U.S. Department of Ed video, CIO investigation
This is one of those times you must set down the coffee cup, stop what you are doing and WATCH THIS SHORT VIDEO CLIP. You simply must. (Keep in mind the astonishing amount of sensitive data that the U.S. Dept. of Ed handles. Remember, also, that under the weakened privacy law FERPA, personal data can be shared, and is encouraged to be shared, without de-identification. And, in case you are not aware of the “joint data gathering project” between the U.S. Dept. of Defense and the U.S. Dept. of Ed, read here: the Federal Learning Registry partners with vendors, who then share the student data they have gathered with the federal government.)
Thanks go to Diane Ravitch for reporting on this Congressional investigation of Danny Harris, Chief Information Officer for the U.S. Department of Education here and here. As you can see from the video and as also reported in the Washington Post, this is alarming.
“The lawmakers’ concerns centered on an inspector general’s investigation that found Harris ran an after-hours car-detailing and home-theater-installation business that employed two subordinates from his agency and also allegedly accepted payments from other subordinates for the work.
The hearing also examined Harris’s effort to help a relative find work at the department and his close friendship with an agency vendor whose company [Esource] has been awarded about $10 million in contracts to perform work that falls under the purview of his office.
Harris also failed to report an estimated $10,000 in income from his outside activities on federal disclosure forms and to the Internal Revenue Service, according to federal officials…”
Wow. As if that were not shocking enough, remember the failing data security score the U.S. Department of Education (USDoE) received just a few months ago?
- [USDoE] scored a NEGATIVE 14 percent on the [Office of Management and Budget] Cybersprint [security program] for total users using strong authentication;
- [USDoE] received an “F” on the [Federal Information Technology Acquisition Reform Act] scorecard;
- [USDoE] maintains 184 information systems;
- Twenty-nine [of these systems] are valued by the Office of Management and Budget as “high asset”; and
- [USDoE] needs significant improvement in four key security areas: continuous monitoring, configuration management, incident response and reporting, and remote access management.
Chairman Rep. Jason Chaffetz (R-UT) summed up the problem:
“[A]lmost half of the population of the United States of America has their personal information sitting in this database, which is not secure.”
Speaking of insecure student data…
PowerSchool. This week a high school student in North Carolina was arrested for hacking into his school’s computer system and changing his grades. Certainly he should be reprimanded, but a felony arrest? [This student] was charged with felony accessing government computers, felony breaking and entering, and misdemeanor accessing government computers. He was released on an unsecured $15,000 bond to the custody of his parents.
The computer system he hacked into was PowerSchool, which is widely used in school districts. This North Carolina blogger writes about the arrest and goes on to say that PowerSchool was hacked into three separate times. She writes:
“I’ve noted a lot of issues with Powerschool since it was implemented both here and in other states. I’ve also noted issues with other Pearson products. Everything from the system going down to wiping out entire gradebooks, and from delayed report cards to DDoS attacks. Now we have a high school student getting into it multiple times to change his grades. But your child’s data is safe, they said… Small wonder Pearson sold Powerschool last year to Vista Equities.” – A.P. Dillon
One has to wonder whether PowerSchool, which claims “Impeccable Data Security”, will be investigated or charged for falsely promising that its security is sufficient to keep sophisticated attackers (or students) and malware out of the system, where an intruder could do far more damage than changing a few grades. (How the student got in, whether through a flaw in the software or through a borrowed or guessed password, is not reported; either way, the claim did not hold up.) PowerSchool holds sensitive information on 13 million students: staff and student demographics, grades, discipline records, student fees and payment information, special education information, and medical and health records. (This non-exhaustive list names only a few of the data types stored on this powerful K-12 hub.) Surely PowerSchool, and its enormous list of partners with access to the data, are being investigated? It brings to mind the recent case in which the hotel chain Wyndham Worldwide settled with the Federal Trade Commission over weak data security that led to the breach of hundreds of thousands of customers’ credit card records. Comparing the two, PowerSchool holds more records, and more sensitive information, about a far more vulnerable population: our children.
Back to the U.S. Department of Education debacle
We have the CIO of the U.S. Dept. of Ed, Danny Harris, making nepotistic deals for data-handling contracts worth millions of dollars while overseeing BILLIONS of records on students and parents; we have the audit of the federal databases he oversees returning a score of F and citing hundreds of data incidents, many of which have been reported for YEARS; and we have the U.S. Secretary of Education, John King, defending this CIO and his alleged mishandling of our children’s information. It certainly seems we should be arresting, or at least firing, someone, or better yet, stop mandating the collection of student data.
Thank you to the members of Congress who brought this investigation forward. Thank you for recognizing the importance of defending the children the U.S. Department of Education is supposed to serve and protect. And thank you for these words to Secretary John King and CIO Danny Harris:
“Simply put, when CIOs fail to bring both high managerial and ethical standards to their work, institutions suffer, systems are weakened and the data of millions of Americans are endangered.” – Jason Chaffetz (R-Utah), chairman of the panel
“Let me tell you what you’re conveying to the American people and, more importantly, to the 4,000 employees of the Department of Education,” said Rep. Mark Meadows (R-N.C.). “You can bend the rules — it’s just a matter of who you are.”
“Secretary King, your job is not to protect Mr. Harris. It is to set a proper tone, standards of conduct for your agency.”
“Outside this bubble of Washington, D.C., the rest of the country would view what Mr. Harris did as a violation of law or regulation.” – Rep. Ted Lieu (D-Calif.)