Congress on Tuesday grilled the chief information officer of the Department of Education on glaring holes in the agency’s security system following a blistering Inspector General report, and its flunking score on benchmarks set by the Federal IT Acquisition Reform Act.
In the first of two hearings scheduled, members of the House Committee on Oversight and Government Reform took CIO Danny Harris to task for using outdated technology, failing to detect a test breach by the IG’s office and quibbling about how many data centers the department oversees. The stakes, lawmakers said, are very high, because the department oversees more than 40 million federal student loan borrowers as well as student aid programs that require personally identifiable information.
And an IG report released last week found that the department has weaknesses in continuous monitoring, configuration management, incident response and reporting and remote access management.
“It has become a monster,” said Rep. Jason Chaffetz, R-Utah, chairman of the committee, of the department’s security systems. “We don’t know who’s in there, we don’t know what they’re doing. We know there are improper payments the IG can’t even have access to because there are so many contractors who say no.”
The department has 184 information systems, 120 of them managed by outside contractors. Harris nonetheless insisted that the department oversees only three, because he does not count the ones run by contractors.
“If you’ve got hundreds of data centers under contractors, it’s still in your charge,” said Rep. Gerry Connolly, D-Va., who chided Harris for offering, at times, vague answers.
“The Department of Education is responsible for all the data centers that hold these kids’ [personal information],” added Rep. Will Hurd, R-Texas. “Who is remediating these vulnerabilities? Who is ultimately going to be held responsible?”
Kathleen Tighe, inspector general of the agency, said her office was able to hack the department’s general support system, undetected by either Dell, the contractor that manages the platform, or the CIO’s office.
“We were able to gain full access to the Educate platform – we really could have done anything in there,” Tighe testified. “The fact that we could gain access means outsiders who have bad intentions can also come in the same way that we did and gain access, and that puts department systems and data and employees at risk.”
Harris said the department, which spends roughly $32 million a year on security services, has added more firewalls to address weaknesses and implemented two-factor authentication long before other agencies did. Still, he added, the agency faced 91 data breaches and 250 “minor” incidents this year.
“While we have made significant progress, we are not satisfied and have solid plans to increase the security of our systems,” Harris said.
He also defended the ‘F’ that the agency received on the FITARA scorecard, which exposed several agencies for weak security systems. Of the 24 agencies whose purchasing of IT equipment and services FITARA covers, a majority earned a ‘D’ grade or lower overall. The Energy Department and National Aeronautics and Space Administration also earned failing scores, and only two agencies, the Department of Commerce and the General Services Administration, scored a ‘B’, the highest grade received.
“I disagree with the rating,” said Harris, adding that he thought his agency should have received a ‘C’. “I am not aware of the source of the information, but what I can tell you is that we have a solid plan in place for FITARA by this
When asked if the office needs more money to better secure the networks, Harris said he would prefer employees well versed in cyber operations.
“[The] challenge is cybersecurity talent, even more than money,” Harris said. “You can give me all the money in the world, but if we can’t retain cyber talent, then we are in big trouble.”