Like the Office of Personnel Management before it, the Department of Education has failed to heed repeated warnings that its systems contain multiple weaknesses.
In a House Committee on Oversight and Government Reform hearing held this week, Congressman and committee chair Jason Chaffetz (R-Utah) excoriated Danny Harris, the department’s Chief Information Officer, over some of those weaknesses for nearly two hours.
Chaffetz cited a handful of issues that the DoED has neglected to address over the years, including several weaknesses that could open the department up to man-in-the-middle attacks and jeopardize department resources.
Most of the hearing was based around a report released last Friday by the Office of Inspector General’s (OIG) Kathleen Tighe. In it, Tighe claims there are 10 recommendations and six findings that her office has previously identified that still haven’t been addressed by the department. Tighe says the DoED needs a lot of help, but mostly when it comes to continuous monitoring, configuration management, incident response and reporting, and remote access management.
To illustrate just how poorly protected the department’s systems are, Tighe claims in one part of the report that OIG testers “were able not only to gain full access to the Department’s network, but also to use this access to pivot from this entry point and launch attacks on other systems connected to the Department, all undetected.”
Chaffetz was baffled by a lot of things during the hearing, but especially when he learned that Harris reportedly only meets with Arne Duncan, the United States Secretary of Education, once a month. This was compounded when Chaffetz learned the sheer amount of information the department is responsible for.
The department maintains 184 systems in total, but 120 of those are managed by outside contractors. On those systems? Roughly 139 million Social Security numbers are stored in its Central Processing System. The department is also in charge of processing data on more than 40 million federal student loan borrowers and an additional 8.3 million students who send the department their sensitive personal information in order to apply for grants.
That boils down to about $1.18 trillion in debt obligations.
“Here they’re managing more than $1 trillion dollars in assets, liability for the United States, it’s basically the size of Citibank and the CIO meets with the Secretary maybe 12 times a year. That’s absolutely stunning,” Chaffetz said, “And looking at the vulnerability of almost half of the population of the United States of America has their personal information sitting in this database which is not secure.”
Another member of the Committee, Congressman Will Hurd (R-Tex) found it “completely unacceptable” that it took four years for the department to come up with a system to keep track of the 6,000 devices on its systems, telling Harris that he “could probably do that over the weekend.”
“To implement controls on 6,000 users should not take four years… This is completely unacceptable. This is the kind of issue that the American people are completely frustrated with,” Hurd said.
While he claimed he wasn’t satisfied with the department’s overall cybersecurity plan, Harris did point out areas where the DoED has excelled this year, including three initiatives it carried out over the summer. In May, the department stopped allowing students to use Social Security numbers to set up Federal Student Aid PINs, in June it enacted a new security division – SecOps – to handle incident response, and in July it implemented a two factor authentication system for all employees who check email remotely, or via mobile device.
Harris claimed those activities satisfied a collection of FISMA Audit findings and recommendations for 2014.
Earlier this month the committee released a scorecard of sorts that judged how each Executive Branch agency adhered to rules set in last year’s Federal Information Technology Acquisition Reform Act, or FITARA.
The DoED was one of three agencies, along with NASA, and the Department of Energy to score an “F.”
Even though the Department of Education hasn’t yet suffered a breach, in many ways the oversight hearing resembled those held following the disclosure of the Office of Personnel Management hack. That agency has reportedly only notified a third of the 21.5 million victims who were implicated in the hack earlier this summer. The OPM is sending out different notification letters over the course of 12 weeks – some which indicate that victims fingerprints were compromised, some which don’t.
