COMPUTER SECURITY REVIEW AT EMBASSY PRAGUE

Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6 United States Department of State Assistant Secretary of State for Administration Washington, D. C. 20520 MEMORANDUM May 31, 1984 M - Mr. Ronald I. Spiers FROM: A - Robert E. Lamb SUBJECT: Computer Security Review at Embassy Prague Representatives of the Information Systems Security Staff (A/ISS), Bureau of European and Canadian Affairs (EUR/EX), and the User Support Staff (A/ISO/USS) visited Prague during the period May 17 through May 20, 1984. A computer system security review of the Post Wang VS-80 minicomputer was conducted by the A/ISS representative. The Ambassador has expressed strong reservations about the propriety.of a Czech national serving as the post computer system manager. The results of the A/ISS computer security review indicate it is very likely that the Czech Intelligence Service (STB) has repeatedly received copies of all data resident on the Post computer system. The facts which support this conclusion are summarized below: - The embassy system has been managed by a Czech national since its installation in 1979. He is clearly overqualified for the position since he holds the equivalent of a Masters Degree in computer science. this individual was recruited specifically for this position by the STB and then placed in an intensive six month English language course before applying for the Embassy position. - The Czech system manager has access to all Data Processing and Word Processing information stored on the system. He has routinely been permitted to operate the system on weekends and after normal duty hours. He has also been observed leaving the Embassy with computer listings and carrying a box large enough to contain a disk pack. 25X1 25X1 Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6 SECRET - The system manager also has been allowed to remove system components (e.g. circuit boards) from the Embassy. He also has installed circuit boards in the system that were obtained from unknown external sources. 6~ - The computer room in Prague shares a common wall with the police station next door. A cable leaves the computer room and disappears into this common wall. The cable is equipped with a standard RS-232 modem connector. This cable could facilitate the transmission of data to a point outside the embassy. - Within the Embassy there are eight (8) archiving workstations, attached to the system. Most of these are available to the FSNs. Use of these workstations permit the unauthorized copying of system data onto a diskette. This diskette could be easily concealed and removed from the Embassy. - There are twelve (12) printers attached to the system, most are available to FSNs. No system controls have been established to prevent the unauthorized printing of system data. - System maintenance is currently being performed by two Eastern Bloc nationals based in Linz, Austria. Attached is a list of applications processed by the system. These are in addition to the word processing application. To reduce our vulnerability several ~eccomendat' for corrective action have been made. The ec system manager will be replaced by an American citizen to provide positive supervision and management of the system. The l ~ eg eplaced by m presen Wang VS-80 system will be r implemented. administrative and op rational security measures will VS-45. The system will be move to Cl more pro ected location within the chancery. Other systemic, SECRET k'~/ ~W'JjQ~ 'f J UCH' e ~ tic Vjt C'ck cocl c Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6 SECRET Office automation has significantly altered the information security environment at post. The aggregation of data on a computer system serves to undermine the security that results from the physical separation and compartmentation characteric of the manual information handling environment. Computerized data also facilitates duplication and manipulation. In the case of Embassy Prague, this data is available to a single individual, the Czech systems manager. Attachment: As Stated. SECRET Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6 Prague VS-80 DP Processing: P/C Distribution & Record System Keeps track of all participants, library members (New Book List), exchanges, who receive what magazine (especially. 'Spektrum' with about 5000 addressees). USED BY: most of P/C section (2+4) NUMBER OF RECORDS USED: 6669 + 2185 Commerical Contacts About 5000 addresses (will be reduced to 3000 - 4000 addresses) - by categories of interests or by companies they work for). USED BY: whole Commercial Section staff (1+2) NUMBER OF RECORDS: 4663 Own version of PPS (called MINIPPS) Allows various reports, mass changes and summaries data and screens identical to original PPS. USED BY GSO Staff (1+3) NUMBER OF RECORDS: 6648 Work Order System Sort of management tool; keeps track of the whole action (since accept of the request to the final billing when completed); computes all cost of work and material (good for budget planning); keeps track of activity of all Embassy workshops. USED BY: GSO Staff (1+3) NUMBER OF RECORDS: 1280 as for now; 2389 last year Representational Contact System The one we sent to A/ISO - now July 4th Reception is the big item. USED BY: all have access rights NUMBER OF RECORDS: 1540 (with a lot of addition pending) + 305 (category/sub-category table) Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6 Stock Control Inventory of all Embassy stock, issuing-receiving,linked with Work Order System helps to find out the cost of material used for particular work (in comparison with cost of material issued for that particular work). USED BY: Storage Assistant NUMBER OF RECORDS: 1193 (Stock Control cards) 723 (Issuing/Receiving Records) Cashier's Programs (5) (1) COIN LIST (to find out exact number of bills needed for local salaries paid in cash); (2) LOCAL CURRENCY CASH PAYMENTS - keeps track of all payments, lists/prints them; (3) ACCOMMODATION EXCHANGE - keeps track of all exchanges made through Embassy Cashier; for tax purposes provides a list of all transactions with the tax statement of all Americans; (4) ACCOUNTABILITY RECORD all cashier's work in one program, saves time to cashierin doing his paperwork (from three hours to one); keeps track on transmittals not yet processed by RAMC etc. (5) COLLECTIONS - all collections registered. USER: Embassy Casher NUMBER OF RECORDS: 658 + 390 + 502 + 632 Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100190005-6