United States General Accounting Office GAO Testimony Before the Subcommittee on Social Security Committee on Ways and Means House of Representatives For Release on Delivery Expected at 3 p.m. SOCIAL SECURITY Tuesday May 6, 1997 ADMINISTRATION Internet Access to Personal Earnings and Benefits Information Statement of Joel C. Willemssen Director, Information Resources Management and Keith A. Rhodes Technical Director, Office of the Chief Scientist Accounting and Information Management Division GAO/T-AIMD/HEHS-97-123 Mr. Chairman and Members of the Subcommittee: We appreciate this opportunity to participate in the Subcommittee’s hearing on privacy and security concerns relating to the Social Security Administration’s (SSA) recent experiences in providing personal benefits estimates to individuals via the Internet. Mr. Chairman, both you and the Ranking Minority Member have expressed concerns about whether SSA’s interactive benefits estimates service adequately protects the privacy of Americans and whether unauthorized access to confidential information is taking place over the Internet. Such concerns are understandable. SSA, as administrator of the nation’s largest federal benefits program, touches the life of almost every American. It is essential that citizens be able to trust that the agency is safeguarding the personal information it collects. While we have just initiated a review of SSA’s use of the Internet to disseminate benefits estimates, we have, however, reported on computer and Internet security and on the risks facing agencies in providing electronic access to data.1 Our remarks today will, therefore, focus on general privacy and security considerations that federal agencies should address to safeguard any sensitive information made available as a public service via the Internet. As you know, Mr. Chairman, for just under 10 years, SSA has been Providing Personal providing a Personal Earnings and Benefit Estimate Statement (PEBES) to Earnings and Benefits any individual requesting it. The statement includes a yearly record of Information Via the earnings, estimates of Social Security taxes paid, estimates of retirement and disability benefits, and potential survivor benefits should the Internet individual die. Legislation2 mandated that beginning in fiscal year 1995, PEBES be sent to all eligible U.S. workers aged 60 and over; beginning October 1, 1999, it is scheduled to be sent annually to all eligible workers aged 25 and over—an estimated 123 million people.3 As we reported last year, the public has found PEBES to be a useful financial planning tool.4 1 See our report entitled Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84 and GAO/T-AIMD-96-92, May 22, 1996) and our testimony entitled Information Security: Computer Hacker Information Available on the Internet (GAO/T-AIMD-96-108, June 5, 1996). 2 Public laws 101-239 (December 19, 1989) and 101-508 (November 5, 1990). 3 Besides the age requirement, eligibility entails having a Social Security number, having wages or net earnings from self-employment, not presently receiving Social Security benefits, and having a current address obtainable by SSA. 4 See SSA Benefit Statements: Well Received by the Public but Difficult to Comprehend (GAO/HEHS-97-19, December 5, 1996). Page 1 GAO/T-AIMD/HEHS-97-123 SSA has recently tried to educate the public about the importance of its programs and availability of information, such as the PEBES statement; this initiative to provide “world class service” was—at least in part—in reaction to surveys showing public confidence in SSA programs at a low level. While much of this perception may relate to continual discussion about SSA’s financial viability, officials at the agency have stated that they are attempting to be more responsive to customer desires. As part of this initiative, the agency last year began permitting individuals to request PEBES through the Internet, with the document being sent by mail. This was seen as a new alternative to visiting an SSA office in person or using its toll-free telephone number. In March of this year, in an effort to be as responsive as possible, SSA began permitting on-line dissemination of the statement to individuals. Using the Internet for this purpose was a planned part of the agency’s electronic service delivery project, a component of its business plan for fiscal years 1997-2001. According to this plan, the project would ensure that among other items, “integrity and confidentiality of client data are safeguarded.”5 According to SSA officials, before taking the step of transmitting PEBES data over the Internet, they spent a year testing and consulting with outside experts, including those in the areas of privacy and computer security. Among the security features intended to preserve individual privacy was the requirement for an individual to enter five authenticating elements into the system in order to access the data. These elements were name, Social Security number, date and place of birth, and mother’s maiden name. In early April, press reports of privacy concerns over the availability of this information via the Internet sparked widespread reaction—including the fear that those not entitled to the information could access it without difficulty. Experts also questioned the adequacy of the five key pieces of information needed to obtain the data, pointing out that three of the five are available in public databases. With this publicity, according to SSA officials, attempts to access the data at SSA’s web site6 escalated from about 10 to 80 per second. 5 Business Plan, Fiscal Years 1997-2001, SSA publication no. 01-008, April 1996. 