Agencies are having trouble reducing reliance on Social Security numbers as identifiers because of outdated systems, insufficient funding and lack of coordination from OMB.
Agencies are having trouble reducing their reliance on Social Security numbers as identifiers because of outdated systems, insufficient funding and a lack of coordinated guidance coming from the executive branch.
While the numbers serve as a unique identifier for Americans, the system was never intended to be used as a proxy ID, and their widespread use potentially exposes citizens to risks of identity theft and financial fraud.
Agencies have struggled to move away from using Social Security numbers as a universal identifier since at least 2007, when the Office of Management and Budget issued guidance requiring agencies to develop plans to cut back on the collection of and reliance on the numbers due to concerns about identity theft.
The 2015 Office of Personnel Management breach, which exposed some 22 million personnel records, renewed the urgency for agencies to move off the number.
At a recent joint hearing for the House of Representatives' Ways and Means Subcommittee on Social Security and the Oversight and Government Reform IT Subcommittee, lawmakers raised concerns that the lack of progress on developing alternative identifiers and stronger protections could lead to a similar breach.
Greg Wilshusen, director of the Government Accountability Office’s Information Security Services, testified that agencies have trouble eliminating Social Security numbers from their IT systems and records "in part because no other identifier offers the same degree of awareness and utility."
Mariana LaCanfora, the acting deputy commissioner of the Social Security Administration’s Office of Retirement and Disability Policy, said that while Social Security numbers are critical for her agency’s ability to provide benefits, "the SSN and SSN card were never intended, nor do they serve, as identification."
"We strongly encourage other agencies and the public to minimize their use," she added.
Wilshusen also pointed to weak oversight from OMB as part of the problem.
"Reduction efforts in the executive branch have also been hampered by more readily addressable shortcomings," he said. "OMB has not required agencies to maintain up-to-date inventories of [Social Security] number collections, and has not established criteria for determining when the number’s use or display is unnecessary."
Some agencies have tried to develop their own identifiers to move off relying on Social Security numbers. For example, the Centers for Medicare and Medicaid Services will replace the numbers’ use as the primary identifier with a new number, the Medicare Beneficiary Identifier.
Karen Jackson, CMS' deputy chief operating officer, said this new identifier will replace the Social Security numbers for beneficiaries by April 2019.
Rep. David Schweikert (R-Ariz.), however, raised concerns that each agency creating a new identifier may merely create “a cascade of numbers” that will encounter similar cybersecurity risks.
IT Subcommittee chair Will Hurd (R-Texas) proposed the adoption of a secure, tokenized system to handle and connect the new numbers, pointing to the one used by the Estonian government as proof of concept.
However, Wilshusen said that another hurdle agencies face is limitations posed by their legacy tech.
"Legacy systems often may not be able to handle newer numbers," he said. "In order to be able to do that, it requires significant system change or modification."
OPM CIO David DeVries testified that OPM has now encrypted its collection of Social Security numbers, "with the exception of one database that resides in the mainframe, which is now sitting behind other security controls and detection systems, and that is scheduled to be completed… this calendar year."
However, on a scale of one to 10 in terms of modernity and efficiency, DeVries said he would give his agency's equipment, “from an overall architecture and operating perspective… about a 0.3 or 0.4.”