The White House is considering replacing Social Security Numbers (SSN) as a prime way to identify individuals and is calling on federal agencies to develop new methods for people to identify themselves in light of the recent Equifax data breach of millions of Americans personal data, the Trump administration’s cyber security coordinator said on Tuesday.
A possible SSN replacement is one of the initiatives the Trump administration is implementing following the president’s cyber executive order in May, which now includes releasing a cyber deterrence strategy, pushing back against intellectual property theft by foreign adversaries, devising a role to combat future election interference.
“I feel very strongly that social security number’s outlived its usefulness. It’s a flawed system,” Rob Joyce said at a Washington Post cyber summit. “Let’s look at what would be a better system. Certainly, the idea that we could use a public and private key is something that I can use publicly but not put the information at risk, something that can be revoked if it’s known to be compromised.”
Joyce believes there’s a need for a greater governmental role in protecting citizens’ data held in massive quantities by companies such as Equifax, whose recent breach left over 145 million American’s personal information vulnerable.
The White House cyber coordinator urged Congress to continue considering regulations for companies such as Equifax [EFX] that could reform personal information activities and new requirements for breach notification.
“I think it’s really clear there needs to be a change, but we’ll have to look at the details of what’s being proposed,” said Joyce.
The White House is aiming to take a more proactive approach to cyber security measures as the first reports roll in from the administration’s cyber executive order.
A federal cyber deterrence strategy is slated to be finalized later this fall, but will not be released to the public, according to Joyce.
A focus of deterrence for the administration remains moving past coalitions, and working directly with other nations willing to act toward establishing norms in international cyberspace and imposing costs on those who act in an adversarial manner.
“Our focus now is looking at bilateral agreements where we can find a friend, a partner, someone willing to come along with us to push back and impose those costs. At that point, we can act and we’ll bring a coalition along with us. But we’re operating at the speed of the two most willing nations rather than the speed of a slower coalition,” said Joyce.
Options for imposing costs include diplomatic tools, judicial tools, subpoenas, and most importantly, sanctions, according to Joyce.
Among the chief concerns for potential nation-state cyber threats is the continued theft of intellectual property. Joyce hopes to curb these attempts as foreign adversaries push further information operations campaigns.
“I’m very worried about the protectionist rules that are going up in a lot of countries. The idea that you can’t enter China’s market without offering up your intellectual property, in this way, without agreeing to hobble some of the security and privacy features of it, like encryption,” said Joyce. “Russia’s heading that way. A bunch of the totalitarian regimes are headed that way. It’s a problem for the free and open internet that we designed and pushed out there for the world’s benefit.”
In response specifically to Russian cyber threats, Joyce backed up the recently announced ban on Kaspersky Lab’s anti-virus software and cited DHS’ lead on preventing future interference in elections by naming electoral systems as critical infrastructure.
Joyce argued against requiring the intelligence community to disclose to Congress findings on potential interference in the lead up to elections. He was asked if this would remove any partisan tinge to these investigation, and noted that he imagined DHS and FBI would be forthcoming with any pertinent info.
“In the U.S. government, if you look at the way we’re presently organized, cyber has so many committees of jurisdiction. The great thing about cyber is it’s an apolitical issue,” said Joyce. “Unfortunately, what we see is the committees of jurisdiction have very strong opinions about the way we should be structured, and who should be in charge. We can either expend a lot of energy trying to shape those decisions or we can go and optimize what we’ve got and that’s what I’m focused on right now.”