In hearings this week and last fall, members of Congress warned that the U.S. Department of Education, with its databases containing sensitive information on millions of students and parents, is a prime target of hackers. The lawmakers accused top department officials of failing to secure the agency’s vulnerable information systems.
The hearings featured highly technical testimony from government investigators and department officials, along with plenty of finger-pointing and outrage from lawmakers. Yet amid all the anger and acronyms, observers may have been left wondering: Should I be worried? Here are some answers to questions you may have:
What’s really at stake here?
Quite a bit, actually. The department’s Central Processing System — which handles all applications for federal student aid, calculates eligibility for that aid, and notifies students and colleges of the results — contains an astounding 139 million unique Social Security numbers, along with sensitive financial information. The National Student Loan Data System, the central database for federal student aid, and the Common Origination Disbursement System, which delivers and tracks funds to students and colleges, also contain sensitive financial information and “personally identifiable information” about millions of students and families.
According to the Office of Inspector General, the department has experienced “sophisticated attacks on its IT systems” in recent years, with hackers using hostile websites, phishing campaigns, and stolen credentials to gain access to the systems.
So far, none of the attacks has exposed students’ or families’ personal or financial information, at least not that the department has acknowledged. But it could happen — and it already has at other agencies. Last summer the Office of Personnel Management reported that intruders had retrieved the personnel records of about 4.2 million current and former federal employees, along with background-investigation files for 21.5 million people. Around the same time, the Internal Revenue Service said third parties had gained access to 330,000 tax accounts using its Get Transcript application.
The IRS breach led to a temporary shutdown of that system, creating hurdles for some Pell Grant recipients last summer. The personnel-management agency also shut down key systems for a few weeks, and is paying for credit, fraud, and identity monitoring for millions of people.
What were those “F” acronyms — Fisma and Fitara — that lawmakers at the hearing kept bandying about? And who gave the Ed Department an “F” on information management?
Let’s tackle Fisma first. Fisma is short for the Federal Information Security Management Act, a 14-year-old law that requires each federal agency to have an information-security plan for all of its data systems, including those provided or managed by another agency or contractor. It also requires agencies’ inspectors general to annually evaluate their plans and practices.
The Education Department’s inspector general has consistently found weaknesses in the department’s oversight, with many of the same deficiencies appearing across multiple years’ audits. In 2015 the inspector general gave the department the lowest rating — one out of five — for its efforts at “continuous monitoring” and found the agency was “not generally effective” in three other areas. During a “friendly hack” of one of the department’s major systems, investigators were able to gain full access to the network undetected by the agency or its contractor.
In testimony before the House of Representatives Committee on Oversight and Government Reform in November, the inspector general, Kathleen S. Tighe, said the department and the Office of Federal Student Aid “remain vulnerable to attacks” and “must work harder to address existing weaknesses.”
Department officials said they were making progress in all four areas identified as weak, including replacing the aid office’s student-identification system with a more rigorous one.
Fitara — the Federal Information Technology Acquisition Reform Act — is a newer piece of legislation that became law as part of a defense authorization in 2014. It requires chief information officers to approve technology budget requests, categorize IT investments by risk, and develop plans to consolidate their agencies’ data centers, among other things.
Last fall the Government Accountability Office rated 24 agencies on their compliance with the law. Most agencies performed poorly, but only three received an F overall — the Departments of Education and Energy and the National Aeronautics and Space Administration.
What’s this about the department bombing on a “cybersecurity sprint,” too?
Last summer, in the wake of the security breaches at other government agencies, the federal chief information officer started a 30-day “cybersecurity sprint” aimed at improving information security governmentwide. The exercise called for agencies to patch critical vulnerabilities and speed up a switch to “multifactor authentication” for users seeking access to systems, among other things.
By the end of the 30-day effort, most agencies had drastically increased the number of users subject to multifactor authentication. Education was one of only four agencies to regress, with the share of users with strong authentication declining to 57 percent from 71 percent.
But the department has improved since then. At this week’s hearing, the acting secretary, John B. King Jr., said that 87 percent of users now have two-factor authentication. The agency expects to be fully compliant in March, he said.
Aren’t a lot of these data in the hands of government contractors?
Right you are. According to the inspector general, more than 120 of the department’s 184 information systems are operated by contractors or subcontractors. Not all of them contain personally identifiable data, but many do.
Government employees and contractors have access to those systems, as do colleges and their third-party servicers. A recent audit by the inspector general found that the department isn’t doing enough to ensure that debt collectors and guarantors are safeguarding sensitive student-loan information.
Meanwhile, many colleges aren’t notifying the department when they contract with outside servicers to administer student aid. That lapse has made it difficult for the department to determine whether the companies are following federal laws and security protocols.
This past fall the Education Department held a series of webinars offering colleges guidance on protecting personal student information. One presenter urged participants to weigh what a privacy breach could cost their college — in credit-monitoring fees, time offline, and reputational damage. “Consider how much confidence would students and parents have in the security of your data after a breach,” she urged.
What about my institution? Is it a prime target, too?
Colleges are no more at risk of an attack than businesses in the financial sector, retail, or health care, said Kim Milford, executive director of the Research and Education Networking Information Sharing and Analysis Center, at Indiana University at Bloomington.
“People love to say we’re targeted, and there are some instances, especially around intellectual property for research,” where that’s true, she said. “But for the most part we’re a microcosm.”
The biggest risks for colleges continue to be phishing scams and denial-of-service attacks, she said.
Ms. Milford likened information security on college campuses to the Whac-A-Mole game. “The bad actors will try something; we’ll run in that direction, and patch that hole. We’re constantly playing catchup,” she said.
But she said universities were becoming more proactive, particularly when it comes to multifactor authentication and the encryption of sensitive data.
Still, “these are expensive solutions that require not just the technology, but the education of end users,” she said. “The folks at universities are super-busy, so they can’t always just drop everything and get training.”
Correction (2/4/2016, 10:19 p.m.): This article originally provided an incomplete rendering of what the acronym Fitara stands for. It’s the Federal Information Technology Acquisition Reform Act, not the Federal Information Technology Acquisition Act. The article has been updated to reflect this correction.
Kelly Field is a senior reporter covering federal higher-education policy. Contact her at kelly.field@chronicle.com. Or follow her on Twitter @kfieldCHE.
Kelly Field joined The Chronicle of Higher Education in 2004 and covered federal higher-education policy. She continues to write for The Chronicle on a freelance basis.