Lawmakers are concerned that the Social Security Administration (SSA) could be vulnerable to the same kind of devastating cyberattack as the one that hit the Office of Personnel Management (OPM).
The SSA networks “bear the hallmarks of poor information security similar to those seen at OPM’s networks back in 2014,” House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) said during a Thursday hearing.
The OPM hacks, revealed last summer, exposed the personal information of over 20 million current and former federal employees, contractors and others.
In one recent testing incident at the SSA, an external auditor was able to exfiltrate a large amount of information from the agency's networks without its knowledge. The SSA did not inform the Inspector General’s office of the audit report.
Chaffetz called the agency’s failure to disclose the incident “suspicious.”
“It comes across as if you were hiding something from the Inspector General,” Chaffetz said.
Other lawmakers blasted the SSA for security practices that allowed the penetration test to be successful in the first place.
“You have the audacity to say that Social Security meets all of the cross-agency priority cybersecurity goals [but] somebody was able to sit on your system and take complete control over it,” Rep. Will Hurd (R-Texas) said. “I wouldn’t pat yourself on the back.”
“If I was the Russians, if I was the Chinese, I would be licking my chops because these people are not prepared to protect this information,” Hurd said.
Acting administrator Carolyn Colvin defended the agency, arguing that the testing was at the invitation of the SSA.
“We proactively try to penetrate our own information systems every day,” Colvin said. “With ongoing analysis and rigorous testing, we continuously learn more about the ways hackers may try to gain access to our systems, and we continuously devise ways to stop them.”
Colvin also argued that the agency has moved considerable resources into boosting its security stance.
The agency has increased its spending on cybersecurity from $74 million to $96 million, Colvin said, but that shift in resources has come at the expense of its customer service activities.
She noted that the SSA’s security performance “compares well” to other federal agencies.
But the agency’s Inspector General found that “the risk and severity of the weaknesses described constituted a significant deficiency.”
A potential breach at the SSA could be catastrophic, according to lawmakers.
Last year, the agency provided about $930 billion in payments to about 67 million Americans. Almost all of these transactions are electronic, according to the IG. The agency maintains 14 general support systems and 8 major applications to conduct its business.