The Education Department is facing the prospect of a cyber breach that would dwarf what the Office of Personnel Management experienced in 2015, warned a key lawmaker this week.
House Committee on Oversight and Government Reform Chairman Jason Chaffetz (R-Utah) said during a Jan. 7 speech at the Brookings Institute in Washington that a cyber attack on Education would affect almost half of the nation’s population.
Education’s data centers, which hold personal information on citizens who apply for student loans, are vulnerable to cyber attacks, and the United States is not doing enough to protect them, Chaffetz said.
“If you apply for a student loan you are sending this information, not only about yourself, but about mom, about dad and all the investments, all the account numbers, all the assets that you have. They have how many of these records? Almost half of America’s records are sitting at the Department of Education,” Chaffetz said. “I think ultimately that’s going to be the largest data breach that we’ve ever seen in the history of our nation.”
Chaffetz said part of the problem is that Education uses 184 information systems and 120 different contractors that hold student information.
During a November oversight committee hearing, Chaffetz asked the Government Accountability Office to look into the security of the databases.
“The Department of Education holds roughly 139 million Social Security numbers, and that doesn’t count all the parents who submitted their data when they requested student aid,” Chaffetz said during the hearing. “We’ve been talking a lot about the breach at the Office of the Personnel Management, where we lost data on 22 million people. Here, we’re talking about more than $1 trillion in student loans and data on more than 100 million Americans, and it’s not secure by any definition.”
Chaffetz said Education’s chief information officer said he needed better people to ensure the safety of the databases. The main issue is a management one, he said.
Education’s cyber woes were brought to light in a November year-end review conducted by the Education Department Inspector General.
Education IG employees playing the role of hackers made their way into Education’s main enterprise IT system and gained unfettered access to the network without anyone noticing. From there they burrowed their way into other Education systems.
The system, called EDUCATE, handles core business functions like email, printers, telephone systems and data routing for the entire department. The IG said because of misconfigurations on Education’s network, its penetration testers were able to get full access to the system and use it as a toehold to launch other cyber attacks against several other department systems.
The IG’s 2016 management challenges also noted that IT security audits found a need for improvement in order to adequately protect the department’s systems and data.
Education’s CIO Danny Harris said the department has never suffered a significant data breach despite what he acknowledged as its past vulnerabilities, and he told Congress Tuesday that many of the problems identified in the audit have been fixed or remediated.
As part of OMB’s recent cyber sprint, Harris said the department implemented two-factor authentication at the government’s highest level of assurance and is also leveraging the Homeland Security Department’s EINSTEIN and Continuous Diagnostics and Mitigation programs to ward off cyber intruders and detect any that do make their way into the department’s systems.
“The Department takes very seriously its obligation to ensure that information entrusted to us by the public is safe and secure. We have made significant progress in strengthening our cybersecurity, but we know we have more work to do on this, and we remain committed to that process. The public – and the people we employ – deserve nothing less,” Dorie Nolt, the Education Department’s press secretary, said in a statement to Federal News Radio.
Chaffetz also set his sights on the Department of Homeland Security during his speech at the Brookings Institute.
His committee looked into a number of DHS issues including the Transportation Security Administration and the Secret Service in the past year.
Chaffetz said he is working on legislation that would allow the Secret Service to pull staff, training and resources from other agencies.
The legislation stemmed from the committee’s finding that the average Secret Service member spends 25 minutes in training per year. That’s compared to a major metropolitan police department spending 10 percent of its time training its members.
Other problems came from the lack of a model White House for the Secret Service to use when training.
Chaffetz said the Secret Service would go to a field and spray paint a floor plan of the White House to practice drills.
“We found out there were officers that had never, ever been inside the White House,” Chaffetz said. “How come they haven’t come to Congress and said ‘I have to have a mock White House?’ This is an elite force. That’s how I grew up, the Secret Service, the FBI; this was right at the top.”