[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
U.S. DEPARTMENT OF EDUCATION:
INVESTIGATION OF THE CIO
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 2, 2016
__________
Serial No. 114-131
__________
Printed for the use of the Committee on Oversight and Government Reform
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
________
U.S. GOVERNMENT PUBLISHING OFFICE
25-501 PDF WASHINGTON : 2017
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan Columbia
JUSTIN AMASH, Michigan WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee JIM COOPER, Tennessee
TREY GOWDY, South Carolina GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida TED LIEU, California
MICK MULVANEY, South Carolina BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina MARK DeSAULNIER, California
ROD BLUM, Iowa BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
Jennifer Hemingway, Staff Director
Katie Bailey, Government Operations Subcommittee Staff Director
Michael Flynn, Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
C O N T E N T S
----------
Page
Hearing held on February 2, 2016................................. 1
WITNESSES
Mr. Danny A. Harris, Chief Information Officer, U.S. Department
of Education
Oral Statement............................................... 6
Written Statement............................................ 9
Ms. Sandra Bruce, Deputy Inspector General, U.S. Department of
Education
Oral Statement............................................... 13
Written Statement............................................ 15
Ms. Susan Winchell, Assistant General Counsel for Ethics, U.S.
Department of Education
Oral Statement............................................... 21
Written Statement............................................ 23
Mr. John B. King, Jr., Acting Secretary, U.S. Department of
Education
Oral Statement............................................... 29
Written Statement............................................ 31
APPENDIX
RESPONSE from Mr. King ED to Questions for the Record............ 90
RESPONSE from Ms. Winchell ED to Questions for the Record........ 92
U.S. DEPARTMENT OF EDUCATION: INVESTIGATION OF THE CIO
----------
Tuesday, February 2, 2016
House of Representatives,
Committee on Oversight and Government Reform,
Washington, D.C.
The committee met, pursuant to call, at 10:02 a.m., in Room
2154, Rayburn House Office Building, Hon. Jason Chaffetz
[chairman of the committee] presiding.
Present: Representatives Chaffetz, Mica, Walberg, Amash,
DesJarlais, Farenthold, Lummis, Meadows, DeSantis, Mulvaney,
Buck, Walker, Blum, Carter, Hurd, Palmer, Maloney, Norton,
Clay, Connolly, Kelly, Lawrence, Lieu, Plaskett, and Lujan
Grisham.
Chairman Chaffetz. The Committee on Oversight and
Government Reform will come to order. Without objection, the
chair is authorized to declare a recess at any time.
This is a follow-up to our November 17, 2015, hearing, and
as part of my opening remarks, I would actually like to yield
to the gentleman from Texas, Mr. Hurd.
Mr. Hurd. Thank you, Mr. Chairman.
Last November, I said in my opening remarks that the
challenges facing the Department in the area of cybersecurity
were not only technical in nature. The tools to address these
issues already exist, whether it be continuous monitoring,
EINSTEIN, or multifactor authentication. The list goes on. The
technology is here.
Cybersecurity for the Federal Government is a matter of
quality management and effective leadership, not just tech, and
I am pleased to see not only Mr. Harris back before this
committee today but also Acting Secretary King.
Because cybersecurity and information technology are issues
that must be addressed not only by the CIO's office but also by
the agency head. Implementation of FITARA and ensuring FISMA
compliance are issues agency heads need to know about.
Agencies can't treat data centers, multifactor
authentication, and legacy technologies as something just for
the CIO staff. Cybersecurity and IT management are mission-
critical infrastructure. They are as much a part of the
agency's mission as student aid.
And who is ultimately accountable for IT and cybersecurity
issues? The answer isn't only Mr. Harris and his team in the
OCIO shop. It is also you, Mr. King.
My amendment was included in the Student Success Act, which
restated the intent of Congress that students' PII was of the
utmost importance to protect. This committee will continue to
hold agencies responsible for the state of our agencies'
information technology and cybersecurity posture.
The good news for the Department of Education and really
the American people is that we aren't here today to discuss a
massive data breach involving millions of Americans' PII. We
are here today, however, to examine whether we have the
management in place at the Department of Education to handle
this crucial challenge. We need to ensure that this is the
leadership team that can put the tools and processes in place
to ensure that we aren't back here again in a month or two
talking about a data breach at the Department of Education.
Thank you, Mr. Chairman, and I yield back.
Chairman Chaffetz. I thank the gentleman.
This is a very important hearing. In the IT sector, it is
absolutely critical that we secure our data. We have seen the
data breaches of huge proportions in the private sector; we
have seen them at the White House, the Department of State,
Internal Revenue Service, and certainly the Office of Personnel
Management.
Like these agencies, the Department of Education is a prime
target. It houses the personal information of more than 139
million Americans. The data breach at the Office of Personnel
Management was something like 22 million, but there are 139
million Americans that would be affected by a data breach at
the Department of Education.
We also need to remember that the Department of Education
also oversees a student loan portfolio of more than $1.2
trillion. This puts it on the proportion of Citibank and other
major financial institutions. It is critical because taxpayers
deserve the best in our chief information officer, and they are
not getting the best at the Department of Education.
The inspector general testified recently the Department
continues to be vulnerable to security threats and has
repeatedly failed to implement the recommendations and failed
to detect friendly hacks into their system. The Department
scored a negative--it was one of just a handful of agencies--
but a negative 14 percent on the Office of Management and
Budget's cyber sprint. Cyber sprint was intended to get
government-wide, get them up to speed, put more security in
place, and yet the Department of Education was one of a handful
of agencies that actually scored negative on that. And they
received an F in the FITARA scorecard. This is a self-reported
score, and they scored an F.
Mr. Harris has served as the chief information officer
since 2008, and by virtually every metric, he is failing to
adequately secure the Department's systems.
The committee's concerns were further amplified after
learning Mr. Harris was investigated for possible criminal and
administrative misconduct. The IG closed its investigation a
few months ago, finding that the CIO potentially broke 12
Federal laws, regulations, and/or agency directives. But the
Department of Justice refused to prosecute. That is a mystery
to us. We don't understand why they would not prosecute such
wide use and abuse of the system.
Mr. Harris was running two side businesses he intentionally
failed to disclose on federally required ethics forms--a home
theater installation business, a car detailing business--and
inappropriately used agency resources and most likely agency
time. Mr. Harris also admitted to the inspector general he did
not report the income to the Internal Revenue Service. Now,
most Americans would get in trouble for this type of situation,
basically hiding information from the IRS.
Additionally, the inspector general raised serious
allegations that Mr. Harris influenced a government contract.
As a high-ranking public official, Mr. Harris played a role in
awarding and oversight in contracts to a close friend's
company.
Equally disconcerting are the anonymous tips that the
inspector general described Mr. Harris's leadership as
intimidating. This investigation started because people within
the Department of Education expressed concern as
whistleblowers, and the morale in the office of the CIO is an
all-time low due to a dysfunctional environment that Mr. Harris
has cultivated.
Let me put up the first--the chart. There we go.
[Slide.]
Chairman Chaffetz. We rely heavily upon a disinterested
third party to come in and evaluate. These are 14 metrics in
the Office of the CIO at the Department of Education. Every
single score is going down. Every single one of those is
negative. And the Office of the Chief Information Officer at
the Department of Education scored 285 out of 320, near the
very bottom of his class.
You can take that chart down.
Look at the turnover rate for the IT staff within the
Department of Education. Fiscal year it was down--it was 5
percent. Turnover rate in fiscal year 2014 was 6 percent.
Turnover rate in 2015 was 10 percent. It is a key metric in an
understanding that maybe things aren't very good in that
department. Every key metric is down. They are scoring an F on
their scorecard.
You have got an IG who is making a recommendation for
criminal prosecution with the Department of Justice, and what
does the Department of Education do? They give him bonuses.
More than $200,000 in bonuses Mr. Harris got over the last 10
years. And I want to know why. We have got good quality people
working at the Department of Education, and we have got
something wrong going on in that department and we are bonus-
ing him up? That makes absolutely no sense.
Mr. Harris came and testified before this committee in
November. I asked him a basic question about IT. Are you using
COBOL? COBOL was instituted in the 1960s. The answer was no, we
are not using it. It ends up they have more than 1 million
lines of code in the Central Processing System, also in the
National Student Loan Database. So he is off with these other
businesses getting subordinates to do the work, taking bonuses,
has three other jobs, and we are giving him bonuses.
Every single metric is going down, scoring an F on the
scorecard, there is a vulnerability, and there is 139 million
people who are at risk. We don't have time to play these kind
of games. This is exactly what the Oversight and Government
Reform Committee is all about.
Mr. Harris has had roles as an adjunct professor at Howard
University, consulting for the Detroit public schools. He does
IT consulting services for the city of Detroit.
Congratulations. You don't have time to do that stuff.
Simply put, when the CIOs fail to bring high management and
ethical standards to their work, institutions suffer, systems
are weakened, and the data of millions of Americans are in
danger.
For all the wrongdoing here, I am telling you there are a
lot of good people who rely on the Department of Education.
They work there. There are people at home in every State and
every corner of our country who rely on this. But you know
what? There are 10, 10 senior officials at the Department of
Education under investigation right now. Mr. Harris is one of
them. Bob Shireman is another one. Who are the other ones?
Because this is an agency that has to function. If we are going
to pour the billions of dollars in it, they have got to deal
with it ethically. But we are looking at a situation here that
is not going well, and that is why we have the hearing here
today.
Chairman Chaffetz. With that, I will now recognize the
ranking member. We are glad to have Ms. Plaskett filling that
role today. And we will now recognize her. Thank you.
Ms. Plaskett. Thank you very much, Mr. Chairman. Thank you
all for being here this morning.
It is critical that all Federal employees meet the highest
ethical standards and avoid even the appearance of impropriety.
It is therefore essential that agencies take swift and
appropriate action upon learning that one of their employees
has engaged in either misconduct or exercised poor judgment in
their work.
In this instance, the Department of Education's inspector
general conducted a thorough investigation into allegations of
wrongdoing involving the Department's chief information
officer, Mr. Danny Harris. In doing so, the IG dismissed some
of those allegations as unsubstantiated and suggested that
others ``may have violated Federal laws, regulations, and
departmental directives.''
Now, while the IG's report of investigations indicated that
the CIO, Mr. Harris, may have violated Federal laws, it appears
that law enforcement authorities who examined the alleged
misconduct did not find any criminal wrongdoing after their
investigation. That being said, the IG reports a series of
errors in judgment by the CIO that raised valid questions about
his ethical conduct.
For example, though the IG did not find that the CIO
influenced the Department's contracting process, the IG did
find that the CIO had ``participated in awarding Department
contracts to a company while having a personal relationship
with the company's owner.'' We definitely need to ask you about
that.
The IG also found that, for a period of time, the CIO used
his subordinate staff to help him run a home theater
installation and car detailing business. While the IG did not
identify anything prohibiting the CIO from running these
businesses during non-work hours, the CIO's decision to use
both subordinate employees and failure to report the earned
income from that work shows, at a bare minimum, poor judgment
on his part.
While the Department cannot identify any specific policies
or procedures that the CIO had violated, it took corrective
action, including mandating that he undergo at least four in-
person counseling sessions, as well as receive formal written
ethical guidance going forward.
Since those counseling sessions, the CIO has reportedly
taken the necessary steps to correct the deficiencies the IG
found, and most importantly, since 2012, the CIO has not
engaged in any of the ethically questionable behavior that the
IG raised in the investigation.
The fact that the CIO is no longer engaged in questionable
conduct is nothing to celebrate. As a senior official in the
Department, the CIO holds a critical leadership role, and as
such, is expected to set a positive tone and example for the
employees he supervises. If the Department employees cannot
trust their CIO is guided by the highest ethical standards at
all times, what message does that send in the Department of
Education? It must be made clear that even borderline ethical
conduct will not be tolerated by your department.
I look forward to hearing directly from the Acting
Secretary of the Department, Mr. King, John King, and the CIO
himself, Mr. Danny Harris, who is here, on what steps they have
taken to ensure that an appropriate tone is set for all
employees at the department and what specific policies have
been put in place, along with procedures to assure that these
types of actions will not occur again.
Given the critical role of the CIO in the Department's IT
security, valid questions may be raised today about his
effectiveness in light of not only the IG's report but prior
audits the IG conducted on the adequacy of the Department's IT
security. Those audits were examined at length by this
committee during a hearing it held this past November on the
state of the Department's cybersecurity. I expect that we will
hear today from the CIO not only on an update of any
improvements and progress the Department has made in
cybersecurity since the hearing, but also his vision, your
vision, Mr. Harris, and plan for strengthening Department's
overall information system.
Thank you, Mr. Chairman.
Chairman Chaffetz. Thank you. And we will hold the record
open for 5 legislative days for any members who would like to
submit a written statement.
We will now recognize our witnesses. Mr. Danny Harris
currently serves as the chief information officer of the United
States Department of Education, a role he has served in since
2008. Prior to his current position, Mr. Harris served as
deputy chief financial officer for 5 years. In his capacity, he
was responsible for contract administration, grant management,
accounting, risk management, internal controls, internal
travel, and financial management systems.
Ms. Sandra Bruce currently serves as the deputy inspector
general of the United States Department of Education, and she
has more than 30 years of experience directing, overseeing, and
managing complex audit inspections and investigative-related
programs.
Ms. Susan Winchell has served as the assistant general
counsel for ethics at the United States Department of Education
since 2007. Ms. Winchell previously served as the deputy
assistant general counsel and is the associate general counsel
at the U.S. Office of Government Ethics.
Mr. John King currently serves as the Acting Secretary of
Education, a position he assumed in January of 2016. Before
becoming Acting Secretary, Mr. King had served since January of
2015 at the Department as the principal senior advisor. This is
Mr. King's first time testifying before our committee, and we
welcome you here today. Thank you for joining us.
Pursuant to committee rules, all witnesses are to be sworn
before they testify. If you will please rise and raise your
right hand.
[Witnesses sworn.]
Chairman Chaffetz. Thank you. Please be seated. Let the
record reflect that the witnesses all answered in the
affirmative.
In order to allow time for discussion, we would appreciate
if you would please limit your oral testimony to 5 minutes, and
your entire written statement will be made part of the record.
Mr. Harris, you are now recognized for 5 minutes.
WITNESS STATEMENTS
STATEMENT OF DANNY A. HARRIS
Mr. Harris. Thank you. Chairman Chaffetz, Ranking Member
Plaskett, and members of the committee, thank you for giving me
the opportunity to share with you my response to the
allegations raised and investigated by the Department's
inspector general.
I've been proud to serve the public for the last 32 years
at the Department of Education. However, in light of the IG's
investigation and the counseling I received from the Office of
the Deputy Secretary and the Office of the General Counsel at
the Department, I fully understand and I take full
responsibility for how some of my actions could allow questions
to arise about my judgment. I view my behavior as unacceptable
and I have learned from this experience.
Before I address the topic of this hearing, I'd like to
provide the committee with an update on the progress on
cybersecurity since the last time I sat before you in November.
Since that time, the Department has enhanced its progress by
standing up an Integrated Project Team that will be tracking
all corrective action plans tied to FISMA or financial
statement audits. The team is made up of the general counsel,
myself, the deputy CIO, FSA chief operating officer, and the
FSA CIO. I believe focusing this level of attention by senior
members of the agency will help ensure we meet our targets.
The team will meet on a weekly basis to ensure that all
corrective actions are resolved based on the dates provided to
and agreed upon by the IG. The team will be paying particular
attention to any items associated with the Department's high
value assets, as well as items listed as repeat findings.
With respect to the IG's investigation, I have promptly and
fully cooperated with the investigation. While I was not
provided with a list of specific accusations against me, based
on the questions during the investigation and the counseling I
received, I understand that some concerns were expressed about
my interactions with subordinate employees.
My management style is to make an--take an interest in and
care about my colleagues and subordinates. I've been blessed
with the opportunity to work with many outstanding individuals
and even more blessed to have formed a friendship with some of
the employees at the Department.
Again, based on questions during the investigation and the
counseling I received, I believe that concerns were raised
about my conduct with respect to my hobbies. This is, in my
personal time, I enjoy detailing cars. Additionally, prior to
the investigation, I had also enjoyed installing audio/video
equipment. My staff members at the Department were aware of
these hobbies, and two of these individuals in particular were
interested in learning more about these activities. I now
realize that by including them in my hobbies, for which they
were compensated, I used poor judgment.
With regard to helping others on my team with home
projects, I now understand that that could be misconstrued.
Each request by staff was predicated by them approaching me and
expressing an interest in benefiting from my experience.
I think it is important to note that while I did not view
these activities as a business, I nevertheless understand how
it could be perceived. Therefore, I have ceased to install any
audio/video equipment or engage in activities with staff where
there is compensation. The last time I performed work related
to installing audio/video equipment for anyone and accepted
compensation was in 2012.
The IG investigators also asked me questions related to the
employment of a relative. My relative used the standard process
to apply for a vacant position, and I had no part in the
application process. The relative did not report to me or
anyone working in my supervision. As I confirmed for the IG
investigator, I did inquire with some colleagues whether they
had openings in their office, and my relative is no longer
working at the agency.
With respect to my relationship with the owner of a vendor
that performed work with the agency, I acknowledge that I did
develop a personal relationship with the vendor around 2008. As
CIO, I did not and do not have a role in determining who will
be awarded contracts. At no time did I advocate for this vendor
or ask staff to treat this vendor any differently than other
vendors. I have also ended my personal relationship with the
vendor effective February 2013.
After cooperating with the IG investigators, I was
counseled by then-Deputy Secretary Tony Miller in 2013, and
later counseled by the ethics attorney Susan Winchell and
Deputy Secretary Shelton and King. I also received a written
counseling memo. I took each of these sessions very seriously,
and immediately following my initial counseling, consulted any
records I had with respect to my hobby and amended my tax
returns to the IRS for 2008 through 2010. I determined I had no
additional income for 2011 and reported the additional income
on my 2012 tax returns and my form 278. The updated returns
reflected a nominal increase, of which was roughly 1 to 2
percent increase of my total household income.
I have benefitted from the counseling of three deputy
secretaries, as well as by the agency's lead attorney for the
ethics division, Susan Winchell. While, at the time, I did not
view my actions to be in violation of any laws, regulations, or
policies, I do appreciate, however, that others viewed my
conduct as questionable. I have severed my personal
relationship with one vendor which I had developed a
friendship. I no longer participate in activities related to
installing audio/visual equipment, and I do not accept funds
for detailing cars.
I appreciate the opportunity to answer any questions you
may have about the testimony. Thank you.
[Prepared statement of Mr. Harris follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Ms. Bruce, you are now recognized for 5 minutes.
STATEMENT OF SANDRA BRUCE
Ms. Bruce. Chairman Chaffetz, Ranking Member Plaskett, and
the members of the committee, thank you for inviting me here
today to discuss the Department of Education Office of
Inspector General investigation of Dr. Danny Harris, the
Department's chief information officer.