6 The World Wide Web (www), as its name implies, is a vast collection of interconnected computers spanning the world. A web site refers to any computer on the web and its particular web address. SSA’s web site, then, is the location at which its PEBES data can be found. Page 2 GAO/T-AIMD/HEHS-97-123 SSA officials believed the situation was well in hand, that the security measures taken were sufficient. They pointed out that, as of April 7, security screening denied access to about 9,000 of the 27,000 requests for on-line PEBES data. SSA officials stated that while they monitored many attempts to break into the system, none succeeded. On April 9, after public outcry and concerns about the privacy of sensitive information, the Acting Commissioner of Social Security suspended on-line receipt of PEBES data. Mr. Chairman, we see this issue as one of balance. While SSA has attempted to be responsive to the needs of its customers, the question is how—and, given the risks involved, whether—to do this via the Internet. If the decision is made to use the Internet in this way, the question is whether SSA is doing everything possible to ensure that sensitive information is not compromised. Convenience with undue risk to security is no bargain. This is especially important because the interactive PEBES project is just one of many initiatives planned for the next few years that are intended to make greater use of technology. Other SSA efforts under the electronic service delivery umbrella include third-party access (using technology to allow others, such as state or local government employees or advocacy-group members, to assist individuals in dealing with SSA), dial-up bulletin boards, touchtone telephone access (for less sensitive customer records), and even interactive cable television.7 In the last few years, the use of the Internet has grown tremendously and Information Security has placed a vast array of information at the fingertips of millions of users. on the Internet This is due primarily to the availability of tools that have made the Internet much easier to use. As a result, we have witnessed a rush to connect to the Internet; today there are over 40 million users worldwide. Despite this growth and leap in ease of use, the Internet has inherent security risks because of the way it was designed. The Internet is a complex network that has evolved over the last decade from an initially limited and experimental link of interconnected computers. The network, developed for the most part by scientists and engineers, was initially designed to test how a military command and control system could get messages through in a post-nuclear environment without regard to security. To do this, the network was built so that a message would use 7 These projects are described briefly in SSA publication no. 01-008, April 1996. Page 3 GAO/T-AIMD/HEHS-97-123 any available path to its destination, regardless of how many “dead ends” it encountered. The most important element of the network was, therefore, its robustness, or tenacity—not security. The relative insecurity of the Internet makes using it as a vehicle for transmitting sensitive data—such as personal Social Security information—a decision requiring careful consideration. In such an environment, one must weigh added convenience against the potential compromise and misuse of such information—and the potential damage to the database itself. In considering such trade-offs, it is important to remember that, whether on-line or not, Social Security benefits information is available through means other than electronic. Computer hackers8 have for years exploited the security weaknesses of systems connected to the Internet.9 The growing number of people having access to the Internet—any one of whom is a potential hacker—coupled with the rapid growth of and reliance on interconnected computers, has made cyberspace a dangerous frontier. Informal groups of hackers openly share information on how to break into computer systems. Despite security features that boast ever-increasing sophistication, hackers have more tools and techniques than ever before, and the number of attacks on systems is growing each day.10 As a result, the need for secure information systems and networks has never been greater. This problem is directly affecting federal systems. Interconnectivity, combined with poor security management, is placing billions of dollars’ worth of assets at risk of loss, and vast amounts of sensitive data at risk of unauthorized disclosure. While greater use of interconnected systems offers significant benefits, such systems are much more vulnerable to malicious attack by anonymous intruders—an increasing threat to our national welfare. Consequently, information security has been added to our list of government programs designated as high-risk because of vulnerabilities to waste, fraud, abuse, or mismanagement.11 8 The term hacker refers to any individual who, though unauthorized, attempts to penetrate a computer information system; browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way. 9 See GAO/AIMD-96-84 and GAO/T-AIMD-96-92, May 22, 1996, and GAO/T-AIMD-96-108, June 5, 1996. 10 Testimony of Richard Pethia, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, before the Permanent Subcommittee on Investigations, Committee on Governmental Affairs, United States Senate, June 5, 1996. 11 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997). Page 4 GAO/T-AIMD/HEHS-97-123 Making information systems more secure is complicated, not only by the Implementing huge numbers of people having access to them, but also by the complexity Computer Security: of most systems themselves. Most large organizations have, along with Protect, Detect, React personal workstation computers, mainframes, software applications, servers, routers, and external connections. These systems use a variety of products from a number of different vendors. Fully understanding the security weaknesses caused by the complex interrelationships of these products is a difficult task. Accordingly, absolute computer security is not possible. In developing effective systems security, officials must, then, consider what level of risk is acceptable. Such a decision will hinge on issues such as the type and sensitivity of the information, how vulnerable to attack the computers and networks are, where potential threats might come from, available countermeasures, and costs. For most organizations, a prudent approach involves determining an appropriate level of protection, then ensuring that any security breaches that do occur can be effectively detected and countered. This generally means establishing (1) a comprehensive program with top management commitment, sufficient resources, and clearly defined roles and responsibilities, (2) clear, consistent, and up-to-date security policies and procedures, (3) periodic vulnerability assessments