U.S. lawmakers ripped into the Department of Education’s CIO Tuesday for holding four outside jobs in recent years while the agency has received failing cybersecurity grades.
Members of the House of Representatives Oversight and Government Reform Committee questioned why Danny Harris, the department’s CIO since 2008, was pursuing outside work while the agency has repeatedly received low cybersecurity grades from auditors. The agency holds the personal information of about 139 million U.S. residents.
At the same time as he served as CIO, Harris has worked as an education consultant and an adjunct professor, and he provided auto detailing and home theater installation services, although he told the committee the latter two were “hobbies,” not outside businesses.
“You’re a very, very busy man,” said Rep. Carolyn Maloney, D-N.Y. “I can understand why there are problems with the cybersecurity in the Education Department when you have so many other outside jobs.”
Harris paid two department employees for assisting him with his “hobbies,” and he didn’t report income from those activities to the Internal Revenue Service and on a required Federal ethics form, the department’s inspector general found after an extended investigation.
Rep. Jason Chaffetz, R-Utah, questioned why Harris hasn’t been fired, given the department’s poor cybersecurity record and the questions raised by the IG’s investigation. Instead, Harris has collected more than $200,000 in bonuses from the department in the last decade, Chaffetz noted.
“You don’t have time to do that stuff,” Chaffetz said. “He’s off with these other businesses, getting subordinates to do the work … we’re giving him bonuses, and every single metric is going down.”
After the IG’s investigation, Harris was counseled by superiors on workplace ethics. The IG’s office sent his case to the Department of Justice for potential criminal charges, but that agency declined to prosecute.
Harris acknowledged he engaged in “poor judgment,” even though he did the outside work on his own time. He stopped charging for home theater installation in 2012 and stopped outside business activities with department employees, he said.
“I make no excuses,” he added.
Committee members questioned what message a lack of sanctions for Harris sends to other Federal employees. “You can’t have it both ways,” Chaffetz told Harris. “According to Mr. King, continue on, play on. You’ve had nothing docked in your pay. You got bonused up. I don’t know how you get away with it.”
Harris and John King Jr., the acting secretary of education, defended the CIO’s job performance, however. Harris has several other responsibilities beyond cybersecurity, and he’s done a good job in those roles, and the department is making significant progress on cybersecurity issues, King said.
Since mid-2015, the department has moved from having two-factor authentication on 11 percent of its protected systems to 95 percent of them, with plans to get to 100 percent by March, King said.
King has also redirected resources to address outstanding cybersecurity problems identified in past audits, he said. In addition, the agency plans to update or retire 90 percent of its 54 unsupported software systems by midyear.
“Although we have made and are continuing to make progress, I’m not satisfied about where we are as an agency,” King said.