Identity

Can government stop using Social Security numbers?

Shutterstock image. Copyright: Dgrilla. 

Agencies are having trouble reducing their reliance on Social Security numbers as identifiers because of outdated systems, insufficient funding and a lack of coordinated guidance coming from the executive branch.

While the numbers serve as a unique identifier for Americans, the system was never intended to be used as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft and financial fraud.

Agencies have struggled with attempts to move off using Social Security numbers as a universal identifier since at least 2007, when the Office of Management and Budget issued guidance mandating agencies to develop plans to cut back on the collection of and reliance on the numbers due to concerns about identity theft.

The 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the urgency for agencies to move off the number.

At a recent joint hearing for the House of Representatives' Ways and Means Subcommittee on Social Security and the Oversight and Government Reform IT Subcommittee, lawmakers raised concerns that the lack of progress on developing alternative identifiers and stronger protections could lead to a similar breach.

Greg Wilshusen, director of the Government Accountability Office’s Information Security Services, testified that agencies have trouble eliminating Social Security numbers from their IT systems and records "in part because no other identifier offers the same degree of awareness and utility."

Mariana LaCanfora, the acting deputy commissioner of the Social Security Administration’s Office of Retirement and Disability Policy, said that while Social Security numbers are critical for her agency’s ability to provide benefits, "the SSN and SSN card were never intended, nor do they serve, as identification."

"We strongly encourage other agencies and the public to minimize their use," she added.

Wilshusen also pointed to weak oversight from OMB as part of the problem.

"Reduction efforts in the executive branch have also been hampered by more readily addressable shortcomings," he said. "OMB has not required agencies to maintain up-to-date inventories of [Social Security] number collections, and has not established criteria for determining when the number’s use or display is unnecessary."

Some agencies have tried to develop their own identifiers to move off relying on Social Security numbers. For example, the Centers for Medicare and Medicaid Services will replace the numbers’ use as the primary identifier with a new number, the Medicare Beneficiary Identifier.

Karen Jackson, CMS' deputy chief operating officer, said this new identifier will replace the Social Security numbers for beneficiaries by April 2019.

Rep. David Schweikert (R-Ariz.), however, raised concerns that each agency creating a new identifier may merely create “a cascade of numbers” that will encounter similar cybersecurity risks.

IT Subcommittee chair Will Hurd (R-Texas) proposed the adoption of a secure, tokenized system to handle and connect the new numbers, pointing to the one used by the Estonian government as proof of concept.

However, Wilshusen said that another hurdle agencies face is limitations posed by their legacy tech.

"Legacy systems often may not be able to handle newer numbers," he said. "In order to be able to do that, it requires significant system change or modification."

OPM CIO David DeVries testified that OPM has now encrypted its collection of Social Security numbers, "with the exception of one database that resides in the mainframe, which is now sitting behind other security controls and detection systems, and that is scheduled to be completed… this calendar year."

However, on a scale of one to 10 in terms of the modernity and efficiency, DeVries said he would give his agency's equipment, “from an overall architecture and operating perspective… about a 0.3 or 0.4.”

About the Author

Chase Gunter is a former FCW staff writer.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected