Justice Department Computers Unprotected, GAO Says : Security: Outsiders can penetrate ‘state-of-art’ facility, report claims. Secret identities might be learned by criminals.

A lack of adequate computer security within the Justice Department is endangering highly sensitive information, including identities of undercover operators and confidential informants, congressional investigators have concluded.

Although the department moved its main data center last year to a new “state-of-the-art” facility, unauthorized remote users of computers can still enter and exit the system electronically without being detected, the General Accounting Office said in a report to be issued soon.

“The threat of intrusion into these systems is serious, and there are criminals who could benefit immensely from such covert encroachments,” Rep. Bob Wise (D-W.Va.) said in a letter urging Atty. Gen. Dick Thornburgh to “immediately correct” the security flaws.

Wise, chairman of the House Government Operations subcommittee on government information, justice and agriculture, asked for the study in July after an earlier GAO examination of the Justice Department’s office automation systems turned up security concerns.

The report directed its harshest criticism at the department’s new data center in Rockville, Md. It said the center can be accessed through phone lines and commercial computer networks, making it vulnerable to remote users who could “introduce viruses and other disruptive software . . . into vulnerable computer systems.”

A department official who requested anonymity said he was “dismayed” that the GAO assessment failed to cite “a lot of corrective action already taken and more that is under way.”

The official, who is involved in the work, said the data center was moved from downtown Washington to the Maryland location before security equipment had been installed because of fire and safety concerns at the older facility. A dispute between bidders has held up purchase and installation of security equipment, he said.

But the GAO examination described a broader set of problems, citing “many disturbing weaknesses in existing security which, if not corrected, could severely compromise both the computer systems and the sensitive information they process.”

In a directness unusual for a GAO document, a copy of which was provided to The Times, the report blamed the security weaknesses on “a lack of effective leadership and oversight by the justice management division,” which is headed by Assistant Atty. Gen. Harry H. Flickinger.

“If that reference is meant as a personal attack, there’s no reason for it,” said Daniel G. Eramian, the department’s deputy director of public affairs. “If what they mean is that we lack review or audit (of computer security), we have requested additional resources from Congress for that and have not received them.”

The report covered computer security programs in the department’s litigating units, which include 94 U.S. attorneys’ offices around the nation and six divisions in Washington: antitrust, civil, civil rights, criminal, land and environmental protection, and tax.

Those units “rely on computer systems to process a variety of highly sensitive information,” including “the names of defendants, witnesses, informants and undercover law enforcement officials cited in grand jury proceedings, witness identification programs and criminal investigations,” the report said.

The investigators found that contingency plans to be implemented when computer services are disrupted had either not been prepared or not tested and that no mandatory computer security training was being given all employees.

“Given recent hostile attacks on justice organizations, such as the March, 1990, firebombing of a Drug Enforcement Administration office in Ft. Myers, Fla., Justice needs to establish effective procedures for continuing operations,” the GAO said.

GAO investigators said the new Rockville, Md., center lacks “surveillance devices, such as cameras or motion sensors, to monitor activities in critical areas.” Guards were not stationed to observe activities, and video monitors, where used, lacked the capability to store and record information, should it be needed for a security investigation.

“Systems programmers with extensive knowledge of hardware and operating procedures had unescorted access to the data center and were capable of issuing critical computer commands that should have been limited to computer operators,” the report said.

The security weaknesses at the main data center “reflect long-standing concerns” about similar shortcomings identified by the department’s own audit of its former data center four years ago, according to the GAO.