49308 CC
1998
SOCIAL SECURITY ADMINISTRATION'S WEBSITE
HEARING
before the
SUBCOMMITTEE ON SOCIAL SECURITY
of the
COMMITTEE ON WAYS AND MEANS
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
FIRST SESSION
MAY 6, 1997
Serial 105-27
Printed for the use of the Committee on Ways and Means
COMMITTEE ON WAYS AND MEANS
BILL ARCHER, Texas, Chairman
PHILIP M. CRANE, Illinois
BILL THOMAS, California
E. CLAY SHAW, Jr., Florida
NANCY L. JOHNSON, Connecticut
JIM BUNNING, Kentucky
AMO HOUGHTON, New York
WALLY HERGER, California
JIM McCRERY, Louisiana
DAVE CAMP, Michigan
JIM RAMSTAD, Minnesota
JIM NUSSLE, Iowa
SAM JOHNSON, Texas
JENNIFER DUNN, Washington
MAC COLLINS, Georgia
ROB PORTMAN, Ohio
PHILIP S. ENGLISH, Pennsylvania
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
WES WATKINS, Oklahoma
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
CHARLES B. RANGEL, New York
FORTNEY PETE STARK, California
ROBERT T. MATSUI, California
BARBARA B. KENNELLY, Connecticut
WILLIAM J. COYNE, Pennsylvania
SANDER M. LEVIN, Michigan
BENJAMIN L. CARDIN, Maryland
JIM McDERMOTT, Washington
GERALD D. KLECZKA, Wisconsin
JOHN LEWIS, Georgia
RICHARD E. NEAL, Massachusetts
MICHAEL R. McNULTY, New York
WILLIAM J. JEFFERSON, Louisiana
JOHN S. TANNER, Tennessee
XAVIER BECERRA, California
KAREN L. THURMAN, Florida
A.L. Singleton, Chief of Staff
Janice Mays, Minority Chief Counsel
Subcommittee on Social Security
JIM BUNNING, Kentucky, Chairman
SAM JOHNSON, Texas
MAC COLLINS, Georgia
ROB PORTMAN, Ohio
JON CHRISTENSEN, Nebraska
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
BARBARA B. KENNELLY, Connecticut
RICHARD E. NEAL, Massachusetts
SANDER M. LEVIN, Michigan
JOHN S. TANNER, Tennessee
XAVIER BECERRA, California
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. The electronic version of the hearing record does not include materials which were not submitted in an electronic format. These materials are kept on file in the official Committee records.
C O N T E N T S
Advisory of April 23, 1997, announcing the hearing
WITNESSES
Social Security Administration, Hon. John J. Callahan, Ph.D., Acting Commissioner of Social Security; accompanied by Dean Mesterharm, Deputy Commissioner for Systems
Social Security Administration, Office of the Inspector General, Hon. David C. Williams, Inspector General; accompanied by Pamela Gardiner, Assistant Inspector General for Audit; and Jim Huse, Investigative Chief
U.S. General Accounting Office, Joel C. Willemssen, Director, Information Resources Management; accompanied by Keith A. Rhodes, Technical Director, Office of the Chief Scientist, Accounting and Information Management Division
Electronic Privacy Information Center, and Georgetown University Law Center, Marc Rotenberg
Information Security Inc., Silver Spring, MD, Noel Matchett
Privacy Times, Evan Hendricks
U.S. Junior Chamber of Commerce, Bruce A. Rector
SUBMISSIONS FOR THE RECORD
U.S. Department of Justice, Robert S. Litt, Deputy Assistant Attorney General, Criminal Division, statement
American Association of Retired Persons, James Parkel, statement
SRI International, Menlo Park, CA, Peter G. Neumann, statement
SOCIAL SECURITY ADMINISTRATION'S WEBSITE
TUESDAY, MAY 6, 1997
House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.
The Subcommittee met, pursuant to call, at 3 p.m., in room B318, Rayburn House Office Building, Hon. Jim Bunning (Chairman of the Subcommittee) presiding.
[The advisory announcing the hearing follows:]
ADVISORY
FROM THE COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON SOCIAL SECURITY
CONTACT: (202) 225-9263
FOR IMMEDIATE RELEASE
April 23, 1997
No. SS-4
Bunning Announces Hearing on
the Social Security Administration's Website
Congressman Jim Bunning (R-KY), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold a hearing on the Social Security Administration's on-line program to provide workers with Social Security earnings information and projected benefits via the Internet. The hearing will take place on Tuesday, May 6, 1997, in room B318 Rayburn House Office Building, beginning at 3:00 p.m.
Oral testimony at this hearing will be from invited witnesses only. The Subcommittee will receive testimony from the Social Security Administration (SSA), the Inspector General of SSA, the U.S. General Accounting Office, privacy experts, and others who will comprehensively review SSA's on-line initiative. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Committee and for inclusion in the printed record of the hearing.
BACKGROUND:
Ten years ago, SSA began providing Personal Earnings and Benefit Estimate Statements (PEBES). These statements provide individuals with their earnings by year, Social Security taxes paid, and an estimate of future benefits. Individuals have been able to request these statements by mail.
As part of its initiative to improve service to the public, SSA developed a project to request PEBES via the Internet. Last month, after a year of testing, SSA began providing individuals with the opportunity to obtain their actual PEBES statement on-line. The Internet request form required five authenticating elements (name, Social Security number, date of birth, place of birth, and mother's maiden name). According to SSA, a number of security features were built into the service.
Following press reports of privacy concerns, along with negative public and Congressional reaction, SSA suspended the on-line PEBES service to ''conduct a rigorous evaluation of the system's security features,'' according to an SSA statement.
In announcing the hearing, Chairman Bunning stated: ''While I appreciate SSA's desire to provide fast and expedient service, such action should never put the privacy of millions of Americans at risk. The public trusts SSA to keep personal records safe and secure. This hearing will provide important information for SSA, and the American public to consider, as we review the fate of PEBES access via the Internet.''
FOCUS OF THE HEARING:
The Subcommittee is interested in receiving witnesses' views regarding whether, and how: (1) privacy and security of the information can be protected, (2) violations of the process can be detected, and (3) such violations can be investigated and prosecuted.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Any person or organization wishing to submit a written statement for the printed record of the hearing should submit at least six (6) copies of their statement and a 3.5-inch diskette in WordPerfect or ASCII format, with their address and date of hearing noted, by the close of business, Tuesday, May 20, 1997, to A.L. Singleton, Chief of Staff, Committee on Ways and Means, U.S. House of Representatives, 1102 Longworth House Office Building, Washington, D.C. 20515. If those filing written statements wish to have their statements distributed to the press and interested public at the hearing, they may deliver 200 additional copies for this purpose to the Subcommittee on Social Security office, room B316 Rayburn House Office Building, at least one hour before the hearing begins.
FORMATTING REQUIREMENTS:
Each statement presented for printing to the Committee by a witness, any written statement or exhibit submitted for the printed record or any written comments in response to a request for written comments must conform to the guidelines listed below. Any statement or exhibit not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee.
1. All statements and any accompanying exhibits for printing must be typed in single space on legal-size paper and may not exceed a total of 10 pages including attachments. At the same time written statements are submitted to the Committee, witnesses are now requested to submit their statements on a 3.5-inch diskette in WordPerfect or ASCII format.
2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee.
3. A witness appearing at a public hearing, or submitting a statement for the record of a public hearing, or submitting written comments in response to a published request for comments by the Committee, must include on his statement or submission a list of all clients, persons, or organizations on whose behalf the witness appears.
4. A supplemental sheet must accompany each statement listing the name, full address, a telephone number where the witness or the designated representative may be reached and a topical outline or summary of the comments and recommendations in the full statement. This supplemental sheet will not be included in the printed record.
The above restrictions and limitations apply only to material being submitted for printing. Statements and exhibits or supplementary material submitted solely for distribution to the Members, the press and the public during the course of a public hearing may be submitted in other forms.
Note: All Committee advisories and news releases are available on the World Wide Web at 'HTTP://WWW.HOUSE.GOV/WAYS_MEANS/'.
The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.
Chairman BUNNING. The Subcommittee will come to order.
This afternoon the Subcommittee will hear about the Social Security Administration's online program to provide workers with Social Security earnings information and projected benefits via the Internet. Acting Commissioner Callahan rightly suspended the online initiative following reports that citizens' privacy could possibly be violated. Dr. Callahan has stated, and I plan to hold him to his word, that SSA will conduct a rigorous evaluation of the system's security features.
This hearing will provide important information for SSA and the American public as we consider the fate of earnings and benefits estimates access via the Internet. Also, we must keep in mind that providing online access to earnings and benefit estimates is just one of a number of electronic service delivery options that SSA is exploring which they view as more convenient for the public and more economical. It is vital for all of us to learn more about the risks of privacy loss and fraudulent use of information obtained online.
The Internet is becoming a widely accepted resource these days. Our grandkids are learning to use computers in kindergarten and even earlier in their homes. But the point I must make is that progress and convenience must not come at the cost of privacy or at the cost of Americans losing their trust that SSA will keep their personal records safe and secure. It is just not worth it.
I look forward to hearing the views of our witnesses today and thank them in advance for their testimony.
And, Mrs. Kennelly, you can enter your statement or you can read your statement.
Mrs. KENNELLY. I apologize, Mr. Chairman; I am very aware that you would like to get meetings started promptly, and it was inadvertent that I was a little late.
Chairman BUNNING. Anyone who has a statement can enter it into the record.
Mrs. KENNELLY. I want to thank you, Mr. Chairman, for calling this hearing.
We are here today to review the Social Security Administration's recent action providing online access to Social Security earnings records. Members of Congress, the press, and the public expressed concern that Internet access to Social Security earnings data would compromise the security and confidentiality of personal financial information. The Social Security Administration has appropriately suspended its online service in order to give the public time to weigh the value of the efficiencies of the service against the risk of personal privacy.
Over the next 2 months, SSA will be holding a series of hearings around the country to test public opinion. The first of these forums was held yesterday in my congressional district in Hartford. And I want to thank you, Dr. Callahan, for being in Hartford and for bringing your associates to Hartford and making this hearing possible, which many people in Hartford appreciated, and the information that was disseminated was very, very interesting.
At yesterday's forum, we learned a considerable amount about the new frontier called the Internet. We learned about both its technological promise and its technological limitations. I am pleased that Commissioner Callahan is here today as a witness. In that capacity, he will be able to tell us what SSA has done to date. The difference between today and yesterday was that Dr. Callahan was sitting here and the various panels were sitting there, and it is just the opposite today.
In addition, we will hear from the General Accounting Office. GAO has reviewed a number of Federal computer systems and will be able to tell us about the hazards of placing personal financial records on the Internet.
I could go on, but I would just like to make a short comment on yesterday's hearing, Mr. Chairman. And of course there will be additional hearings across the country. The Social Security Administration did something that was very good. They wanted to provide services to the clientele to make sure that people could very quickly get their earnings-wage records and find out what their benefits were, and, as we know, it went online and there was a certain amount of controversy.
The concern focused on the fact that the Internet is not like an old-fashioned telephone system where one or two people could pick up; everybody in the world can pick up on the Internet. Therefore people were concerned about personal information being made public.
Yesterday we had an interesting hearing, Mr. Chairman, in that we had panel after panel; we had privacy experts; we had computer high-tech experts; we received a lot of information. And so I would just like to say today what I thought about in the evening was that Social Security decided to do something that they thought was a good idea, putting earning and wage records on the Internet so that people (and these are their records, the history of their earnings) could go on the Internet and see them.
I heard so many ideas yesterday about how high technology could help us have a smart card or something even newer than the smart card, all sorts of interesting things that we could do to protect that information. My feeling is, Mr. Chairman, that, let's not get down the road too far that we can't pull back.
Right now, as you know, when you are 60, you get the PEBES automatically. I think from 50 up, you can get it. You can right now pick up the phone and call and get that information sent to your home. You can go on the Internet and ask for that information from the Social Security Administration and get that sent to your home.
So what I don't want to see happen here is that because there was a good idea, that all of a sudden we are going to do all sorts of safety procedures with additional expenses.
What I found from one of the panels that was so fascinating, to me, was that this has great commercial attraction. And I don't think the Social Security Administration should be in the position of providing information for commercial reasons.
So as there has only been one hearing, and, Dr. Callahan, you are going to hear a great deal more across the country, but I want to make sure that because we had a good idea that everybody didn't agree with, that we don't go out of our way to spend taxpayers' dollars for the safety of that idea. Maybe it is not necessary, but I don't know. I am not making any judgment here.
Thank you, Mr. Chairman.
Chairman BUNNING. As Barbara has told us, we begin today's hearing with Hon. John J. Callahan, Acting Commissioner, Social Security Administration. This is the first time for the Acting Commissioner to testify before this Subcommittee.
The earnings and benefit statement online crisis sure put you in a spotlight very quickly. We appreciate you being here today, and you can provide at your leisure.
STATEMENT OF HON. JOHN J. CALLAHAN, PH.D., ACTING COMMISSIONER OF SOCIAL SECURITY, SOCIAL SECURITY ADMINISTRATION; ACCOMPANIED BY DEAN MESTERHARM, DEPUTY COMMISSIONER FOR SYSTEMS
Mr. CALLAHAN. Thank you very much, Mr. Chairman.
Chairman Bunning, Ranking Member Congresswoman Kennelly, Congressman Tanner, and Congressman Christensen, I appreciate the invitation to appear before you today to discuss the Social Security Administration's initiative to provide Personal Earnings and Benefit Estimate Statements, what we all know as PEBES, on the Internet.
I would like to submit my statement for the record and summarize it briefly.
Chairman BUNNING. Without objection.
Mr. CALLAHAN. Let me say at the outset that the Social Security Administration is and always has been vigilant about protecting the privacy of the information in our records. Nothing is more important to Social Security than maintaining the public's confidence in our ability to keep confidential the sensitive data that we maintain on American citizens.
Given the concerns raised about the security of this data in the online service of PEBES, I decided on April 9 to suspend the online service and, as Congresswoman Kennelly and Chairman Bunning have mentioned, hold a series of forums throughout the country to solicit further views on this matter.
The Personal Earnings and Benefit Estimate Statement, as this Subcommittee knows, contains a year-by-year listing of the worker's reported earnings, estimated Social Security and Medicare taxes paid, and estimates of the benefits for the Retirement, Disability, and Survivors Program. It is a financial roadmap to millions of Americans.
Let me assure the Subcommittee that, contrary to some reports, PEBES does not, I repeat, does not, contain information which could be used to contact the worker or the worker's employers nor does the online process allow anyone to alter Social Security Administration records. We began issuing these statements on request in 1988, and, complying with the legislative mandates of 1989 and 1990, we started to issue these statements automatically in 1995 to persons aged 60 and older.
We are expanding this service to increasingly younger workers. Indeed, by the end of 1996, we had issued more than 12.5 million automatic PEBES. By the year 2000, the Social Security Administration will provide annual Personal Earnings and Benefit Estimate Statements to all workers 25 years of age and older. That is more than 120 million statements each year.
Since the public's response to this service has been positive, SSA wanted to provide the information in a more convenient manner, in keeping with our commitment to provide the American public with efficient, world-class service. We planned this initiative with significant outside consultation to ensure the security of the PEBES online process as well as the integrity of the Social Security Administration data system.
We conducted several pilots where individuals could request a PEBES through the Internet and receive a paper PEBES mailed to them. Access to the individual's records via the Internet PEBES, the online PEBES, requires a match against Social Security Administration records of five authenticating elements: Exact name, Social Security number, State of birth, date of birth, and mother's maiden name. We also provide an onscreen warning about the substantial and severe criminal penalties for the intentional abuse or misuse of Social Security data.
SSA then began a limited pretest of interactive PEBES, online PEBES, during which the PEBES response was returned to the requester's screen immediately. User feedback showed that the public reaction to the electronic response was enthusiastic. So, after 1 1/2 years of testing, SSA made the online PEBES available to all individuals in March 1997.
During the month the service was available, we received approximately 71,000 nonduplicated requests for information over the Internet. Of these, only 48,000 requests were granted, because the other requests failed to pass the Social Security Administration authentication requirements. The primary reasons for failing to pass the authentication requirements were mismatches of mother's maiden name and place of birth.
Although many regarded the security measures as adequate, I suspended the service so that we could thoroughly examine the views of the public and experts, and, as I mentioned, we are holding six public forums around the country. After holding these forums, we will issue a report and we will provide the information from these forums on the matters of authentication, privacy protection, and disclosure problems vis-a-vis the online PEBES service.
Mr. Chairman, the Social Security Administration is by no means the only organization, public or private, which is addressing these issues of security of data on the Internet. These are serious questions, involving access to personal information, and so forth. Our challenge is to allow individuals to conveniently access their records while protecting the security of this information. I believe that in the case of the online PEBES, at least, our forums and certainly this hearing will go a long way toward helping us achieve that goal.
I am happy to answer any questions that the Subcommittee might have of me.
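The testimony above describes the online PEBES gate as a match of five elements against agency records (exact name, Social Security number, date of birth, State of birth, mother's maiden name) and reports that most of the 71,000 requests that failed did so on mother's maiden name or place of birth; the hearing advisory also asks how violations of the process can be detected. The following is an added illustration written for this record, not code from SSA or any witness. It implements that five-element check over constructed sample records, with a normalization rule (case folding and punctuation stripping, an assumption, not SSA policy) so that "O'Brien" and "obrien" compare equal, and it keeps per-source and per-record failure counts so an operator can see which fields fail most and which sources keep failing. The threshold of three failures, the record layout, the sample addresses and every record value are constructed for the example.

```python
"""Added illustration, not SSA code: a five-element knowledge-based check
of the kind the testimony describes, plus a failed-attempt monitor.
All records, requests and thresholds below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
import re


def normalize(value: str) -> str:
    """Case-fold and drop punctuation/whitespace (assumed rule) so that
    "O'Brien" and "obrien", or "1950-03-14" and "19500314", compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.casefold())


@dataclass(frozen=True)
class Record:
    name: str
    ssn: str
    dob: str            # ISO date, e.g. "1950-03-14"
    state_of_birth: str
    mothers_maiden: str


# Constructed sample records keyed by SSN; every value is fictitious.
RECORDS = {
    "123-45-6789": Record("Jane Q Doe", "123-45-6789", "1950-03-14", "OH", "Smith"),
    "987-65-4321": Record("John Roe", "987-65-4321", "1962-11-02", "CA", "O'Brien"),
}

# The five authenticating elements named in the testimony.
FIELDS = ("name", "ssn", "dob", "state_of_birth", "mothers_maiden")


def authenticate(request: dict, records=RECORDS) -> tuple[bool, list[str]]:
    """Return (granted, mismatched_fields). All five elements must match.
    The mismatch list is for the audit log only; the requester sees pass/fail."""
    rec = records.get(request.get("ssn", ""))
    if rec is None:
        return False, ["ssn"]
    mismatches = [f for f in FIELDS
                  if normalize(request.get(f, "")) != normalize(getattr(rec, f))]
    return (not mismatches), mismatches


class AbuseMonitor:
    """Counts failed attempts per source and per SSN so that repeated
    guessing against one record, or from one source, becomes visible."""

    def __init__(self, threshold: int = 3):   # threshold is an assumed value
        self.threshold = threshold
        self.failures_by_source = Counter()
        self.failures_by_ssn = Counter()
        self.mismatch_reasons = Counter()

    def record(self, source: str, request: dict, granted: bool, mismatches):
        if granted:
            return
        self.failures_by_source[source] += 1
        self.failures_by_ssn[request.get("ssn", "")] += 1
        self.mismatch_reasons.update(mismatches)

    def flagged_sources(self) -> list[str]:
        """Sources whose failure count reached the threshold."""
        return sorted(s for s, n in self.failures_by_source.items() if n >= self.threshold)


def process(requests, monitor=None):
    """Run a batch of (source, request) pairs; return (granted_count, monitor)."""
    if monitor is None:
        monitor = AbuseMonitor()
    granted_count = 0
    for source, req in requests:
        granted, mismatches = authenticate(req)
        if granted:
            granted_count += 1
        monitor.record(source, req, granted, mismatches)
    return granted_count, monitor


# Constructed sample traffic: one legitimate request (spelling differs only
# in case and punctuation) and three failed attempts from one source.
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"name": "jane q. doe", "ssn": "123-45-6789", "dob": "1950-03-14",
                  "state_of_birth": "oh", "mothers_maiden": "SMITH"}),
    ("10.0.0.9", {"name": "John Roe", "ssn": "987-65-4321", "dob": "1962-11-02",
                  "state_of_birth": "CA", "mothers_maiden": "Jones"}),
    ("10.0.0.9", {"name": "John Roe", "ssn": "987-65-4321", "dob": "1962-11-02",
                  "state_of_birth": "NY", "mothers_maiden": "Murphy"}),
    ("10.0.0.9", {"name": "John Roe", "ssn": "987-65-4321", "dob": "1962-11-02",
                  "state_of_birth": "CA", "mothers_maiden": "Kelly"}),
]

if __name__ == "__main__":
    granted, mon = process(SAMPLE_REQUESTS)
    print(f"granted {granted} of {len(SAMPLE_REQUESTS)} requests")
    print("mismatched fields:", mon.mismatch_reasons.most_common())
    print("sources at or over threshold:", mon.flagged_sources())
```

Run as a script, it grants one of the four constructed requests, reports mother's maiden name as the most common failing field (the pattern the testimony describes), and lists the one source that failed three times. The point of keeping the mismatch list out of the requester's view is that a pass/fail answer reveals nothing about which element was wrong, while the same detail in the audit log is what lets an operator judge whether failures are honest mistakes or repeated attempts against one record.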
[The prepared statement follows:]
Statement of Hon. John J. Callahan, Ph.D., Acting Commissioner of Social Security, Social Security Administration
Mr. Chairman and Members of the Subcommittee:
I appreciate your invitation to appear before you today to discuss the Social Security Administration's (SSA) initiative to provide Personal Earnings and Benefit Estimate Statements (PEBES) online via the Internet.
Let me say at the outset, nothing is more important to Social Security than maintaining the public's confidence in our ability to keep confidential the sensitive data we maintain on American citizens. We are very much aware that the public's perception about the online PEBES could undermine confidence in the safety and security of the sensitive data we maintain. Because of this concern, I decided on April 9 to suspend the online interactive PEBES service which had been available for about a month.
I would like to begin today by describing what information the PEBES displays and by providing a brief history of the PEBES. I will then discuss the steps SSA is taking to further evaluate the issues relating to the online PEBES process. In addressing these issues, I would note that the appropriate discussion should focus on authentication requirements, not system security, because, as I will relate, the PEBES system is secure. SSA is using time-tested commercial encryption that banks and other online businesses use every day for credit card transactions.
What's In the PEBES
The PEBES statement is widely considered to be one of SSA's primary tools for restoring confidence in SSA programs, and is among the most popular information documents provided by SSA. The PEBES is designed to help workers ensure that SSA's record of their earnings, the basis for all future benefit payments, is complete and accurate, to show workers the full range of protection that Social Security programs provide, and to give them personal information about potential benefits for use in their financial planning. In Fiscal Year 1996 alone, 3.4 million workers requested a copy of their PEBES.
The PEBES response contains:
Current earnings estimates as provided by the requestor.
A year-by-year listing of the Social Security-reported earnings up to the Social Security maximum and the estimated Social Security taxes paid.
A year-by-year listing of the Medicare earnings reported, up to the maximum, and the Medicare taxes paid. (For the years 1994 on there is no limit on the Medicare earnings taxed and so the full amount of earnings for these years is displayed.)
An estimate of retirement benefits at age 62, at full retirement age (currently, age 65) and age 70.
An estimate of a current disability benefit amount.
An estimate of survivor benefit amounts for a spouse and children.
The PEBES response does not contain:
The requestor's mailing address.
The name and address of the requestor's employer.
Current Social Security-reported earnings. Earnings for 1997 are not reported by employers until 1998. In most cases, 1996 earnings data are also not available as earnings reports for 1996 are currently being processed by SSA.
Information an improper requestor could use to contact the worker.
History of PEBES
SSA began issuing PEBES on request in 1988, and legislation enacted in 1989 and 1990 required that by the year 2000 SSA provide an annual PEBES automatically to all workers who are age 25 and older for whom a current address can be located. The legislation also provided for phasing in mailing the automatic PEBES by requiring that they be sent to workers approaching retirement age. Thus, SSA started to issue automatic PEBES in FY 1995 to persons age 60 and older, and is moving on to increasingly younger workers during the FY 1996 through FY 1999 period. By the end of Fiscal Year 1996, SSA had issued more than 12.5 million automatic PEBES, and by the end of FY 1999, will have issued a total of some 70 million automatic PEBES. In FY 2000, when issuance becomes annual and all workers age 25 and older are brought into the process, yearly issuance volumes will exceed 120 million statements.
Developing an Online PEBES
SSA is committed to providing world-class service, service which is equal to or better than that available in the private sector, to all of our customers. We believe that an important aspect of this service is to provide wage and benefit information that workers and their families can use to help make financial plans for retirement.
Many private sector and government agencies are now using the Internet in ways unique to their needs. Chase Manhattan, Wells Fargo, Bank of America, and other smaller institutions now offer Internet banking. The United States Government Thrift Fund, Charles Schwab, Prudential Securities, American Century Investments, and the NASDAQ stock exchange all offer personal access to financial data via the Internet. Retailers who offer Internet ordering and accept credit card information online include TV Guide, Macy's, Spiegel, Recreational Equipment, Amazon Books, Gateway 2000 Computers, and many others.
The public's response to the PEBES service we began offering almost 10 years ago has been overwhelmingly positive. Because of our commitment to providing world class service, SSA began to study the feasibility of providing the information in a more convenient manner. The PEBES was identified as a workload that would involve a useful service to the public and demonstrate the ability to do business on the World Wide Web as an alternative to the public's use of the 800 number, a visit to the local office, or the mailing of a PEBES request to SSA.
SSA began its initiative to provide PEBES online with significant consultation with outside experts. Through our membership in CommerceNet consortium, a unique, not-for-profit market and business development organization located in Silicon Valley, California, and our consultation with experts in business and academia, we built a secure Internet support system with high-level security features. These features include the encryption of data moving to and from the requestor over the Internet and the total isolation of the online PEBES service from SSA's vast online data resources.
We commissioned an extensive study on all the risks and solutions for our entire Internet service. This report was prepared for us in July 1995 by the Los Alamos National Laboratory. We used the report in implementing the PEBES Internet application. Extensive consultation with vendors such as IBM, Openmarket Inc., Bank of America, and Wells Fargo Bank also provided useful technical information.
We also participated in Federal government committees and organizations and maintained staff contacts at the Office of Management and Budget, the Departments of the Treasury and Justice, and other agencies involved in Internet services to ensure that our planned services were consistent with government standards and guidelines. In some instances, SSA staff helped shape government-wide policies which affect our Internet services, such as the National Information Infrastructure Privacy Guidelines.
We used the IBM security response team to give us guidance in designing a secure gateway (known as a ''computer firewall'') to protect SSA mainframe computer-based data resources from unauthorized access via the Internet. We hired professional consultants to test the gateway using a variety of penetration tools and techniques. The gateway was not breached. To ensure no future breaches, we implemented some additional technical security measures, based on the advice of these consultants.
I would like to emphasize this point, because I am concerned that some of the reports about interactive PEBES implied that access to PEBES would also allow the viewer to alter data or gain access to other SSA records. This is absolutely false. The earnings data displayed on the screen may not be altered by the viewer in any way, nor can the user gain entry to or modify any other SSA record. It has never been possible for anyone, either the worker or another individual posing as the worker, to change information on SSA records or to view data other than earnings data.
After these security features were in place, SSA conducted a pilot program that allowed individuals to request a PEBES through the Internet, and to receive a paper PEBES mailed to the address provided by the individual. The pilot involved testing at 22 Internet kiosk sites in the San Francisco area from March 21 through April 16, 1996. We reviewed almost 4,000 comments received between April 17 and August 16, 1996, and found that approximately 450 (11 percent) of those commenting asked SSA for the ability to obtain the response online.
The online PEBES service we developed in consultation with experts has a number of security measures other than those I have already mentioned to help prevent access to wage records by anyone other than the worker. To view an online PEBES requires a match against SSA records of five authenticating elements: name, Social Security number, date of birth, State of birth, and mother's maiden name. We also provided an on-screen warning that there are substantial criminal penalties for the intentional misuse of Social Security data, penalties which SSA is fully prepared to pursue.
On October 30, 1996, SSA then began a limited, controlled pretest of the online PEBES service in partnership with the Cedar Falls, Iowa, public library. In December 1996, we expanded our test partners to include the Baltimore County Public Library, Wells Fargo Bank, and SSA employees with Internet access. In this phase of the pilot, the PEBES response was returned to the requestor's screen immediately. Again, feedback and our direct observations showed that the public reaction to the electronic response was enthusiastic.
After a year and a half of testing, SSA expanded the limited availability of online PEBES to provide all individuals with access to the Internet with the opportunity to obtain the PEBES statements online. During the month that the online PEBES was available, SSA received about 71,000 requests. Of those requests, we provided only 47,000 PEBES to online requestors because the other requests failed to pass SSA authentication requirements. The primary reasons for failing to pass the authentication requirements were mismatches of mother's maiden name and place of birth.
Next Steps to Protect Privacy
Although many people would regard the security measures we employed as fully adequate, I concluded that, in view of the concerns being expressed about the online process, we needed to more thoroughly investigate the views of the public and appropriate experts with regard to all aspects of Internet access to online PEBES. Thus, when I made the decision to suspend the availability of the online PEBES, I announced that SSA would conduct a series of public forums across the country over a 60-day period to obtain input from experts in computer security and privacy and from members of the public.
These forums will have the following primary objectives:
To obtain informed public input regarding how best to protect the privacy of information and confidential communications when using electronic service delivery;
To refine our authentication, privacy protection, and disclosure policy which reflects the appropriate balancing of stakeholder concerns;
To develop options which will enable SSA to add any necessary and appropriate protections to the interactive PEBES service and begin planning and implementing additional online services, both short-and long-term; and
To produce a report which reflects all of the above objectives, and serves as the foundation for additional action.
The first of six forums was held yesterday in Hartford, Connecticut, and will be followed over the next six weeks by five additional forums. The information we gain from these forums will assist us in articulating a clear policy foundation to enable SSA to take appropriate steps regarding the viewing on the Internet of earnings data maintained by SSA.
Conclusion
Mr. Chairman, SSA experience with online PEBES raises issues that are not unique to SSA. The question that SSA and society as a whole must address is how to properly balance the rights of individuals to access and request any necessary correction of their records, the value of allowing them to do so in a convenient way, against the risk, however slight, of unauthorized access to confidential information. The resolution of this question may be made easier if there develops a general consensus of opinion as to how much risk, if any, is acceptable, and whether it is feasible and cost-effective to maintain an acceptable level of risk. I believe that, in the case of the online PEBES at least, our public forums will go a long way to answering these questions. However, they are questions which will inevitably be raised again and again as society develops and uses new technologies.
Chairman BUNNING. Thank you, Dr. Callahan.
Let me start. Based on my review of your testimony today, I am convinced and confident, Dr. Callahan, that SSA will receive important information to help determine the future of making earnings and benefit statements available online. I am convinced, however, that ultimately this discussion represents just the tip of the iceberg regarding the overall debate on government information available via the Internet.
Does the Clinton administration have specific final guidelines for Federal agencies to follow as far as putting information on the Internet?
Mr. CALLAHAN. I can't give you a very specific answer on that, Mr. Chairman. I am certainly going to look into that.
I think our immediate question, Mr. Chairman, on this very narrow matter of the online PEBES is to get the information that we need to address the privacy questions that you are concerned about, and we will be happy to supply that information to you. But I don't have a precise answer for you on that.
Chairman BUNNING. Then as an independent agency, when the decision was made, it was made internally by the Social Security Administration, so you are telling me that the administration didn't say yes or no?
Mr. CALLAHAN. That is correct, sir. The decision was made independently; as was the decision to suspend the online service. I made that decision, sir.
Chairman BUNNING. Were you surprised by the reaction of the American public, and what do you think went wrong?
Mr. CALLAHAN. Well, I think that, clearly, the American public, as all of us here in this room, have a right to be concerned about the privacy of our information. I think this matter is twofold: We want our sensitive information private; we don't want other people to have that information. At the same time, we would like to have access to that information.
I think probably some of us over the years have dealt, for example, with credit bureau reports. It is important that we have personal access to that information. So we were trying to balance two things here, and, as it turns out, obviously, we have to look at that balance again and make sure that persons' concerns about the privacy of their data will be protected.
Chairman BUNNING. Can you give me a cost estimate for mailing a Social Security PEBES back to someone who requested it on the Internet?
Mr. CALLAHAN. Let me give you three cost figures, if I could, Mr. Chairman. If you write in and request one of these statements and we send it back to you, it costs us about $5 a request. If you ask us online for the request and we were to mail it back to you, it costs us presently about $1. We estimate that when we finally mail out these statements at high volumes (as I mentioned earlier, every worker aged 25 and older will be receiving these statements several years from now) it will cost us approximately, I think, about 70 cents or 60 cents per request. Multiply that, of course, by 120 million. We will be mailing out 120 million forms.
Chairman BUNNING. You maintain that the discussion should focus on the authenticity requirements rather than the system security because you maintain the system is secure. If this is the case, can you provide additional rationale for why you chose the specific authenticity requirements for online PEBES that you did and whether you believe that these need to be changed?
Mr. CALLAHAN. We chose those elements for authentication, the five data elements that I mentioned in my testimony, because we felt, obviously, as someone asks for information in a service, the more times they have to supply information, they have to be more knowledgeable about their request. So any time you go from one to two to three or four or five items, whatever it is, it becomes more complex to get that data. There are only so many what they call numidents (this is the technical term) under your Social Security record. There are only so many pieces of information that you supply to be used in this process, and we felt that five items just about stretched the limit, sir.
Chairman BUNNING. Barbara, go ahead.
Mrs. KENNELLY. Thank you, Mr. Chairman. Just a quick followup on how much it costs.
According to statute, you will have to mail out these records.
Mr. CALLAHAN. Yes, ma'am, that is correct.
Mrs. KENNELLY. What happens if you are on the Internet and people have requested? Do you still have to mail out?
Mr. CALLAHAN. The question, I suppose, is, if everyone at that time is getting all these statements by mail, whether they would want to ask for the information by Internet.
But I think the one thing that should be borne in mind, it may well be as we explore other online services that, just as an example, if there were another level of security on the online process, we could do more business with the individual Social Security beneficiary or customer, if you will, through the online than we could through the mail.
Mrs. KENNELLY. And one of my concerns is how you trace or audit who is acquiring information. What happens in a college where there are 3,000 students using a library? How are you making sure that they are the right ones to be asking that information?
Mr. CALLAHAN. In this particular case, our Deputy Commissioner for Systems, who is here with me today, Dean Mesterharm, who runs our computer systems, has advised me that, whenever we look at the online process, when we find anomalies, such as multiple requests or a lot of requests going to one address or something that doesn't fit the basic pattern of one person asking for one piece of data, we provide these anomalies to the Inspector General for investigation.
Mrs. KENNELLY. That is my next question. I know there are monetary penalties, and I know there is prison time if you misuse the system. However, we all know that our courts are pretty heavily loaded.
Has the Social Security Administration got the means to prosecute to find these people to bring them to court? Because if they don't and people realize they can get away with it, what happens then?
Mr. CALLAHAN. It would certainly be our intention, Congresswoman Kennelly, that we would press this issue very, very hard, because clearly the privacy of these records is very important to us. And I have talked to the Inspector General about this. We would certainly bring this to the Inspector General's immediate attention. We would expect him, and I am sure he would agree, to also press it.
In terms of the U.S. attorneys and the system and prosecuting these cases, that is a little bit outside our jurisdiction, but I can assure you, from the Social Security Administration's point of view, we would regard this as a very serious violation.
Mrs. KENNELLY. As you know, in 1992 the U.S. attorney prosecuted 12 people working within the Social Security system for selling information to outsiders, and you take that from 1992 to now we are in 1997, and everybody in the world can get this very same information. I think we have a real question about whether you have the capacity to do what has to be done to keep the system safe.
Thank you, Mr. Chairman.
Chairman BUNNING. Mr. Christensen.
Mr. CHRISTENSEN. Thank you, Mr. Chairman.
I would like to echo the sentiments of Mrs. Kennelly from Hartford and really instead of, I guess, criticize on anything that you have done, I want to tell you that I appreciate you going ahead and moving forward with the whole program.
We go to high schools a lot, and Social Security usually is the number one issue in the high school forums and the frustration that high school seniors have with not knowing where this money is going, not knowing where it is going to be in 40 years, not knowing anything about why 25 to 30 percent of their pay stub is going into some deep, dark black hole.
And we have talked a lot about the Internet, and I want to tell you, I appreciate you going ahead and getting this information available and online. Yes, mistakes may have been made. Maybe something went just a little bit awry, and that is what I want to visit with you about. I believe this is of vital importance to young people. If the generation X people cannot become more informed on this information, it is our fault. And I want to thank you for going ahead with this.
When you were looking at the security issues, whom did you contact as far as government agencies or private sector help, and did they put together any written guidelines for you? Did they offer suggestions?
Mr. CALLAHAN. Yes, there is a fairly long list of governmental organizations that we work with, acronyms which I probably couldn't even fully tell you about right now, but we will supply that for the record. We also worked with the Los Alamos National Laboratory; we consulted with the National Institute of Standards and Technology, all the requisite people that, for organizations inside the government, are familiar with the Internet and online transmission. So we believe that we did a thorough job in that regard in terms of consultation, but we will supply the names for you in the record.
[The following was subsequently received:]
[The official Committee record contains additional material here.]
Mr. CHRISTENSEN. I would like to have all the written memorandums that the various outside organizations as well as the public sector offered you in terms of guidance and advice not only in security matters but also technical advice.
Mr. CALLAHAN. There is one aspect that we must be sensitive about. There is some data that relates to what we call the architecture of our central data system, which is highly, highly sensitive, and we would want to make that available in the appropriate fashion to the Subcommittee because this protects our central records.
Mr. CHRISTENSEN. It is my understanding that NIST does provide, under legislative authority, the technical assistance, computer assistance. Did you seek out their input more so than Los Alamos? Which one did you rely more heavily upon?
Mr. CALLAHAN. This was a little bit before my time, but my understanding was that we sought out NIST assistance certainly in a very intensive fashion, as well as Los Alamos. So it is my understanding that we did seek them out very aggressively.
Mr. CHRISTENSEN. Since April 9, have you sat down with the National Institute to look at modifications and what we can do to make sure that this doesn't happen again or that we can make the correct modifications so that we can get this information back online so that high school seniors can access that information?
Mr. CALLAHAN. We will do that, Congressman. We are also in the process of doing these forums around the country and consulting with a variety of experts. But we will do that, sir.
Mr. CHRISTENSEN. Well, I want to tell you, I appreciate the important issue that you are working on. I, maybe unlike my colleagues, want to see this back online as soon as possible. I believe it is vital information for the future, for our generation, our seniors, our 25-- I would like to see you even take the PEBES system and move it down to 18-year-olds versus 25-year-olds.
But I understand the security measures here, and I understand also the modifications that need to be put in place. But I want to thank you, and I want to encourage you, and let's get this back going and let's make the corrections.
Mr. CALLAHAN. Thank you, sir.
Chairman BUNNING. Mr. Hayworth.
Mr. HAYWORTH. I thank the Chairman. And, Dr. Callahan, we thank you for coming by.
It is interesting to hear from constituents on a variety of issues that come under the jurisdiction of this Committee. Just a couple of months ago, we were very concerned about another area involving computers with the Internal Revenue Service and the reports of a computer system that was supposed to be the wonder of wonders, a technological marvel that was going to streamline what the IRS did, and now it appears that taxpayers are some $5 billion in the hole for a system that has yet to be perfected and is filled with all sorts of technological bugs.
And in talking to the people of the Sixth District of Arizona, Dr. Callahan, I have heard a great deal of concern about this procedure; press reports, yes, but also philosophical concerns, because I don't believe it is so much technophobia as it is a concern about people's benefits being somehow disseminated unlawfully, hackers getting in, somehow the system not providing the very security that we have come to expect from the Social Security system.
So in hearing from a variety of people, there are genuine, genuine concerns. And I know that even as you tried to deal with this problem, you cannot be prepared today, nor can anyone be prepared, to say that after reviewing the situation you will have a system that is foolproof.
And just for the record, I want to make sure that we are on the same wavelength; you are not willing to sit before us today and say that we can have a system that will be foolproof in the days ahead.
Mr. CALLAHAN. For the record, if you are saying, you cannot construct any system that will be absolutely 100 percent safe from these concerns you mentioned, I am sure you are correct.
Mr. HAYWORTH. With that in mind, I think it is important that we move very deliberately and carefully, because even now as we move to expand the computer technology here in the Capitol with e-mail, there is great concern about hackers and people violating the messages. So I think that we have to move deliberately and with a variety of examinations and seeking the input of so many different people.
You mentioned, Dr. Callahan, that SSA plans to hold public forums across the country in order to gauge the country's view of offering PEBES on the Internet. Future forums are scheduled in Atlanta, San Jose, and Austin, among other locations. Can you tell me how many SSA staff members will be traveling to these associations?
Mr. CALLAHAN. I don't have that precise number, but I will supply that for the Subcommittee.
[The following was subsequently received:]
The number of SSA staff traveling to the PEBES forums typically ranges from 8 to 10.
This number consists of the Acting Commissioner and three senior executives who appear with him on the SSA panel.
Additionally, SSA sends a senior official from the Office of Communications to deal with the media and to provide any necessary onsite support.
SSA also sends several technical experts to provide advice to the SSA panel and to prepare for the written report that will follow.
Lastly, the host Regional Commissioner and the lead Public Affairs Officer will normally travel to the site if it is not located in a regional city (e.g., Hartford).
Mr. HAYWORTH. And could you offer us the insight and the methodology as to how these particular cities were chosen?
Mr. CALLAHAN. We wanted to cover all parts of the country, and I think you will see that all the regions in the country are covered by these locations. We are also having a final set of hearings in Washington in an online forum from which we will be able to receive information.
Mr. HAYWORTH. Do you have any idea of the estimated costs for travel and the organizational expenses?
Mr. CALLAHAN. We will supply that to the Subcommittee, too.
[The following was subsequently received:]
SSA expects to hold six forums throughout the country in May and June 1997. The total cost is estimated to be $35,000.
Mr. HAYWORTH. Could you indicate to me what portion of the SSA budget will these funds come from?
Mr. CALLAHAN. Again, we will supply all of that for the Subcommittee.
[The following was subsequently received:]
The costs of conducting the forums will be borne by SSA's Limitation on Administration Expenses Appropriation.
Mr. CALLAHAN. I would say that I regard this as a very legitimate and very worthwhile expenditure of the Social Security Administration. We could have done the normal bureaucratic thing and gone back into our shells and muttered and groaned and moaned and tried to come back with a proposal which may not be well understood. This is an important service to millions of Americans.
I appreciate the concern that you have raised about privacy, but we also should remember that this service is very, very valuable to the American public. We have mailed out, as I said, close to 12.5 million of these statements. People use these statements every day to plan their financial retirement. We heard yesterday in Hartford from one of the major insurance companies who said this was a very valuable service for their customers so that they could integrate not only their Social Security benefits but their private benefits, their pension benefits, their savings.
So I think, clearly, we are also talking here about a service and a set of information that is very, very valuable to millions of Americans; there is no doubt about that in my mind.
Mr. HAYWORTH. I appreciate your perspective on that, Dr. Callahan, and in closing would simply add what tempers a lot of this is the fact that this Congress is mindful that just a couple of weeks ago we had to pass in terms of the Internal Revenue Service an antibrowsing provision, which I think was rather mildly stated, because I believe when people willfully go into individual accounts and peruse those things it is more than simple browsing, it is a criminal act.
Mr. CALLAHAN. If I may, Congressman, your point is well taken, and we have severe penalties for anyone in the Social Security Administration that does that, and we will enforce those to the letter of the law. That wasn't right in Treasury; it is not right in Social Security; and you can depend, as long as I am here, that we will enforce those penalties to the letter of the law, sir.
Mr. HAYWORTH. Dr. Callahan, I thank you.
Chairman BUNNING. Mr. Tanner.
Mr. TANNER. Thank you very much, Mr. Chairman. And, Dr. Callahan, welcome. Thank you for your testimony.
As I understand your statement, what you presented here orally and also in reading it, the main concern is the privacy issue as it relates to the Internet access.
Mr. CALLAHAN. Yes, sir.
Mr. TANNER. That was primarily the reason that the experiment was discontinued?
Mr. CALLAHAN. The experiment was discontinued because sufficient concerns were raised that we wanted to take a look at it and get the views, as I mentioned, of these various forums.
Mr. TANNER. The General Accounting Office, I think, is here and is going to present some testimony. But in reading their material, they expressed some degree of skepticism that current technology will allow a secure system to be placed on the Internet, if I am reading correctly, with the current technology base we have. Has there been any coordination between you all and GAO about that issue?
Mr. CALLAHAN. Well, remember, we suspended this on April 9. Here it is May 6, so it is rather early in the game. We are providing GAO with all the material from these forums; we have provided GAO, as we should, with all the data relative to where we were coming from.
I think it is fair to say on the technology issue, Congressman Tanner, technology changes incredibly rapidly. I think we heard some good testimony yesterday in Hartford, and I am sure we will hear it elsewhere, as well as advice from elsewhere, that there may be a variety of changes in technology wherein we could enhance the privacy of the transaction.
Mr. TANNER. I want to say that I think the public hearings around the country are a good idea. This is a high priority to the American people and worthy, as you stated earlier, of bureaucrats getting out of Washington and getting around the country to see; and it raises the profile of the issue out in the country when you all are there. So I think it is an excellent idea and appropriate in this case.
Other than raising the awareness, can you tell us what you anticipate the hearings producing?
Mr. CALLAHAN. Well, the forums are structured to get testimony and views from a wide variety of not only the public but also computer experts and business experts. More and more businesses are providing their services online with various levels of security on those online services. We are hearing from, again, computer experts that talk about changes in technology, and we are also hearing from privacy experts. I don't think any community, whether it is the computer people or the privacy people, always speaks with one voice.
We heard an interesting piece of testimony from a privacy expert in Hartford yesterday who offered the notion that one of the things about privacy that is very important is choice, suggesting there may be a lot of people that will look at the risk that is involved in online services and say, I want that data. You have told me what the risk is to the privacy of that data, but I still want that data.
So the question you have to ask yourself is, if they want that data and they understand the risks, why shouldn't you give that to them? And this was a privacy expert. So I think we will hear a wide variety of views; and again, we will make all of this available to the Subcommittee as it considers this matter on down the line.
Mr. TANNER. Thank you very much.
Chairman BUNNING. Mr. Collins.
Mr. COLLINS. Thank you, Mr. Chairman.
Dr. Callahan, I understand you had a hearingwhen, yesterdayat Harvard?
Mr. CALLAHAN. Hartford.
Mr. COLLINS. Hartford. OK. That is good. You mentioned that you heard from the insurance industry there?
Mr. CALLAHAN. There were four business panelists. One was from Chase Manhattan, one was from the Hartford, one was from a computer service, and there was one other. The affiliation escapes me at the moment, but we will supply it for the record.
[The following was subsequently received:]
[The official Committee record contains additional material here.]
Mr. COLLINS. Did you hear from any individuals?
Mr. CALLAHAN. Yes, we did.
Mr. COLLINS. What did you ascertain from the insurance company?
Mr. CALLAHAN. The insurance company said that, if you as a Social Security recipient go to your financial planner and sign an authorization statement allowing that financial planner to get your Personal Earnings and Benefit Estimate Statement so that he or she can aid you in your financial planning, SSA supplies that statement to that person.
Mr. COLLINS. What did Chase tell you? What was their interest?
Mr. CALLAHAN. Well, Chase Manhattan was talking to us about the security features they have on their online banking system. They have, as I understand it, a wholesale banking system with the financial industry over which they daily transmit some astronomical figure. I think he said 1.3 trillion dollars' worth of money, so they have had a lot of experience in dealing with online security; so they provided us that information.
Mr. COLLINS. The good side of this is the information would be available to the beneficiaries of Social Security.
What would be the downside of it? What would be the downside of someone else ascertaining that information and using it for what purpose?
Mr. CALLAHAN. Well, a number of people have raised the specter of the nosy neighbor, the divorce lawyer, people who may want to get the information on your particular earnings statement to use it for untoward purposes. And so I think that is one of the basic concerns that we are hearing about.
And, again, I would say, people should be reminded that there are severe criminal penalties for that. So if you engage in that process, whether it is on the Internet or any other process, you are liable to severe prosecution.
Mr. COLLINS. Say some lawyer got this information for a divorce case; would it be evidence? Would they have to present it as that type of evidence? And how could they use it, would it not be revealing that they got it from the Social Security Administration through the Internet?
Mr. CALLAHAN. Well, I imagine they wouldn't take any pains to reveal that because they would be subject to prosecution.
And then this raises the broader question, which is how much of the information that relates to our daily life, whether it is income or whatever it is, is available out in the marketplace from a variety of sources. And I think this is the larger question that we have to be concerned about, which is broader than just the Social Security Administration.
Mr. COLLINS. I missed the opportunity to check and see what I had in the account. But had I--it was very little.
Mr. CALLAHAN. You can still request it; you just can't get it on the Internet.
Mr. COLLINS. All right. I go in and how do I do this? I might want to look mine up.
Mr. CALLAHAN. OK. You have to supply us--
Mr. COLLINS. He said it was closed. I knew it was closed.
Chairman BUNNING. Can you apply for it?
Mr. CALLAHAN. If you were to get on your home computer and ask us for this information, we would not send it back to you now over the Internet.
Mr. COLLINS. OK. You are going to send it back to me by mail?
Mr. CALLAHAN. That is correct.
Mr. COLLINS. What would I receive? I am not talking about numbers.
Mr. CALLAHAN. I hope a lot.
Mr. COLLINS. Will I receive my total investment, total amount of earnings, annual earnings?
Mr. CALLAHAN. You will receive your earnings record that is taxable under Social Security and under Medicare, and an estimate of what you would receive in terms of Social Security benefits when you retire.
And I actually have for the record what a PEBES Statement looks like. There is no particular name on this, but we would supply this for the record.
Mr. COLLINS. Good, I would like to see it. Thank you very much.
[The following was subsequently received:]
[The official Committee record contains additional material here.]
Chairman BUNNING. Mr. Portman.
Mr. PORTMAN. Thank you, Mr. Chairman, and Dr. Callahan for your testimony today. I understand you are going to have some hearings and forums and consult with experts, so you may not be prepared to answer all of these questions; but to the extent you can, I would appreciate it.
You have looked into the issue, I know, and others we are going to hear from later talking about having a PIN number requirement or a password or perhaps some kind of a digital signature. Of those options, which do you think might be practical for Social Security?
Mr. CALLAHAN. I can't give you a definitive answer, but my understanding, at least from talking with our own experts and, obviously, based on this forum that we held yesterday, it seems the most readily available in the first instance is the PIN or the password, which is something we are all familiar with.
There seems to be a growing desire to look into the real possibilities of the privacy aspects of digital signatures, and that is certainly something that we would look at.
Mr. PORTMAN. You mean in relation to addressing the privacy problem?
Mr. CALLAHAN. Digital signatures would enable us to authenticate who it is that is communicating with us so that we could be able to have a secure transaction between ourselves and the authentic individual.
Mr. PORTMAN. I hope you are working with the Internal Revenue Service on this, as they are addressing many of the same problems.
As you know, one of the problems with electronic filing is, we have a separate requirement for a paper return to be signed so that the signature is available; and we are hoping that we can come up with something like that on the IRS side, as well, because it makes a lot of sense.
My general question to you is, and again I know that you are going through this process of evaluating whether this is feasible, but do you think, given what you know about the problems you had with the PEBES system and, generally speaking, with regard to your computer systems being subject to hackers or other outsiders, do you think this thing is feasible? Do you think it can happen?
Mr. CALLAHAN. It would probably be premature for me to give you an absolute, definitive answer. But I will say--let me divide the answer into two parts.
In terms of the integrity of our basic data system--and you mentioned hackers, and every central data system is concerned about--
Mr. PORTMAN. Have you had problems with hackers in your data systems?
Mr. CALLAHAN. No, we have not.
Mr. PORTMAN. This is not just related to the Internet?
Mr. CALLAHAN. We maintain the highest level of vigilance on that. We understand that, like everything else, people will try. They have not succeeded. And believe me, that is very, very --
Mr. PORTMAN. You know that people have tried?
Mr. CALLAHAN. Yes, sir. And they have not succeeded and if we find them doing it, we will track them down and we will prosecute them.
Mr. PORTMAN. And that is through encryption and other methods that you use to ensure the privacy?
Mr. CALLAHAN. Yes.
Mr. PORTMAN. So you do have some systems in place?
Mr. CALLAHAN. Yes, we do.
Mr. PORTMAN. Let me, before we run out of time, ask you a couple of other specific ones. At the IRS, and I understand at HHS also, although I am less familiar with that, there is a privacy office. Social Security doesn't have one to my knowledge.
Do you have a privacy office, a privacy department?
Mr. CALLAHAN. I know we have some senior officials that are charged with privacy concerns. I am not exactly --
Mr. PORTMAN. We are going to hear from a witness later today, based on the testimony that I saw that we have a Privacy Commissioner for the Federal Government; and my question would be, if that makes sense for the IRS, which I think it does, whether Social Security might want to prioritize this issue and add stature to the people who are looking into it by establishing a group of people that focus on this issue, because it is so important.
Mr. CALLAHAN. We will look into that.
Let me just say, though, like everything else, we have to be very, very concerned with privacy. We have said that repeatedly. At the same time, where we serve so many people, beneficiaries, taxpayers, and so forth, we have to have a lot of commerce with people that are concerned about this.
Every Member of this Subcommittee is right. People really are very concerned about Social Security, the future of Social Security, the maintenance of Social Security. That means we have to have that back-and-forth communication with them, whether it is over the telephone or coming into the field office.
Mr. PORTMAN. That is precisely why you need to focus on privacy. I would agree with comments made earlier by some of my colleagues that what the Social Security Administration was attempting to do through providing this information on the Internet is a good idea and particularly with our younger generation having that access to the Internet for other reasons. I think it is a great idea. But to do that the privacy concerns have to be addressed and addressed at the outset; otherwise we will have another shutdown, as we just experienced.
Mr. CALLAHAN. That is a point well made.
Mr. PORTMAN. One other point: Since you are going through this process, I hope you will also make a recommendation to the Clinton administration that there be a governmentwide effort to look at this issue. This is not just related to SSA. And I think we will hear from a lot of people about the lack of focus on privacy in all the government agencies, and one can learn from another.
Thank you, Mr. Chairman.
Chairman BUNNING. Mr. Levin.
Mr. LEVIN. Do you know, most people who inquire, are they mainly interested in the estimate of their benefit they are going to receive?
Mr. CALLAHAN. You mean, why they inquire?
Mr. LEVIN. Isn't that the reason that most do?
Mr. CALLAHAN. Most of them use it for financial planning purposes, yes.
Mr. LEVIN. Isn't one possibility to provide that information over the Internet, but not all of the earnings records?
Mr. CALLAHAN. Yes, that is a possibility, and that was discussed the other day.
Mr. LEVIN. Within --
Mr. CALLAHAN. The forums that we mentioned. That is a matter that has been brought to our attention.
Mr. LEVIN. I take it that most people who might attempt to misuse the Internet are really interested not in the benefit estimate, but in the earnings record, right?
Mr. CALLAHAN. Yes, although -- let me amend my statement, if I could, Congressman Levin.
When people look at their earnings record, we encourage them to examine their earnings record carefully because, if they believe it is incorrect, they should bring it to our attention. We will correct it, where appropriate, so they will get the accurate benefit to which they are entitled.
Mr. LEVIN. I understand that, but most people who inquire are interested in the bottom line benefit. They could receive the earnings record in other ways, right?
Mr. CALLAHAN. Yes, sir.
Mr. LEVIN. And I take it, it is also true that most of the abuse would come from people who want not the benefit estimate, but the earnings record.
Mr. CALLAHAN. I believe that would be correct.
Mr. LEVIN. So, there might be a relatively -- I hate to suggest around here a simple answer, and I am not saying it is a complete one, but I mean, there might be a relatively easy way, at least in the near future, to resolve this issue, no?
Mr. CALLAHAN. That could well be, sir.
Mr. LEVIN. Thank you.
Chairman BUNNING. I only have one more question. The SSA Inspector General points out that while the financial and retail industries provide online services at a level of risk acceptable to their customers, these exchanges are generally voluntary.
Did you consider that when you were making the decision to put it online?
In other words, if I am a Social Security recipient or could be a recipient of PEBES, I want to opt out. I don't want my information online; since I have already received from the Social Security Administration my physical document, I don't need to be online.
Mr. CALLAHAN. Right.
Chairman BUNNING. That is why eventually the older members of our population will not need to have anything online. It is the young group that Mr. Christensen was talking about that would like to see what is online and what their benefits might be or might be projected to be.
Mr. CALLAHAN. Right.
Chairman BUNNING. So did you consider that? If not, why not?
Mr. CALLAHAN. Again, it precedes my time here, but let me speak.
Chairman BUNNING. There are some people here who were in on the decision.
Mr. CALLAHAN. I understand, but I believe that that certainly was a matter that was considered. There is a cost, obviously, to creating a service where you, in essence, would have to block all these records; so it would not be the normal Internet service. You would have to take that into consideration. That obviously would raise the cost of ''providing'' online service as if we had put it in with a pen or what have you. So, it is my understanding that those things were looked at, but the decision was made to go forward without that option in the service.
Chairman BUNNING. In other words, you couldn't opt.
Mr. CALLAHAN. I am not saying you couldn't do it. I am sure it is possible in a systems sense. There is a program cost of doing that, and I believe that, as well as other --
Chairman BUNNING. I understand.
Mr. CALLAHAN [continuing]. Other considerations, made it go forward without exercising that option.
Mrs. KENNELLY. Will the gentleman yield?
Chairman BUNNING. Certainly.
Mrs. KENNELLY. I believe there is a bill already introduced that people would have to request that their particular information not be available. To me, that misses the point because once you are online -- and you heard the gentleman yesterday -- we have got hackers you can't stop.
And once you are online -- I don't know yet, and I don't know that we all know -- can you protect that information? We should approach it before you go online, rather than after you go online, and then block it.
Mr. CALLAHAN. I think that was a consideration that was raised yesterday and we will have to further explore it. But I think it is also not one obviously without cost and without creating segmented data systems that we have. So I think I understand the point that you have raised and the Inspector General has raised. But we did not exercise that option as is evident when we did the service.
Chairman BUNNING. Anyone else?
Go ahead, Jon.
Mr. CHRISTENSEN. Yes, when you were looking at the system and, obviously, take a college library or a high school library, you have got hundreds if not thousands of kids who are into the system. When you were testing the system, what did you look at in terms of trying to decide if someone was hacking into the system, how could you find that person and how could you go after that person in terms of the prosecution? What type of ID did you put together initially in your test plan? You had to foresee something like this occurring.
Mr. CALLAHAN. I know that one of the concerns that they had in communicating with the PCs in the public setting, where it wasn't your own PC, was to make sure that the information is not left in the computer's memory and could not be retrieved and what have you. We worked out the encryption for the transmission between the Social Security Administration and that particular terminal to make sure that data could not be retrieved by someone other than the person at the particular computer station.
We also in some of our other experiments had controlled experiments whereby we worked with large organizations such as GMAC and Wells Fargo where they interacted with us to see how the transmission went.
Mr. CHRISTENSEN. How did you come up with the number ''eight for eight'' attempts before you kicked them out of the system?
Mr. CALLAHAN. I think some of us can relate to this. I think most of us think about the number, three -- three strikes and you are out. All of us go to our ATM, and I think it is the third time you lose your card; you know, that is it. So most of us, when you put it in two times and you miss it, it is like a real dilemma: Do I put it in the third time and lose my card, or take it back? So that is a very popular number. But we felt that obviously we are asking people for five knowledge-based elements that we talked about earlier: Social Security number, date of birth, mother's maiden name, and so forth. We found out in some of our analysis that a lot of people had a problem with their mother's maiden name. I don't know what that says in a societal sense.
Mr. CHRISTENSEN. Out of 77,000 attempts, Dr. Callahan, 47,000, you have actually mailed PEBES statements.
Mr. CALLAHAN. Made the connection.
Mr. CHRISTENSEN. So 44 percent were either honest error or actually hacking into the system?
Mr. CALLAHAN. Right, and as I mentioned earlier, we looked at the question of ''hacking into the system'' for anomalies, and we have turned those over to the Inspector General for the 5 months we had it online. There were five cases in which we thought there were particular anomalies that might have led to hacking, and it turns out these were financial planners, legitimate financial planners with a large number of family members who wanted to get this information.
Mr. CHRISTENSEN. So out of 25,000 cases that didn't -- were not legitimate or made an honest mistake, your Administration believes there was only five?
Mr. CALLAHAN. That is correct.
Mr. CHRISTENSEN. I guess that is a number that I would hold highly suspect, even though I know that you are doing the best effort to try to find out what you can. I would really look at that number a little bit closer because I don't think that is probably very accurate.
Mr. CALLAHAN. Let me also suggest this: Remember we have had the PEBES mail service going for a long time. We send out a lot of PEBES. I am sure it is not inconceivable that some of these pieces of mail may have fallen into the wrong hands. In all of the time we have had this service available, we haven't had any major concerns brought to our attention of violations of this process. I mean, it just hasn't been brought to our attention.
Mr. CHRISTENSEN. If we go to a PIN or a password or a digital signature, what disadvantages do you see with that if we go to that type of system?
Mr. CALLAHAN. Like everything else, it is one more thing to remember. Some of the computer experts tell us, you know, we are going to have a separate PIN for Social Security, a separate PIN for other government agencies that we want to deal with, and so forth; so there is some feeling that that could be complicated.
Mr. CHRISTENSEN. Has NIST suggested this approach?
Mr. CALLAHAN. I don't know for sure.
Mr. CHRISTENSEN. Does your staff know or can you get back to us on that?
Mr. CALLAHAN. Yes, we will get back to you on that and supply it for the record.
[The following was subsequently received:]
You asked that we provide information on NIST's views on PINs and passwords. While SSA did consult with NIST on other facets of providing PEBES on the Internet, we did not consult with them specifically about PINs and passwords.
Mr. CHRISTENSEN. Thank you, Mr. Chairman.
Chairman BUNNING. Thank you very much. We appreciate your testimony.
Mr. CALLAHAN. Thank you very much, Mr. Chairman.
Chairman BUNNING. If you see one side of this Subcommittee leaving at 4 o'clock, they have a caucus. At least, that is what I have been told.
Mrs. KENNELLY. We do.
Chairman BUNNING. So we know where you are going.
Hon. David Williams, Inspector General, accompanied by Pamela Gardiner, Assistant Inspector General for Audit at SSA's Office of the Inspector General. And reporting from the GAO is Joel Willemssen, Director of Information Resources Management Issues, and he is accompanied by Keith Rhodes, Director of Computer and Telecommunication Issues.
If they will sit down, please, let's begin with Mr. Williams.
STATEMENT OF HON. DAVID C. WILLIAMS, INSPECTOR GENERAL; ACCOMPANIED BY PAMELA GARDINER, ASSISTANT INSPECTOR GENERAL FOR AUDIT; AND JIM HUSE, INVESTIGATIVE CHIEF, SOCIAL SECURITY ADMINISTRATION
Mr. WILLIAMS. Thank you, Mr. Chairman and Members of the Subcommittee. I am pleased to appear today to discuss the Social Security Administration's initiative to provide online PEBES Statements via the Internet. I agree with Acting Commissioner Callahan that the ultimate goal of electronic service is to balance agency cost, customer service, and protection of an individual's privacy.
Low cost and fast service are fairly easy to define. The Agency's shift from mailed, hard copy statements to online PEBES reduced costs from over $5 per statement to just a few cents. It also provided customers with PEBES Statements instantly. Privacy protection, on the other hand, is not so easily measured.
SSA consulted with numerous experts to structure security features aimed at assuring a level of privacy for the system's personal information data. Although a number of security features were structured to prevent unauthorized access, other powerful features such as PINs and passwords were not ultimately added. Recent media accounts provided examples of the value of PEBES information to unauthorized parties. Creditors, litigants, private investigators, and divorce attorneys are just some of the groups for whom earnings information is valuable. The financial and retail industries also provided online services at a level of risk to their customers. However, these services are entered into voluntarily, while SSA's online service placed citizens' earnings histories on SSA's Website without individuals' consent.
The vast interest in earnings information was implicit in the dramatic upswing in PEBES requests which immediately followed the April 7 front page story in ''USA Today.'' In the month preceding the newspaper article, there were 28,000 requests. In 2 days following the publication, the number of requests increased to nearly 50,000.
This substantial interest in earnings information creates a privacy risk that is magnified by the unique way in which PEBES are requested online. Individuals seeking earnings information, other than their own, may remain virtually anonymous through the use of computers at sites with multiple users such as libraries and universities. In a recent case, SSA traced a single Internet request back to a university computer and learned that as many as 3,000 students had access to it.
Another concern with SSA's online service is the possibility of a computer hacker penetrating SSA's firewalls which serve as buffers between SSA's internal computer operations and the general public. To evaluate its computer security, SSA hired specialists to attempt to penetrate the firewalls. Although their attempts were unsuccessful, they did identify some shortcomings in SSA's security procedures.
The Office of the Inspector General's concerns with Internet vulnerabilities are longstanding. We discussed with SSA's Electronic Service Delivery Steering Team the difficulty of verifying users' identities, the risk to SSA's computer operations from hackers, and the broad interest in the information stored in SSA's databases.
Unauthorized access to SSA's records through the Internet presents a challenge to our investigative and prosecutive efforts. Threats to private and governmental computers have been escalating in concert with the expansion of electronic services. The U.S. Secret Service, the Federal Bureau of Investigation (FBI) and the Air Force's Office of Special Investigations have been battling criminals that are exploiting this new electronic frontier. Although substantial case law is lacking and investigators require knowledge of sophisticated techniques, the government's experiences have shown that substantial investigative opportunities are available through proper training, equipment, and dedication. This investigative commitment, coupled with security and audit mechanisms, has proven to be an effective deterrent to these emerging criminal threats. The OIG is prepared to vigorously investigate allegations and seek prosecution of violators.
Numerous security measures are available to SSA to safeguard online earnings; however, most additional security measures would result in either added costs or more restrictive access.
We do offer the following options for SSA to consider: Explore the option of confirming requester addresses against the address file SSA obtains from the IRS; reduce the number of unsuccessful attempts allowed from eight to three, and then deny further access until the individual visits an SSA office; confirm the entire maiden name of the requester's mother; provide PEBES only by mail, but allow requests via the Internet; allow the public the option to block their records; and consider using PINS, personal identification numbers, passwords or digital signatures.
We believe SSA's planned public forums are prudent. These forums will provide valuable insight into the public's perception of acceptable levels of risk to privacy, service expectations, and costs. We will continue to remain involved in the decisions related to the PEBES electronic delivery and will coordinate with the General Accounting Office to audit any areas of concern.
This concludes my statement, Mr. Chairman.
[The prepared statement follows:]
Statement of Hon. David C. Williams, Inspector General, Social Security Administration
Mr. Chairman and members of the Subcommittee, I am pleased to appear today to discuss the Social Security Administration's initiative to provide on-line Personal Earnings and Benefit Estimate Statements (PEBES) via the Internet. I agree with the Acting Commissioner that the ultimate goal of electronic service is to balance agency cost, customer service, and protection of an individual's privacy.
Low cost and fast service are fairly easy to define. The Agency's shift from mailed hard copy statements to on-line PEBES reduced costs from over $5 per statement to just a few cents. It also provided customers with PEBES statements instantly. Privacy protection, on the other hand, is not so easily measured.
SSA consulted with numerous experts to ensure that its migration to electronic service was done in a responsible manner. As SSA moved to on-line service, it devoted considerable effort and resources to structuring security features aimed at assuring a level of privacy for the system's personal information data. Although a number of security features were structured to prevent unauthorized access, other powerful features such as personal identification numbers (PINs) and passwords were not ultimately added.
Recent media accounts provided examples of the value of PEBES information to unauthorized parties. Creditors, litigants, private investigators, and divorce attorneys are just some groups for whom earnings information is inherently valuable. The financial and retail industries provided on-line services at a level of risk to their customers. However, these services are entered into voluntarily, while SSA's on-line service placed citizens' earnings histories on SSA's web site without individuals' consent.
The vast interest in earnings information was implicit in the dramatic upswing in PEBES requests which immediately followed the April 7 front page story in the USA Today. In the month preceding the newspaper article, nearly 28,000 requests for PEBES were received by SSA through the Internet. In the 2 days following publication, the number of attempts to obtain PEBES increased to nearly 50,000.
This substantial interest in earnings information creates a privacy risk that is magnified by the unique way in which PEBES are requested on-line. Individuals seeking earnings information, other than their own, may remain virtually anonymous through the use of computers at sites with multiple users such as libraries and universities. In a recent case, SSA traced a single Internet request back to a university computer and learned that as many as 3,000 students had access to it.
Another concern with SSA's on-line service is the possibility of a computer hacker penetrating SSA's firewall, which serves as a buffer between SSA's internal computer operations and the general public. To evaluate its computer security, SSA hired specialists to attempt to penetrate the firewall. Although their attempts were unsuccessful, they did identify shortcomings in SSA's security procedures. As SSA looks to the future, it must confront the continuous advancement in techniques available to outsiders to penetrate its data processing systems.
The Office of the Inspector General's (OIG) concerns with Internet vulnerabilities are longstanding. We discussed with SSA's Electronic Service Delivery Team the difficulty of verifying user identities, the risk to SSA's computer operations from hackers, and the broad interest in the information stored in SSA's data bases.
Unauthorized access to SSA's records through the Internet presents a challenge to our investigative and prosecutive efforts. Threats to private and governmental computers have been escalating in concert with the expansion of electronic services. The U.S. Secret Service has been confronted with anonymous electronic threats to the President; the Federal Bureau of Investigation (FBI) has dedicated considerable resources to identifying computer criminals who extort major corporations; and the Air Force's Office of Special Investigations has developed techniques to detect foreign and domestic cyber-intrusions into Government computers. These agencies, and others, have been battling criminals that are exploiting this new electronic frontier. Although substantial case law is lacking and investigators require knowledge of sophisticated techniques, the Government's experiences have shown that substantial investigative opportunities are available through proper training, equipment, and dedication. This investigative commitment, coupled with security and audit mechanisms, has proven to be an effective deterrent to these emerging criminal threats. The OIG is prepared to vigorously investigate allegations and seek prosecution of violators.
Numerous security measures are available to SSA to safeguard on-line earnings access. However, most security measures would result in either additional costs or more restricted access that may prevent legitimate requestors from obtaining their records. We offer the following options, some of which SSA is considering:
explore the option of confirming requester addresses against the address file SSA obtains from the Internal Revenue Service (IRS);
reduce the number of unsuccessful attempts allowed from eight to three, and then deny further access until the individual visits an SSA office;
confirm the ENTIRE maiden name of the requester's mother;
provide PEBES only by mail, but allow requests via the Internet;
allow the public the option to block their records from Internet PEBES; and
consider using PINs, passwords, or digital signatures.
We believe SSA's planned public forums across the country over a 60-day period are prudent. These forums will provide valuable insight into the public's perception of acceptable levels of risk to privacy, service expectations, and costs that taxpayers are willing to pay.
We will continue to remain involved in decisions related to PEBES electronic delivery and will coordinate with the General Accounting Office (GAO) to audit any areas of concern.
This concludes my statement, Mr. Chairman.
Chairman BUNNING. Thank you, Mr. Williams.
Mr. Willemssen.
STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, INFORMATION RESOURCES MANAGEMENT; ACCOMPANIED BY KEITH A. RHODES, TECHNICAL DIRECTOR, OFFICE OF THE CHIEF SCIENTIST, ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. WILLEMSSEN. Thank you, Mr. Chairman. Thank you for inviting us to testify today. Accompanying me is Keith Rhodes, GAO Technical Director and a recognized expert in computer security and the Internet. As agreed, we will briefly summarize our statement.
We just initiated last week a review of SSA's use of the Internet to provide benefit information and, therefore, we are not yet in a position to conclude on the effectiveness of SSA's actions in providing this Internet access.
However, we have previously performed reviews at other agencies and reported on computer and Internet security and on the risks facing agencies in providing electronic access to data. And based on this work and our knowledge of what SSA has done, we do have a few observations to provide.
First, we support the Acting Commissioner's decision to suspend the Internet service. And we also would caution SSA to make sure that it carefully looks at the issue before resuming the service.
Second, the use of Internet is inherently risky because of the way the Internet was designed. Therefore, one issue is whether SSA should provide sensitive information via the Internet.
Third, if the decision is made to use the Internet, the question is whether SSA is doing what is necessary to ensure that sensitive information is not compromised. It should be noted that top experts in the field don't currently agree on how to provide computer security for the Internet.
I would like Mr. Rhodes to briefly mention some of the vulnerabilities with the Internet system.
Mr. RHODES. Thank you.
Mr. Chairman, first let me preface my remarks by saying that SSA is the vanguard in both public and private sectors in public advice via the Internet. The questions we ask and answer here and in the coming days will have to be asked and answered by any and all agencies that wish to send and receive sensitive data to individuals via the Internet.
That said, I would like to explain two points today: One, what the basis for good security is; and two, why the Internet is a unique environment in which to pass information. On the first point, we need to understand that security in any environment is a three-legged stool, each leg representing the ability to protect, to detect, and to react to a threat or risk.
We must protect the assets we value against compromise -- either unwarranted exposure, modification or theft -- detect an attempt at compromise, either internal or external, and react both technically and legally to stop the attempted exposure and to prosecute the would-be attacker.
For example, if one were building a house, one decides what security measures will be designed in the house. Protection equates to locks and fire extinguishers, detection is found in smoke and burglar alarms, and reaction is in the local fire and police departments.
The key is that the homeowner decides what is to be protected and what is enough, whether the smoke alarm just senses smoke and sends out a 120-decibel scream that wakes everyone up or also sends a message automatically to the local fire department. The point is the homeowner decides what he or she is going to protect, from what, for how long and at what cost.
The second point is the house we are building, the Internet, has already been built. The house is made of glass, has no doors, just holes in the walls, everyone knows our address, and we are simultaneously in the best and worst neighborhood. People we do not know are walking in and out of our house, having conversations with people we do not know; and every once in a while one of these people gives us a message that we have to deliver to someone else we don't know.
Now, with all this commotion, we want to have a private conversation with someone we do know. How do we do this? We are not contractors. We are homeowners. The security we want has to be put into the house after the house has been built by someone else.
What do you do, however, when the contractors to whom we are listening do not agree, or if they fix something and break something else? This is the environment into which SSA is venturing. Thus, the key decisions that have to be made in order for anyone to safely navigate this environment are, one, who owns the assets; two, what risk is acceptable; three, at what cost?
This concludes our statement, and we are open to questions.
[The prepared statement follows:]
Statement of Joel C. Willemssen, Director, Information Resources Management, and Keith A. Rhodes, Technical Director, Office of the Chief Scientist, Accounting and Information Management Division, U.S. General Accounting Office
Mr. Chairman and Members of the Subcommittee:
We appreciate this opportunity to participate in the Subcommittee's hearing on privacy and security concerns relating to the Social Security Administration's (SSA) recent experiences in providing personal benefits estimates to individuals via the Internet. Mr. Chairman, both you and the Ranking Minority Member have expressed concerns about whether SSA's interactive benefits estimates service adequately protects the privacy of Americans, and whether unauthorized access to confidential information is taking place over the Internet. Such concerns are understandable. SSA, as administrator of the nation's largest federal benefits program, touches the lives of almost every American. It is essential that citizens be able to trust that the agency is safeguarding the personal information it collects.
While we have just initiated a review of SSA's use of the Internet to disseminate benefits estimates, we have, however, reported on computer and Internet security, and on the risks facing agencies in providing electronic access to data.(see footnote 1) Our remarks today will, therefore, focus on general privacy and security considerations that federal agencies should address to safeguard any sensitive information made available as a public service via the Internet.
Providing Personal Earnings and Benefits Information Via the Internet
As you know, Mr. Chairman, for just under 10 years, SSA has been providing a Personal Earnings and Benefit Estimate Statement (PEBES) to any individual requesting it. The statement includes a yearly record of earnings, estimates of Social Security taxes paid, estimates of retirement and disability benefits, and potential survivor benefits should the individual die. Legislation(see footnote 2) mandated that beginning in fiscal year 1995, PEBES be sent to all eligible U.S. workers aged 60 and over; beginning October 1, 1999, it is scheduled to be sent annually to all eligible workers aged 25 and over, an estimated 123 million people.(see footnote 3) As we reported last year, the public has found PEBES to be a useful financial planning tool.(see footnote 4)
SSA has recently tried to educate the public about the importance of its programs and availability of information, such as the PEBES statement; this initiative to provide ''world class service'' was, at least in part, in reaction to surveys showing public confidence in SSA programs at a low level. While much of this perception may relate to continual discussion about SSA's financial viability, officials at the agency have stated that they are attempting to be more responsive to customer desires. As part of this initiative, the agency last year began permitting individuals to request PEBES through the Internet, with the document being sent by mail. This was seen as a new alternative to visiting an SSA office in person or using its toll-free telephone number.
In March of this year, in an effort to be as responsive as possible, SSA began permitting on-line dissemination of the statement to individuals. Using the Internet for this purpose was a planned part of the agency's electronic service delivery project, a component of its business plan for fiscal years 1997-2001. According to this plan, the project would ensure that, among other items, ''integrity and confidentiality of client data are safeguarded.''(see footnote 5)
According to SSA officials, before taking the step of transmitting PEBES data over the Internet, they spent a year testing and consulting with outside experts, including those in the areas of privacy and computer security. Among the security features intended to preserve individual privacy was the requirement for an individual to enter five authenticating elements into the system in order to access the data. These elements were name, Social Security number, date and place of birth, and mother's maiden name.
In early April, press reports of privacy concerns over the availability of this information via the Internet sparked widespread reaction, including the fear that those not entitled to the information could access it without difficulty. Experts also questioned the adequacy of the five key pieces of information needed to obtain the data, pointing out that three of the five are available in public databases. With this publicity, according to SSA officials, attempts to access the data at SSA's web site(see footnote 6) escalated from about 10 to 80 per second.
SSA officials believed the situation was well in hand, that the security measures taken were sufficient. They pointed out that, as of April 7, security screening denied access to about 9,000 of the 27,000 requests for on-line PEBES data. SSA officials stated that while they monitored many attempts to break into the system, none succeeded.
On April 9, after public outcry and concerns about the privacy of sensitive information, the Acting Commissioner of Social Security suspended on-line receipt of PEBES data.
Mr. Chairman, we see this issue as one of balance. While SSA has attempted to be responsive to the needs of its customers, the question is how (and, given the risks involved, whether) to do this via the Internet. If the decision is made to use the Internet in this way, the question is whether SSA is doing everything possible to ensure that sensitive information is not compromised. Convenience with undue risk to security is no bargain.
This is especially important because the interactive PEBES project is just one of many initiatives planned for the next few years that are intended to make greater use of technology. Other SSA efforts under the electronic service delivery umbrella include third-party access (using technology to allow others, such as state or local government employees or advocacy-group members, to assist individuals in dealing with SSA), dial-up bulletin boards, touchtone telephone access (for less sensitive customer records), and even interactive cable television.(see footnote 7)
Information Security on the Internet
In the last few years, the use of the Internet has grown tremendously and has placed a vast array of information at the fingertips of millions of users. This is due primarily to the availability of tools that have made the Internet much easier to use. As a result, we have witnessed a rush to connect to the Internet; today there are over 40 million users worldwide.
Despite this growth and leap in ease of use, the Internet has inherent security risks because of the way it was designed. The Internet is a complex network that has evolved over the last decade from an initially limited and experimental link of interconnected computers. The network, developed for the most part by scientists and engineers, was initially designed to test how a military command and control system could get messages through in a post-nuclear environment without regard to security. To do this, the network was built so that a message would use any available path to its destination, regardless of how many ''dead ends'' it encountered. The most important element of the network was, therefore, its robustness, or tenacity, not security.
The relative insecurity of the Internet makes using it as a vehicle for transmitting sensitive data, such as personal Social Security information, a decision requiring careful consideration. In such an environment, one must weigh added convenience against the potential compromise and misuse of such information, and the potential damage to the database itself. In considering such tradeoffs, it is important to remember that, whether on-line or not, Social Security benefits information is available through means other than electronic.
Computer hackers(see footnote 8) have for years exploited the security weaknesses of systems connected to the Internet.(see footnote 9) The growing number of people having access to the Internet, any one of whom is a potential hacker, coupled with the rapid growth of and reliance on interconnected computers, has made cyberspace a dangerous frontier. Informal groups of hackers openly share information on how to break into computer systems. Despite security features that boast ever-increasing sophistication, hackers have more tools and techniques than ever before, and the number of attacks on systems is growing each day.(see footnote 10) As a result, the need for secure information systems and networks has never been greater.
This problem is directly affecting federal systems. Interconnectivity, combined with poor security management, is placing billions of dollars' worth of assets at risk of loss, and vast amounts of sensitive data at risk of unauthorized disclosure. While greater use of interconnected systems offers significant benefits, such systems are much more vulnerable to malicious attack by anonymous intruders, an increasing threat to our national welfare. Consequently, information security has been added to our list of government programs designated as high-risk because of vulnerabilities to waste, fraud, abuse, or mismanagement.(see footnote 11)
Implementing Computer Security: Protect, Detect, React
Making information systems more secure is complicated, not only by the huge numbers of people having access to them, but also by the complexity of most systems themselves. Most large organizations have, along with personal workstation computers, mainframes, software applications, servers, routers, and external connections. These systems use a variety of products from a number of different vendors. Fully understanding the security weaknesses caused by the complex interrelationships of these products is a difficult task. Accordingly, absolute computer security is not possible. In developing effective systems security, officials must, then, consider what level of risk is acceptable. Such a decision will hinge on issues such as the type and sensitivity of the information, how vulnerable to attack the computers and networks are, where potential threats might come from, available countermeasures, and costs.
For most organizations, a prudent approach involves determining an appropriate level of protection, then ensuring that any security breaches that do occur can be effectively detected and countered. This generally means establishing (1) a comprehensive program with top management commitment, sufficient resources, and clearly defined roles and responsibilities; (2) clear, consistent, and up-to-date security policies and procedures; (3) periodic vulnerability assessments to identify security weaknesses; (4) security awareness training; (5) sufficient time and training for systems administrators and information security personnel; (6) efficient use of automated security tools; and (7) a robust incident-response capability, so that attacks can be detected and a response initiated quickly in order to aggressively track and prosecute the offenders.
The first point just mentioned, about roles and responsibilities, is essential. In determining these, a decision must be made on identifying the