House Oversight Committee Probes Social Security’s Vulnerability to Hackers

House Oversight and Reform Committee ranking member Rep. Elijah Cummings, D-Md., left, sitting next to Committee Chairman Rep. Jason Chaffetz, R-Utah. Susan Walsh/AP

Lawmakers want a copy of a recent penetration test of the agency’s networks.

Leaders of the House Oversight and Government Reform Committee are probing cybersecurity practices at the Social Security Administration, requesting an unredacted copy of a recent penetration test of the agency’s networks.

Penetration testing, sometimes called red-teaming, refers to purposefully attacking computer systems to look for vulnerabilities that could be exploited by hackers. The testing was conducted by independent auditors for a report issued last fall that identified information security weaknesses as a “significant deficiency” at the agency.

Reps. Jason Chaffetz, R-Utah, the House oversight chairman, and Elijah Cummings, D-Md., the committee’s ranking member, requested the report in an April 26 letter to Social Security Administrator Carolyn Colvin.

The report will “help the committee evaluate the current state of security for SSA’s information systems,” Chaffetz and Cummings wrote.

The penetration test was conducted as part of an annual review of SSA’s information security practices. That review, done by independent accounting firm Grant Thornton and published in November 2015, identified weaknesses in SSA’s handling of continuous monitoring, identity and access management and incident response.

Those weaknesses constituted a “significant deficiency,” which requires an agency head to take “immediate or near-immediate” action to correct them, according to federal policy.

The audit did not identify any loss of personally identifiable information.

Chaffetz and Cummings requested SSA provide the copy of the penetration test analysis by May 10. The lawmakers also want the agency to provide the committee with a progress report on closing recommendations identified in the report.

Separately, Chaffetz wrote to the commissioner of the Internal Revenue Service, John Koskinen, seeking documents relating to an IRS application exploited by hackers last year. Some 700,000 taxpayers had their personally identifiable information compromised by hackers via the “Get Transcript” application, IRS officials have said.

The estimate of the number of taxpayers who had their records accessed by hackers has continued to grow, though, leading to consternation in Congress. At first, the IRS estimated about 100,000 taxpayers had their personal information compromised. A few months later, the agency revised it to 334,000. Finally, in February, agency officials announced that, after an expanded review, they believed at least 734,000 taxpayers’ information was compromised.

“The agency’s apparent inability to accurately assess the scope of the 2015 breach and continuing problems in its information security program raises questions about whether the IRS can protect the data in its systems and respond to cyber fraud,” Chaffetz wrote in the April 27 letter to Koskinen.

IRS officials have told Congress they’ve instituted new security procedures to protect access to the “Get Transcript” application. But Chaffetz said “questions remain about the detection of the breach, the source of the inaccurate initial estimate of the number of affected taxpayers and the IRS’s response to the incident.”

Chaffetz requested all documents and communications relating to the initial discovery of the hack.

Chaffetz also wants to know if the malicious code or logic that caused the breach was known to the Homeland Security Department’s National Cybersecurity and Communications Integration Center, and whether any third-party contractors were involved in providing incident-response services to remediate the hack.

Chaffetz asked for responses from the IRS by May 12 and also requested the agency provide a briefing for the committee no later than May 13.