The department maintains 184 information systems, with 120 managed by outside contractors, and 29 are valued by the Office of Management and Budget as “high asset,” according to the committee. In 2014, the department’s Inspector General’s Office found in a report that:
While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department’s information systems continue to be vulnerable to serious security threats.
Inspector General Kathleen Tighe testified that serious deficiencies remain. She said that her office had been able to penetrate some department systems without being detected. “We could have really done anything in there,” she said, saying that “outsiders” could find their way in too. She also said, “I am still concerned about the potential for breaches in the department.”
A congressional scorecard issued this month on how well federal agencies were implementing four key areas of the Federal Information Technology Acquisition Reform Act, or FITARA, gave the Education Department three Fs and one D. Harris, asked about the failing grades, said he thinks the department should have received a C — but both Democratic and Republican lawmakers made clear they didn’t agree.
On Tuesday, Harris engaged in some testy back-and-forth with lawmakers about just how secure the systems really are. Asked by North Carolina Republican Rep. Mark Meadows if he would stake his reputation on there not being a breach of Education Department systems, he said he would, and then said that on a scale of 1 to 10, he would rank his confidence at a 7. Georgia Republican Rep. Jody Hice responded:
“How in the world can you give yourself a 7 out of 10 when you’re using technology that isn’t even supported?…When can we expect the system to be secure?…This is an issue, Mr. Chairman, that hits every district in this country.”
Utah Republican Rep. Jason Chaffetz, the chairman of the committee, said that the department has at least 139 million unique Social Security numbers in its Central Processing System alone, but has not heeded repeated warnings from its own inspector general. He and other lawmakers noted that in the inspector general’s 2014 report, 10 of the 26 recommendations for improvement were repeated from an earlier report. Harris said that some problems are complex and take time to improve. Tighe agreed, but also said that sometimes long-term solutions take longer to solve than needed.
When Harris testified under questioning that he meets with Education Secretary Arne Duncan about once a month, Chaffetz said:
“Here they’re managing more than $1 trillion dollars in assets, liability for the United States, it’s basically the size of Citibank and the CIO meets with the Secretary maybe 12 times a year. That’s absolutely stunning. And looking at the vulnerability of almost half of the population of the United States of America has their personal information sitting in this database which is not secure, by any standard, any score card, it’s not secure.”
Lawmakers went after Harris for saying that the department only has three data centers for which it is directly responsible for security — even though outside contractors handle databases for the department. Harris said that “based on OMB’s [Office of Management and Budget’s] guidance on how we count data centers, we don’t count” outside contractors, to which Democratic Rep. Gerald Connolly of Virginia responded:
“Fair enough if you don’t count it. This isn’t a bureaucratic process. What we care about is efficiency, reliability and security, and if you have hundreds or thousands of data centers under the care of contractors — ok, OMB might not count that technically as a Department of Education data center — but it’s still in your charge and our concern here isn’t to consolidate for the sake of consolidation so we feel better.”
Rep. William Hurd, a Republican from Texas, accused Harris of being “disingenuous” for saying the department only has three data centers for which it is responsible.
Harris testified that while many of the information systems need to be upgraded, more needs to be done. He said:
“While Ed has made significant progress over the last several years in strengthening the overall cyber-security program in recent years, we are not satisfied and we have solid plans to continue to increase the security of Ed systems.”
But under questioning from Hice, Harris denied that the systems were insecure, saying:
“I would say that we are reasonably secure now. I’m not suggesting that we’re not secure, but we do need to strengthen. That’s very important. I’m not going to suggest that we don’t have a tremendous amount of work to do but I don’t want the general public to think we are not secure.”
Hice responded: “There again, reasonably is not a very secure answer.”
Asked how long it would take to modernize all of its data systems, Harris said he didn’t know across the entire platform, but “I can tell you we are working hard.”
When Hice asked if the department will continue to have vulnerabilities for an indefinite period of time, he said, “I think we will, sir.”
Connolly asked Tighe if she was “reasonably” sure the data systems were secure at the Education Department, and she said:
“I am still concerned about the potential for breaches in the department.”
She also said that weaknesses in the system “really point to the potential for significant vulnerabilities” and that she did not “feel as rosy about the picture as Dr. Harris.”
This hearing was held a day before another House oversight hearing in which government watchdogs skewered the financial arm of the department for what they said was poor, sloppy communication with contractors, colleges and borrowers.