The Education Department’s chief information officer is putting the personal information of hundreds of millions of people at risk, lawmakers said during a contentious hearing Tuesday.
“After what we’ve learned this morning,” said Rep. John Mica (R-Fla.), the American people must think CIO stands for “chaos, ineptness and outrage.”
In recent years, Harris has been under investigation for ethics violations at the same time that watchdog reports have found his department’s cyber defenses are dramatically lagging, leaving Social Security numbers and student loan data vulnerable to hackers.
“Mr. Harris has served as the chief information officer since 2008, and by virtually every metric he is failing to adequately secure the department’s systems,” said Rep. Jason ChaffetzJason ChaffetzA guide to the committees: House GOP rep pushes back on Trump's tweet about town hall protests Trump: Protesters at GOP town halls 'planned out by liberal activists' MORE (R-Utah), who chairs the Oversight panel.
Harris acknowledged the agency’s cybersecurity shortcomings, but pointed to a renewed focus on the issue. In November, the department created an “integrated project team” that meets weekly to track all cyber initiatives, Harris said.
These efforts have led to “very significant progress,” he added.
For instance, the department has expanded two-factor authentication for people with access to privileged data from 11 percent last summer to over 90 percent at the end of January.
Lawmakers didn’t give Harris much credit for the improvement, however. The 11 percent ranked Education last among federal agencies at the time.
During last summer’s White House’s directed 30-day “cyber sprint” — intended to speed up the rollout of these type of basic cybersecurity measures — Education was the also only agency that ended the sprint with a lower percentage of its privileged users needing to use two-factor authentication.
“You’re one of the only agencies that during the cyber sprint went down,” Chaffetz said, raising his voice.
Several lawmakers cited the amount of sensitive data the agency protects, including 139 million Social Security numbers and the portfolios of over 40 million federal student loan borrowers holding nearing $1.2 trillion in outstanding debt.
“We need to ensure that this is the leadership team that can put the tools and processes in place to ensure that we aren’t back here again in a month or two months to talk about a data breach at the Department of Education,” said Rep. Will Hurd (R-Texas), who chairs the Oversight panel’s subcommittee on information technology.
Harris was also contrite about the ethics investigations, which included allegations he paid subordinates to assist in an outside car detailing business.
“I view my behavior as unacceptable, and I have learned from this experience,” he said, insisting that the car detailing was not a business, but a hobby from which he made no money.
The inspector general also looked into reports that Harris encouraged favoritism in awarding agency contracts to personal friends, which the CIO denied.
The Justice Department ultimately declined to prosecute Harris on any of the findings, and Harris was counseled on his “lapses in judgement,” said Sandra Bruce, the Education Department’s deputy inspector general, during her testimony.
Many lawmakers were vocally skeptical about these remediation methods.
“I don’t buy it,” Stacey Plaskett (D-V.I.), serving as ranking member in place of Rep. Elijah Cummings (D-Md.), said of the counseling's effectiveness.
Chaffetz was more blunt later.
“[Counseling] didn’t do crap,” he said.