As detailed in my written testimony, in 2011 and 2012, the
OIG received two anonymous complaints concerning allegations of
criminal and administrative misconduct by Dr. Harris. The
complaints included allegations that Dr. Harris improperly
awarded contracts to a company owned by his personal friend,
operated a home theater installation business with a
subordinate employee, and solicited other Department employees
to perform work for this business.
During our investigation, we learned of additional
complaints alleging that Dr. Harris operated a business
detailing cars where he employed subordinate employees to
assist with the detailing work and also accepted payments from
subordinate employees for detailing their cars; instructed a
subordinate employee to purchase products from eBay for his
home theater business and sold items on eBay using the
subordinate's account, splitting the proceeds with the
subordinate, and further used his Department email account to
conduct these transactions; appeared to have advocated for a
relative's employment within the Department; and appeared to
have made a $4,000 personal loan to one of his subordinate
staff.
By April 2013, our investigation had substantiated most of
these allegations. Our investigation determined that Dr. Harris
operated outside business ventures involving home theater
installation and car detailing with members of his subordinate
staff; had business cards and received payments from
subordinate employees for services provided by those ventures.
Dr. Harris informed us that the home theater installation
venture generated at least $10,000 in income, which exceeded
the $200 annual threshold that required reporting on the Public
Financial Disclosure Report, Office of Government Ethics form
278. Dr. Harris admitted that he did not report the income on
the required forms during the relevant time periods.
The Department's designated ethics official informed the
OIG that Dr. Harris not reporting the income on his ethics
forms was a problem that needed to be referred to the U.S.
Attorney's Office. Dr. Harris also advised that he did not
report this income on his taxes and acknowledged that he
probably should have done so.
Our investigation also determined that Dr. Harris used his
Department email account to conduct his outside business
ventures.
Participated on a panel that awarded a contract to a
company owned by someone he had a personal relationship with.
His participation, however, did not result in that contract
being improperly awarded
Took actions to help a relative secure employment within
the Department. The relative was employed at the GS-4 level
from 2010 to 2013.
Made a loan--a $4,000 loan to one of his subordinate staff.
We received conflicting information regarding the
allegation that Dr. Harris instructed a subordinate employee to
purchase products from eBay for his home theater business. Dr.
Harris stated that the purchase was for his personal use. The
employee stated the purchase related to the home theater
installation business.
As our criminal investigation into the allegations against
Dr. Harris continued, we provided a report of our initial
findings to the Department so that it could take appropriate
administrative action against Dr. Harris. The OIG also made a
referral to the Internal Revenue Service regarding Dr. Harris's
failure to report all of his income on his income tax returns.
In February 2015, the U.S. District Attorney's Office for
the District of Columbia declined prosecution of all issues
based on the availability of administrative remedies. In March,
we submitted another report to the Department noting the U.S.
attorney's decision.
In June 2015, the acting deputy secretary responded to our
report stating that, overall, the Department found no violation
of law or regulation. Instead, the acting deputy secretary said
that he believed Dr. Harris displayed certain lapses in
judgment, which were addressed through counseling provided by
the two prior deputy secretaries and the acting deputy
secretary, and also guidance provided by the Department's
ethics official.
We closed our investigation administratively in September
2015.
This concludes my remarks, and I am happy to answer your
questions.
[Prepared statement of Ms. Bruce follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Ms. Winchell, you are now recognized for 5 minutes.
STATEMENT OF SUSAN WINCHELL
Ms. Winchell. Chairman Chaffetz, Representative Plaskett,
members of the committee, thank you for the opportunity to
appear before you today and discuss the matter regarding the
Department's chief information officer, Danny Harris.
As the designated agency ethics official at the Department,
I am responsible for running the Department's ethics program. I
believe a successful and effective ethics program must ensure
that all employees have enough information about the rules to
either know how to comply with them or to know when to ask
questions and who to ask. I take this responsibility very
seriously.
I first became aware of the IG's investigation in February
of 2013. At that time, in developing recommendations for deputy
secretary, I took into consideration that no ethics rules had
been violated, that the activities had already ceased, and that
the matter had been referred to the U.S. attorney.
I subsequently participated in conversations regarding a
question from the deputy secretary about whether it would be
appropriate to reassign Dr. Harris from the OCIO position to
another position. Based on the information provided in the
report, we concluded that that would be a drastic action under
the circumstances and was neither reasonable nor required.
According to information provided in the IG's report, the
kinds of financial relationships Dr. Harris engaged in with
subordinates are not covered by the criminal conflict of
interest statute, but they do raise potential concerns under
the standards of ethical conduct. I believe that paying a
subordinate to provide services outside of work and providing
personal services to--for a fee to a subordinate does create a
``covered relationship'' with those subordinates. However,
under the rules, the determination about whether a recusal is
required rests with the employee first.
While the ethics official may make a binding and
independent determination about the necessity of a recusal,
that determination may not be applied retroactively under the
rules. Dr. Harris has now been counseled that he may not have
outside financial relationships with any subordinate because
the--as the ethics official, I have determined that such
relationships could give rise to the appearance of a lack of
impartiality.
With respect to his friendship with the owner of a vendor,
information in the IG's report suggests that Dr. Harris formed
a close personal friendship with the vendor in approximately
2010. However, in my reading of the IG's report, I concluded
that the information presented did not support a conclusion
that a close personal friendship existed at the time Dr. Harris
participated in the selection of the vendor or the
implementation of the resulting contract.
According to the IG's report, Dr. Harris failed to report
income he received from his outside activities on his public
financial disclosure report. Dr. Harris has reported--did
subsequently report income on his report covering calendar year
2012. He has not reported any such income in subsequent years.
The IG's report does not contain information to support a
conclusion that the omissions were willful.
The IG's report states that Dr. Harris advocated for a
relative to be hired at the Department. From an ethics
perspective, I reviewed the information provided in the report
to determine whether Dr. Harris misused his government position
in attempting to obtain employment for a relative. I concluded
that he did not, as there is no information showing that he
participated in or attempted to influence the hiring process.
In my view, a simple inquiry about job openings that might be
suitable for a relative is not, without more, a misuse of
position under the rules.
Finally, I reviewed the allegation that Dr. Harris misused
Department equipment and resources by using Department email
and other electronic resources in connection with his outside
activities. However, the IG's report did not clearly establish
whether the outside activities were a business or a hobby. If
the activities were a business, personal use of government
equipment is prohibited under the Department's policy. However,
if they are a hobby, the Department policy does permit a
certain amount of personal use of such equipment.
I met with Dr. Harris in his office on March 21, 2014. I
reviewed the ethics laws and rules regarding conflict of
interest and appearance of lack of impartiality. This
discussion focused, to a large extent, on how to handle friends
in the workplace and appearance issues that arise when
supervisors and subordinates have financial relationships
outside of work. I also discussed gifts between employees and
misuse of government equipment.
Chairman Chaffetz, Representative Plaskett, and the members
of the committee, this concludes my statement, and I am happy
to answer any questions you may have.
[Prepared statement of Ms. Winchell follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Mr. King, you are now recognized for 5 minutes.
STATEMENT OF JOHN B. KING, JR.
Mr. King. Thank you. Chairman Chaffetz, Representative
Plaskett, and members ----
Chairman Chaffetz. Your microphone doesn't appear to be on
there.
Mr. King. Chairman Chaffetz, Representative Plaskett, and
members of the committee, thank you for the opportunity to
appear before you today.
In January of 2015, I joined the Department as senior
advisor delegated the duties of deputy secretary, and I became
Acting Secretary on January 1 of this year when Secretary Arne
Duncan stepped down.
I firmly believe that providing our children with a great
education is not just about subject matter knowledge, but also
about instilling the values that will help them become faithful
contributors to our communities and democracy. I expect all
Department employees to adhere to the highest standards of
ethical conduct.
Before I address the actions taken by the Department with
respect to the report by the inspector general in this matter,
I'd like to provide you with a brief update of what the
Department has achieved to enhance our cybersecurity since the
agency last testified before this committee, as I believe we
have made meaningful progress.
Specifically, we have moved from a rate of 11 percent
compliance for two-factor authentication of all privileged
users at the conclusion of the cybersecurity sprint to an
overall compliance rate of 95 percent as of January 31, 2016.
We continue to work aggressively with a single external vendor
to accelerate implementation of two-factor authentication for
the remaining privileged users at that vendor and project to
achieve 100 percent compliance during March 2016.
I view cybersecurity as a responsibility of the entire
agency, not just that of any one individual. And although we
have made and are continuing to make progress, I am not
satisfied with where we are as an agency. I've notified my team
that we must do better, and I've directed my team to
immediately undertake additional actions to strengthen our
cybersecurity.
These steps include using a focused and disciplined
approach to systematically resolving and addressing the root
causes behind any cybersecurity-related findings from both our
2015 FISMA audit and the 2015 financial statement audit.
I have also directed the team to take additional steps to
increase end-user cybersecurity awareness, to strengthen our
incident response capabilities, and to continue to build the
capacity of our internal team through hiring of additional
professionals with expertise on these issues who can assist us
in implementing best practices and improving the Department's
cybersecurity program.
Returning to the IG's investigation and report issued to me
in March 2015, I considered very seriously the allegations.
Ultimately, my response to those allegations closed a several-
years-long investigation and confirmed and supplemented the
work of two prior deputy secretaries at the Department there
and my staff and our Office of the General Counsel.
I considered this matter in the overall context of Dr.
Harris's more than 30-year career with the Department. Dr.
Harris has been steadily promoted under administrations of both
parties to roles of increasing responsibility. He was promoted
to the Senior Executive Service in 1998 and was appointed to
his current role as CIO during the prior administration under
Secretary Spellings in 2008. He has been widely recognized for
his work in the CIO role.
Given that history of service and my commitment to ethics,
I was therefore troubled to learn of the IG's investigation.
However, I was also informed that Dr. Harris had been counseled
by former Deputy Secretary Tony Miller on this matter, as well
as my immediate predecessor, former Deputy Secretary Jim
Shelton and the agency's lead career ethics attorney Susan
Winchell.
Upon receiving the IG's addendum in 2015, I again consulted
with the general counsel's office. The synopsis of the addendum
stated that the U.S. Attorney's Office in the District of
Columbia had declined prosecution. After reviewing the
addendum, the Office of General Counsel and Ms. Winchell
advised that the additional information included in the
addendum served to confirm the conclusions reached by the
Office of General Counsel and two prior deputy secretaries
following receipt of the initial report, namely, that the OIG
investigative materials did not include information that could
support a finding that Dr. Harris had violated any law, rule,
or regulation.
I considered all of these factors, along with the fact that
the actions in question had occurred several years earlier, had
since ceased, and that Dr. Harris took immediate responsibility
for his actions and, where appropriate, included the relevant
income on his financial disclosure forms and took other
corrective actions.
Based on these facts, I determined the appropriate course
of action was to supplement the actions already taken with
counseling of my own for Dr. Harris on these serious matters. I
also asked Ms. Winchell to confirm her prior oral counseling to
Dr. Harris in writing.
As I stated at the outset, ensuring that the public's
business and our work of expanding educational opportunity for
all students are carried out according to the highest standards
of ethical conduct is vitally and personally important to me. I
believe the Department took appropriate actions to address the
issues raised by the investigation and ensure that they are not
repeated as we continue to work to rapidly strengthen our
cybersecurity posture, an area of critical need and a top
management priority for me over the coming year.
Thank you for the opportunity to testify, and I look
forward to answering any questions you may have.
[Prepared statement of Mr. King follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
I will now recognize the gentleman from Florida, Mr. Mica,
for 5 minutes.
Mr. Mica. I think Congress and the American people have to
think that a CIO position, chief information officer position,
stands for chaos, ineptness, and outrage after what we have
learned this morning. The CIO is an important position to
protect the integrity of information data. I think you have
what, Mr. King, 139 million records that you possess, personal
information, $1.2 trillion of information on people who have
student loans, and anyone who has applied, I guess, has all
that background information.
At the very least, Ms. Bruce, Mr. Harris was acting
improperly according to your investigation. I think there has
been some hairsplitting here on whether it was a business or a
hobby. You found information that it was a business, I think,
in your investigation, did you not, Ms. Bruce?
Ms. Bruce. That's correct.
Mr. Mica. Yes. And I guess also if you don't report the
income on your disclosure--that is financial disclosure--that
is also a violation, Ms. Bruce?
Ms. Bruce. Yes, according to 5 U.S.C. at 104.
Mr. Mica. Yes.
Ms. Bruce. Although the Department has decided that,
because it was not done knowingly and willfully, it doesn't
pursue a civil action. Knowingly only has to be established to
do administrative ----
Mr. Mica. And it was corrected after the fact, is that not
correct? That is ----
Ms. Bruce. That's correct.
Mr. Mica. Yes. Well, Mr. Harris, you are a senior executive
service position, is that correct?
Mr. Harris. That is correct, sir.
Mr. Mica. Yes. And you have been the CIO since 2008, is
that correct?
Mr. Harris. That is correct, sir.
Mr. Mica. And every year since 2008--we will take you to
2011--the FISMA audit contains findings of failure of the
protection of the records and all of the information you are
charged with, according to what we have. That is correct. And
in that time, you received bonuses of $116,000, according to
our report. That is just part of the record, right, Mr. Harris?
Mr. Harris. That's correct, sir.
Mr. Mica. This whole investigation started in December
2011. In the meantime, he received bonuses in 2012 of $17,000;
2013, $17,000; 2014. During all that time period, the
information I have is your performance, the job you were hired
for as the chief information officer, you had failing
evaluations. Is that correct?
Mr. Harris. That is not correct, sir.
Mr. Mica. It is correct to the information that we have.
The only information we had just now is Mr. King mentioned that
since January they have done better. But it appears you have
actually failed in your mission.
First, your ethics--Ms. Winchell gave you as much cover as
she possibly could, but your ethics were questionable. Ms.
Bruce also said that your activities were not proper. There is
no reason, Mr. King, why Mr. Harris shouldn't be fired. He is a
senior executive service officer. He has failed continually
since he took the position. I don't think you could find more
ineptness or misconduct with any senior employee that has come
before us and then rewarded for it. It is so offensive.
And Ms. Winchell says, well, maybe we should discuss moving
him to another position. Well, that is what is wrong with this
whole system is he can fail every time, getting huge salaries,
plus he has got his little businesses or hobbies or whatever
you want to call it on the side, all the ethical questions that
have been raised, and you leave him in that position. The worst
thing would be to put him in another position and continue to
get the high salaries and bonuses.
Mr. King?
Mr. King. Congressman, respectfully, what I can attest to
is the dramatic progress since I arrived at the Department ----
Mr. Mica. Dramatic progress?
Mr. King.--in January 2015.
Mr. Mica. Who approved the bonuses for him when he was
failing? Were you involved? You were a deputy, weren't you?
Mr. King. I was not present at the Department. I joined --
--
Mr. Mica. You were not--who ----
Mr. King. I joined ----
Mr. Mica. Then it would be the Secretary that approves the
bonuses? Who approved the bonuses? Even while he is under
investigation, there should be at least a suspension of the
bonuses.
Mr. King. He was previously supervised by deputy ----
Mr. Mica. But he failed every time, every single time since
2008. The only time we have had any success reported is what
you reported from January, and that is only because the
chairman conducted a hearing and we hammered you last year.
I yield back the balance of my time.
Chairman Chaffetz. I thank the gentleman.
I now recognize Ms. Plaskett for 5 minutes.
Ms. Plaskett. Thank you, Mr. Chairman. Good morning. Good
morning, Mr. Harris.
As a CIO, you are the senior official at the Department and
that your division is looking for for leadership and guidance.
The IG reported in her investigation into the alleged
misconduct that you used subordinate staff to run an outside
business and failed to properly report this business on a
mandatory financial disclosure form. Do you dispute that report
at this time?
Mr. Harris. I do dispute that as articulated.
Ms. Plaskett. Okay. But do you dispute that you failed to
report the income?
Mr. Harris. I do not dispute that.
Ms. Plaskett. Okay. And although neither the Department or
any law enforcement authorities, the law enforcement did not
elect to prosecute, even the Acting Secretary stated in a 2015
memorandum to the IG that you ``displayed certain lapses in
judgment.'' Knowing that and not disputing that you failed to
report that income and you agree with some portions of the
report, what specific steps have you taken to earn back the
trust of not only the Department but in particular the
employees that you supervise?
Mr. Harris. Well, thank you for the question. I want to say
categorically that these were hobbies that I've enjoyed for the
greater part of my life, and the employees that wanted to
engage me, two of them actually wanted to learn from me. And I
am a teacher. That's one of the things I love to do.
Since 2012, I have severed my relationship with the vendor
in question, and I'd like to also say that in 2004 when I sat
on a panel, not selecting the vendor but providing a review for
the panel, I was not a personal friend of that vendor. That
friendship did not occur until 2008, and at that point I am
completely removed from the acquisition process.
Ms. Plaskett. So what have you done to earn back the trust
of the people that you supervise?
Mr. Harris. I have communicated with them, explained to
them, providing transparency, and that's pretty much what I've
done.
Ms. Plaskett. And do you believe that that alone is
sufficient to allow you to effectively serve as the CIO of the
Department of Education?
Mr. Harris. I'm sorry. Would you ask that question again?
Ms. Plaskett. So you said that what you have done to earn
back their trust is communicate with them about severing your
ties with the contractor. Do you think that is sufficient to
make you an effective CIO at the Department of Education?
Mr. Harris. I think working hard and actually demonstrating
that I'm passionate about the job and I'm providing not only
the direction but the time to do the job right.
I'd also like to put my job as CIO in context if I may.
Cybersecurity is absolutely critical to the Federal Government.
However, it is only one of the mission-critical
responsibilities under my leadership. For example, I run the
entire financial management platform. We have received 13 clean
audit opinions. We have an incredible IT investment management
program. We have the best grants management system in the
Federal Government. One, I think, should look at the totality
of my leadership, not just cyber, even though I agree that the
Department had a poor record in improving cybersecurity. But
again, it is only one aspect of my job, though it is a critical
aspect.
Ms. Plaskett. Thank you. Acting Secretary King, both the
IG's report of the investigation in 2013 and the addendum to
that report in 2015 raise not just concerns about this specific
issue here with your CIO but the general culture at the
Department of Education. Are you at all concerned that the IG's
concerns indicate a broader cultural problem in your department
when it comes to employees meeting ethical standards?
Mr. King. Certainly, I have sent a clear message to the
entire Department that we are committed to ethical conduct, as
did my predecessor, Secretary Duncan. And with respect to this
specific issue, it was taken seriously. Counseling was
provided. They conduct that was of concern in the IG report
ended by 2013. And cybersecurity is a top management priority
for the Department. We've made substantial progress since last
January when I joined the Department, but there is clearly much
more work to do to ensure that we're ----
Ms. Plaskett. So how are you instilling to your employees
that this is not something that will be tolerated in the
Department if all you have done is given him counseling
sessions? Where is the stick as opposed to just, you know, the
pat to him telling him don't do it again and it hasn't occurred
again? How do people know that they cannot be involved in this
kind of behavior? Is there anything procedurally that you have
done with Mr. Harris or moving forward put in place that will
demonstrate that to people?
