CISA Director Pushes to Discontinue Social Security Numbers as Identification

SAN FRANCISCO — Cybersecurity and Infrastructure Security Agency Director Christopher Krebs is embracing the goal of ending reliance on Social Security numbers amid longstanding concerns they make citizens more vulnerable than secure. 

“What are the things we can do down the road to help ensure that we have a more secure identity? Move away from the Social Security number as an identification element,” Krebs said during a keynote interview at the RSA cybersecurity conference Tuesday. 

Krebs was speaking with Heather Dahl, CEO of the Sovrin Foundation, which makes a blockchain-enabled digital identity tool. She was very excited to hear of CISA’s plans. 

In 2015, analysts at Verizon, which produces an annual report of hacking trends, estimated 60% to 80% of Americans’ Social Security numbers are already exposed, leaving individuals open to identity theft and financial loss.   

Efforts to reduce government agencies’ use of the nine-digit numbers as a unique identifier go back to requirements the Office of Management and Budget issued in 2007. But progress has been slow, and more than 10 years and several massive data breaches later, experts were still appealing to Congress to replace or improve the Social Security number as a way to verify individuals are who they say they are.  

In 2022, a law banning federal agencies from printing Social Security numbers on government mail will take effect. Last January, the Social Security Administration announced a search for vendors who could tokenize the Social Security number to comply.

CISA’s effort, in collaboration with industry leaders from a presidential advisory panel that produced a 2018 “moonshot” plan to make the internet safe and secure by 2028, would be more ambitious.

“We work with a range of partners, including the President’s National Security and Telecommunications Advisory [Committee] to look at what are alternative identity management opportunities,” Krebs said.

NSTAC’s moonshot report highlights the need for an “identity paradigm shift.” 

President Trump never publicly acknowledged the report, which advised him to establish a moonshot council, the leader of which would work with Congress to secure the massive investments in technology NSTAC recommended. But CISA has taken up the mantle, leading action items, such as the execution of “grand challenges,” the report outlines.

Bradford Willke, CISA’s acting director of stakeholder engagement and cyber infrastructure resilience, is scheduled to participate in an RSA panel Wednesday to share details about the final concepts for the grand challenges, including on digital identity.   

At an NSTAC meeting last week, Scott Charney, the vice president of security policy at Microsoft who serves as vice chair of the committee, proposed making digitally secure Social Security numbers a future “study topic,” for the group. He distributed a paper to members discussing how “both federal and private transactions, including those related to National Security and Emergency Preparedness, can be made are more secure.” 

But during the meeting, Willke noted, “that work will proceed whether it becomes a study topic or not.”

“The moonshot effort is at least proceeding with several grand challenges around this whole notion of identifiers, identity management,” he said. “So in a number of ways, we've got to tackle the identity issues that we face through the current means we have.”

Willke added he was very excited to see that they were going to “continue to press energy into the Cybersecurity Moonshot at RSA.”