CIOs’ answers on FAFSA breach leave lawmakers unsatisfied
One big question lingered Wednesday after a House hearing about a recent data breach that involved an IRS tool used by the Education Department to help people with student aid applications: Who is accountable when two or more agencies together provide a service that is breached?
Agency CIOs testifying before the Oversight and Governmental Reform Committee hesitated to take accountability for the incident — or even call it a breach — because of the uncommon nature of the situation. In response, lawmakers said the incident will undoubtedly inform how they think about laws governing federal IT.
The intrusions, which exposed the information of about 100,000 taxpayers, started with an Education Department site — the Free Application for Federal Student Aid, or FAFSA.gov. It gave students the option of using the IRS’s data retrieval tool to automatically transmit their parents’ or guardians’ previous tax information to their application.
The IRS took the tool down in early March, citing technical issues. However, it was later revealed the move was actually to address a breach: Tax criminals were using illegally obtained taxpayer information to login to the tool and steal additional personal information, which they then used to file fraudulent tax returns with the IRS. As many as 8,000 were filed, processed and completed, the IRS said, although some of that number could include legitimate returns.
At Wednesday’s hearing, IRS CIO Gina Garza qualified the incident as a breach by definition under the statute known as FISMA, which requires congressional notification within seven days. Lawmakers claim they weren’t notified until weeks later, in April, when IRS Commissioner John Koskinen testified on the matter before the Senate Finance Committee.
On the other hand, when asked whether he saw the incident as a data breach by definition, Education Department CIO Jason Gray responded that “through our analysis, there was no data that was compromised or viewed through this,” speaking about Education Department data only. “This was a case of unlawfully obtained information that was used to go through our system to pull information from the DRT.”
That is — though the malicious activity happened within the online federal student aid application process — the Education Department’s data wasn’t affected directly, so Gray did not see it as his responsibility to report the breach to Congress. He maintained that stance throughout most of the hearing.
Several lawmakers, including Rep. Darrell Issa, R-Calif., did not see it the same way.
“You together are like an automobile, and you’re saying that your right-hand wheel didn’t come off, but the left-hand wheel did or could have,” he said figuratively. “Ultimately the construction of the entire product was brought to a halt as a result of a failure.”
Bringing things back to a practical level, Issa continued: “If we are to do the next level of reforms this committee would be required to, if we’ve given each of you authority and one of you says ‘I’ve got a breach’ and the other says ‘I don’t’… how do we resolve making sure that the failure of the whole is in fact controlled by somebody?” Is the solution a some sort of “super CIO” in these scenarios, he wondered.
It’s also important to note that the IRS and the Education Department knew of the potential vulnerability within the DRT as far back as September 2016. But, as Garza explained in her opening testimony, the agencies decided to keep it running, balancing the risks and benefits, because there wasn’t yet evidence of malicious activity and it was such a valuable tool to students applying for aid in support of the Education Department.
Rep. Gerry Connolly, D-Va., continued where Issa left off.
“It seems to me it was incumbent upon the Department of Education to inform us in a timely fashion … the better part of wisdom would dictate that I would inform them even if I didn’t believe FISMA was triggered,” Connolly said.
After continuous grilling, Gray admitted, in hindsight, “it was important enough to notify Congress.”
Garza said she sees this as part of a larger problem Congress will have to continue addressing as large federal systems grow to be more interconnected, like Issa depicted.
“As the IRS continues to work with other agencies to provide data, it becomes more and more that we actually address the concern that you raise,” she told Issa. “I don’t have an answer for you now, but it’s something that we need to be very thoughtful about, cause I think this is going to start happening more often.”