The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach.
The administration has called on federal departments and agencies to look into the vulnerabilities of employing the identifier tied to retirement benefits, as well as how to replace the existing system, according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said Tuesday at a cyber conference in Washington organized by the Washington Post. “Every time we use the Social Security number, you put it at risk.”
Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee, the first of four hearings this week on Capitol Hill. Lawmakers from both parties expressed outrage over the size of the breach as well as the company’s response and grilled Smith on the timeline of the incident, including when top executives learned about it.
Smith said the rising number of hacks involving Social Security numbers has eroded their security value.
“The concept of a Social Security number in this environment being private and secure — I think it’s time as a country to think beyond that,” Smith said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Joyce said officials are looking into “what would be a better system” that utilizes the latest technologies, including a “modern cryptographic identifier,” such as public and private keys.
“It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, said one possibility could be giving individuals a private key, essentially a long cryptographic number that’s embedded in a “physical token” that then requires users to verify that the number belongs to them. It could work like the chip in a credit card that requires the owner to enter a PIN allowing use. He pointed to Estonia, which has deployed such cards that people use to validate their identity.
“Your PIN unlocks your ability to use that big number,” he said. The challenge is how to create the identifiers and how to distribute the keys. “It’s very promising” and “it’s possible to technically design something like this” but it could be expensive to design and disseminate such material to each American, he said. “This is a pretty big endeavor.”
The administration is also participating in discussions Congress is having about the requirements of protecting personal data and breach notifications for companies.
“It’s really clear, there needs to be a change, but we’ll have to look at the details of what’s being proposed,” Joyce said. In the response to the Equifax hack, though, he said, “we need to be careful of Balkanizing the regulations. It’s really hard on companies today” facing local, state and federal regulators as well as international rules, he added.
The U.S. government began issuing Social Security numbers in 1936. Nearly 454 million different numbers have been issued, according to the Social Security Administration. Supplanting such an ingrained apparatus would not happen overnight. The original intent was to track U.S. workers’ earnings to determine their Social Security benefits. But with the rise of computers, government agencies and companies found new uses for the number, which gradually grew into a national identifier.
Over the decades, the Social Security number became valuable for what could be gained by stealing it, said Bruce Schneier, a fellow at Harvard’s Kennedy School of Government. It was the only number available to identify a person and became the standard used to confirm a person’s identity everywhere from the doctor’s office to school.