GAO ducks SSA's Internet security issue
- By Bureaucratus
- Jun 15, 1997
For just under 10 years the Social Security Administration has been providing a Personal Earnings and Benefit Estimate Statement (PEBES) to any individual who requests it. The statement, previously provided by mail, includes a yearly record of earnings, estimates of Social Security taxes paid, and expected benefits. Because it is useful to individuals planning their retirement, SSA recently began permitting dissemination of the PEBES to individuals over the Internet. According to SSA officials, before transmitting PEBES data over the Internet they spent a year testing and consulting with outside experts, including those in the areas of privacy and computer security. Providing security for sensitive information transmitted on the Internet is a requirement that many private firms have mastered. One overnight success is the Internet book firm Amazon.com, which recently became a publicly traded company. To succeed, this firm must take book orders and process credit card information in a secure fashion; failure to do so would mean the firm's demise. Similarly, many brokerage firms, such as e-Trade, take orders for stock and mutual fund purchases over the Internet.
As a security measure, SSA required individuals seeking information on their account to enter five authenticating elements into the system before the data could be accessed: name, Social Security number, date of birth, place of birth, and mother's maiden name. All five are facts about the individual rather than a secret shared only with SSA, and despite these measures public concern over privacy mounted, resulting in political pressure. "How could a government agency be trusted to safeguard confidential information?" the public asked.
On April 9, after public outcry and concerns about the privacy of sensitive information reached unacceptable levels, the acting commissioner of SSA suspended dissemination of PEBES data over the Internet. In other words, he "caved."
Immediately thereafter, the General Accounting Office was asked to render an opinion on SSA's ambitious project. Needless to say, officials responded in typical bureaucratic fashion. "The Internet has inherent security risks," GAO said, "because of the way it was designed. The Internet is a complex network that has evolved over the last decade from an initially limited and experimental link of interconnected computers. The relative insecurity of the Internet makes using it as a vehicle for transmitting sensitive data - such as personal Social Security information - a decision requiring careful consideration."
No kidding. What did GAO cite in support of its statement? The fact that some computer hackers have for years exploited the security weaknesses of systems connected to the Internet. That may be true, but what about Amazon.com? Or e-Trade? Instead of citing these success stories, GAO chose to duck the issue. In its testimony it said that "absolute computer security is not possible" and that officials must consider what level of risk is acceptable. Who can argue with that statement? Does it address the question of whether SSA failed to adequately safeguard the information in its files? Not to my satisfaction! GAO then cited, as an example of a government agency handling electronic data in the "steward" role rather than the "owner" role, the Internal Revenue Service's proposal for electronic filing of tax returns. In that case the IRS left the decision of whether to put one's sensitive data into cyberspace with the individual, the owner. It would appear that what GAO is saying is that government agencies shouldn't take risks; risk taking is reserved for those in the private sector. That is probably a true statement, but for GAO to take this position is reprehensible.
Bureaucratus is a retired federal employee and a regular contributor to Federal Computer Week.