Is Social Security concealing IT risk?
The agency charged with maintaining some of the nation's most sensitive information is vulnerable because of its antiquated IT, and lawmakers say its leaders are downplaying the danger and sidestepping their inspector general.
The Social Security Administration presents an inviting target for hackers. But IT officials maintain that so far at least, outsiders have not been able to find their way in.
As a precaution, SSA employs penetration testers -- outsiders who try to hack into agency systems -- and those efforts have identified some weaknesses that required mitigation. Marti Eckert, the agency's chief information security officer, told lawmakers during a May 26 hearing of the House Oversight and Government Reform Committee that an August 2015 test resulted in nine security recommendations that were addressed.
SSA Deputy Inspector General Gale Stallworth Stone said that when she was verbally briefed on those penetration tests in September 2015, she came away with the impression that the testers had not been able to access or exfiltrate personally identifiable information.
But just ahead of the May 26 hearing, House staffers alerted her to the existence of a written report on the testing.
"Congress shouldn't be the one to tell the inspector general that there's a report," said Chairman Jason Chaffetz (R-Utah). "It just comes across as if you're hiding something from the inspector general."
Stone said she hadn't been able to take an extensive look at the report, but it seemed to paint a more serious picture than her oral briefing had.
Penetration testers "were able to exfiltrate personally identifiable information," Chaffetz said of the document's findings. "There is a problem."
Agency officials downplayed the danger to the information housed in SSA systems.
"No one has penetrated in and exfiltrated out" without help from SSA, CIO Robert Klopp said. He added that the penetration testers owed their success to SSA granting them some user account privileges, which they were then able to escalate.
"We try to hack our own systems every day," SSA Acting Commissioner Carolyn Colvin said.
But as Chaffetz noted, SSA has 96,000 user accounts, each one a potential insider threat.
Compromised user credentials played a crucial role in the catastrophic Office of Personnel Management breach.
"Because our legacy systems are so old, we are at risk," Colvin acknowledged. "We need to make changes."
But she said any improvements are hampered by tight budgets and the need to keep money flowing through the agency's systems.
In 2015, SSA doled out some $930 billion to 67 million Americans, nearly all of it via electronic payments. For comparison, the entire federal IT budget in fiscal 2015 was around $80 billion.
Lawmakers hammered SSA leaders for failing to adequately protect the databases that house information -- more than 19 petabytes -- on every American citizen.
"This is the treasure trove, and it should be protected with the best tools," said Rep. Will Hurd (R-Texas).
"We're very worried that the federal government is so vulnerable," agreed Rep. Gerry Connolly (D-Va.).
He urged SSA leaders, who spent a chunk of the hearing engaged in debate over the definition of a "hack" versus "fraud," to be more forthright.
"It's not a sign of weakness to identify weakness," Connolly said. "It's a sign of weakness when you ignore the weakness."