Criminal Justice & the Rule of Law Cybersecurity & Tech

On the Anthem Hack

Herb Lin
Tuesday, February 10, 2015, 7:00 AM
On February 5, 2015, Anthem---a health insurance company---announced that hackers had been able to access records containing tens of millions of names, birthdays, Social Security numbers, addresses and employment data.

Published by The Lawfare Institute
in Cooperation With

On February 5, 2015, Anthem---a health insurance company---announced that hackers had been able to access records containing tens of millions of names, birthdays, Social Security numbers, addresses and employment data. Because such information can easily be used by identity thieves, concerns have arisen about a rash of identity thefts in the future. Such accounts are increasingly common, although the Anthem hack apparently counts as one of the largest to date, and media stories tend to play the cybersecurity angle---how vulnerable firms are to being compromised, what they can do about it and so on. All of these angles are legitimate, and are covered in many other posts on Lawfare and elsewhere. But often overlooked is another important point---the inadequacy of the Social Security number as the centerpiece of records relating to personal identity. Consider that the SSN has only 9 digits, which means that at most it can identify a billion individuals. The current population of the United States is over 300 million, and about 450 million SSNs have been issued, which means a high probability that a mistake on the SSN for John Doe will refer to another real person. The SSN also does not have a check digit, the use of which could help to eliminate most single-digit errors in recording SSNs. And of most significance for this discussion, it is very difficult to obtain a new SSN, as one must provide evidence of ongoing problems as the result of the compromise---preventive action to defend against the possibility of misuse is not allowed. If one could start from scratch today, no one imagines that we would want the current SSN identification system. But any replacement system will encounter at least two major problems. First is the cost of upgrading. The SSN is a set of 9 digits, and many, many computers have been programmed on this basis. Changing the SSN to include alphabetic characters, or expanding it to more than 9 digits, would create enormous headaches as lots of computer programs would have to be rewritten. But such technical problems can be overcome. The second problem is more difficult. Nearly all proposals for a replacement to the SSN face significant opposition from advocates who fear abuse of any such replacement. In essence, they argue that a new system would be used as the foundation for a identification system that conjures up images of national ID cards and government authorities tracking the movements and activities of all citizens. These advocates are not wrong to have such concerns, and given a history of the SSN that shows over time significant growth in its use in initially unanticipated applications, it will take a great deal of political will to ensure that the same fate does not await any replacement system. I welcome any thoughts on how to limit the use of a replacement ID system to its original stated purpose.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare