As part of a recent audit, inspector general employees playing the role of hackers made their way into the Department of Education’s main enterprise IT system and gained unfettered access to the network without anyone noticing, and from there, burrowed their way into other Education systems.
That particular defensive failing is just one factor behind a new and unfavorable annual review of the department’s cybersecurity posture.
The system, called EDUCATE, handles core business functions like email, printers, telephone systems and data routing for the entire department. The IG says because of misconfigurations on Education’s network, its penetration testers were able to get full access to the system and use it as a toehold to launch other cyber attacks against several other department systems.
They roamed the network for hours – completely undetected by Education employees or by Dell, the prime contractor which operates the system, said Kathleen Tighe, the Education Department’s inspector general.
“It shows that there are risks to the department’s data,” she told a hearing of the House Oversight and Government Reform Committee on Tuesday. “We could have done anything we wanted in there. The fact that we were able to gain access means that outsiders who have bad intentions could have gone in through the same way we did. It puts the department’s systems, its employees and everyone who’s involved in our systems at risk.”
Overall, the IG’s annual audit of Education’s compliance with the Federal Information Security Management Act, released last week, found that the department has significant weaknesses in four out of the five metrics federal agencies report to the Office of Management and Budget: continuous monitoring, configuration management, incident response and reporting and remote access.
This year’s FISMA report also included 10 findings that were repeats from previous years, including ongoing failings to ensure Education’s internal networks were protected against potential attackers on the public Internet.
For example, when auditors asked the department how many different virtual private networking portals it maintained to let employees and contractors perform work from offsite, department officials identified four.
“But when we scanned their systems from the outside, we found two more that they didn’t even know about, and those two didn’t have two-factor authentication,” Tighe said. “We understand that they’ve now put two-factor authentication on those remote access points, but we still have outstanding recommendations related to remote access, and if you don’t have proper controls on that you open up the department to attacks from the outside.”
Education officials agreed with all of the IG’s assessments and said they are implementing corrective actions to address each of them, but members of Congress didn’t seem reassured by the department’s response, especially given the vast trove of sensitive information held within Education department systems.
“The Department of Education holds roughly 139 million Social Security numbers, and that doesn’t count all the parents who submitted their data when they requested student aid,” said Rep. Jason Chaffetz (R-Utah), the chairman of the House Oversight and Government Reform Committee. “We’ve been talking a lot about the breach at the Office of the Personnel Management, where we lost data on 22 million people. Here, we’re talking about more than $1 trillion in student loans and data on more than 100 million Americans, and it’s not secure by any definition.”
Danny Harris, Education’s chief information officer, said the department has never suffered a significant data breach despite what he acknowledged as its past vulnerabilities, and he told Congress Tuesday that many of the problems identified in the audit have been fixed or remediated.
As part of OMB’s recent cyber sprint, Harris said the department implemented two-factor authentication at the government’s highest level of assurance and is also leveraging the Homeland Security department’s Einstein and Continuous Diagnostics and Mitigation programs to ward off cyber intruders and detect any that do make their way into the department’s systems.
On a scale of one to ten, he said he would rate the department’s current cybersecurity protections at seven.
“We’ve actively engaged with DHS to obtain continuous monitoring solutions as part of task order two of CDM,” he said. “For incident response and reporting, the department is using additional capabilities to identify and block attacks, including by adding web application firewalls.”
And independently, he said the department has implemented its own network access control (NAC) and data loss prevention (DLP) systems to detect unauthorized devices on Education networks, a process that took several years because of a shortage of cybersecurity professionals within the federal workforce.
“With the limited talent pool that that we have, we’ve spent multiple years implementing NAC and DLP this year,” he said. “But with the implementation of those programs, we will actually resolve 90 percent of the IG’s repeat findings this year.”
At several turns in Tuesday’s hearing, Harris wasn’t able to speak for the Education Department on key IT questions raised by the IG audit.
That’s because the CIO role within that department is something of an anachronism: Congress created a separate organizational structure for the Federal Student Aid program, which handles the overwhelming majority of the department’s funding and much of its attendant IT spending. FSA has its own chief information officer, who was not called to testify on Tuesday.
The Federal Information Technology Acquisition Reform Act was supposed to centralize IT decision making under a single CIO, but Rep. Gerry Connolly (D-Va.), one of the bill’s co-authors, said at least in the case of the Education Department, Congress may have some followup work to do.
“Congress set FSA up as a performance-based organization on a bipartisan vote in 1997, acknowledging at the time that FSA was siloed from the rest of the department,” he said. “We now need to square those two pieces of legislation. I think the current Congress would favor the current FITARA approach and look a little bit askance at siloing anything in light of technology progressing and the threat we’re facing.”