GAO ducks SSA's Internet security issue

For just less than 10 years the Social Security Administration has been providing a Personal Earnings and Benefit Estimate Statement (PEBES) to any individual requesting it. The statement previously provided by mail includes a yearly record of earnings estimates of Social Security taxes paid and expected benefits. Useful to individuals attempting to plan their retirement SSA recently began permitting dissemination of the PEBES to individuals over the Internet. According to SSA officials before transmitting PEBES data over the Internet they spent a year testing and consulting with outside experts including those in the areas of privacy and computer security. Providing security for sensitive information transmitted on the Internet is a requirement that many private firms have mastered. An overnight success is the internet book firm which recently became a publicly traded organization. In order to succeed this firm must take book orders and process credit card information in a secure fashion. Failure to do so would result in the firm's demise. Similarly many brokerage firms such as e-Trade take orders for stock and mutual fund purchases over the Internet.

As a security measure SSA required individuals seeking information on their account to enter five authenticating elements into the system in order to access the data. These elements were name Social Security number date and place of birth and mother's maiden name. Despite these measures public concern over privacy mounted resulting in political pressure. "How could a government agency be trusted to safeguard confidential information?" the public asked.

On April 9 after public outcry and concerns about the privacy of sensitive information reached unacceptable levels the acting commissioner of SSA suspended dissemination of PEBES data over the Internet. In other words he "caved."

Immediately thereafter the General Accounting Office was asked to render an opinion on SSA's ambitious project. Needless to say officials responded in typical bureaucratic fashion. "The Internet has inherent security risks " GAO said "because of the way it was designed. The Internet is a complex network that has evolved over the last decade from an initially limited and experimental link of interconnected computers. The relative insecurity of the Internet makes using it as a vehicle for transmitting sensitive data - such as personal Social Security information - a decision requiring careful consideration."

No kidding. What did GAO cite in support of its statement? The fact that some computer hackers have for years exploited the security weaknesses of systems connected to the Internet. That may be true but what about Or e-Trade? Instead of citing these success stories GAO chose to duck this issue. In its testimony it said that "absolute computer security is not possible" and that officials must consider what level of risk is acceptable. Who can argue with that statement? Does it address the question of whether SSA failed to adequately safeguard the information in its files? Not to my satisfaction! GAO then cited an example of a government agency's handling of electronic data in the "steward" role rather than the "owner" role when the Internal Revenue Service introduced the proposal of electronically filing tax returns. In this case the IRS left the decision of whether to put one's sensitive data into cyberspace with the individual the owner. It would appear that what GAO is saying is that government agencies shouldn't take risks. Risk taking is reserved for those in the private sector. That's probably a true statement but for GAO to take this position is reprehensible.

Bureaucratus is a retired federal employee and a regular contributor to Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.