White House official calls for ending Social Security numbers as means of identification

The White House’s cybersecurity coordinator, Rob Joyce, is calling for the end of Social Security numbers as a national identification code.  

“I believe the Social Security number has outlived its usefulness,” he said Tuesday at The Washington Post’s Cybersecurity Summit.

Joyce on Tuesday listed a number of problems with the reliance on Social Security numbers to verify Americans’ identities, including the inability to change the numbers after they’ve been stolen.

“It’s a flawed system that we can’t roll back after a breach,” he said, pointing to a lack of secrecy in the way the numbers are stored as well.

Joyce said he had raised the issue within an administration working group. 

Equifax hackers gained access to the Social Security numbers of more than 145 million Americans in a recent breach.

Joyce said Congress needed to take some form of action to regulate the cybersecurity of credit bureaus

“It’s really clear there needs to be a change,” he said. 

{mosads}Joyce also said the White House needs more transparency in the Vulnerabilities Equities Process, which the government uses to determine which hacking techniques can be kept secret for espionage purposes.  

Companies like Microsoft have argued that the government should not hoard any security vulnerabilities it finds in software or hardware, and instead report all vulnerabilities to manufacturers for repairs. 

Joyce acknowledged that process is shrouded in a lot of “smoke-filled room mystery.”  

“Why can’t we talk about this? There isn’t a good reason,” he said. 

Joyce said at the summit that the White House and federal agencies are working on a mechanism to be more open about the rules. He also mentioned that vulnerabilities kept secret undergo a review every six months, a development that had not previously been reported. 

Vulnerabilities believed to have been used by the NSA for years were at the core of the recent, massive WannaCry and NotPetya malware attacks. Microsoft had patched those flaws only weeks before the two attacks. More companies would have likely been protected had there been years to patch the problem. 

Joyce also discussed the recent federal ban on Kaspersky Lab software over fears that the company is at risk of being or has been co-opted by Russian intelligence.

“We made bad decisions in the past and there are no reasons to perpetuate them,” he said, noting that Russia likely did not use U.S. firms to protect its cyber systems. 

Joyce also said the Trump administration had begun to change path on developing international rules for cyber diplomacy. While the Obama administration emphasized large organizations like the U.N., Joyce said the Trump administration would focus on one-on-one agreements. 

“We’ve often tried to get big groups together to solve the problems of the day,” he said.

Now, he said the Trump administration is working toward more agile, bilateral agreements. 

“We’re operating at the speed of two nations rather than the speed of a coalition,” he said.