The Social Security Administration — an institution that last year provided roughly $930 billion in payments to about 67 million Americans — is under fire for what one GOP lawmaker calls a concerning gap in its cybersecurity defenses.
Now the SSA is pushing back against the claims from House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, telling FedScoop that the agency has made progress over the year since DHS auditors discovered vulnerabilities via a penetration test.
In short, the SSA is more secure today than the House Oversight and Government Reform Committee suggests, according to SSA Chief Information Security Officer Marti Eckert.
Last week, agency officials were grilled during a lengthy hearing led by Chaffetz and Rep. Will Hurd, R-Texas.
SSA inspector general Gale Stallworth Stone has said that agency officials failed to fully share a crucial 2015 DHS auditor’s report until just last week, though it was originally conducted about nine months ago.
“It just seems to us, it comes across, that you were hiding something from the inspector general,” Chaffetz told SSA chief Carolyn Colvin at the hearing.
Eckert, on the other hand, said in an interview with FedScoop that the SSA briefed the inspector general last year — shortly before the penetration testing was concluded.
The testing, done by external DHS contractors, is designed to measure the effectiveness of the agency’s cyber defenses — of increasing importance in a post-OPM breach world.
“OIG officials were briefed on the DHS report in 2015. However, we were just recently provided the full report, and we are carefully evaluating DHS’s concerns. Oversight of SSA’s information systems and internal controls is a top OIG priority,” inspector general spokesman Andrew Cannarsa wrote in an email.
Importantly, the auditor’s report showed that once testers were inside the system, they were able to gain access to personally identifiable information.
“The DHS team was able to escalate privileges once they were inside your system and take control of your entire system. That’s a big deal,” Hurd said during the hearing Thursday.
He later added, “I’ve said this a hundred times. This is not an issue of technology, this is an issue of leadership.”
Hurd’s direct commentary on SSA’s leadership comes at a time when CIO Robert Klopp and acting administrator Carolyn Colvin have publicly and continuously advocated for increased funding to invest in innovative cybersecurity technologies.
FedScoop reached out to Hurd’s office for comment, but they did not provide a response.
Tanium, a Silicon Valley-based end point detection cybersecurity firm that services the SSA, also declined to comment for this story.
Eckert said she couldn’t comment on the results of recent and ongoing penetration tests, but felt “rewarded” by the results of these simulated attacks.
She also said that the SSA did nothing “suspicious,” and that Chaffetz’s suggestions to the contrary — that her agency withheld a damning report — are unequivocally false.
“If we had been doing anything suspicious then why would we have turned over the report to the committee in the first place?” Eckert asked rhetorically.
Last week, Klopp told the committee: “As far as we know, no one — without help from us — has ever come into the agency, entered and penetrated in and exfiltrated data out.”
Director of Technical Operations in the Office of Information Security Dirk Wiker said the SSA encouraged DHS auditors further into the system to better understand deficiencies and other cyber risks.
Eckert echoed Wiker’s statement, saying that these penetration tests are supposed to be educational and not a benchmark on performance — “security is a continuous process … we’re progressively becoming more integrated into other processes of the agency.”
Watch the hearing here:
To contact the reporter on this story you can send him an email via firstname.lastname@example.org or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.