Social Security numbers: a security risk with serious staying power
- By Chase Gunter
- May 30, 2017
Despite the risk of fraud and identity theft posed by the use of Social Security numbers, agencies continue to use them as universal identifiers because of outdated systems, insufficient funding and a lack of coordinated guidance coming from the executive branch.
In 2007, the Office of Management and Budget issued guidance mandating agencies develop plans to cut back on the collection of and reliance on the numbers due to concerns about identity theft. And when the Office of Personnel Management was breached in 2015, exposing some 22 million personnel records, the urgency for agencies to move off the number increased.
At a recent joint hearing for the House of Representatives' Ways and Means Subcommittee on Social Security and the Oversight and Government Reform IT Subcommittee, lawmakers raised concerns that the lack of progress on developing alternative identifiers and stronger protections could lead to a similar breach.
Greg Wilshusen, director of the Government Accountability Office’s Information Security Services, testified that agencies have trouble eliminating Social Security numbers from their IT systems and records "in part because no other identifier offers the same degree of awareness and utility."
Mariana LaCanfora, the acting deputy commissioner of the Social Security Administration’s Office of Retirement and Disability Policy, said that while Social Security numbers are critical for her agency’s ability to provide benefits, "the SSN and SSN card were never intended, nor do they serve, as identification."
"We strongly encourage other agencies and the public to minimize their use," she added.
Wilshusen also pointed to weak oversight from OMB as part of the problem.
"Reduction efforts in the executive branch have also been hampered by more readily addressable shortcomings," he said. "OMB has not required agencies to maintain up-to-date inventories of [Social Security] number collections and has not established criteria for determining when the number’s use or display is unnecessary."
Some agencies have tried to develop their own identifiers to move off relying on Social Security numbers. For example, the Centers for Medicare and Medicaid Services will replace the numbers’ use as the primary identifier with a new number, the Medicare Beneficiary Identifier.
Karen Jackson, CMS' deputy chief operating officer, said this new identifier will replace the Social Security numbers for beneficiaries by April 2019.
Rep. David Schweikert (R-Ariz.), however, raised concerns that each agency creating a new identifier may merely create “a cascade of numbers” that will create similar cybersecurity risks.
IT Subcommittee chair Will Hurd (R-Texas) proposed the adoption of a secure, tokenized system to handle and connect the new numbers, pointing to the one used by the Estonian government as proof of concept.
However, Wilshusen said that another hurdle agencies face is limitations posed by their legacy tech.
"Legacy systems often may not be able to handle newer numbers," he said. "In order to be able to do that, it requires significant system change or modification."
OPM CIO David DeVries testified that OPM has now encrypted its collection of Social Security numbers, "with the exception of one database that resides in the mainframe, which is now sitting behind other security controls and detection systems, and that is scheduled to be completed … this calendar year."
However, on a scale of one to 10 in terms of the modernity and efficiency, DeVries said he would give his agency's equipment, “from an overall architecture and operating perspective… about a 0.3 or 0.4.”
This article was first posted to FCW, a sister site to GCN.
Chase Gunter is a former FCW staff writer.