Mr. King. We provide ethics training to all new employees
and annual ethics training to all employees. Ms. Winchell runs
a strong department-wide ethics program. In the specific case
of Dr. Harris, as I indicated previously, after the IG report,
Deputy Secretary Miller and then Deputy Secretary Shelton
reviewed the IG report with the general counsel, who advised
that there were no violations of law or regulations or policy,
but nonetheless, both took the step of providing counseling,
which I think was humbling for Dr. Harris, made clear that the
conduct needed to end. All of the activities cited ended by
2013.
When I joined the Department in 2015, the outstanding issue
was the addendum resolving the referral to the Department of
Justice. The Department of Justice also found there was no
justification for further action in terms of a violation of
law.
I again consulted with the general counsel. Again, she
advised that there was no violation of law or regulations.
However, because I was concerned about sending a clear message
about the importance of ethical conduct, I counseled Dr. Harris
again and asked the general counsel to provide written guidance
to Dr. Harris on all these matters.
Ms. Plaskett. Has anything been sent out to the employees
or anything letting people know how this conduct was not being
tolerated? I mean, personally, I don't think that counseling is
humbling for an individual that then allows them--that is just
a way to keep your job. But I am just trying to see if you
believe that what has been done will keep your department on
track in the areas that the CIO is responsible for, and that
you believe--do you believe that Mr. Harris can effectively
continue in the position that he has now?
Mr. King. I believe that the evidence is clear that the
activities have stopped. It is clear that Dr. Harris
understands the gravity of the impression that was created by
his activities. His remorse is evident. We have made
significant progress on cybersecurity over the last year that
I've been at the Department, and Dr. Harris has been a key
participant in that. He also is performing ably in other areas
of his work as CIO in terms of infrastructure, planning for the
continued upgrades to technology at the Department.
The message around ethical conduct is clear from me and
certainly from the training that is provided to all employees.
We make clear that not only do we need ethical conduct, but we
can't even have the appearance of any impropriety.
Ms. Plaskett. Thank you.
Chairman Chaffetz. Thank you. I am now going to recognize
myself for 5 minutes.
Mr. Harris, when did you first get to know William Hall?
Mr. Harris. I ----
Chairman Chaffetz. Your microphone, please.
Mr. Harris. Thank you, sir. I met him about 15 or so years
ago.
Chairman Chaffetz. Which year did you meet him? 2000?
Mr. Harris. I would say 2002 is what I recall.
Chairman Chaffetz. In your testimony you said, ``My
personal relationship with the individual developed several
years after the date and occurred when I moved in 2008 to a new
neighborhood and discovered the individual lived nearby.''
Mr. Harris. That is correct, sir. I met him, but we did not
form a friendship. He actually worked at the Department and I
knew of him, but we never spent time together. I wasn't a
friend. It wasn't until I ----
Chairman Chaffetz. You didn't spend time with him in 2005?
E Source was awarded a sole-source contract, and you were
designated the program manager for that contract, correct?
Mr. Harris. But I did not lead that project. I was just --
--
Chairman Chaffetz. You were the program manager, correct?
Mr. Harris. But I did not select that vendor.
Chairman Chaffetz. But did you interact with them? You were
the program manager.
Mr. Harris. I did interact with him, but I was not a
friend. It's no different than the vendors--the other vendors
that I interact with that hold contracts with the Department.
Chairman Chaffetz. 2006 E Source was awarded another
contract, and you are again made program manager for that,
correct?
Mr. Harris. I don't recall, sir. I don't have that in front
of me.
Chairman Chaffetz. Okay. The point is, based on your
testimony, your written testimony, you said you really got to
know him in 2008, but it is clear that you had known him since
2001. There was somebody that had--they had recommended--Mr.
Hall had recommended to come work for you, who then you hired
and then she oversaw those contracts, correct?
Mr. Harris. That is not true.
Chairman Chaffetz. Okay. We are going to explore that a
little bit more, and be careful about how you answer that one.
Mr. King, you said that you saw no violation of law,
regulation, or policy, correct?
Mr. King. That was what was advised by our general counsel.
Chairman Chaffetz. Okay. So let's go through this. Mr.
Harris, we know that you were friends with this William Hall.
We know that you interacted with him. During 2008 to 2011, you
had had some 700 phone calls with Mr. Hall, correct?
Mr. Harris. They were not phone calls. I'm not a phone
talker. They were probably text messages. But he was a friend.
I make no excuses for that. He was a friend.
Chairman Chaffetz. Yes, we have the phone records. These
are the 700 calls, 700 during that time frame. There are two
contracts that get awarded during that time, correct? One was a
renewal, one was a new one?
Mr. Harris. I am not involved in the acquisitions process
in any shape, form, or fashion.
Chairman Chaffetz. You are in charge. You are obviously
very good friends with this person. According to the inspector
general, you actually, either you or your company--you call it
a hobby; I don't buy it. When you have revenue, you set up a
company, you don't disclose it on your ethics form, you don't
disclose it to the IRS. This is something you have already
admitted.
So, Mr. King, how is that not a violation of regulation,
policy, or the law? He admitted that he had outside income
above the $200 threshold and he did not report it neither to
the IRS, nor on the ethics form. How is that not a violation of
law, regulation, or policy?
Mr. King. Well, as you know, the general counsel's role is
to review--our chief career ethics officer, her job is to
review the findings from the inspector general and to determine
whether or not there has been a violation of law or regulation
or policy. The general counsel advised ----
Chairman Chaffetz. But you are asked to review that. You
are the one that is supposed to look at that. You are not just
supposed to read it and say, hey, that is what they say. You
still to this day believe that Mr. Harris has done nothing
wrong?
Mr. King. As I indicated previously, the general counsel
made ----
Chairman Chaffetz. No, I want to know what you believe. All
this evidence we have thrown out there, you still believe that
there is nothing he has done wrong?
Mr. King. My responsibility is to rely on the guidance of
general counsel to review ----
Chairman Chaffetz. No, your responsibility is to make a
judgment ----
Mr. King. To review the evidence based ----
Chairman Chaffetz. You are hired for your judgment. You are
the Acting Secretary.
Mr. King. And based on the recommendation of the general
counsel, based on the review that was conducted by Deputy
Secretary Miller when these incidents first occurred, Deputy
Secretary Shelton, after further review of the inspector
general's report, after review of the addendum, which indicated
that the Department of Justice declined further action, based
on all of those recommendations and the recommendations of our
staff, yes, I believe the Department's actions in this case
have been appropriate.
Chairman Chaffetz. I asked you if you believed that he had
done anything wrong. To this day do you believe he has done
anything wrong?
Mr. King. I believe there were significant lapses of
judgment, counseled him to that fact ----
Chairman Chaffetz. In your mind, is that doing something
wrong?
Mr. King. Those significant lapses of judgment, I counseled
him on those, and they ended by 2013.
Chairman Chaffetz. Is it a violation of policy or
regulation or law to have outside income and not disclose it?
Mr. King. The specific determination of whether or not the
evidence ----
Chairman Chaffetz. No, no, no, no, no, Mr. King, with all
due respect, you are smart guy. You are in this position for a
reason. I am asking you, is it appropriate? Because everybody
at the Department of Education is watching you and what you are
doing, and there is a reason why you are scoring near the
bottom of the heap, bottom 10 percent of everybody in
government. Every single key metric we look at is going down,
and it is your leadership that is on the line. I am asking you,
is it appropriate, is it a violation of law, regulation, or
policy to have outside income and purposely not disclose it?
Mr. King. Based on the recommendation of our general
counsel, I do not believe that there was a violation of law,
regulation, or policy.
Chairman Chaffetz. He admitted that he didn't do it.
Mr. King. But I will say--I will say ----
Chairman Chaffetz. He admitted he didn't do it. You don't
think that is ----
Mr. King. Respectfully, Congressman, on the point of
whether or not every indicator is going down, the Department
has made dramatic progress ----
Chairman Chaffetz. No, no, no ----
Mr. King.--with respect to cybersecurity since January of
2015.
Chairman Chaffetz. You got an F. You are one of only a
couple agencies that during the cyber sprint you went down, and
you are here to tell us things are getting better? I don't buy
it. The question before you, again, last time--I don't want to
badger you. This is the last time I am going to ask this. It is
a simple question. Is it appropriate, is it a--or let me put it
another way. Is it a violation of law, regulation, or policy to
have outside income above $200 or more and not report it?
Because he has admitted that he hadn't reported it.
Mr. King. It was a lapse in judgment. As a result of that
lapse in judgment, Dr. Harris was counseled on the point of the
progress made ----
Chairman Chaffetz. I'm asking you if it was a violation,
not did he go through counseling, which didn't do crap. Did he
or did he not violate policy?
Mr. King. Respectfully, Congressman, after the counseling,
the activities ended. I've been very clear that the activities
constituted a lapse in judgment.
I do want to make the point with respect to the
cybersecurity and the topic of the hearing in November, the
Department has made substantial progress. One of the clearest
indicators of that is the issue of two-factor authentication,
which is a significant cybersecurity challenge for all public
and private institutions. We were at 11 percent of the time of
the cybersecurity sprint. We are at 95 percent today with one
vendor that needs to resolve their two-factor authentication
compliance and will do so by March. That is very significant
progress. We are also making progress on resolving the findings
in the FISMA audit.
I joined the Department in January 2015. Like you, I did
not feel that the Department had done adequate work to protect
our cybersecurity. We have, since then, made tremendous
progress.
Chairman Chaffetz. Mr. Harris, what kind of bonus to you
get last year, 2015?
Mr. Harris. Approximately $15,000.
Chairman Chaffetz. All right. So $230,000 in bonuses,
really? You can justify that?
Mr. King. I can't speak to the reviews of performance prior
to my joining the Department. I can say that since I joined the
Department in January 2015, we have made very significant
progress on cybersecurity.
Chairman Chaffetz. There is no metric, with all due
respect--and I appreciate the time here--there is not a single
metric, not one that is positive. Every single metric has gone
down.
With that, my time is more than expired. I will now
recognize the gentlewoman from New York, Mrs. Maloney, for 5
minutes.
Mrs. Maloney. Thank you.
Dr. Harris, cybersecurity, it is a problem. It has been
rated with an F. It is one of the biggest challenges we have
before our government. It is a huge responsibility to address
it. And as the chairman pointed out, you had $230,000 in
bonuses. I understand you are paid $183,000 a year for being a
CIO, is that correct?
Mr. Harris. That is correct.
Mrs. Maloney. And also you are a consultant to the
Department of Education for the city of Detroit. Is that
correct?
Mr. Harris. No longer, but at one time.
Mrs. Maloney. How much were you paid those years when you
were there?
Mr. Harris. Approximately $5,000.
Mrs. Maloney. Approximately $5,000. And then also you teach
at Howard University?
Mr. Harris. That is correct.
Mrs. Maloney. And how much are you paid for that?
Mr. Harris. Fifteen thousand dollars.
Mrs. Maloney. Fifteen thousand. And then on top of that,
you have, I think, three other jobs I have heard today. You
have got your car business with 40 employees, is that correct?
Mr. Harris. That is not correct.
Mrs. Maloney. Do you have a car business?
Mr. Harris. I do not. It is a hobby, and one other
individual who's an enthusiast helps me.
Mrs. Maloney. Do you make money off of it?
Mr. Harris. No, I do not. I get $50 and I pay for supplies.
I make no money off of that.
Mrs. Maloney. And then ----
Mr. Harris. And I've only ----
Mrs. Maloney. Then you have another hobby where you are
putting equipment in people's homes and are compensated for
that, too ----
Mr. Harris. I ----
Mrs. Maloney.--right?
Mr. Harris. I did prior to 2012.
Mrs. Maloney. Well, you are a very, very busy man. I can
understand why there are problems at the cybersecurity and
Education Department when you have so many other outside jobs.
Anyway, on this situation with your friend, what was the
contract for, the E Source contract, and how much was it for?
You are the contract manager. Do you know what the contract
was? Was it $10 or $1 million?
Mr. Harris. Which contract would you be referring to, the
one in 2004?
Mrs. Maloney. All of them, the one in 2004 and the other
two.
Mr. Harris. The one in 2004 I believe was for project
support. The other contracts ----
Mrs. Maloney. Okay. How much was that one for?
Mr. Harris. I have no idea.
Mrs. Maloney. Can you find out and get back to the
committee?
Mr. Harris. I most certainly could.
Mrs. Maloney. Okay. What were the other two for?
Mr. Harris. I believe both were for project management
support, and I can get you ----
Mrs. Maloney. Project support?
Mr. Harris.--the information on that.
Mrs. Maloney. Now, why did this have to be a sole-source
contract? That seems like a business that a lot of people could
be in. I could even go in and get some project support. Why was
that a sole-source contract?
Mr. Harris. Well, if--allow me to put in context how they
Department works in terms of acquisitions. I as the CIO make
general--provide general direction on technologies and
implementations ----
Mrs. Maloney. Okay. Can you get back to me in writing ----
Mr. Harris. I ----
Mrs. Maloney.--why that was a sole-source contract? Because
I think everybody on this panel could go in and do project
support. That should be a competitively bid contract to the
lowest-qualified bidder.
Mr. Harris. I will get back to you. Our contracts division,
which is not in CIO, determines the contract approach. I have
nothing to do with that. But we can certainly get that
information for you.
Mrs. Maloney. I think the contract approach for an agency
that is rated the most mismanaged, that probably has the most
important goal and responsibility of any agency in our
government is education and building our workforce and helping
our young people become good citizens. It is an incredibly
important agency. And I think maybe you are spending too much
time in meetings.
I think all these contracts should not be sole source. They
should go to the lowest-qualified bidder. It would be cheaper
to administrate and it would cut out any threat or all these
ethics meetings on whether or not there is a conflict of
interest. Do you agree that a sole-source contract would work,
Dr. Harris?
Mr. Harris. I'm not a subject matter expert on contracts,
and that's not in my division so ----
Mrs. Maloney. Okay. Ms. Bruce, do you think a sole-source
contract to a qualified bidder--you have to have a panel, make
sure they are qualified, that they can do the work, that they
have a work history, that they are paying their taxes as good
citizens, lowest-qualified bidder. Something like the support
service, do you think that could have been a sole-source
contract or should it be a sole-source contract or
competitively bid?
Ms. Bruce. Ms. Maloney, I would have to defer to the
Department as far as the acquisition process. I do know that
the Federal acquisition regulations and other processes do look
for those things, but I would defer to the Department as to why
they made the decision to use the sole-source contract.
Mrs. Maloney. Yes. I don't understand that. And I think we
should change the law, that you go to the lowest-qualified
bidder. And if you go to a sole source, have to write out in
detail why you need a sole source.
I would just like to respond to Mr. King. I think the point
that the chairman was trying to make is that when you head an
agency, everyone looks at you. You are the leader. And you are
sending messages to employees of how to act. And when someone
violates a regulation or a law, then it tells everybody else
they can violate the same one and go to counseling and it is
okay.
So I think that is the point he was trying to make, that if
we have rules and laws, they are supposed to be followed. That
is why they are there. And if you are going to change it--most
people think you have a rule or law, you follow it. Basically,
what is happening under your leadership is you have a rule or
law, you can violate it, just go to counseling and it is okay.
Is that an appropriate description of what is happening?
Mr. King. No. So to be clear, the Office of General
Counsel, my predecessor's predecessor, and my predecessor all
reviewed the report of the IG and concluded there was no
violation of law or regulation and ----
Mrs. Maloney. But there is a law ----
Mr. King.--his conduct ----
Mrs. Maloney. There is a law that if you have outside
income, you report it, and they didn't report the outside
income. That, in my opinion, is a violation of law.
Mr. King. The general counsel, in reviewing that specific
issue, made a distinction between a hobby and a business and
what knowledge of the application of the disclosure Dr. Harris
had at the time. But I--but to be clear, of the conduct ----
Mrs. Maloney. But I think we should change that, too, and
we should say that a law is a law, and that a hobby is also
covered. Maybe we need to clarify it for your counsel.
Mr. King. The conduct at the time--just to be clear, the
conduct that was described in the IG report ended by 2013. I
had joined the Department in 2015.
Chairman Chaffetz. I thank the gentlewoman.
And I would--as we recognize Mr. Farenthold here, Mr.
Harris, you previously served as the deputy chief financial
officer. We introduced you as being responsible for contract
administration, grant management, accounting. Your ignorance
about contracting is, I think, without merit.
I will now recognize the gentleman from Texas, Mr.
Farenthold, for 5 minutes.
Mr. Farenthold. Thank you very much.
Mr. Harris, I am over here behind the person doing the
transcriptions. I will lean over so you can see me.
So after the breaches at the OPM, the OMB launched the
cyber sprint for 30 days. And you guys actually scored negative
14, which puts you in the worst of the worst. And I have kind
of heard some testimony here that you are trying to improve.
But the Department's performance in that cyber sprint
reinforces the key IG finding that the Department had no
mechanisms to restrict the use of unauthorized devices on its
network. This was a finding from the 2011 fiscal year.
The IG is continually warning that failure to restrict
unauthorized devices on internal network segments could allow
perpetrators to bypass the two-factor authorization, obtain
information about the network, and gain access to the
Department's internal resources.
Obviously, the private sector is moving faster than the
government by banning workers from using portable devices such
as USB drives and wanting employees to be careful what they
post on social media and even discouraging workers from posting
out-of-office replies on their emails.
The IG found you used Department emails to support your
side business--we have talked a lot about that--but also that
you connected various electronic devices like USB thumb drives
and CD-ROMs from home in conflict with your own internal policy
that I guess you wrote. Don't you see a little problem here
with the guys on the top aren't following the rules?
Mr. Harris. We certainly have tools in place now to
restrict all employees from connecting anything. I think it's
standard practice when you travel all the time with your
devices so that you can work to inadvertently put a non-
supported USB or a CD in a drive.
Mr. Farenthold. Yes. My concern is you guys have pretty
much every student Social Security number on file, probably
including both of my daughters. I am old enough that you
probably don't have mine. So this is something that really is
concerning.
Mr. King was testifying that you guys have made some
progress. Do you agree, the progress?
Mr. Harris. Yes, we have.
Mr. Farenthold. All right, but ----
Mr. Harris. Ninety-five percent is a really good number.
Mr. Farenthold. There is still work to be done, though?
Mr. Harris. There is indeed.
Mr. Farenthold. What is stopping you from getting it done?
Mr. Harris. The--we have two small challenges on privileged
and non-privileged. On the privileged, we are 95, and we have
one vendor who is completely re-architecting their data centers
to segment out the Department of Education so that we can
overlay two-factor authentication. That is to happen in March,
and we will be at 100 percent.
In terms of unprivileged users, we're at 86 percent plus,
and we're looking at our assistive technology and disabled
community to provide technology that allows them to use two-
factor, and then we would be 100 percent on unprivileged as
well. And we're looking to achieve that by summer.
