The Social Security Administration—the agency that holds personal data on every American citizen, living or dead—is starting to look a lot like the Office of Personnel Management right before foreign hackers pulled off the largest data breach in government history. And that has lawmakers on Capitol Hill worried.
“Year after year, penetration testers have been able to obtain global access privileges on the networks. This year, the agency didn’t even detect the attack until auditors were told about them after sitting in the network for three days,” said House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, during a hearing Thursday exploring cybersecurity gaps at SSA.
Congress’ increasing concern about what many members of the committee characterized as a major leadership failure at the agency stems from a penetration test conducted last August by the Department of Homeland Security. According to the SSA inspector general, agency officials failed to share the DHS report on the tests. It was only this week—nearly nine months after the tests—that the IG’s office became aware of the report’s existence.
According to the report, DHS testers had been able to capture and exfiltrate personally identifiable information from SSA systems, which process 150 million transactions every day and handle billions of transactions involving Social Security numbers, survivor benefits, and Medicare benefits.
Because of the size, scope, and sensitivity of the SSA’s data holdings, lawmakers are increasingly concerned about what they consider to be leadership failures on the part of senior SSA officials. Rep. Will Hurd, R-Texas, who chairs the House IT subcommittee, skewered SSA Chief Information Security Officer Marti Eckert for her inability to answer basic questions about the number of critical vulnerabilities the DHS audit uncovered.
“There were a set of about nine recommendations that were made to us,” Eckert said.
“So you don’t know how many critical vulnerabilities were actually found?” Hurd asked.
Eckert did not answer.
“The DHS team was able to escalate privileges once they were inside your system and take control of your entire system. That’s a big deal,” Hurd said. “And then you have the audacity to say that Social Security meets all of the cross-agency priority cybersecurity goals. I wouldn’t pat yourself on the back. And you’re the CISO and you don’t know how many critical vulnerabilities that there were in a report that was done almost a year ago?”
When pressed for an explanation of what the agency has done to close the gaps identified in the audit, Eckert responded awkwardly.
“We have very many different things that we do,” she said, before being cut off abruptly by Hurd.
“You have very many different things? Ms. Eckert, you obviously didn’t read my background before you came here,” Hurd said. “I did this for a living, OK? And saying that you have very many different things is not a strategy on how to mitigate critical vulnerabilities.”
Without pausing, Hurd turned his displeasure on Acting SSA Administrator Carolyn Colvin. “I’ve said this a hundred times. This is not an issue of technology, this is an issue of leadership,” said Hurd.
“You have information on every single American in America and your CISO doesn’t even know from the last report how many critical vulnerabilities there were. This is absolutely ludicrous. The reason we have all of you here is because it stops with you,” Hurd said, pointing a finger at Colvin.
“I hope you have some very uncomfortable conversations with your CIO and your CISO, because this is basic information that they should know,” he said. “As a taxpayer, I’m appalled by this.”
Robert Klopp, SSA’s chief information officer, told the committee that DHS is currently conducting another cybersecurity test and that although the agency is more secure now than it was a year ago, testers continue to find new vulnerabilities. But Klopp emphasized that DHS testers are invited into the SSA network to conduct their vulnerability tests and that they have not been able to infiltrate the network from outside.
“As far as we know, no one, without help from us, has ever come into the agency, entered and penetrated in, and exfiltrated data out,” Klopp said. “No one without help from us or knowledge in advance about how we have our cybersecurity system set up has been able to do that.”
“It scares me to death that you think that,” Chaffetz said. “It really does scare me.”
Chaffetz pointed to a recent case in which a hacker was jailed after being caught using stolen identities to gain access to the SSA’s systems. He then created 900 fraudulent accounts in the SSA network and stole $20 million.
There are 96,000 users who are already on the inside, Chaffetz emphasized in his questioning of SSA leaders. “Their ability to get in, surf around, and exfiltrate data is certainly happening.”
Colvin and Klopp took issue with the example offered by Chaffetz, arguing that cases of cyber fraud are completely different from cases involving network penetration.