems processing sensitive data nor completed security plans for those systems; (2) DEA has not performed risk analyses to identify and minimize security threats and has not effectively monitored and enforced computer security; (3) DEA has not fully tested and implemented contingency plans for computer systems; (4) computer security awareness training is ineffective and its guidance is either inadequate or poorly communicated; (5) DEA routinely processes sensitive data on microcomputers that lack such fundamental security controls password protection, audit trails for detecting unauthorized access, limited-access controls, and equipment protection; (6) DEA personnel frequently shared passwords or left them, as well as computers, diskettes, and documents containing sensitive information, unattended and easily accessible, and personnel with incomplete or unfavorable background checks were allowed to work unescorted in such areas; (7) DEA cannot conduct an accurate inventory of the several thousand microcomputers that its employees use; and (8) DOJ is taking a more active oversight role and has implemented mandatory computer security training throughout DEA and has begun to perform compliance reviews at DEA offices.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: