Education CIO in the hot seat on Capitol Hill
The Education Department's long-serving CIO came under fire from members of the House Oversight and Government Reform Committee for past allegations of misconduct and potential conflicts of interest.
Education Department CIO Danny Harris testified before the House Oversight and Government Reform Committee on Feb. 2. (Photo: Zach Noble, FCW)
Rep. Jason Chaffetz (R-Utah), the chairman of the House Oversight and Government Reform Committee, is concerned that the Department of Education could be ripe for the kind of data breach that hit the Office of Personnel Management. And his concerns are exacerbated by the history of investigations into the personal conduct of longtime agency CIO Danny Harris.
At a Feb. 2 committee hearing, the Education Department largely closed ranks around Harris, as lawmakers called for him to be punished or even fired. The members of Congress also questioned whether flagging morale and low cybersecurity marks at the agency could be related to Harris' behavior over the past decade.
"Mr. Harris has been the CIO [at Education] since 2008," Chaffetz said. "By virtually every metric, he is failing to adequately secure the department's systems."
That behavior includes operating home businesses (home theater equipment installation and car detailing) without reporting income to the IRS, helping a relative obtain a low-grade job at the agency, maintaining a close personal relationship with an agency contractor, and loaning money to agency employees.
"I believe there were significant lapses of judgment," testified Acting Secretary of Education John King. But ultimately, King testified that he had "confidence in his leadership."
All of the conduct concerns addressed in the hearing had been previously investigated and closed by the Education Department inspector general and Harris' superiors. Harris was not disciplined, but was put through four counseling sessions.
Still, lawmakers wondered why the consequences weren't more dire.
Rep. Ted Lieu (D-Calif.) said he was disappointed that Education officials chose not to punish Harris, and that King sheltered behind a wall of lawyer-approved statements instead of offering candid remarks.
Beside detailing and installation work, which Harris testified were more in the nature of hobbies than businesses, the CIO has also consulted for the city of Detroit and taught at Howard University at various points in his tenure.
"I can understand why there are problems at the Education Department [in cybersecurity] when you have so many outside jobs," said Rep. Carolyn Maloney (D-N.Y.).
Chaffetz pointed to the dismal employee feedback from within Education's office of the CIO as evidence of Harris' management shortcomings, saying, "There's a reason why you're scoring at the bottom of the heap."
Education also scored near the bottom of the heap on the November 2015 Federal IT Acquisition Reform Act scorecard; it was one of three agencies to earn an ‘F.'
In the Feb. 2 hearing, Harris pledged security improvements.
He said Education should have 100 percent of its privileged users on two-factor authentication by March, once a vendor finishes re-architecting its data center, and non-privileged users should hit 100 percent for two-factor authentication by the summer.
Harris also said he plans to upgrade or retire 90 percent of the 54 software programs the agency is currently using that are no longer supported by their vendors.
Chaffetz, for his part, pledged to continue investigating Harris and Education, stressing that the agency houses sensitive personal information on half of the U.S. population.