House lawmakers are probing whether Education Department Chief Information Officer Danny Harris should remain in his role after almost a decade of cybersecurity and employee morale shortcomings, and now a damaging inspector general report highlighting Harris’ questionable conduct.
House Oversight and Government Reform Committee members spent almost three hours Feb. 2 grilling Harris, acting Education Secretary John King and Susan Winchell, the assistant general counsel for ethics, about the department’s systemic cybersecurity problems and Harris’ behavior concerning operating two outside businesses, not reporting additional income to the IRS and having a personal relationship with an Education Department IT services contractor.
“The Department of Education oversees a student loan portfolio of more than $1.2 trillion. This puts it on the proportion of Citi Bank and other major financial institutions. It is critical because taxpayers deserve the best in the chief information officer and they are not getting the best in the Department of Education,” said Rep. Jason Chaffetz (R-Utah), chairman of the Oversight and Government Reform Committee. “Mr. Harris has served as the chief information officer since 2008, and by virtually every metric, he is failing to adequately secure the department’s systems. The committee’s concerns were further amplified after learning Mr. Harris was investigated for possible criminal and administrative misconduct. The IG closed its investigation a few months ago, finding the CIO potentially broke 12 federal laws, regulations and/or agency directives. But the Department of Justice refused to prosecute. That is a mystery to us.”
The chairman’s comments were part of a grueling appearance on Capitol Hill for Harris. The Associated Press first reported that after the hearing Harris collapsed and was taken to a hospital.
An Education spokeswoman confirmed Tuesday evening that Harris was stable and conscious.
The Education IG’s findings highlight Harris was guilty of at least poor judgment, if not violating agency policy. While the Education general counsel and the DoJ decided criminal or civil prosecution wasn’t warranted, Harris underwent counseling with the agency’s deputy secretaries and ethics officer for how to avoid these same mistakes in the future. He also stopped charging any fees for his two side businesses or hobbies — car detailing and home theater installation. Lawmakers and the IG, and Harris and the department disagreed about whether these were indeed hobbies or a business.
Harris vehemently denied these were side businesses. He said they were just hobbies, and he earned only a few hundred dollars a year. But Harris admitted his judgment was poor and he has learned from his mistakes.
This was the second hearing since November in which members of Congress expressed serious concerns over Education’s ability to protect the data of 139 million Americans.
But with the addition of the IG report about Harris’ questionable behavior, Chaffetz and other members of the committee said their concerns over the department’s systems and data only are growing.
“The purpose of being here is what you are responsible for doing for the folks we represent, the taxpayers and the 139 million people whose records you hold. As we discussed the last time Dr. Harris when you were here, it’s not just the ordinary stuff that I give to Target. You have my bank accounts. That’s a whole different level of serious than when I swipe my card at the gas station or buy something at Target,” said Rep. Mick Mulvaney (R-S.C.). “I don’t want us to get distracted on whether or not it was a business or a hobby or you reported on your tax returns, and lose in that minutia the fact that this is really dangerous stuff when it goes into the wrong hands.”
Mulvaney said he and the committee must see progress in how Education is protecting its systems.
“While we are not here to have anyone fired, at least in my mind, lose the data and it’s a different story,” he said. “Start losing people’s bank records and as unpleasant as this hearing may have been, it’s going to be a whole different level of unpleasant. Lose the data and the next explanation you will have to give to this committee is why you shouldn’t be fired. That’s as plain as I could put it. As reasonable as I’m trying to be today in laying out for you what we are not here to accomplish, you can expect me and others to be fairly unreasonable with our patience next time if you lose the stuff. So please don’t lose it.”
While Chaffetz wouldn’t go as far as calling for Harris to be fired — like he has done twice with Donna Seymour, the Office of Personnel Management’s CIO — he did say the committee would analyze what came from the hearing and decide where to go next.
“I think the problem is bigger than I thought it was. Not only do we have a problem in the CIO’s office, but we have severe ethical challenges throughout the Department of Education because the senior management doesn’t get it,” Chaffetz said in an interview with Federal News Radio after the hearing. “We are going to digest what has happened here. I think we will have people at the Department of Education who are inevitably watching this get back to us. We will let the dust settle a little bit. They need to take action and to the extent they do and get it back on track, hallelujah that’s what we are trying to do. But I worry they are just playing defense and cover up, and not dealing with the underlying systemic problems.”
It was those systemic cyber problems that the committee focused on in the November hearing. Lawmakers heard about how the department’s IG penetrated Education’s networks so easily and other long-standing cyber shortcomings.
Education makes progress
Harris and King came better prepared this time around with a progress report showing specific steps the department has taken to protect its systems and data.
“The department has enhanced its progress by standing up an Integrated Project Team that will be tracking all corrective action plans tied to Federal Information Security Management Act or financial statement audits. The team is made up of the general counsel, myself, the deputy CIO, the Federal Student Aid chief operating officer and the FSA CIO,” Harris said. “I believe focusing this level of attention by senior members of the agency will help ensure we meet our targets. The team will meet on a weekly basis to ensure that all corrective actions are resolved based on the dates provided to and agreed upon by the IG. The team will pay particular attention to any items associated with the department’s high value assets as well as items listed as repeat findings.”
King said as of Jan. 31, 95 percent of all privileged users must now log onto Education’s network using their smart identity card under Homeland Security Presidential Directive-12 (HSPD-12) or another two-factor authentication approach. That’s up from 11 percent in July.
King said he expects to reach 100 percent for privileged users using two-factor authentication by the end of March.
Harris added 86 percent of all non-privileged users are using two-factor authentication as well. He said he expects Education will achieve 100 percent compliance for two-factor authentication for non-privileged users by the summer.
King added Education is hiring more employees with specialized skills.
But the new concerns about Harris’ conduct and more details emerging about Education’s cyber weaknesses overshadowed the department’s efforts.
Rep. Will Hurd (R-Texas) said Education has 54 software applications in use today that are no longer supported by vendors. Additionally, 10 systems don’t have authorities to operate (ATOs), meaning it’s unclear how well Education is protecting the data on those machines.
Harris said one of his main goals for 2016 is by June to get 90 percent of those unsupported software tools upgraded or taken off the network, or require a risk justification by the mission owners.
Additionally, Harris said he’s brought in experts from the U.S. Digital Services Office in the White House to help with cyber challenges and is preparing for Phase 2 of the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program.
Harris said he expects the improvements to continue in part because of the senior level attention, and in part because of the Federal IT Acquisition Reform Act (FITARA)
“We have our FITARA implementation plan approved by OMB,” King said. “We have made good progress on implementation and will continue to work through the spring and into the summer. Historically, the work of the FSA CIO and the department CIO have proceeded on parallel paths, but not always coordinated paths with the department CIO having full transparency of the FSA CIO. That will now change with FITARA implementation and we are working through the internal operations to make sure that happens.”
But Chaffetz and other lawmakers need to see real change. Chaffetz said he has no confidence in Harris and called his office “pathetic and not necessarily getting better.”