From the Office of the CTO: Rethinking the SSN in light of Equifax

It has been almost two weeks since Equifax announced that a cyber-attack potentially affected 143 million Americans in an unprecedented and massive data breach. According to the US Census Bureau, there were 125.9 million adult men and women in the United States as of 2014. With a population growth rate of approximately 2.9 million per year, it is a safe bet that if you have received credit for anything in your life, you should assume you are affected and take steps to protect yourself.

The first reaction, as usual, has been to blame the victim, in this case Equifax. Many people want to point the finger at them and say their security program was negligent, and we may find out that it was. Many others have pointed to their response as selfish and irresponsible, in that they waited so long to notify the public so they could prepare a website and credit monitoring services for affected people. That may also be true. Many people are righteously indignant about the fact that they are likely to sell more credit monitoring services and gain revenue from people freezing their credit reports. That probably will happen, but none of it matters, and here’s why.

The usual parade of cybersecurity vendors trotting out articles about how this should fundamentally change the way we look at cybersecurity, by buying more of their products and fewer of their competitors’ products, is also sadly prevalent. Maybe this will be the breach that changes things, but it’s not likely. People still don’t patch their systems. It’s a basic premise of cybersecurity, but people just don’t do it, for some mind-blowing reason.

The truth is, aside from a few executives who sold stock with dubious timing, nothing will be done to hold Equifax accountable for the fact that they have exposed most of us to extremely damaging attacks related to identity theft. It isn’t that the government doesn’t want to hold Equifax accountable, it’s that they can’t. If you thought banks were too big to fail in 2008, the credit bureaus absolutely cannot fail without collapsing the global economy. That is not hyperbole, it’s fact. The entire global economy is built on people spending more money than they have. If people suddenly stopped using credit, the standard of living would decrease dramatically around the globe and the resulting global financial depression would be like nothing we have ever seen.

To understand the debt issue, let me give you a quick visualization, courtesy of Visual Capitalist. The Federal Reserve in the United States holds a balance sheet of $4.5 trillion. The US debt is approaching $20 trillion. This means the US government carries about four to five times as much debt as it has money on hand. This pattern is similar in many American households. Therefore, up to 80% of U.S. purchasing power is tied to credit; in other words, if the credit bureaus collapsed you could expect the total US economy to shrink by 80 percent. No one is going to let that happen, and they can’t. Therefore, any meaningful financial penalties against Equifax will result in a taxpayer bailout, meaning we’re really suing our friends and neighbors and not Equifax, and we’re going to be using credit to pay the bill, since the government borrows about 80% of what it spends. Oh, the irony!

If anything happens, it will be that the executives who purportedly sold their stock, should they be found guilty, are made an example of to quell the public outrage. They will be very publicly sentenced to the maximum extent of the law. Regarding Equifax as an entity, quietly, don’t expect anything substantially bad to happen.

That doesn’t mean there’s nothing valuable that can be done in the aftermath of this breach, however. There certainly is. This could be the tipping point for us as a global society to finally accept that a serial number given to an individual at birth and kept secret throughout a lifetime as a means to identify that person is a ridiculously antiquated notion we have simply had to live with. The moment we connected with computers and began storing information on them, the idea of a single, permanent identification number became immediately antiquated.

In my 2016 book, Building a Comprehensive IT Security Program, I wrote: ‘The credit card industry provides a good example of how non-persistent identities can be used to effectively reduce the effect of cyber-crime. When a cyber-criminal steals a credit card number, the number is not persistent and can be deactivated within moments of it being reported stolen or observed to be displaying an anomalous behavior pattern. A similar methodology could be applied to identification numbers to make them much safer.’

A system like this would be much better in the current scenario. How great would it be if the exposed 143 million people were simply sent a new identification number and this whole thing was behind us? This kind of solution could actually work and solve the problem, rather than continuing to kick the can down the road and accepting stolen identities as a part of life. It would require administrative overhead, but maybe we could fund it through the fines we levy when breaches like this happen. That way the people responsible pay the bill, and the fines fund the apparatus that limits the damage they caused.
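To make the non-persistent identifier idea concrete, here is an added example (mine, not code from the post or from any credit bureau or government system) of a toy registry: the number a person presents is a revocable token, the record it points to is a stable internal key that relying parties never see, and a number is cancelled and replaced the moment it is reported stolen, observed being queried anomalously, or caught up in a breach. The number format, the query threshold and the API are all assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    record_id: str                 # stable internal key, never disclosed to relying parties
    name: str
    active: Optional[str] = None   # the one currently valid public number
    history: List[str] = field(default_factory=list)   # "number:reason" audit trail


class IdentityRegistry:
    def __init__(self, max_queries: int = 5) -> None:
        self.records: Dict[str, Record] = {}
        self.index: Dict[str, str] = {}       # active number -> record_id
        self.queries: Dict[str, int] = {}     # active number -> lookups seen
        self.max_queries = max_queries        # crude anomaly threshold (assumed value)

    def enroll(self, name: str) -> str:
        rid = secrets.token_hex(8)
        self.records[rid] = Record(rid, name)
        self.issue(rid)
        return rid

    def issue(self, rid: str) -> str:
        """Mint a fresh public number for a record (constructed XXXX-XXXX-XXXX format)."""
        number = "-".join(secrets.token_hex(2).upper() for _ in range(3))
        self.records[rid].active = number
        self.index[number] = rid
        self.queries[number] = 0
        return number

    def revoke(self, number: str, reason: str) -> str:
        """Deactivate a number (stolen, breached, anomalous) and hand back a replacement."""
        rid = self.index.pop(number)          # dead numbers no longer resolve to anything
        self.queries.pop(number, None)
        self.records[rid].history.append(f"{number}:{reason}")
        return self.issue(rid)

    def resolve(self, number: str) -> Optional[str]:
        """Relying-party lookup; a number hammered past the threshold is revoked on the spot."""
        rid = self.index.get(number)
        if rid is None:
            return None
        self.queries[number] += 1
        if self.queries[number] > self.max_queries:
            self.revoke(number, "anomalous query volume")
            return None
        return rid

    def reissue_all(self, rids) -> Dict[str, str]:
        """Breach response: cancel every exposed number in one pass, returning the new ones."""
        return {rid: self.revoke(self.records[rid].active, "breach") for rid in rids}
```

Note that `reissue_all` is exactly the "send 143 million people a new number" step: the stable record survives, only the exposed tokens die.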

The real tragedy and irony of my position in the information security industry is that breaches like this happen time and time again, and rarely result in any meaningful change. Perhaps this go-around we can begin to shift our paradigm, accept but battle the ‘breach state’ and innovate around meaningful solutions to actually protect our identities!