to identify security weaknesses, (4) security awareness training, (5) sufficient time and training for systems administrators and information security personnel, (6) efficient use of automated security tools, and (7) a robust incident-response capability, so that attacks can be detected and a response initiated quickly in order to aggressively track and prosecute the offenders. The first point just mentioned, about roles and responsibilities, is essential. In determining these, a decision must be made on identifying the owners of information versus the stewards of information. Owners are ultimately responsible for the decision on what level of security risk to accept, while stewards manage that risk. A recent example of a government agency’s handling of electronic data in the steward role rather than the owner role was when the Internal Revenue Service introduced the proposal of electronically filing tax returns. In this case, it left the decision of whether to put one’s sensitive data into cyberspace with the individual, the owner. Turning to detection of an attack once one has been made, organizations use two basic methods: system audits and monitoring. These terms are used loosely within the computer security community and often overlap. A Page 5 GAO/T-AIMD/HEHS-97-123 system audit is a one-time or periodic security evaluation. Monitoring, in contrast, refers to an ongoing activity that examines either the system or its users. In general, the more “real-time” an activity is, the closer it is to monitoring. In terms of reaction, an organization should address computer security incidents by developing an incident-handling capability. Commonly referred to as a computer emergency-response team, it is typically used to provide the ability to respond quickly and effectively, contain and repair damage from incidents, and prevent future damage. In developing Internet PEBES service, SSA used both government and private SSA’s Actions to consultants. The Los Alamos National Laboratory provided a detailed Address Security report, including suggested solutions for addressing Internet security risks. Extensive support was also received from the CommerceNet consortium,12 as well as from individual private companies. Along with phased testing of “PEBES-By-Mail” and interactive PEBES, SSA took a number of measures that officials believed would adequately safeguard requesters’ privacy, the system itself, and the data it contains. For example, both the request data and the on-line response utilize a form of encryption; further, according to SSA, requesters cannot directly query, browse, or download SSA records. SSA officials further state that automated transaction information is continually captured electronically, allowing SSA to audit system use and identify potential abuse; multiple attempts to obtain the same data are automatically restricted; and bulk requests are not honored. SSA officials add that individuals are alerted to on-line risks inherent in using the Internet to obtain PEBES data and are offered alternative methods. They are also warned of criminal penalties for the intentional misuse of Social Security data.13 Finally, other measures were taken, whose disclosure by us today could compromise their effectiveness. Despite these measures, however, detection of and action against security breaches is not simple. It is very difficult to track down computer-system abusers and, existing laws notwithstanding, prosecution is rare; one reason is that acceptable electronic evidence is not yet clearly defined. 12 CommerceNet is an industry consortium dedicated to accelerating the growth of the Internet and creating business opportunities for its members. 13 Four laws are cited: 42 U.S.C. 408 (misuse of Social Security number), 5 U.S.C. 552(a) (Privacy Act), 18 U.S.C. 1030 (misuse of computer), and 18 U.S.C. 1001 (false statements or entries). Penalties range from fines with maximums of $5000 or $10,000 and jail terms up to 10 years. Page 6 GAO/T-AIMD/HEHS-97-123 Mr. Chairman, as we stated earlier, we have just initiated our work and therefore cannot yet conclude whether SSA implemented a prudent approach to address the security risks in providing Internet PEBES service. Although the agency took steps it thought would render its data and system secure, we do not know whether they have succeeded. However, we do offer the following observations. We commend the Acting Commissioner’s decision to suspend the service while investigating the adequacy of the security measures that have been taken. We also urge caution before any decision is made to resume the program. The Internet security issue is so large and daunting that SSA, like every other federal organization, will have to rely on commercial solutions and outside expert opinion. This reliance poses hurdles because the commercial sector, experts, and standards-setting bodies have not yet reached consensus on how to best solve Internet security problems. It is important for SSA—and every other agency considering Internet access—to decide whether it will be the steward or owner of the information it holds. Being the steward implies a vast job of making the American public knowledgeable about computer security; being the owner confers upon SSA the responsibility to assess the potential threat to its data with the utmost care and restraint. Regardless of the direction it takes on the owner/steward issue, SSA will need to demonstrate that it has performed a comprehensive risk assessment of the data so that the level of protection required can be clearly defined. Accompanying this task will be the need to provide an adequate training and awareness program that will enable users to understand the risks of Internet access. Mr. Chairman, this concludes our statement. We would be happy to respond to any questions you or other Members of the Subcommittee may have at this time. (511219) Page 7 GAO/T-AIMD/HEHS-97-123 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (301) 258-4066, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Social Security Administration: Internet Access to Personal Earnings and Benefits Information
Published by the Government Accountability Office on 1997-05-06.
Below is a raw (and likely hideous) rendition of the original report. (PDF)