Education Department Called Biggest Cyber Risk Since OPM
House lawmakers accused senior Education Department officials Tuesday of incompetence and engaging in ethics violations instead of addressing vital cybersecurity flaws — issues they claim have put the personal and financial data of millions of Americans at risk.
The Department of Education is one of a number of federal agencies identified in years’ worth of inspector general reports as a cybersecurity risk, and one of only three departments to actually drop its percentage of users employing two-factor authentication during the White House’s post-Office of Personnel Management hack “Cyber Sprint” last summer.
The department went from 71 percent before the sprint to 57 percent after. For privileged users, it fell from 14 percent to 11 percent.
According to lawmakers on the House Oversight Committee, those failings are in part due to the actions of Chief Information Officer Danny Harris — accused of numerous ethics violations and the subject of corrective actions at the department for involving subordinates in personal business ventures, neglecting to report outside income, lobbying to give a friend’s business an Education Department contract and backchanneling a job offer at the department for a family member.
“Taxpayers deserve the best in our CIOs, but they are not getting the best at the U.S. Department of Education,” Utah Republican and House Oversight Chairman Jason Chaffetz said of Harris, who has reportedly received more than $200,000 in bonuses from the department. “The morale in the office of the CIO is at an all-time low due to the dysfunctional environment Mr. Harris’ has cultivated.”
Chaffetz, one of the chief critics of OPM leadership in the fallout of a massive hack revealed last year that exposed data on 20 million past and present federal employees, warned weeks ago the diversity of contractors handling student data and weak cybersecurity in OPM systems and servers threatened to put the private information, including Social Security numbers and loan information, of 139 million Americans and $1.2 trillion in loans for 40 million federal student loan borrowers at risk.
“Mr. Harris has served as the chief information officer since 2008, and by virtually every metric he is failing to adequately secure the department’s systems,” Chaffetz said during Tuesday’s hearing.
Deputy Inspector General Sandra Bruce testified Harris convinced subordinates to help him run a home theater installation and automobile detailing service, some of whom were also clients. He neglected to report at least $10,000 in outside income to the agency or on his taxes and used his public email account for private work. Harris also sat on panel that eventually gave a department contract to a business owned by a friend, and made a personal loan to a subordinate of $4,000.
Florida Republican Rep. John Mica quipped “CIO” in Harris’ instance must stand for “chaos, ineptness and outrage.”
“I don’t think you can find any more ineptness or misconduct in any senior official before us,” Mica said, inquiring who was responsible for handing out bonuses while Harris was engaged in such activities.
“You’re a very, very busy man,” Democratic Rep. Carolyn Maloney said. “I can understand how there are cyber problems at the education department.”
Harris apologized for his misconduct in the investigation the department’s inspector general began in 2013, and acting Education Department Secretary of Education John B. King Jr. testified he counseled Harris on his ethics violations. The Justice Department eventually elected not to prosecute Harris in lieu of corrective action from his superiors.
“I view my behavior as unacceptable, and I have learned from this experience,” Harris said, claiming the theater installation and auto detailing were just hobbies he’s since discontinued. The CIO added he’s no longer friends with the head of the company that received the department contract, has updated his financial disclosures and merely inquired about the job for a family member, and had no involvement in the hiring process.
Harris went on to tout his agency’s progress in the realm of cybersecurity, including establishing a new cyber-focused team that meets weekly and boosting the number of privileged users employing dual authentication from 11 percent at the end of the Cyber Sprint to more than 90 percent currently.
“I don’t buy it,” Chaffetz said of Harris’ explanations for his misconduct. “You’re one of the only agencies that during the cyber sprint went down.”
“We need to ensure that this is the leadership team that can put the tools and processes in place to ensure that we aren’t back here again in a month or two months to talk about a data breach at the Department of Education,” Texas Republican and information technology subcommittee chair Rep. Will Hurd said.