Angry lawmakers hammered the Education Department’s chief information officer, Danny A. Harris, at a hearing Tuesday, accusing him of ethical lapses and failing to secure the agency’s “vulnerable” information systems. “Cybersecurity for the federal government is a matter of quality management and effective leadership, not just…
Angry lawmakers hammered the Education Department’s chief information officer, Danny A. Harris, at a hearing Tuesday, accusing him of ethical lapses and failing to secure the agency’s "vulnerable" information systems.
"Cybersecurity for the federal government is a matter of quality management and effective leadership, not just tech," said Rep. Will Hurd, a Texas Republican who is chairman of the U.S. House of Representatives information technology subcommittee. Lawmakers warned that the Education Department, which holds some 139 million unique Social Security numbers, is a "prime target" of hackers.
Mr. Harris, who has been CIO since 2008, was the subject of an investigation concluded in 2013 by the department’s inspector general, which found that he hired subordinates to work on side businesses, failed to report more than $10,000 in income from those ventures, participated in a panel that awarded a contract to a friend, and helped a relative land a job at the agency. He has since taken part in "ethics counseling" provided by the department.
Lawmakers scoffed at the CIO's portrayal of a money-making venture as a 'hobby' and demanded to know why the department hadn't taken tougher action against him.
In his opening remarks, Mr. Harris acknowledged that he exercised "poor judgment" in hiring subordinates to work on his home-theater-installation and car-detailing "hobbies" and failing to pay taxes on the income from those ventures. But he denied that he had steered work to his friend and his relative. He said he has stopped accepting pay for installing audiovisual equipment and detailing cars and has amended his tax returns to reflect past income.
"I fully understand and take responsibility for how some of my actions could allow questions to arise about my impartiality," he said. "This is unacceptable."
Susan Winchell, the department’s assistant counsel for ethics, told lawmakers her office had concluded that while Mr. Harris "exercised poor judgment … he did not violate the ethics rules." She said the agency considered reassigning Mr. Harris, but concluded that such an action "would be drastic, and was neither reasonable, nor required."
The acting secretary of education, John B. King Jr., who took over for Arne Duncan last month, said Mr. Harris had "expressed profound remorse for his actions."
But lawmakers, who have questioned the department’s approach to cybersecurity in the past, weren’t appeased. They scoffed at Mr. Harris’s portrayal of a money-making venture as a "hobby," not a business. And they demanded to know why the department hadn’t taken tougher action against the CIO.
"What are you at the Department of Education teaching our children?" asked Rep. Tim Walberg, Republican of Michigan. "That there are no consequences for our actions?"
After three hours of grilling, Mr. Harris collapsed outside the House office building where the hearing was held, according to news reports. The Education Department did not respond to requests for comment on his condition.
‘Really Dangerous Stuff’
Tuesday’s hearing came less than three months after the same committee held a hearing on the state of cybersecurity at the department. At that hearing, the department’s inspector general testified that "longstanding weaknesses" in the department’s information-security processes had left systems vulnerable to "serious security threats." The inspector said department officials had repeatedly failed to fix problems identified in its security audits.
While those failures provided the backdrop for Tuesday’s hearings, most of the focus was on Mr. Harris’s personal conduct. Still, one lawmaker urged his colleagues not to lose sight of the bigger picture.
"I don’t want us to get distracted on whether this was a business or a hobby and lose in that minutiae the fact that this is really dangerous stuff when it gets into the wrong hands," said Rep. Mick Mulvaney, Republican of South Carolina.
Mr. Harris and Mr. King testified that the department has taken steps to safeguard its systems since the November hearing, hiring two new cybersecurity experts and creating a team to tackle overdue recommendations from the inspector general’s audits. They said the department has dramatically increased the number of users who log in with a security process known as two-factor authentication.
"We have made progress," Mr. King testified, but "I am not satisfied with where we are."
Lawmakers aren’t either. As the hearing closed, they made clear that they weren’t finished with the department.
"While we’re not here today to get anyone fired, lose the data and it’s a whole different story," Mr. Mulvaney warned. "As unpleasant as this hearing has been, it will be a whole different level of unpleasantness."
Click here to view full article