Lawmakers: After OPM Hack, Social Security Administration Could Be Next Target

Carolyn Colvin, acting SSA administrator (Photo: Carolyn Kaster/AP)

SSA’s networks show some of the same vulnerabilities as OPM’s.

Lawmakers are concerned the Social Security Administration isn't doing enough to protect the personally identifiable information of hundreds of millions of Americans -- both alive and dead.

SSA networks “bear the hallmarks of poor information security similar to those seen at OPM’s networks back in 2014,” House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, said during a hearing Thursday, referring to the massive breach of the Office of Personnel Management’s background check records.

Lawmakers grilled SSA officials about poor management of cybersecurity issues. Officials countered that the organization desperately needs more funding to address vulnerabilities. The agency is also trying to increase the number of virtual transactions it processes, shifting many of the in-person applications to online ones.

“Because of budget constraints, we’re constantly balancing between our service delivery to the public and our program integrity efforts, which include cybersecurity,” Carolyn Colvin, acting SSA administrator, said during the hearing. Over the past three years, SSA has increased its cyber spending from $74 million to $96 million, and “that comes away from … our customer service activities.”

SSA’s problems aren’t limited to funding, Rep. Will Hurd, R-Tex., argued. He referenced a recent report detailing how Homeland Security Department staff, invited by SSA to test its networks, were able to exfiltrate large amounts of PII. SSA officials did not inform the inspector general’s office about this incident, a decision Chaffetz called “suspicious.”

“Use the money that you actually have in the right way,” Hurd said. “You have the audacity to say that Social Security meets all of the cross-agency priority cybersecurity goals … [but] somebody was able to sit on your system and take complete control over it … I wouldn’t pat yourself on the back.”

He added, “if I was the Russians, if I was the Chinese, if I were other hackers, I would be licking my chops because these people are not prepared to protect this information.”

During the hearing, SSA’s deputy inspector general, Gale Stallworth Stone, said the organization “did not always resolve systems vulnerabilities in a timely manner” and that “programmers could have unmonitored access to system functions.”

Her office recommended SSA take more steps to authenticate users, and “properly manage its IT investments.”

Still, Chaffetz said he was optimistic about SSA’s efforts to clean up its cyber practices because it had scored relatively well on the Office of Management and Budget’s cybersecurity assessments -- though in 2015 its score dropped to 84 percent from 96 percent.