U.S. Department of Education Data System Riddled With Vulnerabilities For Students

REUTERS/Kacper Pempel/Files
REUTERS/Kacper Pempel/Files
Emmett McGroarty and Jane Robbins

The U.S. Department of Education (USED) has been pushing, bribing, and otherwise “incentivizing” states to expand their student data systems to track students from preschool through the workforce. Using this data, USED claims, can transform education to ensure that each child develops into the type of worker and global citizen the government wants him to be.

This worldview presents fundamental philosophical problems, especially in the American system that was built on individual liberty and limited government. This goes to the issue of privacy – does the government have the right to compile this information, even for well-intentioned purposes? But the other, more pedestrian concern is simple data security – is the information the government has being kept safe?

The short answer is no.

At an extraordinary hearing of the House Committee on Oversight and Government Reform held on November 17, Inspector General Kathleen Tighe testified that USED’s so-called “data security” system is riddled with vulnerabilities. The problems encompass both lax controls over the people allowed access to sensitive data, as well as outdated technology and inadequate security to prevent unauthorized access.

USED’s system contains over 139 million Social Security numbers (largely through its office of Financial Student Aid), along with sensitive borrower information about students and families contained in the National Student Loan Database. The Office of the Inspector General (OIG) found that of the 97,000 account/users with access to this information (government employees and contractors), fewer than 20 percent have undergone a background check to receive a security clearance. Parents should be horrified at this casual approach to allowing data access.

But even if USED were scrupulous about limiting authorized access, both OIG and the General Accounting Office (GAO) found that the security mechanisms protecting that data are abysmal. Tighe’s indictment was devastating: “During our testing of the EDUCATE environment, OIG testers were able to gain full access to the Department’s network and our access went undetected by Dell [the vendor] and the Department’s Office of the Chief Information Officer.” Moreover, as the Committee reported, USED “is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.”

Let that percolate for a moment.

A federal department that’s using its massive power to increase collection and sharing of sensitive student information – and that wants its hands on as much of this data as possible – has demonstrated its utter inability to protect that data. In fact, it has demonstrated not only incompetence, but actual unconcern about the problem.

Dr. Danny Harris, USED’s Chief Information Officer, defended his department by downplaying the vulnerabilities. Harris led Rep. Will Hurd (R-TX) through a meandering explanation of the bureaucratic maze that he seemed to suggest prevents him from actually protecting student data. He also rationalized the four years it took to detect unauthorized devices on the USED network by claiming the department didn’t have the “talent” to act more quickly (actually, that damning statement is fairly easy to believe).

And under questioning from Rep. Jody Hice (R-GA) about the security risks created by USED’s horribly outdated technology, Harris claimed to be “working hard” to fix the problem. But not to worry, he said – the system is “reasonably secure” as it is.

The Committee posted other key takeaways from the testimony that ought to trouble every American:

  • [USED] scored a NEGATIVE 14 percent on the [Office of Management and Budget] Cybersprint [security program] for total users using strong authentication;
  • [USED] received an “F” on the [Federal Information Technology Acquisition Reform Act] scorecard;
  • [USED] maintains 184 information systems;
  • Twenty-nine [of these systems] are valued by the Office of Management and Budget as “high asset”; and
  • [USED] needs significant improvement in four key security areas: continuous monitoring, configuration management, incident response and reporting, and remote access management.

Chairman Jason Chaffetz (R-UT) summed up the problem: “[A]most half of the population of the United States of America has their personal information sitting in this database, which is not secure.”

It’s bad enough that USED is failing miserably at protecting the sensitive information of American students and their families. It’s even worse that the federal educrats are twisting arms in the state bureaucracies to ramp up data-collection efforts on students. If the feds can’t or won’t protect this data, are parents to believe that states – rushing to build out data systems to qualify for or spend federal money – will do a better job?

At the very least, every state should initiate an independent security audit of its own student data system. Parents have the right to know the truth about government-created risks to their children.

Jane Robbins is senior fellow for education at American Principles Project (APP). Emmett McGroarty is education director at APP.

COMMENTS

Please let us know if you're having issues with commenting.