Is Social Security concealing IT risk?

The Social Security Administration presents an inviting target for hackers. But IT officials maintain that so far at least, outsiders have not been able to find their way in.

As a precaution, SSA employs penetration testers -- outsiders who try to hack into agency systems -- and those efforts have identified some weaknesses that required mitigation. Marti Eckert, the agency's chief information security officer, told lawmakers during a May 26 hearing of the House Oversight and Government Reform Committee that an August 2015 test resulted in nine security recommendations that were addressed.

SSA Deputy Inspector General Gale Stallworth Stone said that when she was verbally briefed on those penetration tests in September 2015, she came away with the impression that the testers had not been able to access or exfiltrate personally identifiable information.

But just ahead of the May 26 hearing, House staffers alerted her to the existence of a written report on the testing.

"Congress shouldn't be the one to tell the inspector general that there's a report," said Chairman Jason Chaffetz (R-Utah). "It just comes across as if you're hiding something from the inspector general."

Stone said she hadn't been able to take an extensive look at the report, but it seemed to paint a more serious picture than her oral briefing had.

Penetration testers "were able to exfiltrate personally identifiable information," Chaffetz said of the document's findings. "There is a problem."

Agency officials downplayed the danger to the information housed in SSA systems.

"No one has penetrated in and exfiltrated out" without help from SSA, CIO Robert Klopp said. He added that the penetration testers owed their success to SSA granting them some user account privileges, which they were then able to escalate.

"We try to hack our own systems every day," SSA Acting Commissioner Carolyn Colvin said.

But as Chaffetz noted, SSA has 96,000 user accounts, each one a potential insider threat.

Compromised user credentials played a crucial role in the catastrophic Office of Personnel Management breach.

"Because our legacy systems are so old, we are at risk," Colvin acknowledged. "We need to make changes."

But she said any improvements are hampered by tight budgets and the need to keep money flowing through the agency's systems.

In 2015, SSA doled out some $930 billion to 67 million Americans, nearly all of it via electronic payments. For comparison, the entire federal IT budget in fiscal 2015 was around $80 billion.

Lawmakers hammered SSA leaders for failing to adequately protect the databases that house information -- more than 19 petabytes -- on every American citizen.

"This is the treasure trove, and it should be protected with the best tools," said Rep. Will Hurd (R-Texas).

"We're very worried that the federal government is so vulnerable," agreed Rep. Gerry Connolly (D-Va.).

He urged SSA leaders, who spent a chunk of the hearing engaged in debate over the definition of a "hack" versus "fraud," to be more forthright.

"It's not a sign of weakness to identify weakness," Connolly said. "It's a sign of weakness when you ignore the weakness."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.
