The Social Security Administration did little to ease Congress’ concerns that its IT systems are up to the task of protecting personal data for nearly every American.
In August 2015, SSA brought in the Homeland Security Department to perform a penetration test of the agency’s systems. When testers were inside, they were able to gain access to personally identifiable information (PII), according to DHS’ final report on the penetration exercise.
“Homeland Security team members were apprehensive about scanning or other rigorous testing of the main frame due to its fragile operating posture,” House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) said as he read from DHS’ report during a May 26 hearing on SSA’s IT systems. “The DHS team decided to forgo testing of the main frame in an effort to reduce the operational risk of bringing it down. It should be noted that the fragile state of the main frame is a major vulnerability on its own and should be addressed as soon as possible.”
The committee was hardly thrilled with the SSA’s response as it described how the agency addressed those vulnerabilities.
SSA Chief Information Officer Robert Klopp attempted to assure the committee: no one’s personal data was at risk.
“As far as we know, no one — without help from us — has ever come into the agency, entered and penetrated in and exfiltrated data out,” he told the committee.” No one — without help from us or knowledge in advance of the way we have our cybersecurity systems set up — has been able to do that.”
But SSA didn’t share the results and nine recommendations that came from the DHS report with its inspector general, a fact the committee finds particularly suspicious.
SSA’s Office of Inspector General was verbally briefed about the DHS test in September 2015, but it received a copy of the report two days ago, said Gale Stallworth Stone, the agency’s IG. The OIG only learned that a report existed after members of the committee’s staff told the IG about it, she added.
“It just seems to us, it comes across, that you were hiding something from the inspector general,” Chaffetz said.
For Rep. Will Hurd (R-Texas), the chairman of the Oversight and Government Reform Subcommittee on Information Technology, SSA’s records, which he called “the treasure trove” of personally identifiable information, need special attention.
“It should be protected with the best tools,” he said. “I’ve said this 100 times. This is not an issue of technology. This is an issue of leadership. You have information on every single American in the United States of America and your [Chief Information Security Officer] doesn’t even know from the last report how many critical vulnerabilities there were?”
Though Hurd praised SSA for bringing on a third-party to test its systems, he said the agency is still taking the wrong approach.
“You guys have saved $300 million in IT savings by doing things properly,” he said. “Good work. But the reality is, use the money that you actually have in the right way. You’re not giving a team that’s coming in here to test your digital infrastructure … all the information from the previous test. Not once have you all come in here and said there [are] these significant vulnerabilities, critical vulnerabilities that we’ve fixed. The DHS team was able to escalate privileges once they were inside the system and take control of your entire system. That’s a big deal.”
SSA CISO Marti Eckert wouldn’t describe the critical vulnerabilities that DHS found after its penetration test. She said the agency was taking “an integrated, holistic approach” as it responded to the nine recommendations DHS made after it tested SSA systems last summer.
Social Security isn’t so concerned that DHS could gain access to PII during its penetration test, because SSA purposefully invited testers further and further into its systems, Klopp said.
“We want them to find these exposures, we are looking for them to find these exposures,” he said. “In both of the cases of the August DHS exercise, as well as our exercise with our other auditors, they were not able to penetrate our system from the outside, so we let them in. When we let them in, sometimes they can move around a little bit, and they declare the fact that they can move around as a vulnerability. But they can’t get things out.”
SSA allowed DHS further into its systems, specifically because the agency wanted to find those vulnerabilities, Klopp said.
The agency is working with DHS now on another, similar test.
“As a result of activities we’ve taken, we’re now more secure than we were the last time in,” Klopp said. “They’re having a harder time doing some stuff. They’ve also found some new stuff.”
“It scares me to death that you think that,” Chaffetz said in response.
The committee’s concerns come one day after it heard from members of the administration and the Government Accountability Office, which said agencies use more than $3 billion worth in outdated hardware and software that will soon be obsolete.
“The frustration you’re hearing is not only about Social Security,” Rep. Gerry Connolly (D-Va.) said. “We’ve had a series of hearings where we hear the same story, and we’re very worried that the federal government is so vulnerable.”
The administration, along with at least 20 members of Congress, said the $3.1 billion IT Modernization Fund will provide much-needed solutions.
SSA also voiced its own support for the fund.
Carolyn Colvin, acting commissioner of SSA, reiterated several times that her agency needs sustained resources to begin developing new IT systems and deal with competing priorities.
“We’re constantly balancing between our services to the public and our program integrity efforts, which include cybersecurity,” Colvin said. “Because of the activity in fraud and the activity in cybersecurity, we have had to continually shift resources to program integrity. Just in three years, we’re gone from spending $74 million in cybersecurity to $96 million, that cuts away from, of course, our customer service activities.”
When the agency shifts its resources, wait times for the SSA customer service line increase, said Colvin, who estimated that members of the public are waiting on average for about 30 minutes this year. Those wait times will continue to go up if funding remains an issue, she said.
Sustained IT funding is also Klopp’s biggest concern.
“If we try to modernize in small increments, we will progress at a pace that is slower than the pace that technology advances and actually lose ground,” he said. “The time to rebuild is now while the legacy systems are still supported by the staff who developed it.”