By Brett Daniel Shehadey
Special Correspondent for In Homeland Security
America is moving too fast in the technical space. It is at least moving faster than it is ready for. Whether it is governments, bureaucracies like the IRS or companies pushing the latest digital trends into the Internet of Things, the result is often the same: a lack or lapse of security consciousness.
The IRS rolled out a brand new service called Get Transcript. Out of a reported 281,000 failed attempts, some 334,000 accounts were successfully breached by hackers.
The IRS Get Transcript website allowed online access to view the complete reported tax accounts of taxpayers who signed up. To gain entry, the hackers needed substantial personal information that is unfortunately not too difficult to acquire today for a skillful team of hackers or a foreign power.
According to USA Today, they needed to know the taxpayer’s Social Security number, date of birth, filing status and street address, along with the correct responses to four questions known as “knowledge-based authentication” (e.g., prior phone numbers or addresses).
While the USA Today article was highly critical of the access requirements, they are actually far superior to most industry standard methods in use. If a person has your Social Security number and date of birth alone, they can effectively become you in today’s extremely insecure and unsecured identification environment. If they know how much money you have and your bank account number from a check stub, and if they find you are a worthy target, they can make a phone call to your bank and wire it right out with far less than the information used by the IRS.
But the article is correct in that the black market sells too much of our personal information. The truth is that such information is available in today’s ‘big data’ environment for those that are listening or paying attention. Then there is the silliness of the knowledge-based authentication labeled as questions that “only you can answer,” on the IRS website.
Get Transcript was shut down after the attack reported last May. Just today, the IRS is piecing together that at least a hundred thousand more accounts had been compromised. This makes it triple the damage originally reported.
Unfortunately, the U.S. government and U.S. corporations are not the only ones recording our private information and online interactions. The IRS admitted that the hackers gathered tremendous data from social media sites like Facebook.
Unfortunately, the U.S. federal government and certain corporations have created an environment that allows Russia, China and many enemies of the state and criminals access to this personal information as well, including the purchase and sharing of what was once considered confidential or highly personal information such as Social Security numbers. The private-public system is one in which the American people are forced to use SSNs, but it does not secure or sufficiently protect them and does not offer a universal insurance program for losses incurred by their now mechanical and mandatory use.
The entire Social Security number system is obsolete and remains a severe public threat. Personal identification numbers are now being issued to those taxpayers affected in the Get Transcript hack in addition to new SSNs as a past ID number. Other security measures such as knowledge-based authentications are used by banks and others. The fact that government bureaucracies and private companies have been using and continue to use these outdated methods without further precautions is a government-wide epidemic that is a responsibility beyond the agencies under scrutiny.
The entire out-of-control use of Social Security numbers for ID should be scaled back as soon as possible. One drastic measure could be enacted into law, for example, that would make it illegal for anyone to have that number but the rightful owner and the Social Security Administration. All external floating copies of the numbers, whether hard copy or virtual, would be destroyed over a period of time. Then, three separate entities would be permitted to hold such information on three separate protected computer systems as new numbers were being issued.
There are still strong advocates for biometrics. Biometrics would have some of the benefits, but ultimately there are problems with any stored and observable information or ID numbers. Once an eye or finger is in a security system, that eye or finger, once thought to be perfectly unique and therefore ideal, can be recreated by downloading the scanner inputs, 3D printing and other methods. Compartmentalizing personal ID information with multiple levels and layers of security is not foolproof but necessary. These will likely include greater usage of external and mobile devices that can store a personal digital key or the final layer of protection.
Americans need new ID measures and safeguards, but the replacement of Social Security numbers has not happened and will not happen overnight (unless something extremely bad happens). Still, in the meantime, they need identity theft insurance from the government, like an FDIC for ID theft.
American citizens deserve roving Internet patrols by the government that protect rather than intrude on or invade their personal space, much like police patrol the streets, especially the crowded streets but also the back alleyways. When something is suspicious, such agents would have probable cause. Unfortunately, cybersecurity is not set up like that right now, but one day could be. The problem has been getting there.
Maybe the U.S. needs more cyber-drone crawlers than cybersecurity police on patrol within the Internet. Better detections from agencies, companies and personal devices reporting feedback, and better reporting of breaches in real time, would be a plus. As of now, the NSA has enough on its hands attempting to safeguard the national security infrastructure, including defense and intelligence contractors, that it is apparently unable to protect other government agencies. It is also preoccupied with mass surveillance data collection as a dominant part of its time and resources.
The NSA could ultimately be tasked with a stricter mission of cyberdefense for military and intelligence matters of national security. Another dedicated agency, like the NSA and perhaps indeed coming out of that agency, could be made to focus entirely on cybersecurity of non-critical infrastructure and on jointly preventing cybercrime by foreign entities against Americans and American entities, with perhaps the FBI and others. But this would require military-grade cryptographic blanketed protections to block foreign kleptocratic governments and independent criminals. Picture an extra protection of cryptographic protocols over the homeland in addition to real-time feedback from the ground up. This would have the further benefit of reassuring the people that privacy is a priority for that agency as well, and a more cooperative system could be arranged.
The only problem would be our inability to crack our own codes domestically in real time to glean any massive domestic surveillance information. A heavy encryption, zero back door approach is the solution for hardcore airtight security enthusiasts. Giving the government access to all computers and devices through a key encryption point is recommended by higher-up national security professionals. The problem becomes one of choosing between safeguarding the homeland by locking it down and making the people of America a hardened, secure target against everything up to government attacks, or pursuing the U.S. government mission of tracking potential terrorists with blanket warrants and subpoenas while at the same time watching the unprotected population and important segments get breached in less protective but potentially catastrophic ways that incur recessions, spark massive panics, civil disorder and disruption, or even civil unrest.
Enter the cyber-drone security age.