U.S. Department Flunks Data Security … Again
By Vicki Alger • Friday November 20, 2015 4:11 PM PST •
Earlier this week the full House Committee on Oversight and Government Reform blasted the U.S. Department of Education for its lax security surrounding student data. But this isn’t the first time ED’s been taken to the woodshed.
The Government Accountability Office (GAO) reported in 2011 that ED still hadn’t implemented security controls recommend in 2009 by its own Education Office of the Inspector General (IG). And, just this week the GAO again documented ED’s numerous information security weaknesses and deficiencies.
As. Rep. Mark Meadows (R-NC) summed up, “You know, the headline should read: ‘Department of Education Gets an F’.” (Starting at 46:31, first video)
According to the committee website:
The U.S. Department of Education is responsible for managing the portfolio of over 40 million federal student loan borrowers holding over $1.18 trillion in outstanding debt obligations. The Department also manages other student aid programs, such as the Pell Grant program that annually serves 8.3 million students. These programs often require applicants and their parents to provide the Department with their PII [personally identifiable information].
In FY2014, the IG found that, “While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department’s information systems continue to be vulnerable to serious security threats.”
The committee also highlighted many more alarming security deficiencies:
- ED has at least 139 million unique social security numbers in its Central Processing System (CPS).
- ED, however, has ignored the IG, which documented 6 repeat findings and 10 repeat recommendations in its most recent report.
- ED scored NEGATIVE 14 percent on the Office of Management and Budget (OMB) CyberSprint for total users using strong authentication.
- ED earned an “F” on the Federal Information Technology Acquisition Reform Act (FITARA) scorecard.
- ED’s National Student Loan Database (NSLD) gives 97,000 accounts/users access to borrower data, but less than 20 percent have had background checks for security clearance.
- ED’s systems are so vulnerable IG investigators hacked into them and had unfettered access for hours—all without detection.
So committee members’ harsh words should come as no surprise. As Rep. Will Hurd (R-TX) put it:
IG reports show that since 2011 there was no mechanism to restrict the use of unauthorized devices on the network. Having the ability to find devices on your network, does it really take four years to figure that out? … This is completely unacceptable. This is the kind of issue that the American people are completely frustrated with.
A leading reason why is that those of us in the real world would face consequences for such lack of performance. As a result of private-sector security breaches in recent years, chief information officers (CIOs) and other executives resigned or were fired, and their companies have paid tens of millions of dollars in legal settlements and other corrective actions.
No so in the land of Fed ED.
When pressed by Committee Chair Jason Chaffetz (R-UT) to answer the basic question of how many data centers ED is responsible for, Dr. Danny Harris, ED’s CIO, responded, “I don’t know, Mr. Chairman.” (Starting at 43:26, first video)
After hearing Inspector General Kathleen Tighe confirm that her agents had, in fact, breached ED’s systems undetected, an exasperated Rep. Meadows asked Harris: “Are you willing to stake your reputation and your job on the fact that the system is secure?” “I am, sir,” was Harris’ initial reply, until he back-pedaled about resigning if there was ever a breach.
Ultimately, Rep. Meadows asked Harris how confident he is on a scale of one to 10 that there will not be a breach. “Seven,” said Harris. (Starting at 49:31, first video).
In response, Rep. Jody Hice (R-GA) demanded to know, “How in the world can you give yourself a 7 out of 10 when you’re using technology that isn’t even supported?…When can we expect the system to be secure?” (Third video clip; or 101:56 first video).
Harris didn’t have a response, but he promised that he and his colleagues are working really, really hard. So a whole lot of effort but no good answer. Sounds like Common Core math.
* * *
For the authoritative examination of the history and impact of the U.S. Department of Education and the need for innovative reforms based on educational choice and opportunity, see the Independent Institute’s widely acclaimed book, Failure: The Federal Misedukation of America’s Children, by Vicki E. Alger.