Mr. Farenthold. All right. And so can you talk a little bit
about your--I mean, you are CIO. Could you talk a little bit
about your IT background and training? Because it looks like
you came up through the financial and contracting segments.
Mr. Harris. Actually, I came up through the IT segment. I
started at the Department as a GS-5 programmer. I did
development work probably for the first 7 years of my career. I
did big database administration work ----
Mr. Farenthold. So you should have--why didn't you see some
of this coming beforehand? I mean, obviously hindsight is 20/
20. So having, you know, worked up in the trenches of the
organization and--you know, you saw the headlines from Snowden
to--I mean, why didn't we see some of this coming and do
something about it before it hit the fan?
Mr. Harris. So as an IT professional, I am not a
cybersecurity subject matter expert. And so it is true that the
Department has been slow in making progress, and we're happy
about the progress we're making now, but we need to make more.
Mr. Farenthold. But, I mean, if you are a former programmer
and have been messing with computers for years, in light of--I
mean, when Snowden came out, didn't something go off in your
head, maybe we ought to, you know, make sure that this doesn't
happen to us?
Mr. Harris. Well, it's a good question. I would like to say
that approximately 6 years ago I met with then-Secretary Arne
Duncan and indicated to him that I was very concerned about our
IT security posture, and I asked him for funding to do the
first-ever Department IT security discovery process. And that
was really, in my opinion, the foundation of the Department
really starting to get really serious about cybersecurity.
Mr. Farenthold. But then how do we come to, you know, just
a few months ago you are an F? I don't understand it. I guess
if--well, I am not going to take a shot. We just have got to
get it fixed. I yield back.
Chairman Chaffetz. I thank the gentleman.
I will now recognize the delegate from the District of
Columbia, Ms. Norton, for 5 minutes.
Ms. Norton. Thank you, Mr. Chairman.
What is concerning here, Secretary King, if you see how
this began, it was uncovered not from the top down but
apparently there were anonymous complaints. That suggests
something that is very troubling. If you are an employee--and
who knows where these anonymous complaints--perhaps they were
peers--but there is a good chance, given that we are talking
about an SES member here, that it was subordinates and that
there may have been resentments. So, you see, that reflects on
the Department itself, and it is very concerning to me since
obviously you look to whoever is in charge to provide the
example so they can reprimand those who do not live up to what
is expected.
Now, I have to tell you, I am unimpressed that the U.S.
attorney did not proceed. I know how U.S. attorneys work. They
have to have a slam dunk. It has to be worth it to them. It has
to be a big enough case because they have so many complaints or
possible cases, so it absolutely means nothing.
I don't even know what the standard is. I don't know if the
standard was intent, which may have made it difficult, was know
or should have known. So, you know, I discard that. But I do
note that Ms. Bruce said that--and I am looking here at your
testimony on page 5--``so that it could take appropriate
administrative action.'' So I want to move to the Secretary.
Would you outline the kinds of administrative action that
was possible to be taken? We know that what happened was
counseling. What kinds of administrative action could have been
taken against this employee to indicate that there had been
issues with what he had been doing?
Mr. King. Well, I will ask Ms. Winchell to expand on this,
but I think for us the key question is, was there a violation
of law or regulation? There are a set of penalties or table of
penalties that are associated with violations of law or
regulation ----
Ms. Norton. So I am asking for the administrative actions
that could have been taken in light of the findings that have
been made. So you don't have to reiterate the findings because
I am going to ask you about no violations next.
Mr. King. Yes.
Ms. Norton. I am simply trying to find out, as someone who
is literally ignorant, when I hear that what happened was
counseling, okay, but what were the possible administrative
actions that could have been taken?
Mr. King. Well, the key thing is the finding here was a set
of lapses in judgment that could lead to ----
Ms. Norton. Okay. What were ----
Mr. King.--here it's ----
Ms. Norton.--the possible administrative actions ----
Mr. King. Right.
Ms. Norton.--that can be taken when there is a lapse of
judgment but apparently no violation of regulations or, as far
as you know, laws?
Mr. King. As an SES employee, an SES can be reassigned.
That was apparently considered by Deputy Secretary Miller
several years ago when ----
Ms. Norton. So what else could be ----
Mr. King.--this first was raised. This could have been
factored into the employee's ratings at the time. Those were
decisions that were made by Deputy Secretary Miller at the time
that these issues ----
Ms. Norton. Pardon me ----
Mr. King.--emerged.
Ms. Norton.--were they factored into the employee's
ratings?
Mr. King. I'm--I don't know. That was--that was 2 years
before--it was more than 2 years before I came to the
Department.
Ms. Norton. You don't have access to what the ratings were?
Mr. King. I do not have personal knowledge of the ratings
and how they were constructed by the--his supervisor at the
time.
Ms. Norton. Mr. Harris, were your ratings affected?
Mr. Harris. Outstanding.
Ms. Norton. Your ratings throughout ----
Mr. Harris. My ratings were outstanding.
Ms. Norton.--all of this was outstanding?
Mr. Harris. Yes, as a result of the entire body of my work,
not just cybersecurity.
Ms. Norton. And that is even though these questions had
arisen? You were given outstanding ratings even though these
questions were known to those who were the raters?
Mr. Harris. Many of them were just allegations, and I've
owned up to those that represent really poor judgment on my
part.
Ms. Norton. So has your ratings suffered at all as a result
of what has now been found to be the facts?
Mr. Harris. No.
Ms. Norton. So you continued to be rated outstanding?
Mr. Harris. Yes.
Ms. Norton. Mr. King ----
Mr. King. Yes, so ----
Ms. Norton.--you see the problem that that may raise. Put
yourself in the position of a Federal employee, and you look at
how the rating apparently has not even been affected, no
violations of regulations, no violations of any kind found.
Could I ask you, in light of the fact that no violations
were found, that apparently there is a finding that it was
unclear whether Dr. Harris's outside work constituted a
business or a hobby, has it not occurred to the Department to
clarify this so employees know what is the difference and so it
will not be unclear for those who may have seen or known about
this particular matter so that--don't you think that is rank
confusion in the Department when they see a high level official
was engaged in outside activity for which there was
remuneration but it was unclear whether it was a business or a
hobby? Doesn't the Department have an obligation now to issue
guidance so that these things are cleared up?
Mr. King. Yes. We do make clear in our ethics training what
employees' responsibilities are ----
Ms. Norton. So what is the answer? In other words, if an
employee wants to know, look, I want to know, I don't want to
be caught in this thing, too, I want to know if I do this,
would it be considered a business by the Department of
Education or would it be considered a hobby? Is there concrete
guidance on that matter, given what has happened here with an
SES employee?
Mr. King. The guidance to employees is to, when there is a
potential issue of appearance of impropriety, to seek guidance
from the ethics officer, and the ethics officer provides that
guidance. In this case--I mean, it's a question of whether or
not Dr. Harris understood at the time that he needed to seek
that guidance. He did not, and this was raised through the IG
report, and then the ethics officer was reviewing the IG
findings.
Chairman Chaffetz. I thank the gentlewoman.
I now recognize the gentleman from Michigan, Mr. Walberg,
for 5 minutes.
Mr. Walberg. Thank you, Mr. Chairman. It is good to have
the testimony in front of us today. I guess I would offer a
point of personal advertising. My SES bill seems to have more
pertinence all the time of trying to deal with concerns that go
on.
Dr. King, I just want to ask you a direct question, and
other questioners kind of waltzed all around it, but the direct
question I want to ask you is do you have faith that Dr. Harris
can effectively lead the OCIO?
Mr. King. I do, based on the progress that we've made since
January 2015 and based on his overall performance in the other
areas of responsibilities, yes.
Mr. Walberg. You have clear faith, certain faith that he
can lead?
Mr. King. I have confidence in his leadership. I have
confidence in the progress that we've made over the last ----
Mr. Walberg. Well, it is important for me to know because
the Department of Education, in its oversight capacity over
national education issues--and brought up the fact that Dr.
Harris has been involved with Detroit school system in trying
to turn a failing school system around, a system that needs to
be turned around for the benefit of its students, the families,
and the city at large.
It is a requirement for any type of growth economically or
otherwise in a community as important as Detroit to have a
school system that we have confidence in. And so when we have
leadership coming from the Department of Education and we have
people from the Department that are working in a consulting,
advisory, leadership, whatever aspect of trying to turn schools
around like that, it is important that integrity reigns and
that confidence is there. And so that is why I wanted to hear
your answer. You said you have complete confidence, faith that
Mr. Harris can carry on his duties.
Let me ask you then, since you began directly receiving
reports of findings from the IG as early as March 23, 2015,
have you personally talked to OCIO staff to better understand
the culture there to try and improve things for the staff but
also the effectiveness of the organization?
Mr. King. I've certainly worked with staff from OCIO as we
have focused on addressing that--the significant need for
improvement around cybersecurity, and I've worked closely with
our staff to make those improvements since I arrived in January
2015.
Mr. Walberg. What specific steps are you taking to improve
the morale at the very least?
Mr. King. Well, I think the ----
Mr. Walberg. Specific steps.
Mr. King. The morale is bound up with the responsibility to
execute on their work for the Department, which is to ensure
that the Department's technology works smoothly for their
fellow employees and to ensure that the personal information
that we have is secure. And we have made substantial progress.
I do think that substantial progress has required folks to
work additional time, to adjust their work processes, but we
are seeing progress. We're seeing progress in terms of our two-
factor authentication. We're seeing progress in terms of the
resolution of FISMA audit findings. I met with the CIO and
members of his team, as well as our Federal Student Aid
Technology Team on a weekly basis for much of last year to
ensure that we made progress, and we're going to continue to do
that going forward.
Mr. Walberg. And I wish you well. During the committee's
November hearing, Dr. Harris, under my questioning, could not
answer my questions during the testimony specifically in the
area of risk rating and the facts/figures that were there and
the contracting issues. Regarding information that he certifies
on the Federal IT dashboard, do you have confidence in Dr.
Harris to provide accurate information to the dashboard?
Mr. King. I do have confidence going forward. Obviously, I
can't comment on information that was provided prior to my
joining the Department.
I will say I share the committee's concern that we need to
rapidly improve our cybersecurity posture. We are making
progress. I think it's clear to everyone that all public and
private institutions are subject to significant cybersecurity
threat, and that threat is ever-evolving, and we've got to
continue to work to ensure that we are positioned to protect
the information that we have.
Mr. Walberg. Well, I again wish you well on that. We expect
to see that in action. It is very concerning that we set in a
place of great responsibility with records, with backgrounds,
Social Security numbers, information on families as well as
students, and there is an expressed concern that we have all
sorts of reason because of the lack of integrity, of
credibility, and now, more importantly, ultimately no
consequences except counseling.
I think I have said probably enough. I yield back the
balance of my time.
Chairman Chaffetz. I thank the gentleman.
I now recognize the gentlewoman from Illinois, Ms. Kelly,
for 5 minutes.
Ms. Kelly. Thank you, Mr. Chair. Good morning.
We all are aware of the constantly evolving cyber threats
to information systems, as seen by the many breaches that have
recently occurred in both the private and public sectors. The
Federal Information Security Management Act is another
important piece of legislation that requires the agency and
inspector general to assess the state of their information
security management.
Dr. Harris, my committee, the IT Subcommittee, held a
hearing in November on the Department's compliance with FISMA
based on the IG audit report. We learned the Department heavily
relies on contractors for its IT systems. We also heard that,
although progress has been made on IT security, continued
improvement is needed. You acknowledged this need for
improvement in your opening statement. Can you tell me what
your top priority is in this space?
Mr. Harris. Well, specifically in the FISMA area, we have
put an integrated project team together to meet weekly to look
at the 51 caps that we have under the 18 findings for FISMA. We
have already completed a number of those, approximately four of
those, and we're looking to complete the vast majority of them
by mid-summer.
Our number one priority is to protect--to correct those
things that impact our HVAs, our high-value assets. A second
priority is to ensure that repeat findings simply don't occur,
not just not occur in individual systems, but occur across our
ecosystems. So those are our two top priorities.
Ms. Kelly. You might have answered this and I wasn't in the
room, but do you feel like you have the staff and the resources
that you need to complete your goals?
Mr. Harris. We don't have the necessary resources that we
need to complete our goals. Everything is based on risk, and so
what we do is look at risk and then we complete those items at
the highest level of risk. There are times--in fact, some of
our repeat findings have to do with the fact that we don't have
the resources to do everything.
Ms. Kelly. And the reason I ask oftentimes people say they
can't find the people to carry out the tasks because everyone
is, public and private sector, looking for experts on
cybersecurity, and of course government doesn't pay what the
private sector pays. So are you finding that also?
Mr. Harris. We are. It's one of our biggest challenges. As
Dr. King mentioned earlier, we are bringing on a couple of
cybersecurity experts to support not just the Department of
Education but specifically Federal Student Aid, and we're
looking for more talent also to bring on board to get at some
of these challenging issues we have in cybersecurity.
Ms. Kelly. Okay. Thank you. And I just ask that you keep
this committee updated as you continue to address the
weaknesses in the Department's security systems identified by
the IG. Thank you.
Mr. Harris. I will.
Mr. Connolly. Would my friend yield?
Ms. Kelly. Yes, I will.
Mr. Connolly. I thank my friend from Illinois.
Just if I could build on that, Mr. King, how well do you
think the Department is implementing FITARA, which is of great
concern to this committee?
Mr. King. We are making progress. We have our FITARA
implementation plan now approved by OMB. We have made good
progress on implementation, continued work to happen through
this spring into the summer. Historically, the work of the
Federal Student Aid CIO and the Department CIO have proceeded
on parallel paths but not always coordinated paths with
Department CIO having full transparency into the activities of
the FSA CIO. That will now change with FITARA implementation,
and we are working through the internal operations to ensure
that that happens.
Mr. Connolly. And how are you doing on data center
consolidation, perhaps one of the most immediate big cost-
savers if done correctly?
Mr. King. We are in the initial stages of implementation. I
would have to ask Dr. Harris to comment ----
Mr. Connolly. Dr. Harris ----
Mr. King.--on the technical side of that.
Mr. Connolly. Mr. Harris?
Mr. Harris. We have approximately 134 systems in our
information systems inventory. More than half of them fall
within our primary data centers, and we are working on those
that fall outside, much of which don't have PII, but we're
working with those vendors to amend contracts and to ensure
that they follow NIST guidance and FISMA guidance.
Mr. Connolly. Well, remember, one of the explicit goals is
consolidation of those data centers. We don't want a huge, you
know, plethora of data centers if we can help it. How are you
coming on that?
Mr. Harris. Well, what we're doing is we're looking at
those things that we can actually consolidate, but we're also
looking at a massive retirement of systems that we simply don't
need to be carrying on our list of systems inventory.
Mr. Connolly. We look forward to seeing that progress.
Thank you. And I thank my colleague from Illinois.
Mr. Carter. [Presiding.] The gentleman yields.
The chair recognizes the gentleman from Alabama, Mr.
Palmer, for 5 minutes.
Mr. Palmer. Thank you, Mr. Chairman.
Dr. Harris, you once said in an interview with FedScoop
that what keeps you up at night are things you don't know, yet
at our last hearing--it is November 17 last year--you couldn't
answer some basic questions asked about the lack of personal
identification, identity verification/authentication and the
vulnerabilities in the Federal Student Aid central processing
system. I would like to direct your attention to some slides if
the staff can put up the first slide.
[Slide.]
Mr. Palmer. This is, if you will notice, a conference. It
is a presentation from a conference on Federal Student Aid that
you did.
Okay. If you would go to slide number 8.
[Slide.]
Mr. Palmer. If you look at slide number 8, you are laying
out all these things that you are doing. Now, this was in 2011.
And what concerns me is when I was asking you just a basic
question about the security measures that are in place to
protect the CPS system, I mean, CPS system processes 22 million
student aid applications a year. There is integration between
the Veterans Administration, Selective Service, Department of
Justice, Department of Homeland Security, Social Security
Administration. I mean, there are 139 million unique Social
Security numbers in this system. And your answer to that
question was to apologize. You said I don't have operational
oversight of that system. I have limited knowledge, but I can
certainly get you more information on that.
Dr. Harris, you know, what you don't know may keep you up
at night, but I can assure you when we get responses like that
from people responsible for keeping our information systems
protected, when you can't answer that, that keeps us up at
night.
What I would like to do is to go back to this question and
ask you, have you had time to learn about this since I asked
you that question?
Mr. Harris. I have, sir. And as a result of implementing
FITARA, there are two significant things that have occurred
that will allow me to engage Federal Student Aid more. I made
no apology if you will about my lack of--my lack and limitation
in the Federal Student area--arena. They have, up unto this
point, independence. But FITARA will allow me 1) to have veto
authority over Federal Student Aid IT activities and spending.
It will also put me on their Investment Review Board, which I
was not on before, to actually have an impact on how they
strategize and plan their IT activities. Now, I can truly get
answers about how their ecosystem actually works.
Mr. Palmer. Well, what is the status of implementing the
personal identification verification?
Mr. Harris. The PIV?
Mr. Palmer. The PIV.
Mr. Harris. We are at 95 percent, and the one vendor that
we talked about is in the Federal Student Aid ecosystem, and
we're hoping to be--our plan is to be 100 percent by March ----
Mr. Palmer. You ----
Mr. Harris.--once that vendor segments their architecture.
Mr. Palmer. You also made a point that you weren't able to
give me an answer on that because you didn't have operational
oversight, and I think you may have mentioned that it was
performance-based organization. Can you describe the
Department's oversight of the PVO's information security
activities under FISMA now?
Mr. Harris. Yes. Under FISMA they followed the same
guidelines that the rest of the Department follows, and that
actually does flow up to me. And that is exactly why we set up
the team, the senior team to actually ensure that all of the
lines are on time and are met.
Mr. Palmer. How many of these--you made all of these points
that things that you said needed to be done. How many of those
have actually been done?
Mr. Harris. I would have to see that again on the screen,
sir, and I can react to that.
Mr. Palmer. Well, you can go back to that. We're down to
the last few seconds here.
Mr. Harris. Okay. But I can respond--I can provide that
information to you, sir.
Mr. Palmer. Okay. That's all the questions I have, Mr.
Chairman. I yield back.
Chairman Chaffetz. I thank the gentleman.
I will now recognize the gentleman from California, Mr.
Lieu, for 5 minutes.
Mr. Lieu. Thank you, Mr. Chair. I have a question for Mr.
King.
A number of times this morning you have said that you
believe Mr. Harris engaged in a hobby rather than a business
venture. When I think of a hobby, I think of someone collecting
stamps or building model airplanes or maybe gardening. I am not
aware of any hobby known as installing home theaters in other
people's homes for a profit. Are you aware that in this case
that there was a business card that said Harris Audio/Visual
Innovation, which included a company logo and listed Danny A.
Harris as owner and operator? Are you aware of that? Yes or no?
Mr. King. Only for purposes of preparation for this
hearing. That was a detail that was in the file that was
reviewed by the Office of General Counsel ----
Mr. Lieu. And you had read it? Were you aware of that fact?
Mr. King. No. I did not review the entirety of the
investigative ----
Mr. Lieu. All right. So you weren't aware ----
Mr. King.--findings.
Mr. Lieu. So you were not aware until now that he had a
business card that listed him as owner/operator?
Mr. King. No. I became aware of that in the process of
preparing for this hearing. That was in the investigative file.
The structure in the Department ----
Mr. Lieu. Okay. All right. Second question ----
Mr. King.--is the general counsel reviews the investigative
findings ----
Mr. Lieu. Are you aware that he paid two employees to do
these installations in other people's homes?
Mr. King. My understanding is that there were two employees
who were involved in this activity ----
Mr. Lieu. Okay. All right. Have ----
Mr. King.--and that received compensation ----
Mr. Lieu. All right.
Mr. King.--as part of that.
Mr. Lieu. Now having known this, do you still believe he
engaged in a hobby rather than a business venture?
Mr. King. The ----
Mr. Lieu. Just a yes or no.
Mr. King.--determination of whether or not it was a hobby
or a business venture was based on the recommendation from our
Office of General Counsel that reviewed ----
Mr. Lieu. Let me just stop you there.
Mr. King.--the entirety of the file.
Mr. Lieu. Let me stop you there. Let me tell you how it
works. And I know something about this because I was an active
duty JAG in the military. I am still in the reserves. I am a
military attorney. The way it works in government, attorneys
give advice. You make the decision. Attorneys don't make the
decision; you do. And in this case, I want to know your view,
now knowing these facts, did he engage in a hobby or a business
venture?
Mr. King. I credit the judgment of our general counsel ----
Mr. Lieu. Okay. All right. You were ----
Mr. King.--and two deputy secretaries that preceded me ----
Mr. Lieu. Let me tell you how it works. You are not a
rubber stamp for you attorney. That is not how it works. And if
you think that is how it works, then you need to reevaluate.
So let me shift to another line of questioning based on
what Chair Chaffetz had mentioned about violating a law, a
rule, or regulation. Outside this bubble of Washington, D.C.,
the rest of America would view what Mr. Harris did as violating
a law, rule, or regulation. For you to not find that was simply
an error. It was a mistake because your job is not to protect
Mr. Harris. It is to send a proper tone, standards of conduct,
and leadership for your agency. And you have now sent the
message that you can operate a business venture, not report
that on your ethics forms, not report the income on your tax
filings, and that does not violate a law, rule, or regulation.
That is simply ridiculous. And you cannot use a shield of
relying on some recommendation of an attorney. It is your
decision. It is your job to make the correct decision. You made
the wrong one.
I now have questions of Mr. Harris. And, Mr. Harris, I am
going to ask you something related to cybersecurity now. You
had mentioned in your testimony this morning that you said
cybersecurity is a critical component of what you do but it is
not the only one. I want to know, do you believe cybersecurity
is the most important aspect of your job, yes or no?
Mr. Harris. I do.
Mr. Lieu. Okay.
Mr. Harris. I think it overlays everything else.
Mr. Lieu. All right. And do you have a chief security
officer ----
Mr. Harris. I ----
Mr. Lieu.--for ----
Mr. Harris. I do, sir.
Mr. Lieu. All right. Does that person report to you or to
the Secretary?
Mr. Harris. He reports to me.
Mr. Lieu. Okay. So some private sector companies have
either reversed the order of having the chief information
officer report to the security officer or had the chief
security officer report directly to the Secretary. What do you
think of those models?
Mr. Harris. I don't feel that there is a conflict of
interest. I have seen the organizational arrangement in both
ways in the CIO organization, as well as outside of it. I
personally don't see a conflict of interest between the CSO
being inside of the CIO organization, but I have seen it, as
you've indicated, arranged differently.
Mr. Lieu. All right. So given the not-so-good ratings of
the Department, you might want to look at those other models in
terms of cybersecurity.
And then I have a sort of general question about the
executive branch's approach on cybersecurity. It does seem to
me that there is no centralized place. You have got different
agencies doing their own thing. You have got the Department of
Homeland Security that has some role in cybersecurity. You then
have the Office of Management and Budget that has some role in
cybersecurity. Then, you have got this White House
cybersecurity czar. Don't you think it would be much better if
we had one agency, one person responsible for cybersecurity
across all the .gov network that can either take responsibility
when things go right or wrong but also have the power to go
make changes when things are not performing as they should be?
Mr. Harris. Though we interact with all of those bodies
that you mentioned, we rely heaviest on DHS and their CDM
program in terms of operationalizing the progress we need to
get made. It's DHS that we work most closely with.
Mr. Lieu. Okay. Thank you. I yield back.
Chairman Chaffetz. Before the gentleman yields back, I ask
unanimous consent to enter two documents into the record. One
is a memorandum from Mr. John King, who is sitting before us
today, to Aaron Jordan, Assistant Inspector General for
Investigations, of June 23 of 2015. This is where he says,
``Overall, we found no violations of law or regulation.''
Further, in finding 1, he said, ``It does not appear to support
the conclusion Mr. Harris violated any law or regulation or any
standard of ethical conduct.'' Any standard of ethical conduct.
You want to get to the heart of why we are here today, it is
that.
I also ask unanimous consent to enter into the record July
9, 2015. This is to Danny Harris from Susan Winchell, follow-up
ethics guidance. And without objection, we will enter these
into the record.
Chairman Chaffetz. This document gives us huge concern
given that Ms. Winchell's conclusion was that it is the
employee's responsibility to ask and really what you should do
is just ask next time. And quite frankly, I don't know, Ms.
Winchell, why we should even hire you if that is just your
advice because there is no enforcement. This is the concern.
I will now recognize the gentleman from North Carolina, Mr.
Walker, for 5 minutes.
Mr. Walker. Thank you, Mr. Chairman.
Last November, Mr. Harris, I believe we had a conversation
and I asked you regarding remote access management and the two-
factor authentication at the Department. And this is an
important point for me, I guess for all of us, because this is
the first time this has happened. Remember, it was a failure in
access management that contributed to the data breach over at
OPM.
It is especially troubling, given the Department's failure
over the summer during the cyber sprint. And I am going to come
back to the cyber sprint in just a few minutes, but I want to
stay on this two-factor authentication. Mr. Harris, you told me
during my previous question back in November that the
Department has 100 percent implemented two-factor
authentication, and that the financial system audits would be
also at 100 percent by December.
However, according to the inspector general--and this is
from the FISMA audit of 2014, end of year, it says, ``In some
instances, although the Department said it completed a
recommendation, we continue to find that the corrective actions
were not implemented.'' Do you or disagree with that finding?
Mr. Harris. Based on my discovery, yes, I have found that
the discipline that should have been in place in terms of some
of the recommendations and--findings and recommendations and
caps were not made, and that's something that the senior team
now is ensuring will never happen again.
Mr. Walker. So what you testified to me in November you are
basically saying today was not accurate or was not true?
Mr. Harris. It was based on my understanding.
Mr. Walker. Well, what was your understanding based on?
Mr. Harris. Based on the facts that my staff had provided
me.
Mr. Walker. So this is the staff's fault? It wasn't yours?
You were just going off what the staff told you? So what you
said in November is not true but what you are testifying today
is?
Mr. Harris. I always base my decisions on the data pulled
by staff, but at the end of the day, it's my responsibility.
Mr. Walker. Okay. Well, I am glad to hear that part. What
about the contractors that we are dealing with? Are you sitting
here testifying under oath today--as I look through these
contractors--that every one of these contractors are also
operating under a two-factor authentication? Are you saying
that is the case as well?
Mr. Harris. We are saying that is the case.
Mr. Walker. So when ----
Mr. Harris. The 95 percent is based on what we are doing
internally, as well as the contractors are doing.
Mr. Walker. You also said the Department's two-factor
authentication is at level 4 in terms of the level of assurance
according to the NIST authentication guidelines. Is that
correct?
Mr. Harris. That is the--correct with the exception of
those that use PIV-I.
Mr. Walker. Okay.
Mr. Harris. I.
Mr. Walker. So if that is the case then, then you are not
employing two-factor authentication but the Department is also
employing the highest level of assurance for 100 percent of all
its users? That is the goal right here ----
Mr. Harris. That is the goal, sir.
Mr. Walker.--is 100 percent? Okay. All right. Well, here is
the issue. In coming back to this cyber sprint, okay, this
summer, 14 percent minus. And then within a few months you have
secured 100 percent. How in the world does that happen over
that short period of time?
Mr. Harris. More times than not it's about configuring the
system, issuing PIV cards, and turning that on.
Mr. Walker. But why didn't you do that earlier then?
Mr. Harris. I think the technical challenge for the vendors
that implemented this and maintained these systems was larger
than we anticipated. In ----
Mr. Walker. Well, it appears to us that it is only when the
light is shone on the deficiencies or you start bringing these
grades of concurrent F's that you are willing to do something.
Mr. King, you are fidgeting over there like you are wanting to
jump in. What do you have to say on this?
Mr. King. Yes, sir. So the Department had previously used a
level 3 goal. That goal was changed to level 4. And in--I
joined the Department in January 2015, began meeting regularly
with the team on how we might improve our cybersecurity. After
the sprint, we began meeting weekly to ensure that we would get
to level 4 across the agency.
In the Federal Student Aid area, we have a number of
external contractors. They use PIV-I. In order to get to 95
percent, we needed to amend nearly 60 contracts, which we did
with external vendors, provided technical assistance to those
external vendors. That's why we're at 95 percent. So I just
want to convey again the urgency that we brought to this matter
throughout my time at the Department.
Mr. Walker. Yes, you have been conveying and almost to me
like you are trying to cover here. I think the Congresswoman
from D.C., Ms. Norton, really brought it to a point here saying
there is no consequences for the actions. The people get
scored. Your grade didn't change at all. You are still getting
high marks. And the irony of this is this is education, so what
in the world are we teaching our children? There are no
consequences for their actions? Mr. King, today, you are still
defending the actions like this is no big deal. I don't
understand that.
I want to ask you right now--I want to come back to this.
Under oath, are you still saying to me and to this panel and to
the American people that you do not believe that any standard
of ethical conduct was breached? Is that your testimony?
Mr. King. My testimony was that I saw significant lapses in
judgment, that I counseled Dr. Harris ----
Mr. Walker. That is what you said. Do you believe that
today or not?
Mr. King. Yes, I believe there were significant ----
Mr. Walker. Do you believe that any ethical standard of
conduct was breached or broken?
Mr. King. I do not believe there was a violation of law or
regulation or policy of the Department. However, I do believe
there were significant lapses in judgment. I counseled Dr.
Harris on those. That was the fourth counseling that he
received ----
Mr. Walker. So let me ----
Mr. King.--on that matter ----
Mr. Walker.--see, lapses of judgment, ethical conduct. Do
those two merge at all or are those two separate things?
Mr. King. That ----
Mr. Walker. You sit here today and you blame it on your
general counsel and lawyers for not taking a position of
leadership and holding the people accountable.
Mr. King. No, sir. I ----
Mr. Walker. Do you understand why the American people are
frustrated with this?
Mr. King. I disagree with that characterization. I took it
very seriously. It's why I engaged in additional counseling of
Dr. Harris. It's why I asked that the counseling that he'd
received from the ethics officer to be put in writing.
Mr. Walker. You took it very serious. What actions did you
take ----
Mr. King. I ----
Mr. Walker.--toward Mr. Harris?
Mr. King. I engaged in counseling ----
Mr. Walker. My time is expired. I am sorry.
Mr. King. Once again ----
Mr. Walker. I have to yield back. Thank you, Mr. Chairman.
Chairman Chaffetz. Don't worry. We are going to keep going.
We are going to be here for a while.
Mr. Clay, you are now recognized for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman.
And let me take a little different tack here and say that,
look, I appreciate Federal employees' service to this country,
and I am sure that Secretary King and Mr. Harris also take
their service to the people of this nation seriously.
Having said that, let me ask Secretary King and Dr. Harris,
the standards of ethical conduct for Federal employees states,
``Public service is a public trust.'' Would you both agree that
Federal employees must be held to the highest ethical
standards, Mr. King?
Mr. King. Yes, absolutely.
Mr. Harris. Yes.
Mr. Clay. Mr. Harris? Okay. Mr. King, in your June 23,
2015, response to the IG's reports of investigation into the
CIO's alleged misconduct you stated, ``We found no violations
of law or regulations.'' Is that correct?
Mr. King. That is.
Mr. Clay. The U.S. Attorney's Office has also declined to
prosecute Dr. Harris and has closed its investigation. Is that
correct?
Mr. King. That is correct.
Mr. Clay. However, there may have been violations of the
standards of ethical conduct, so let's take a closer look at
the IG's findings. Ms. Winchell, the IG found that Dr. Harris
used Department email to conduct his outside business. Wasn't
Dr. Harris's misuse of emails a violation of the ethics code
prohibiting employees from using government property for
nonofficial business?
Ms. Winchell. Yes. The standards of conduct provide that
employees may not use government resources for other than an
authorized purpose. Authorized purpose is not defined by the
rules. In this context, the authorized purpose would be defined
in a department policy that permits a certain amount of
personal use of government equipment and resources.
I reviewed the record, and my review of the record was I
didn't think it was clear whether this activity was a hobby or
a business. It is true that there was a business card, it is
true that there were written proposals for A/V installations,
but it's also true that this was never formed as a business
entity, it never had a business license, it never had a
separate bank account. Several of the people that were familiar
with it referred to it as a hobby, and several people referred
to it as a business.
If it's a hobby or a personal activity, under the policy,
then, a certain amount, a de minimis amount of personal use of
government resources is permitted. My review of the record is
that there were 11 emails related to these businesses over a 3-
year period, and it seems to me that that comes well within the
boundary of de minimis.
If, on the other hand, this was considered a business, it
would be strictly prohibited under that policy to use
government resources. At the time that I gave Dr. Harris the
counseling, I advised him that it was prudent to consider any
activity that would generate income such that it needed to be
reported on a financial disclosure report as a business,
regardless of any other factors.
Mr. Clay. It sounds to me like a hobby.
Let me also say that you also found that Dr. Harris did not
report on his tax return the income he received from his car
detailing and home theater installation businesses. Ms.
Winchell, wasn't Dr. Harris's failure to report income a
violation of the ethics code requiring Federal employees to
satisfy their tax obligations?
Ms. Winchell. Well, of course it concerns me greatly when
information is omitted from financial disclosure reports, but
occasionally, employees omit information inadvertently.
In this particular case, looking at the totality of the
circumstances, I did not--it is a violation to willfully fail
to provide information. But in this case, the record reflects
that his wife actually queried a tax lawyer about whether the
income was reportable on his income taxes, and they received
advice that it was not, which I take to mean he also thought it
didn't need to be reported on his financial disclosure report.
The advice was wrong, although they relied on it, and it was
remedied after they realized it was a mistake.
Mr. Clay. Okay. Fair enough. And they corrected the record.
Secretary King, the ethics code also requires Federal
employees to avoid the appearance of impropriety. Wouldn't you
agree that any appearance of impropriety involving the
Department's officials and employees cannot be tolerated?
Mr. King. Absolutely. And that was the focus of my
counseling with Dr. Harris.
Mr. Clay. Thank you for your response.
And, Mr. Chairman, do I get any extra time?
Chairman Chaffetz. You get two gold stars for concluding on
time.
Mr. Clay. Well, thank you very much. I yield back.
Chairman Chaffetz. Your first two gold stars, I would note,
but two nonetheless.
Mr. Clay. All right.
Chairman Chaffetz. We will recognize the gentleman from
South Carolina, Mr. Mulvaney, now for 5 minutes.
Mr. Mulvaney. I thank the chairman. I thank the panel.
I have been struggling a little bit, folks, with how I
wanted to address this hearing today because the purpose in my
mind--and I only speak for myself, not for any other member and
not the chairman or the ranking member. The purpose in my mind,
Mr. Harris--and, please, several of us have referred to you
today as Mr. Harris. We mean no disrespect. It is on your name
tag, so when we can't remember your name, we look up, it is
sitting there so ----
Mr. Harris. That's quite all right.
Mr. Mulvaney.--I know you have been called--we mean no
disrespect.
I don't think--at least for me personally, the purpose here
is certainly not to try and get you fired. I think that is
important for you to know that. In fact, for me, it is not even
to drill down into the details of your car detailing business/
hobby, the audio/video, as objectionable as I may find that at
a personal level. I think it was a bad decision by you and some
bad judgment.
At some point I think I have to recognize that Congress
cannot be in the job of micromanaging the CIO position vis-a-
vis ethics at the Department of Education. We might not like
it, it doesn't make us happy, but really, not our business.
You start screwing around, Mr. King, it is a different
story, but the folks who work for you, I think we have to rely
on the process. The OIG gets involved, the ethics gets
involved, and we may disagree, disagree with the decision, but
that is not the purpose here is to second-guess, at least in my
mind, whether or not what you did was right or wrong or whether
or not the process of examining was right or wrong.
The purpose of being here is what you are responsible for
doing for the folks that we represent and the taxpayers and the
139 million people's whose records you hold. And as we
discussed last time, Dr. Harris, when you were here in
November, it is not just the ordinary stuff that I give to
Target. You have my bank accounts. That is a whole different
level of serious than when I swipe my card at the gas station
or I buy something at Target.
So I don't want us to get distracted on whether or not it
was a business or a hobby or you reported it on your taxes and
lose in that minutia the fact that this is really dangerous
stuff when it goes into the wrong hands.
So I want to pick up with where you and I were, Dr. Harris,
in November when you said something that caught my attention
and we talked about it briefly when you said it wasn't so much
a money issue that you had dealing with cyber at the DoE as it
was getting the talent. And you said, look, we are a little
tiny agency. It is not very sexy. We can't get the people. And
I asked you, I said, look, we have other good people in other
areas of the Federal Government. In other silos it is sexy. The
Air Force, for example, does a tremendous job on this. DOD
regularly does a really good job on this. There are other
agencies. What have you been able to do since November, Dr.
Harris, to try and draw on the resources available to us as a
Federal Government in order to help protect the data of these
taxpayers?
Mr. Harris. I'm very pleased to announce that, in addition
to becoming a little more aggressive in bringing in our own
talent, we have taken advantage of what digital services has to
offer. They have been in a number of times to talk to us about
best practices and help us strategize. We are moving forward
with the DHS for the CDM phase 2 project that will allow us to
put more sensors and collect more data across our ecosystem
then we've ever been able to do before. So I think from that
perspective ----
Mr. Mulvaney. Collecting data, again, this is not my area
of expertise. I am more worried about you securing the data
than collecting it. So tell me why that is relevant.
Mr. Harris. Collecting it will allow us to secure it.
Mr. Mulvaney. Okay.
Mr. Harris. It's in real time that we're able to use our
network access control and our data loss prevention that will
actually, for example, stop you from sending unencrypted and
specifically PII information outside of our ecosystem, as well
as stopping folks from coming inside.
Mr. Mulvaney. Mr. King, what have you done since we were
here last? I don't think you were here in November. I may be
wrong. But what have we done in the last couple of months to
make sure--did we get access to the talent that you need to do
this job properly?
