Amid Cybersecurity Concerns, House Republicans Blast Education CIO Misconduct

House Republicans on Tuesday grilled Education Department officials on their inability to properly secure a database containing 139 million Social Security numbers from cyberattacks, especially after recent ethics investigations into the behavior of the agency's chief information officer.

The House Oversight and Government Reform Committee delved into CIO Danny Harris’ tenure at Education, including allegations that he operated side businesses detailing cars and installing home theaters without disclosing the income on tax forms, and that he improperly involved subordinate employees from the agency in those businesses.

Following an investigation by the Office of the Inspector General, and after receiving counseling from other department officials about appropriate and ethical behavior, “I fully understand and I take full responsibility for how some of my actions could allow questions to arise about my judgment," Harris said. The IG investigation dates back to 2012.

Today's hearing comes after a committee examination in November of the security of the agency's IT systems and Education's compliance with the Federal IT Acquisition Reform Act. The hearing also indicates growing congressional interest in the accountability of agencies’ technology leadership.

During Tuesday’s hearing, Harris said he has ceased activity that could cause potential conflicts of interest, and no longer accepts compensation for his side operations, which he said were “hobbies” instead of “businesses.”

But Committee Chairman Rep. Jason Chaffetz., R-Utah, lampooned Harris for behaving unethically, and other department officials -- Deputy Inspector General Sandra Bruce; Assistant General Counsel for Ethics Susan Winchell; and Acting Secretary John King -- for attempting to protect Harris.

“Taxpayers deserve the best in our chief information officers and they’re not getting the best at the Department of Education,” Chaffetz said. He argued that “by virtually every metric, [Harris] is failing to adequately secure the department’s systems,” pointing to the department’s 10 percent turnover rate for IT staff, and its poor performance in a federal “cyber sprint” intended to shore up cyber practices following a massive data breach of Office of Personnel Management records.

“The fact that the CIO is no longer engaged in questionable conduct is nothing to celebrate,” said Stacey Plaskett, a Democrat, who represents the Virgin Islands. “He is expected to set a positive tone and example for employees he supervises.”

Frustrated by repeated statements from King, the acting secretary, that he trusted the opinion of the general counsel -- who concluded Harris’ behavior exhibited nothing more nefarious than poor judgment -- Rep. Ted Lieu, D-Calif., argued: “Your job is not to protect Mr. Harris. You have sent the message that you can operate business venture[s] . . . and that does not violate a law or regulation."

Congress and citizens might think “CIO” stands for “‘Chaos, Ineptness and Outrage'" said Rep. John Mica, R-Fla., "after what we’ve learned this morning.”

Committee members also analyzed in minute detail whether Harris was friends with the president of a technology company selling services to the department. Harris denied the friendship created a conflict of interest, though he admitted to having a close personal relationship with that vendor, even taking joint vacations with him.

The Wall Street Journal published an op-ed Monday outlining Chaffetz's fear Education could be “Washington’s next cyber-disaster.”

During the hearing, Harris told the committee that Education has been improving its cybersecurity posture since the hearing in November, including an “integrated project team” that meets weekly to track corrective action plans for shoring up recommendations under the Federal Information Security Management Act. King also noted Education has moved from 11 percent compliance for two-factor authentication for privileged users to about 95 percent as of Jan. 31.

Harris added that the department has been consulting with the U.S. Digital Service and is working with the Department of Homeland Security to implement phase two of the Continuous Diagnostic and Mitigation program, which uses sensors to identify cyberthreats.