Republican lawmakers warned the Department of Education’s chief information officer Tuesday that his failure to improve cybersecurity at the agency is setting up the possibility of a major data breach, like the one the Office of Personnel Management was forced to admit last year.
Danny Harris, the department’s CIO, testified before the House Oversight Committee, where he was grilled over his failure to improve a cybersecurity system that was given the grade of “F” on a cybersecurity scorecard. The agency also saw cyber standards fall further during a period last year when agencies were supposed to be ramping up their protection from hackers.
That failure could put at risk the 139 million unique Social Security numbers that the department oversees as part of its oversight of $1.18 trillion in outstanding student loans. Last year’s massive data breach against OPM affected 22.1 million people, and lawmakers said the Department of Education doesn’t appear to have learned anything from OPM.
“Reminiscent of OPM’s dangerous behavior, DoEd is not heeding repeat warnings from the Inspector General that their information systems are vulnerable to security threats,” said a briefing paper prepared by the committee.
Rep. Will Hurd, R-Texas, who chairs the House Subcommittee on Information Technology, added to the criticism in an opening statement. “This is completely unacceptable,” Hurd said. “This is the kind of issue that the American people are completely frustrated with.”
Harris said that he had learned from his mistakes and was working to improve the agency’s situation.
“I know that as the CIO, others look to me to demonstrate the best behavior possible,” Harris told the committee. “I am sorry if I have given any of my coworkers or supervisors or anyone else a reason to doubt my integrity.”
But Harris himself is under attack from lawmakers who are calling into question personal relationships that he has failed to disclose.
“By virtually every metric he is failing to adequately secure the Department’s systems,” Oversight Committee chairman Jason Chaffetz, R-Utah, said of Harris. “The committee’s concerns were further amplified after learning Mr. Harris was investigated for possible criminal and administrative misconduct.”
“The Inspector General closed its investigation a few months ago, finding that the CIO potentially broke 12 federal laws, regulations, and/or agency directives,” Chaffetz added.
In its report, the IG found that Harris had participated on a panel that awarded a contract to a company owned by a friend, but failed to disclose the relationship. He also assisted a relative in obtaining a job with the department, improperly loaned $4,000 to a subordinate, and failed to report as much as $10,000 in outside income, which he earned from doing home theater installations and detailing cars.
Pressed on whether that was a violation of law, regulation or policy, the department’s acting secretary, John B. King, would say only that Harris had received corrective counseling, and that his behavior had since improved.
“I’m asking you if it was a violation, not if he went through counseling, which didn’t do crap,” Chaffetz replied. “The Department of Justice refused to prosecute. That is a mystery to us. We don’t understand why they would refuse to prosecute.”