Mr. King. We have added a new chief security officer on the
Education Department side who, to your point about military
experience, is a retired military officer who comes to us from
the Department of Defense and brings expertise on
cybersecurity. We are in the process of adding additional
talent on the Federal Student Aid side.
But we have the technology. This is a challenge across the
Federal Government of recruiting adequate talent. And where we
need to continue to invest as a country is in STEM education so
that we have a prepared cybersecurity workforce, not only that
the government needs, but that the private sector needs as
well.
Mr. Mulvaney. Dr. Harris, I will close by saying this.
While we are not here to deal with the details of your personal
situation within the agency, to the extent your activity
impacts on what people feel about working at the DoE, it
certainly is relevant, and that is why I think you are getting
all the attention today, and rightfully so.
But let me close by saying this. While we are not here
today to have anybody fired, at least in my mind, lose the data
and it is a different story. Start losing people's bank
records, and as unpleasant as this hearing may have been, it is
going to be a whole different level of unpleasant. Lose the
data and the next explanation you're going to have to give to
this committee is why you shouldn't be fired. That is as plain
as I can put it. So as reasonable as I am trying to be today in
laying out for you what we are not here to try to accomplish,
you can expect me and others to be fairly unreasonable with our
patience next time if you lose the stuff. So please, don't lose
it. Thanks.
Chairman Chaffetz. I thank the gentleman.
I now recognize the gentleman from Texas, the subcommittee
chairman on Information Technology, Mr. Hurd, for 5 minutes.
Mr. Hurd. Well, thank you, Mr. Chairman. And thank you,
Secretary King, for being with us today.
And I would like to echo some of my colleagues' good work
on the two-factor authentication. I know the difficulty of
that. And, you know, I am confident that you all are going to
get the 5 percent.
And I would also say that using the new authorities in
FITARA to get the FSA CIO under control of your own CIO is
important, and if you think there are additional authorities
that you need in order to have the right management structure
in place, we are here to help.
The one thing I would caution is saying that we are doing
great work. Let's raise our gaze, as Speaker Ryan likes to say,
and we should not be saying just implementing one part of a
larger strategy is good enough. I think we should be talking
about when 95 percent of the recommendations by the IG are
approved, that is going to be great work. When there are not
repeat findings, as you mentioned earlier today, Mr. Harris,
that would be good work.
Secretary King, has Mr. Harris been given a performance
plan since you have been in your new role?
Mr. King. When Dr. Harris was directly reporting to me, we
had a performance agreement around goals that would be
accomplished, and those goals were accomplished over the 2015
year. That is related to the progress that we've seen in many
areas of cybersecurity.
Mr. Hurd. Has he been given a progress review?
Mr. King. We met throughout the year for review of his
progress and an end-of-year conversation about the overall
performance. In each--on each of those occasions, although I
did express appreciation for the progress we were making, I
also conveyed the urgency of continued progress ----
Mr. Hurd. Great.
Mr. King.--on cybersecurity ----
Mr. Hurd. And we already said--he mentioned he got an
outstanding performance. So my question is--this is going to
you, Mr. Harris--what is EDL?
Mr. Harris. EDL, which happens to have PII, is an
investment that is an education locator. It allows the public--
it's public-facing. It allows the public to reach out to anyone
in the Department of Education that they need to reach.
Mr. Hurd. And they are putting PII information in that?
Mr. Harris. It's PII but ----
Mr. Hurd. And this is not FISMA-compliant, is that correct?
Mr. Harris. That is correct, sir. It is PII but we consider
it low level. In other words, with the name and phone number,
we consider it PII, but it certainly doesn't include Social
Security numbers, bank information. So on the one hand it does
not have an ATO, and we are pushing it to get an ATO.
Mr. Hurd. And when will you get it done?
Mr. Harris. We're looking for the end of next quarter.
Mr. Hurd. Great. Fifty-four software programs that you all
are using are no longer supported by the vendor. Why is that?
Mr. Harris. To a large degree, many of these systems owners
of these tools, sometimes it's an OS, sometimes it's an
application or middleware, simply didn't have the funding to
upgrade them or, from a mission perspective, decided that it
wasn't ----
Mr. Hurd. So what do you need to do in order to fix that
problem?
Mr. Harris. We are looking to do three things. We're
looking to either upgrade or retire 90 percent of those by
June. The remaining will have to have documentation that says
the Department of Education accepts the risk. We will
absolutely not allow anyone to sit out there and just say,
well, we'll do it at some point.
Mr. Hurd. Secretary King, if that is accomplished by June,
I would say that is a pretty significant achievement. Secretary
King--and I am not trying to be coy here--do you know what
COBOL is?
Mr. King. Yes.
Mr. Hurd. Okay.
Mr. King. I'm not familiar with the technical details of
the coding language but I ----
Mr. Hurd. It is coding language.
Mr. King.--but I am aware of what COBOL is.
Mr. Hurd. It was old even when I was going through
university in programming.
Mr. Meadows. I take exception to that, Mr. Hurd.
Mr. Hurd. And you all have over one million lines of code
on that. However, we were told at the last hearing on November
17 that the Department of Education does not use COBOL. Is that
correct, Mr. Harris?
Mr. Harris. And I was referring to outside of the FSA
ecosystem, and that is why I said we don't use it. I wasn't
talking about FSA, to clarify.
Mr. Hurd. So now that FITARA is giving you more authorities
in which to oversee FSA, what is your plan with getting rid of
COBOL?
Mr. Harris. It's a good question, and based on the
information I'm provided, COBOL is old; however, the latest
version is considered secure. It has all the patches. From a
business perspective, FSA is indicating--the FSA CIO is
indicating that their business decision is to stay on the
current version of COBOL and continue to keep it updated.
I do want to engage the CIO at FSA about moving away from
COBOL not because the software version is insecure but because
the talent necessary to manage that platform is, as you can
imagine, dwindling.
Mr. Hurd. And I want to echo my colleague from South
Carolina's comments, in months from now if these 54 programs--
we don't have a plan on getting rid of them, if we don't have
100 percent achievement on two-factor authentication, you know,
we should be asking larger questions here. And with great
responsibility comes great accountability, and we are going to
make sure you have all the tools you need to get the job done
and we are going to hold you accountable.
I yield back.
Chairman Chaffetz. I thank the gentleman.
I now recognize the gentleman from North Carolina, Mr.
Meadows, for 5 minutes.
Mr. Meadows. Thank you, Mr. Chairman.
Dr. Harris, let me come to your opening statement. In your
opening statement, and I quote, ``Others viewed my conduct as
questionable.'' So I guess the fundamental question here today
is if others viewed it, did you view your conduct as
questionable?
Mr. Harris. Congressman Meadows, I would not waste any more
of your time suggesting that my behavior represented poor
judgment. After talking with the IG ----
Mr. Meadows. So your action is questionable.
Mr. Harris. Talking with the IG, after all the
interventions with leadership, in hindsight, absolutely, I--
poor judgment.
Mr. Meadows. All right.
Mr. Harris. I make no excuses.
Mr. Meadows. All right. So, Ms. Winchell, I would believe
that you take ethics pretty seriously given your job, is that
correct?
Ms. Winchell. That's correct.
Mr. Meadows. So when you hear a complaint, you get on it
right away, is that correct?
Ms. Winchell. Yes.
Mr. Meadows. And so no time lapses between when you hear
about it and you work towards remedy?
Ms. Winchell. Well, we would evaluate the allegation and
try to obtain as much relevant information before we took
action, but yes ----
Mr. Meadows. Okay.
Ms. Winchell.--we would try to do that as swiftly as
possible.
Mr. Meadows. Sure. Mr. King, is that your testimony as
well, you take it real serious?
Mr. King. Absolutely.
Mr. Meadows. Okay. Can either of you, Ms. Winchell or Mr.
King, explain to me why the inspector general gave you a report
on April of 2013 and they had to do a follow-up 2 years later
and said that they had never heard from anybody? Why would that
be?
Mr. King, you may want to answer since it was directed to
you on March 23 of 2015. In response it says, ``To date, we
have not received a response from the Office of the Deputy
Secretary concerning the findings that they gave on April 2 of
2013.'' Why would they have not had response in 2 years ----
Mr. King. When I ----
Mr. Meadows.--if you take it serious?
Mr. King. When I joined the Department in January of 2015,
the IG explained that there was an addendum to the report that
was forthcoming ----
Mr. Meadows. But that is not what this is saying. I am
going back to the original report when they put in the report
on April 2 of 2013. You know what they heard from you guys?
Crickets, not a single dadgum response.
Ms. Winchell, you want to respond to that?
Ms. Winchell. Well, I can't speak for why the Office of the
Deputy Secretary didn't respond to the IG, but I can tell you
that we met in the Office of the General Counsel to consider
the report I think in--I think we were--in April, in the March/
April time frame in 2013. And at that time we understood from
the IG that the offending conduct had ceased. But we also
understood ----
Mr. Meadows. How did you figure that out?
Ms. Winchell. I don't ----
Mr. Meadows. Who talked to Dr. Harris?
Ms. Winchell. I ----
Mr. Meadows. Because you didn't talk to him, according to
your note ----
Ms. Winchell. Right.
Mr. Meadows.--until a year later, and you take everything
real serious, and yet, according to your memo, you didn't talk
to Dr. Harris until March 12 of 2014, almost a year after the
IG submitted a request. Why would it take a year?
Ms. Winchell. Well, we were--we were waiting for the
feedback from the U.S. Attorney's Office to see what--if any
action that they were going to take on these. We understood
that the conduct had ceased actually in ----
Mr. Meadows. How did you ----
Ms. Winchell.--fall of ----
Mr. Meadows. How did you understand that?
Ms. Winchell. Pardon me?
Mr. Meadows. Did you go and talk to Dr. Harris?
Ms. Winchell. I understood it from the IG.
Mr. Meadows. Well, now ----
Ms. Winchell. I--it was in my notes ----
Mr. Meadows.--hold on, hold on, hold on just a second. You
understood from the IG's report and ----
Ms. Winchell. No, I didn't--I don't--I ----
Mr. Meadows. And they were waiting for a response ----
Ms. Winchell. It's in my notes ----
Mr. Meadows.--from you.
Ms. Winchell. It's in my notes that, at the time that we
had these conversations that the conduct had ceased.
Mr. Meadows. So ----
Ms. Winchell. I did not talk to Mr. Harris personally.
Mr. Meadows. So you are in charge of ethics ----
Ms. Winchell. Yes.
Mr. Meadows.--and you are taking somebody else's word that
the conduct has ceased a year later?
Mr. King. My understanding is that Deputy Secretary Miller,
after receiving the initial IG report, consulted with the
Office of General Counsel and spoke directly with Dr. Harris
giving Dr. Harris counseling.
Mr. Meadows. And said it was okay?
Mr. King. No. Giving him counseling that there was a ----
Mr. Meadows. Now, how is that your understanding? Did you
talk to Tony Miller about that?
Mr. King. That's my understanding from the staff, the
Deputy Secretary's Office ----
Mr. Meadows. Okay. Well ----
Mr. King.--overlapped between Deputy Secretary Miller and
----
Mr. Meadows. Mr. King, let me tell you what is troubling
here. I don't know if Dr. Harris's actions are the most
troubling or your cover-up of it is the most troubling, Mr.
King, because let me tell you the concern I have. Everybody can
make a mistake, but the minute that it was put forth by the IG,
everybody, Ms. Winchell and Mr. King, you should have been all
over this and saying that this is a problem.
And let me tell you the reason why I am so concerned. I
have been visiting Federal employees, and you know what I
constantly hear is that there is a double standard for the
people at the top and the rank-and-file Federal workers. And
today, listening to this testimony, I tell you, I hope they are
not watching because they would use a different word for a
bovine waste than what is used here.
Mr. King. Congressman, I just want to be clear that I took
this incident very seriously. I started with the Department --
--
Mr. Meadows. No, you haven't because your responses ----
Mr. King.--in January of 2015 ----
Mr. Meadows.--I would disagree, Mr. King, because your
responses indicate that nothing has happened in terms of
retribution. No one has been fired. In fact, you approved a big
bonus for Dr. Harris. There has been no consequences so that --
--
Mr. King. I disagree. There's--there have been four
counseling ----
Mr. Meadows. What are the consequences?
Mr. King. There have been four counseling sessions ----
Mr. Meadows. Okay. So his ----
Mr. King.--two with the prior deputy ----
Mr. Meadows.--consequence is that ----
Mr. King.--secretaries ----
Mr. Meadows.--he has had counseling sessions?
Mr. King. Had counseling sessions, corrected the behavior.
The behavior ended in 2013, fully 2 years before I joined the
Department ----
Mr. Meadows. And how do you know that?
Mr. King. Based on the findings of the IG addendum ----
Mr. Meadows. But how do you know that?
Mr. King. The IG--the IG completed the investigation and
provided an addendum ----
Mr. Meadows. But the IG said ----
Mr. King.--in March of 2013.
Mr. Meadows.--it was a business. The IG said it was a
business, and Ms. Winchell disagrees. And with the indulgence
of the chair, I will finish with this. President Obama sent an
Executive order just a few weeks ago on Second Amendment. The
guidance with that said that if you have a business card, you
are in the business of selling firearms. So in light of that,
Ms. Winchell, is the President wrong or are you wrong?
Ms. Winchell. I still think that, according to the
information in the report, it is not clear whether this was a
business or a hobby at the time that I reviewed the report.
Mr. Meadows. Everybody else is very clear.
I yield back.
Chairman Chaffetz. Thank you.
I will now recognize myself.
Ms. Bruce, how long have you been in the Inspector
General's Office?
Ms. Bruce. I've been working--doing this kind of work for
over 30 years. I've been in specific Office of Inspector
General for the last 20.
Chairman Chaffetz. And to the best of your recollection
just in general, how many criminal referrals have you been
involved in and engaged with during that time?
Ms. Bruce. Well, I was an auditor, so I wasn't specifically
in investigations, so I wouldn't have been involved with those
types of things.
Chairman Chaffetz. But since you have become ----
Ms. Bruce. The deputy inspector general?
Chairman Chaffetz.--more senior--yes, how many have you
seen? How many have been coming out of the Office of Inspector
General?
Ms. Bruce. I would definitely have to get back with you on
that. I ----
Chairman Chaffetz. But it is a handful, right? This is not
something that happens week in and week out.
Ms. Bruce. So when you said criminal investigations, you
mean ----
Chairman Chaffetz. Oh, criminal referrals to the Department
of Justice.
Ms. Bruce. Oh, criminal referrals? Well, we have many
criminal referrals to the Department of Justice because we
don't know whether it's going to be tried criminally, civilly,
or administratively. So we have plenty of those.
Chairman Chaffetz. And so when you do that, you have come
to a finding that you believe is fairly serious. If we could
put up the slide of the potential violations here.
[Slide.]
Chairman Chaffetz. So this is the slide of the potential
violations coming out of the IG to the Department of Justice.
Now, the Department of Justice didn't come to a conclusion and
say you are absolutely wrong. They just decided not to
prosecute, correct?
Ms. Bruce. That's correct. The Department of Justice
declined prosecution in favor of administrative remedies.
Chairman Chaffetz. So we can take that slide down.
Mr. King, this is one of the problems. Because the
Department of Justice believes that you as the Acting Secretary
have the ability within your realm to enact the remedies, they
decide not to prosecute. Don't come before this committee, as I
believe you did, to try to infer that because there was no
prosecution, there was nothing wrong there.
Are you telling me, Mr. King, that Ms. Bruce and the
inspector general is wrong on all 12 of those, not even the
standard of breaking the law, but as you said, you have listed
out, ``no violation of law, regulation, policy, or ethics''?
Mr. King. The IG doesn't make a conclusion. They provide
findings. The general counsel then reviews those findings. They
were ----
Chairman Chaffetz. And they make ----
Mr. King. And they made a recommendation ----
Chairman Chaffetz.--a recommendation to?
Mr. King. They make a recommendation to me.
Chairman Chaffetz. Yes.
Mr. King. To--in this case, it'd be my ----
Chairman Chaffetz. And you are the final ----
Mr. King.--predecessor and to my predecessor's predecessor.
In each case we took it seriously. We provided counseling. The
conduct that was in question stopped in 2013.
Chairman Chaffetz. What is it that Mr. Harris did--and I
want to explain the reason why I think this is so vital. We
have thousands--how many people at the Department of Education?
How many people work at the Department of Education?
Mr. King. More than 4,000 employees.
Chairman Chaffetz. Okay. Mr. Harris gets a $15,000 bonus.
You probably didn't hand out a whole lot of those, but a lot of
people didn't get bonuses, and probably most didn't get those
high of bonuses. They work hard, they care, they are doing
things right. They don't need counseling sessions. They don't
need inspectors general to come in and interview them. They
don't need to have a Department of Justice review their file.
And put up the scorecard again.
[Slide.]
Chairman Chaffetz. This is an objective. This isn't
Congress. This is not some Republican or Democratic thing.
``Best places to work'' category is the change between 2014 and
2015, every single key metric is down, every single one. And it
is listed as one of the worst places to work, and your turnover
rate is near 10 percent.
So, Mr. King, what--you can take that slide down--what is
it that Mr. Harris did that justifies pulling money out of the
taxpayers' pocket and giving him a $15,000 bonus?
Mr. King. In the evaluation for 2015 is based on the
totality of performance. Yes, employee morale is very important
to us, but it is also very important that we made progress on
cybersecurity. As I indicated, we went from 11 percent at level
4 two-factor ----
Chairman Chaffetz. Can I stop you right there, please? You
scored an F in what you self-reported. The Office of Management
and Budget put out a cyber sprint. You were one of, I think,
three or four agencies that scored a negative. Everybody else
bolted ahead. So ----
Mr. King. Over the course of the 2015 year we went from 11
percent to 95 percent, making dramatic improvements. We are
also ----
Chairman Chaffetz. And every single metric was negative,
every single one. The problem is Mr. Harris has been in
charge--you can say, well, it was so bad at 11 percent that we
had such great improvement. The problem is he has been in
charge since 2008. It is not like he just inherited this and he
hasn't had a few months to fix it. What specifically did Mr.
Harris do to justify the Congress appropriating people's money,
$15,000?
Mr. King. Again, cybersecurity is one aspect of his
performance, but on cybersecurity he co-led an effort with our
FSA CIO that involved amending nearly 60 contracts in order to
ensure that all of our external vendors are at level 4 two-
factor authentication. We made dramatic progress there. We are
resolving FISMA audit findings, and we're making progress on
cybersecurity. We also have a variety of other technology
efforts: replacing outdated technology systems, improving
services to employees. The overall performance of the CIO in
2015 was strong.
I can't speak to prior evaluations of Dr. Harris's
performance. What I can speak to is the progress that we've
made since I joined the Department in January 2015.
