White House, Equifax agree: Social security numbers must go
(Bloomberg) -- The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach.
The administration has called on federal departments and agencies to look into the vulnerabilities of employing the identifier tied to retirement benefits, as well as how to replace the existing system, according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said Tuesday at a cyber conference in Washington organized by the Washington Post. “Every time we use the Social Security number, you put it at risk.”
Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee, the first of four hearings this week on Capitol Hill. Lawmakers from both parties expressed outrage over the size of the breach as well as the company’s response and grilled Smith on the timeline of the incident, including when top executives learned about it.
Smith said the rising number of hacks involving Social Security numbers has eroded their value as a security measure.
“The concept of a Social Security number in this environment being private and secure -- I think it’s time as a country to think beyond that,” Smith said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Joyce said officials are looking into “what would be a better system” that utilizes the latest technologies, including a “modern cryptographic identifier,” such as public and private keys.
“It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, said one possibility could be giving individuals a private key, essentially a long cryptographic number that’s embedded in a “physical token” that then requires users to verify that the number belongs to them. It could work like the chip in a credit card that requires the owner to enter a PIN allowing use. He pointed to Estonia, where such cards have been deployed and people use them to validate their identity.
“Your PIN unlocks your ability to use that big number,” he said. The challenge is how to create the identifiers and how to distribute the keys. “It’s very promising” and “it’s possible to technically design something like this” but it could be expensive to design and disseminate such material to each American, he said. “This is a pretty big endeavor.”
The administration is also participating in discussions Congress is having about the requirements of protecting personal data and breach notifications for companies.
“It’s really clear, there needs to be a change, but we’ll have to look at the details of what’s being proposed,” Joyce said. In responding to the Equifax hack, though, he said, “we need to be careful of Balkanizing the regulations. It’s really hard on companies today” facing local, state and federal regulators as well as international rules, he added.
The U.S. government began issuing Social Security numbers in 1936. Nearly 454 million different numbers have been issued, according to the Social Security Administration. Supplanting such an ingrained apparatus would not happen overnight. The original intent was to track U.S. workers’ earnings to determine their Social Security benefits. But with the rise of computers, government agencies and companies found new uses for the number, which gradually grew into a national identifier.
Over the decades, the Social Security number became valuable for what could be gained by stealing it, said Bruce Schneier, a fellow at Harvard’s Kennedy School of Government. It was the only number available to identify a person and became the standard used for everything from confirming someone at the doctor’s office to school.
Akin to Infrastructure
“They appeared at an age when we didn’t have other numbers,” Schneier said in an interview. “Think of this as part of our aging infrastructure” from roads and bridges to communications. “Sooner or later we as a society need to fix our aging infrastructure.”
He pointed to India’s wide-scale rollout of the Aadhaar card, a unique number provided to citizens after collecting their biometric information -- fingerprints and an iris scan -- along with demographic details, to almost 1.2 billion people. In the U.S., a more secure system could be designed, “but magic math costs money,” he said.
Making any changes to the current system, including replacing the numbers entirely or restricting who can use them, would likely require an act of Congress, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, which advocates for limiting the use of Social Security numbers.
“You’d need to change a lot of existing public law,” Rotenberg said. “There would need to be extensive hearings and study about the consequences. It’s a complicated issue.”
The government’s own record of protecting Social Security numbers has its blemishes. Medicare, the federal health-care program for senior citizens, has long used the numbers on identification cards recipients must carry. After years of criticism by the agency’s inspector general for the risks that creates, new cards with different numbers are currently being rolled out.
The failure of the Social Security number is that there’s only one for each person; “once it’s compromised one time, you’re done,” said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center.
Public and private keys -- long strings of characters -- could help validate identities. The government could, for example, issue each person a public key and a private key. Someone opening a bank account could provide the public key -- instead of a Social Security number -- and the bank would send a message that could only be decrypted with the matching private key. If the private key were compromised, the government could easily issue another one.
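The exchange described above, written out as an added example that is not part of the article or of any proposal discussed in it. It uses Go's standard RSA-OAEP to implement the literal scheme in the text (the bank encrypts a random challenge to the applicant's public key, and only the holder of the private key can decrypt it), with a hypothetical issuing registry that drops the old public key when a new pair is issued. The person name "alice", the registry type and the challenge label are constructed for this example; real deployments normally use digital signatures rather than decryption for this kind of proof, but the revocation lesson is the same.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed label: binds each ciphertext to this one purpose so a challenge
// cannot be passed off as some other kind of encrypted message.
var challengeLabel = []byte("identity-challenge-v1")

// Registry stands in for the issuing authority in the article (hypothetical):
// it records which public key is currently valid for each person.
type Registry struct {
	keys map[string]*rsa.PublicKey
}

func NewRegistry() *Registry {
	return &Registry{keys: make(map[string]*rsa.PublicKey)}
}

// Issue creates a fresh key pair, publishes the public half and returns the
// private half (which in practice would live on a hardware token). Calling it
// again for the same person is the reissue step: the previous public key is
// dropped, so the old private key no longer proves anything.
func (r *Registry) Issue(person string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	r.keys[person] = &priv.PublicKey
	return priv, nil
}

// Lookup is what the bank does instead of asking for a Social Security number.
func (r *Registry) Lookup(person string) (*rsa.PublicKey, error) {
	if pub, ok := r.keys[person]; ok {
		return pub, nil
	}
	return nil, errors.New("no current key on record for " + person)
}

// Challenge is the bank's message: a random nonce encrypted so that only the
// holder of the matching private key can recover it. The nonce itself stays
// with the bank and is compared in constant time against the answer.
type Challenge struct {
	nonce      []byte
	Ciphertext []byte
}

func NewChallenge(pub *rsa.PublicKey) (*Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, challengeLabel)
	if err != nil {
		return nil, err
	}
	return &Challenge{nonce: nonce, Ciphertext: ct}, nil
}

func (c *Challenge) Verify(answer []byte) bool {
	return subtle.ConstantTimeCompare(c.nonce, answer) == 1
}

// Respond is the applicant's side: decrypt the challenge with the private key.
// A wrong or superseded key yields an OAEP decryption error, never the nonce.
func Respond(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, challengeLabel)
}

// prove runs one full exchange and reports whether the bank accepted it.
func prove(reg *Registry, person string, priv *rsa.PrivateKey) bool {
	pub, err := reg.Lookup(person)
	if err != nil {
		return false
	}
	ch, err := NewChallenge(pub)
	if err != nil {
		return false
	}
	answer, err := Respond(priv, ch.Ciphertext)
	if err != nil {
		return false
	}
	return ch.Verify(answer)
}

// Scenario follows the article's story: a key is issued and works, it is
// reported compromised and reissued, and afterwards only the new key works.
func Scenario() (before, oldAfterReissue, newAfterReissue bool, err error) {
	reg := NewRegistry()
	oldKey, err := reg.Issue("alice")
	if err != nil {
		return
	}
	before = prove(reg, "alice", oldKey)
	newKey, err := reg.Issue("alice") // reissue after the compromise
	if err != nil {
		return
	}
	oldAfterReissue = prove(reg, "alice", oldKey)
	newAfterReissue = prove(reg, "alice", newKey)
	return
}

func main() {
	before, oldAfter, newAfter, err := Scenario()
	fmt.Println(before, oldAfter, newAfter, err) // true false true <nil>
}
```

The point the article makes is visible in the last two results: once the registry publishes a replacement key, a leaked private key is useless to whoever holds it, which is exactly what cannot be done with a Social Security number. The bank never learns the private key, and the stolen ciphertext by itself reveals nothing, since the nonce is fresh for every exchange.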
Saved by Math
Stasio also cited emerging blockchain technology as another potential tool. It could create a kind of digital DNA fingerprint that’s “mathematically impossible” to duplicate. In place of a Social Security number, each person could receive a blockchain hash -- a kind of algorithm unique to an individual -- that is stamped on every digital transaction or action.
That type of technology “could be used as a much more efficient and mathematically sound method of transaction, identification and validation,” Stasio said.
While lawmakers were unanimous in criticizing Equifax’s response to a breach that compromised information on 145.5 million U.S. consumers, they were divided on how to fix the underlying issue. Democrats on the panel have reintroduced legislation imposing requirements for when companies have to report data breaches, while Oregon Republican Greg Walden noted the company’s human errors, saying “you can’t fix stupid.”
Smith said the Equifax employee responsible for communicating that the vulnerable software needed to be patched didn’t do so. That failure was compounded when a scan of the company’s systems didn’t find that the vulnerability still existed, the former CEO said.
Joyce’s comments helped take some of the focus off Equifax’s blunders, analysts at Cowen Inc. said in a note Tuesday.
The “White House may be indirectly coming to Equifax’s rescue,” they wrote. “This reduces the risk of business-model-busting legislation such as a requirement that consumers opt-in to a credit bureau collecting their data.”
--With assistance from Jenny Surane and Hannah Levitt