Chairman Chaffetz. Again, you are looking at an inspector
general report that comes out midyear, criminal referrals,
every single metric is down, 10 systems still to this date with
expired authorities to operate, one has PII information, 54
unsupported software systems. You have an inspector general who
can go in there undetected into the system. You have the 139
million Social Security numbers and this guy gets a bonus. This
is why we have zero confidence in you personally, zero.
Now, I want to ask a few more things because I am telling
you, this bothers me to no end. Mr. Harris, you gave a loan to
one of your employees, correct?
Mr. Harris. Correct.
Chairman Chaffetz. Has that been repaid?
Mr. Harris. Yes, it has.
Chairman Chaffetz. When?
Mr. Harris. It was years ago. I don't have the exact date
but I can get you that.
Chairman Chaffetz. You listed two other jobs that you
currently also have, right? You teach, correct?
Mr. Harris. That is correct.
Chairman Chaffetz. How much time does that take?
Mr. Harris. I teach at night and I do it on my own time.
And if I may, in context ----
Chairman Chaffetz. Yes.
Mr. Harris.--talk about my role as CIO. My average day is
12 hours, and my superiors and colleagues and customers call me
all times of the night and weekends. If you look at my leave
balances, I am rarely away from the Department. So, yes, I do
work a lot, but I am very passionate and very serious about my
job.
Chairman Chaffetz. What is the other job that you have that
generates income? There is another one.
Mr. Harris. I just teach. That's it.
Chairman Chaffetz. But you had before. You were working for
the city of Detroit, correct?
Mr. Harris. I did a short consulting stint with Detroit,
both the city and the school system, in a different year.
Chairman Chaffetz. And how much time did that take?
Mr. Harris. Very little. I would be in Detroit maybe once
every other month and then I would work remotely. I was simply
consulting them on their IT strategy, so very little.
Chairman Chaffetz. Ms. Bruce, let's go back to this. Does
the inspector general's office believe that this was a business
or a hobby?
Ms. Bruce. The Office of Inspector General found business
cards, a logo, paid employees. We do believe that it's a
business.
Chairman Chaffetz. And were those paid employees
subordinates of Mr. Harris?
Ms. Bruce. Yes, they were.
Chairman Chaffetz. Is that a violation of policy? I am
asking for your professional opinion here.
Ms. Bruce. So when you say violation of policy, I will
answer it this way. When you speak of 5 C.F.R. 2635, 5012 701,
702, and 704, you have to make sure that you're not giving the
appearance of impartiality or misuse of position.
Chairman Chaffetz. Mr. Harris, who is Christopher
Claiborne?
Mr. Harris. He works in the CIO organization.
Chairman Chaffetz. So he works for you?
Mr. Harris. He is several layers under me, but he works in
the organization. I do not supervise him.
Chairman Chaffetz. He is in your organization. You are the
boss, right? If you came into his office and said do this,
would he do it?
Mr. Harris. I do not supervise him.
Chairman Chaffetz. Come on. Seriously? He works where? His
title, as best I can tell, Christopher Claiborne--and I don't
mean to bring him into this. I am sure he is a nice guy, but I
am sorry to have to invoke his name here, but you are just not
being candid with us. He is an operations manager, Office of
the Chief Information Officer, correct?
Mr. Harris. That is correct. I just wanted to be clear that
I don't supervise him directly.
Chairman Chaffetz. Have you asked him to do work for you?
Mr. Harris. I have not. He has always asked me to be
involved.
Chairman Chaffetz. In what?
Mr. Harris. If I had a project that I was doing and he
wanted to learn, he would ask me.
Chairman Chaffetz. In your outside business was he
involved?
Mr. Harris. I didn't have an outside business. It was a
hobby.
Chairman Chaffetz. So when he sends this email dated
November 6, 2009, saying ``If you have time, I'd like to talk
to you about one. This is a million-dollar home in Beech Tree
I'd like us to complete''--talking about leather chair
recliners for a theater, complete theater, complete bar area. I
can go on. ``I sent you pictures.'' He is doing all that.
You're just telling me--how does that come about? He is just
involved with you in a hobby.
Mr. Harris. Absolutely.
Chairman Chaffetz. Really?
Mr. Harris. It's something we enjoy doing.
Chairman Chaffetz. And you are his boss? You are ultimately
in his office?
Mr. Harris. Yes.
Chairman Chaffetz. Mr. King, do you think this is
acceptable?
Mr. King. Again, after reviewing all of the information --
--
Chairman Chaffetz. Well, I am asking you about ----
Mr. King. Again, after reviewing all of the information
that was provided, there was not a violation of regulation or
law or policy. I was, however ----
Chairman Chaffetz. Or concerned?
Mr. King. I was, however, concerned about the appearance
of--potential appearance of impropriety and counseled Dr.
Harris to that effect, as did my predecessor and my
predecessor's predecessor, as did our ethics officer. And as
we've discussed previously, the activities ended in 2013.
Chairman Chaffetz. Was it unethical when it was happening
at the time if nobody said it and it was continuing today? Is
that unethical?
Mr. King. Again, it was a lapse in judgment, and I
counseled Dr. Harris ----
Chairman Chaffetz. But what ----
Mr. King.--to that effect.
Chairman Chaffetz. So good judgment would have said he
wouldn't have done that. Unethical judgment would have said--
where is the line here? Come on. You have got 4,000 employees.
They are all watching this hearing. Explain to somebody who is
there and says, you know, my boss has a business and a hobby
and, you know what, I bet if I helped them make money, that
might help me. Is that a reasonable conclusion?
Mr. King. Where there's an appearance of impropriety, it is
bad judgment. I counseled Dr. Harris ----
Chairman Chaffetz. What if there is ----
Mr. King.--to that effect.
Chairman Chaffetz. What if there is actual impropriety?
Mr. King. In this case, based on the findings of the IG
report that were provided to our Office of General Counsel and
our review of those findings, the review that was conducted by
Deputy Secretary Miller and then by Deputy Secretary Shelton,
by Ms. Winchell, and then my review of their findings, there
was not a violation here of law or regulation or policy. There
were lapses in judgment. Dr. Harris was counseled on those
lapses of judgment four separate times, and the behavior, the
activities ended.
Chairman Chaffetz. You really think that Ms. Bruce and the
Office of Inspector General need a criminal referral because
they believed there was no violation of law, regulation,
policy, or ethics?
Mr. King. They provided information to the Department of
Justice, and the Department of Justice chose not to proceed
based on the information they received. That's what was
summarized in the addendum that I received in March of 2015.
Chairman Chaffetz. I will now recognize Ms. Plaskett for as
much time as she would like.
Ms. Plaskett. That is very generous of you, Mr. Chairman. I
won't forget that. Thank you.
I just wanted to go back and ask some more questions. And
this is really about the past conduct, the allegations
concerning the past conduct. Ms. Winchell, in your testimony on
today's hearing you stated that in the time you reviewed the
inspector general's 2013 report, your understanding was that
the activities had already ceased and that the matter had been
referred to the U.S. Attorney's Office for investigation. Is
that correct of your understanding at the time ----
Ms. Winchell. That's ----
Ms. Plaskett.--you reviewed the inspector general's April
2013 report?
Ms. Winchell. That's correct.
Ms. Plaskett. Okay. And, Dr. Harris, had you stopped the
activities at issue before the IG issued the April 2013 report?
Mr. Harris. Yes. My last--the last activity I had was 2012.
Ms. Plaskett. Last activity? What would that activity have
been?
Mr. Harris. My hobbies.
Ms. Plaskett. Okay. And that would have been the detailing
and the home technology--the theater ----
Mr. Harris. That is correct. I still detail but I do not
accept compensation. It's still a hobby of mine.
Ms. Plaskett. Okay. And I understand that you had--and then
going back to a contract with E Source Technologies, it is our
understanding that you have a personal relationship with the
president of that company, a contractor for the Department. And
the IG's report references a contract awarded in 2004. What was
your position in 2004 with the Department of Education?
Mr. Harris. In 2004 I was the deputy CFO, and I was not a
personal friend of that vendor then. I knew him. I knew of him,
as I do other vendors, but I was not a personal friend.
Ms. Plaskett. And were you involved in the procurement or
the contracting as the deputy CFO in 2004?
Mr. Harris. I may have sat on the panel, but I did not
select the vendor.
Ms. Plaskett. What does ``sitting on the panel'' mean?
Mr. Harris. You simply review what the vendors provide.
Ms. Plaskett. You are reviewing and then discussing with
the others on the panel your recommendation or ----
Mr. Harris. That is correct.
Ms. Plaskett. Okay. So you were part of the group that made
recommendations to the ultimate contracting, but you say you
were not a personal friend ----
Mr. Harris. That is correct.
Ms. Plaskett.--in 2004?
Mr. Harris. That is correct.
Ms. Plaskett. When did you consider yourself a personal
friend?
Mr. Harris. Approximately 2008 when I moved into the same
area where the vendor lives.
Ms. Plaskett. And did you have any contact with the vendor
between 2004 and 2008?
Mr. Harris. I'm sure I saw him as a result of him having
business at the Department, but I didn't--our families weren't
friends. We didn't travel together. We didn't ----
Ms. Plaskett. So you did that after 2008 when you say you
traveled ----
Mr. Harris. After 2008, yes, we became friends.
Ms. Plaskett. You traveled together ----
Mr. Harris. Absolutely.
Ms. Plaskett.--your families?
Mr. Harris. Absolutely. We were friends.
Ms. Plaskett. And that friendship was started because you
moved into the area or he moved into the same area?
Mr. Harris. I moved into the same area and we realized that
we lived in the same area because we ran into each other in the
area.
Ms. Plaskett. Okay. And then, Ms. Winchell, in your
testimony you stated that ``It's not clear that a close
personal friendship had formed at the time Dr. Harris was
involved in activities relating to the owner's company.''
Ms. Winchell. That's correct.
Ms. Plaskett. Can you elaborate on that? What did you mean
by that?
Ms. Winchell. Well, you know, we all create friendly
relationships at work, and the way the rule works--actually,
the rule doesn't include friendship as the kind of relationship
that necessarily gives rise to a conflict. And OG--the Office
of Government Ethics did that fairly deliberately. They provide
a process that you can go through to evaluate whether the
friendship would give rise to an appearance of a conflict of
interest, basically evaluating whether a reasonable person
would question your impartiality if you were to work on a
matter involving that individual.
So when I'm looking at these questions--and employees do
call me from time to time about whether or not they should work
on something that involves a friend. I'll ask them a series of
questions like have you gone on vacation with this friend? How
long have you known them? You know, sometimes you have people
that meet their significant others, and technically this rule
doesn't apply to them until they're actually sharing a
household. But obviously, that's an important thing to know.
The report of investigation, the only evidence there is in
the report of a close personal friendship is when the vacations
occurred, which was, I believe, in ----
Ms. Plaskett. So ----
Ms. Winchell.--and--in or around 2010.
Ms. Plaskett.--before people go on vacations together,
they're usually eating and socializing ----
Ms. Winchell. Right.
Ms. Plaskett.--and everything else before you to rise to
the occasion that I think ----
Ms. Winchell. Absolutely.
Ms. Plaskett.--I can go on a personal vacation.
Ms. Winchell. That's true. But there's no ----
Ms. Plaskett. So you don't think that there was a personal
relationship before they went on a vacation?
Ms. Winchell. Well, I think there probably was, but there's
no evidence of that except in ----
Ms. Plaskett. Did you ask the questions?
Ms. Winchell. Well, Dr. Harris has said on several
occasions that the close personal friendship started in 2008.
Ms. Plaskett. Did you ask the questions?
Ms. Winchell. I did not ask that question at that time
because I didn't know ----
Ms. Plaskett. So the series of questions that you ask
employees when they call and ask ----
Ms. Winchell. Correct.
Ms. Plaskett.--do I have a personal friendship, when you
were looking into this, did you ask him those personal
questions ----
Ms. Winchell. I ----
Ms. Plaskett.--those series of questions?
Ms. Winchell. I did not ask those questions at the time.
Ms. Plaskett. So you just took his word for when that
personal friendship began?
Ms. Winchell. Yes, I did.
Ms. Plaskett. Did you think in hindsight--does that make
sense now? I mean, I have been an ethics ----
Ms. Winchell. Well ----
Ms. Plaskett.--counsel.
Ms. Winchell. Right.
Ms. Plaskett. I was counsel on the House Ethics Committee
----
Ms. Winchell. Okay.
Ms. Plaskett.--and I think I would have gone back and
looked because I don't want the employee to get into trouble.
Ms. Winchell. Right.
Ms. Plaskett. Not that I am just trying to cover myself,
but that I don't want him to get into trouble.
Ms. Winchell. I certainly appreciate your point, and I
think at the time my thought process was that the friendship
had ended, so I wasn't concerned about the ongoing implications
of that friendship. But I think you are making a valid point.
Ms. Plaskett. And so if you were to ask those questions
now, do you think there may have been some overlap in time
period when there was a personal friendship and he had
involvement with this so that the 2013 date may not be the hard
date that we should be looking at?
Ms. Winchell. Well, I don't--the hard date that I was
looking at for when the friendship became a close personal
friendship was 2008 to 2010, and the activity involved in his
participation in the contract was prior to that time.
Ms. Plaskett. Okay. And why did you say his activity was
prior to that time? Does he not still ----
Ms. Winchell. Because ----
Ms. Plaskett.--have an ongoing contract with the Department
of Education?
Ms. Winchell. He may have--there may be an ongoing
contract, but there's no ongoing friendship at this point. In
order for the appearance problem to exist, there has to be
both, you know--the rules are about--this particular rule is
about whether or not you have a personal interest or friendship
on one hand and an official duty on the other hand. And at this
point in time the friendship doesn't exist. And as I understand
it, he also doesn't participate in these contracts.
Ms. Plaskett. The president of the company no longer
participates in the contracts?
Ms. Winchell. No, Danny--Dr. Harris no longer participates
in the--does not participate--doesn't have a role in the
implementation of the contracts.
Ms. Plaskett. Ms. Bruce, do you--and you know that--Ms.
Winchell, how do you know that?
Ms. Winchell. Well, the only participation that's detailed
in the report is from 2004, 2005, 2006.
Chairman Chaffetz. If I can ----
Ms. Plaskett. Yes.
Chairman Chaffetz. If the gentlewoman would yield, there
are still contracts that this company has that you have a
responsibility for, right? I mean, you are the CIO. They are
contracts with the Department of Education regarding CIO
issues.
Mr. Harris. But I do not have responsibility for the
acquisition process ----
Chairman Chaffetz. How can you claim you don't have a
responsibility when you are the chief information officer?
Those contracts are still outstanding, Ms. Winchell. They are
still there. They are still in place. They still get money from
the American taxpayer via the Department of Education ----
Mr. Harris. Sir, if I ----
Chairman Chaffetz.--correct?
Mr. Harris. If I may, the way the Department is organized,
and most agencies are organized this way, when it comes to
acquisition, not just the selecting of vendors but the payment
of those vendors, that is completely removed from the CIO's
organization. It is purposeful. There is a firewall between me
and any contract activities. And so I can't influence in any
shape, form, or fashion.
Now, as CIO, I do set IT strategy but I do not select
vendors, products, or services.
Chairman Chaffetz. But you did, according to the inspector
general, previously engage in the selection. According to the
inspector general, there was one contract where another
company's proposal was ``significantly greater than the
proposed by other offerers.'' And that the IG writes that the
decision was changed to go to your friend William Hall's
company ``based at least in part on input from Mr. Harris.''
Mr. Harris. That had to have been 2004, and I had no
friendship with that individual.
Chairman Chaffetz. You have gotten promoted since, then,
and the contracts continue. So to say that you have no
interaction, no responsibility, you are the chief information
officer. This is the ethical problem that it then presents
because you did help him get this contract.
Mr. Harris. I'm sorry. I disagree, sir. I'm sorry.
Chairman Chaffetz. You are the CIO, and they are a vendor.
How do you not have responsibility for that?
Mr. Harris. The firewall that is created on purpose with
the contracting organization and the rest of the Department,
including CIO, and especially CIO when it comes to IT
contracts, I am completely removed from and had no authority or
influence on that process. That is the way we are organized,
and most agencies are organized that way.
Ms. Plaskett. So you have no input on whether or not they
are effectively carrying out the contract that involves
information services?
Mr. Harris. That is correct.
Ms. Plaskett. You don't send reports or anything to say
this relationship--this contractor is performing the duties
that I need for my job correctly or incorrectly?
Mr. Harris. That is the contracting officer
representative's job.
Ms. Plaskett. And when does ----
Mr. Harris. That is not my job.
Ms. Plaskett. Where does the contracting officer get that
information from?
Mr. Harris. They get it from the project manager and the
people working with the vendor, but they would not get it from
me.
Ms. Plaskett. And the project manager and the people
working with the vendor would be your employees?
Mr. Harris. That is correct.
Ms. Plaskett. And would any of those employees be the
people who worked for you on your hobby?
Mr. Harris. No.
Ms. Plaskett. Were they people who report directly to you
and give you information about whether the contract was being
performed properly or not?
Mr. Harris. They would provide me briefings on the status
of our various ----
Ms. Plaskett. And you have no input or say into whether or
not that is yea, nay, okay, sounds good ----
Mr. Harris. That is correct.
Ms. Plaskett.--let's continue?
Mr. Harris. From a contractual perspective, that is
correct.
Ms. Plaskett. Wait a minute. So you are saying that when
your employees give you reports, you don't have anything to say
about it?
Mr. Harris. I would provide my input, but I don't make
contractual statements.
Ms. Plaskett. But you provide the input that then goes back
to the contractual people who are determining whether or not
this has been performed properly or not?
Mr. Harris. I think that's an accurate statement.
Ms. Plaskett. So you are in some measure involved in this,
whether it be from you stating that the contractor has
performed or not performed the work of the contracts properly?
Yes ----
Mr. Harris. I would still say that I am removed from the --
--
Ms. Plaskett. Wait, but that is yes or no. That is yes or
no.
Mr. Harris. I would still say I am removed from the
acquisition process.
Ms. Plaskett. I didn't ask you about the acquisition. I am
asking you if, as the CIO and the reports for the contract come
to you, if you have any input in whether or not those are being
performed properly or not.
Mr. Harris. Yes.
Ms. Plaskett. Thank you. So in stating that, are there
additional steps that you believe Ms. Winchell, Secretary King,
that should be taken to ensure that possibly we need to look at
this a little further because it appears that when the IG made
the report, you took it at face value what the IG said and
didn't do your own digging in this, Ms. Winchell.
Ms. Winchell. Well, I do rely on the IG report. That's
true. I assume that they do a full and thorough investigation.
So I did rely on the report. I don't do a separate
investigation. I don't have authority to do investigation and
have actually been instructed not to investigate wrongdoing
because it can interfere with the IG's ability to do their job.
Ms. Plaskett. But when you are counseling, these counseling
sessions ----
Ms. Winchell. I do ask questions.
Ms. Plaskett.--you didn't think it was appropriate to speak
with Danny on a more deeper level about what he was and was not
doing?
Ms. Winchell. I did speak to him on a fairly deep level
about how the rules apply to personal friendships, how they
apply to relationships with subordinates, and also misuse of
position and misuse of government equipment. We had quite--
we've actually had two lengthy conversations about that over
the course of the last few years focused specifically on the
concerns raised in the report.
Mr. King. Congresswoman, if I might, I think ----
Ms. Plaskett. Yes.
Mr. King.--what you are raising is exactly the issue of
appearance of impropriety on which Dr. Harris was counseled by
Deputy Secretary Miller, then Deputy Secretary Shelton, and by
me to the reason, my understanding, that he ended the
relationship entirely in 2013 so that there would not be an
appearance of impropriety.
What is clear, though, on the sequencing of the contracting
is that the only findings that the IG had was that the personal
friendship began in 2008. These contract matters occurred in
2004. But again, in order to ensure that there is no appearance
of impropriety, he was counseled on these matters and ended the
relationship in 2013.
Ms. Plaskett. But, Secretary King, you have an enormously
important job. Your job is to educate the American children,
our future. And you don't have time to be dealing with stuff
like this. But what I am finding in this hearing that is really
disturbing is that it has taken all of these other Members of
Congress questioning Dr. Harris and going through this with a
fine-tooth comb to find out that a lot of the statements that
he has made in an IG report really don't cover up the entire
truth of what was going on. To say that he was not involved in
the requisition of the contract is correct after 2004, but to
say he had no say and involvement in the contract is not a true
statement.
And I think--that is not incumbent on you, sir. That is
incumbent on Ms. Winchell, Dr. Harris to be telling us the
complete truth of it and not just concerned about making
himself look like he had a hobby and was not so involved in the
contracting with the personal relationship. That is what is
disturbing to me because this is not your job to do. This is
Ms. Winchell's, this is the IG, this is those counsel that you
relied on to ask these more substantive questions, and
obviously, unfortunately, almost cross examination of Dr.
Harris to get to the truth of the matter.
Chairman Chaffetz. I now recognize the gentleman from North
Carolina, Mr. Meadows.
Mr. Meadows. Mr. King, so let me make sure I am clear. Your
testimony here today is that there has been no ethical breach
by Dr. Harris? That is your testimony?
Mr. King. That there has been no violation of law or
regulation or policy of the Department ----
Mr. Meadows. Yes, you keep going back to that. Is that what
the general counsel told you to respond every time you were
asked a direct question is to respond with that? Is that what
your counsel ----
Mr. King. That's my response to the question I was asked.
Mr. Meadows. So there is no ethical challenge?
Mr. King. Again, there is no violation of the law or
regulation ----
Mr. Meadows. Okay.
Mr. King.--or policy of the Department.
Mr. Meadows. If that is the case, I have got good news for
you, Mr. Harris. You can go back to doing whatever you darn
well please because what he is saying is there is no violation.
Mr. King. Congressman, respectfully ----
Mr. Meadows. No, that is what you are saying.
Mr. King. No, respectfully, what I am saying ----
Mr. Meadows. That is a circular reasoning.
Mr. King.--is that--no. It's ----
Mr. Meadows. You are saying it is not. Why did you stop,
Dr. Harris? If there was no violation of ethical standards, why
did you stop?
Mr. Harris. In hindsight and after getting counseling, I
realized the appearance is not good.
Mr. Meadows. All right. So let me ask you this, Mr. King.
Why did three different Secretaries counsel Dr. Harris? If the
first one took, why was there a need for a counseling of the
second one? Why is there a need for the third one?
Mr. King. The evidence of those activities ----
Mr. Meadows. If it was done on 2013 according to your
testimony, everything was over, why did everybody keep
following up with Dr. Harris? If there is no violation of
ethics or anything else, why would you have embarked to counsel
him again?
Mr. King. The evidence is that the initial counseling was
effective and that the initial counseling was effective and
that the activities ended in 2013.
Mr. Meadows. So why did you waste your time?
Mr. King. But both my predecessor and I believe that high
ethical standards are of the upmost importance and ----
Mr. Meadows. So he did violate ethical standards?
Mr. King.--also the importance--and wanted--no, and wanted
to convey, wanted to convey ----
Mr. Meadows. You can't have it both ways, Mr. King. You
can't have it both ways.
Mr. King. Again, we wanted to convey to Dr. Harris that
there could not even be the appearance ----
Mr. Meadows. Let me tell you what you are conveying ----
Mr. King.--of impropriety.
Mr. Meadows.--to the American people. Let me tell you what
you are conveying to the American people, and more importantly,
to the 4,000 workers at the Department of Education, is that
you can bend the rules; it just is a matter of who you are if
you are bending the rules. And that is a sad commentary here
today because, Ms. Winchell, you said that you go by what the
IG has, is that--that was your testimony, right?
Ms. Winchell. That's correct.
Mr. Meadows. Okay. If the IG said it was a business, which
she did, why did you not go by that? You questioned it there.
Ms. Winchell. Well, in all honesty, I'd have to go back and
see exactly what the report said but ----
Mr. Meadows. I have read it.
Ms. Winchell. I ----
Mr. Meadows. And I am telling you she said it--your
testimony, Ms. Bruce, was it a business?
Ms. Bruce. Correct. We said because income was being
generated, has a business logo and employees were paid ----
Mr. Meadows. It was a business. So why did you not take her
advice--you did on everything else. Ms. Plaskett said that you
should have done your investigation. You said you relied on it,
but yet, on the business part, you didn't rely on it.
Ms. Winchell. Well, I relied on the facts that they
provided and on the breadth of their investigation, but I did
not rely on the conclusions that they reached because I thought
their conclusions were wrong.
Mr. Meadows. But that is not what you said, Ms. Winchell,
in answering Ms. Plaskett. And again, you are using circular
reasoning. You said that it was the IG's assumption that he was
either innocent or guilty, and so what you did was took their
words and then you came to your own conclusion? Is that what
you are saying, without an investigation?
Ms. Winchell. I came to my own conclusion based on the
facts that were provided in the investigation.
Mr. Meadows. All right. So, Ms. Bruce, Mr. Harris paid 11
employees? That was your testimony? I may have missed that.
Ms. Bruce. No, two employees.
Mr. Meadows. Two employees.
Ms. Bruce. Yes.
Mr. Meadows. So he paid two different employees?
Ms. Bruce. Yes.
Mr. Meadows. Mr. Harris, was a 1099 filled out or a W-2
filled out for those two employees?
Mr. Harris. No, sir.
Mr. Meadows. So did they make over $600?
Mr. Harris. I don't believe so.
Mr. Meadows. You are under oath. Neither of them made over
$600?
Mr. Harris. I'll--I'll ----
Mr. Meadows. Were never paid over $600?
Mr. Harris. One may have made over $600. I don't believe
the other did but I would have to look at the record.
Mr. Meadows. So aren't you required to do a 1099?
Mr. Harris. As I ----
Mr. Meadows. I mean, if they are working for you.
Mr. Harris. As I indicated, it was just a hobby.
Mr. Meadows. Okay.
Mr. Harris. In hindsight ----
Mr. Meadows. So you told me it was just a hobby and so now
you are detailing operation is just a hobby, is that correct?
Mr. Harris. Absolutely, and I make ----
Mr. Meadows. Okay. Well, I have two cars. When can I sign
up? If it is a hobby, I mean I would love to bring my cars and
let you detail my cars. Dr. Harris, I think you and I both know
it is not just a hobby.
Mr. Harris. It was a hobby, sir.
Mr. Meadows. Okay. Have you done any personal work for
anybody, Ms. Winchell, Mr. King?
Mr. Harris. I have not, sir.
Mr. Meadows. Ever?
Mr. Harris. Ever.
Mr. Meadows. Okay. How do we go from here, Mr. King,
because it is not over with this hearing. I know a lot of
people like to get prepared for a hearing and say it is all
over and it is not over, I can tell you, because we have a
responsibility to the American people and responsibility to the
Federal workers who were whistleblowers, who are probably
disappointed with your response today. So where do we go from
here?
Mr. King. Again, corrective action was taken. The behavior
ended in 2013. Our focus at the Department is on ensuring that
we move forward on cybersecurity and the other urgent
priorities of the Department. We are making significant
progress on cybersecurity, but we have much more to do and to
ensure that we are responding as best we can to the
cybersecurity threats ----
Mr. Meadows. So let me ----
Mr. King.--that exist.
Mr. Meadows. Let me close with this last question then.
What message does it send to all the Federal workers if we have
someone who has been referred for criminal action by the OIG,
who has been counseled three times for questionable behavior,
and continues to get outstanding performance reviews and
bonuses that would make most of us blush? What message does it
send, Mr. King?
Mr. King. The message is clear. Where there was the
appearance of impropriety ----
Mr. Meadows. I agree the message is clear, but I am ----
Mr. King. Where there was the appearance of impropriety,
the employee was counseled by three deputy secretaries, by our
ethics officer ----
Mr. Meadows. And the checks kept ----
Mr. King.--and the activities ----
Mr. Meadows.--coming. And the checks ----
Mr. King. The activities ----
Mr. Meadows.--kept coming.
Mr. King. The activities ended, and the employee
understands the importance of not even allowing the appearance
of impropriety.
Mr. Meadows. I will yield back. Thank you, Mr. Chairman.
Chairman Chaffetz. Thank you. I have a few things to clean
up.
Mr. Harris, William Hall was the person in question here.
He may be the finest man, offering good services. I hope so. We
are sending him I don't know how many dollars, so I am guessing
millions of dollars. According to the inspector general, you
actually went to his house and installed home theater
equipment, correct?
Mr. Harris. I did.
Chairman Chaffetz. Was that you personally?
Mr. Harris. That was me personally.
Chairman Chaffetz. Who else was involved in that?
Mr. Harris. Just me.
Chairman Chaffetz. And what were you paid by him to do
that.
Mr. Harris. I was not compensated.
Chairman Chaffetz. So this is a person with how many
contracts, six or eight contracts with the Department of
Education, and you go to his house, you have a business--I
disagree. I don't think this is a little hobby. I think this
is--I agree with the inspector general here. And you go to this
person's house and you install a home theater system, and he
paid you how much? Nothing?
Mr. Harris. He was a friend.
Chairman Chaffetz. Mr. King, you don't see any ethical
problem doing that?
Mr. King. Again, Dr. Harris was not involved after 2008
when this relationship began ----
Chairman Chaffetz. No, I am just asking about when it
happened ----
Mr. King.--and the contract ----
Chairman Chaffetz.--at the time.
Mr. King. But what I counseled him on was ----
Chairman Chaffetz. No, he was ----
Mr. King.--that we can't have--we ----
Chairman Chaffetz. That is--but wait, wait, wait. Mr. King,
you are making an assumption that the inspector general says is
not true.
Mr. King. No, they ----
Chairman Chaffetz. They laid out a case where Mr. Harris
was involved--a contract was going to a different vendor. He
got personally involved and at least had some input. I am not
saying the final decision, some input, and that contract was
changed and given to William Hall's company.
Mr. King. There was a contract in 2004 before this
relationship began according to the evidence.
Chairman Chaffetz. But he was the program manager ----
Mr. King. There then was ----
Chairman Chaffetz.--for other contracts.
Mr. King. But again, the personal relationship ----
Chairman Chaffetz. No, wait a second, Mr. King. The initial
contact, the interaction Mr. Harris had with William Hall
started in like 2000, 2001.
Mr. King. As acquaintances ----
Chairman Chaffetz. So it is an acquaintance ----
Mr. King. Based on the evidence ----
Chairman Chaffetz. There is a standard between an
acquaintance and a friend?
Mr. King. Based on the evidence that was presented by the
IG to our general counsel, there was a ----
Chairman Chaffetz. I am tired of hearing about you and your
general counsel, okay? They can give you all the advice you
want. You make the decisions. You are the decision-maker. So
let's just cut that part out and get right to the ----
Mr. King. Again--again ----
Chairman Chaffetz.--chase here.
Mr. King. Again ----
Chairman Chaffetz. Hold on one sec. Hold on one second. You
see no ethical problem with somebody who oversees and
supervises the personnel who have to implement these contracts
with them personally going and installing home theater
equipment to a company that I am guessing makes millions of
dollars from those contracts?
Mr. King. As I indicated, I made clear in my counseling to
Dr. Harris ----
Chairman Chaffetz. Yes, if you are just going to read ----
Mr. King.--that there cannot be ----
Chairman Chaffetz.--the same thing
Mr. King.--there cannot be an appearance of impropriety to
the extent that having this personal relationship ----
Chairman Chaffetz. Well, I want to know if there was any
impropriety, and in your mind, you are saying no ----
Mr. King. What I'm saying is that ----
Chairman Chaffetz.--there is no ----
Mr. King.--the appearance, as a result of the personal
relationship, was a problem. Dr. Harris understood that. The
relationship ended in 2013.
Chairman Chaffetz. I think Mr. Meadows is exactly right.
You can't have it both ways. Either Mr. Harris violated no
regulation, law, policy, or any ethical concern and you should
continue on, sir. According to Mr. King, continue on, play on.
You have had nothing docked in your pay, you have progressed at
every level, you got bonused up. I mean, you have had, what,
almost $250,000 in bonuses over the last 11 years.
Congratulations. And you have side businesses, three other
jobs, you had people that had contracts with you that were
going to their home and installing theaters, over a 2-year
period you exchanged 700 phone calls that were text messages
you say, but you say, hey, there is no relationship. You still
oversee those. I don't know how you get away with it. I really
don't. I am concerned about the other 3,900 and however many
employees are out there. I think you are sending the wrong mix.
And, Mr. King, I hope at some point you do reevaluate and
go through this.
I have got one other thing here. Mr. Harris, what was the--
you had to go back with this unreported income. How much money
are we talking about was the unreported income?
Mr. Harris. It was 1 percent of my household income.
Chairman Chaffetz. Over what period of time?
Mr. Harris. Over a 10-year period.
Chairman Chaffetz. So over a 10-year period you are making
in excess close to $2 million during that time.
Mr. Harris. No, sir. No, sir. It was an average of $4,000 a
year, and that was before expenses. After expenses it was
hundreds of dollars. And that is why--poor judgment, but that
is why I didn't--it wasn't a business. It was just a hobby. But
it was ----
Chairman Chaffetz. So there is $40,000 in revenue? That is
what we are talking about, that wasn't ----
Mr. Harris. Over 10 years, and again, that's before
expenses. With--after expenses, it would have been hundreds of
dollars. There literally was no major profit to be made. It was
insignificant amounts of money.
Chairman Chaffetz. But you had employees, you were
installing home theater equipment, you had people ----
Mr. Harris. I did not have employees.
Chairman Chaffetz. Okay. You had independent contractors
that worked at the Department of Education that also worked for
you, and they had dual income as well. I am just trying to--so
if it is 1 percent of your income, you said 1 to 2 percent of
your income over 10 years.
Mr. Harris. Annually, 1 percent annually.
Chairman Chaffetz. I know but I am taking your salary,
183,000. You haven't always made that much. You multiply that
times 10. That equals how much? One point eight million
dollars. Take what is 1 or 2 percent of that, yes, and you
start ----
Mr. Harris. No, sir.
Chairman Chaffetz.--to come up with tens of thousands of
dollars that I just want to understand the gravity. We will
work on the math with you and the Department of Education soon.
I could continue on, but we have exhausted this. Mr. King,
with all due respect, Ms. Winchell--let me do this before we do
this.
Ms. Bruce, we have talked about several things here over
the last few minutes. You looked like you wanted to make some
sort of comment there.
Ms. Bruce. Only that I know we spent quite a bit of time
talking about business. The OIG at no time never was approached
to get some additional information. We've always been available
for that additional information. Our concern has not been
business. It's been about earned income. So I wanted to make
sure that point was made clear. When you asked me about a
business, it was about earned income in our report and not
necessarily about a business.
Chairman Chaffetz. And, Ms. Winchell, the policy is any
income above $200, correct?
Ms. Winchell. Yes, actually, it's the law that governs the
financial disclosure reporting.
Chairman Chaffetz. Right.
Ms. Winchell. It's $200 from any source. Because Dr. Harris
didn't form a business, that would be over $200 from each
person who paid him to provide a service in a given year. So,
for example, if he installed a home AV system for--and earned
$700, he would need to report that. But if he detailed a car
for $74 or $100 ----
Chairman Chaffetz. Right.
Ms. Winchell.--that would not need to be reported.
Chairman Chaffetz. Yes, and I ----
Ms. Winchell. In other words, they don't have to ----
Chairman Chaffetz. In my mind, it is actually more
understandable. And why do we do that? Why do we get
disclosures of $200 or more?
Ms. Winchell. Well, I can't speak for why the Legislature
set the $200, but the whole point of the system is to help the
government identify and remediate potential--actual and
potential conflicts of interest.
Chairman Chaffetz. Yes, it is an ethical issue.
Ms. Winchell. Exactly.
Chairman Chaffetz. Did he fill out a form for 10 years or
did he fill a form out for just one year?
Ms. Winchell. Mr. Harris actually has filled out his public
financial disclosure form completely and in a timely manner
every year. And when we have had questions that we needed to
address on technical aspects of the form, he's been very
responsive.
Chairman Chaffetz. I don't know how you come to the--it's
kind of laughable almost that after this hearing you still
think he filled it out completely.
Ms. Bruce, what did you find there?
Ms. Bruce. Our evidence showed that for the years in
question, 2008, '09, and '10, there were no disclosures as far
as the $200--in excess of $200.
Chairman Chaffetz. And Mr. Harris admitted that he is
making money every year for 10 years, and there are 3 years
that they didn't complete them. And you just said--this is what
scares us--this is why we got a hearing that is going into hour
4 is because you still--as the ethics officer, you spend
supposedly 8 hours a day working on ethics, hard to believe
that that happens, you still don't understand it. You still
don't know that there is a problem.
And, Mr. King, you are enabling this. You are the decision-
maker. You have been given this mantle of trust from the
President of the United States and you are failing. And it has
got to quit.
You still don't know. He admitted right here just now that
for 10 years he has been having this income and the inspector
general--why are you shaking your head back in the audience
just laughing at us? You are laughing at the American taxpayer.
I don't know who that guy works for. I am telling you, don't
just sit there and laugh at us. I will follow this through. You
didn't think we were taking this seriously. You are making a
fundamental and total mistake. You are misusing American
taxpayer dollars. We have vulnerabilities that are just
unbelievable. And we will continue to pursue this.
You better hope that none of that data gets out there. But
when the inspector general went to penetrate the system, they
got in there unimpeded, never detected, walked back out and
reported it to Congress, as they should.
Ms. Bruce, to the people that work in the inspector
general's office, thank you. Thank you for your good work. We
wouldn't know about this without those good people doing tough,
difficult work. Nobody wants to hear from the inspector
general, but they do some of the most valuable work that we
have before us today. I thank you all for your service, and I
thank you for your testimony today. I thank the men and women
who work in the Department of Education. We are trying to fix
it, but the problem is sitting here with Ms. Winchell and Mr.
King and Mr. Harris.
This meeting is now adjourned.
[Whereupon, at 12:59 p.m., the committee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]