Multiple hacks of government databases, along with the well-publicized breaches of retailer and credit reporting agency databases, mean that a wealth of personally identifiable information (PII) is in the hands of criminals. A key issue, says Jeff Kramer, Senior Director of Government Solutions for Reed Tech, is that this data is duplicated in too many agencies’ systems, resulting in more places for bad actors to attack. We asked him about the potential benefits and risks of this approach and got his insights on how to keep PII more secure going forward.
Government Technology Insider (GTI): You’ve proposed a “Department of Data” – a single agency that would store, protect and make PII available only as needed. What are the downsides to having information stored in multiple agency databases?
Jeff Kramer, Reed Tech (JK): Having key pieces of personal data stored in multiple places results in a great attack surface for bad actors and a greater possibility of data being compromised. However, if you put some type of identifiable information in one central place, that would reduce the risk. You wouldn’t have to worry about different versions of data. You wouldn’t have to worry about who’s in control of it. It would be one central repository, and you’d have to create strong data governance guidelines for how to access it — I think those things can be easily overcome.
GTI: One huge risk to PII is that Social Security numbers are being used as an identifier everywhere. When an employer, a health care provider, or a bank needs to know that you’re really you, they require that this same universal identifier is available. But that wasn’t its original purpose.
JK: I’m of the opinion that maybe the Social Security number has kind of come and gone, in terms of its usefulness. It was created back in, I believe, the late 30s, and now it’s a single identifier of somebody. Information like that may need to be revamped. But, right now, it would take a pretty good effort to go through and scrub all the places where something like your Social Security number is housed in federal agencies.
GTI: In practice, how would a Department of Data work to make sure that agencies and anyone else who needed that information would be able to get it?
JK: We’d have to set up some practices or put some policies in place so that this is viable. There would have to be an effort to go through and look at the different agencies and consolidate information and then, once you do have a single point of access, each agency would have to make a case for accessing the data and why they need it. There would have to be procedures on the back end so that when they do get the data, it’s not, in fact, stored somewhere else. It’s just an instance of the data, and the main piece, or the main PII, is continually stored in one central location.
GTI: How would this Department of Data idea fit with ensuring proper governance and, if there is a breach, how hard would it be to restore operations versus having information in distributed databases?
JK: I think the mentality now is: “How reactive can you be in case of a data breach?” Maybe we need to think in terms of going on the offensive and not having a breach. There are cybersecurity procedures that we can set up to create a little bit more of a defensive network posture versus reactive.
If you think of military bases or even someplace like the Pentagon, I think they’re probably a little bit more formidable, and their posture is, “Well, what happens if there is some kind of attack or if there is some kind of breach, what does that mean exactly?” And maybe we fortify our defenses, and part of that is keeping one place secure and solid versus having multiple locations that could possibly be compromised.
GTI: How does this idea fit with technology innovations and emerging standards? For example, isn’t blockchain the opposite of a single data point? And would a Department of Data get in the way of new tech that could actually improve security?
JK: Well, blockchain is the latest buzzword – is it a fad, is it something that’s going to be around for a while? There are obviously pluses and minuses to blockchain — private blockchain versus global or enterprise blockchain.
Blockchain is good if you do not know or trust the other person, in terms of data. But if you do have some type of trusted private database or something that is a central authority, blockchain isn’t really needed.
I think we need to get back to the roots of “let’s just secure that data.” Let’s put the data in place and make sure it’s secure without having to worry about other new, emerging technologies. PKI has been around for a decade. It’s trusted, it’s proven and public and private keys should be used for transferring data back and forth. It’s very efficient, it’s very fast and I don’t necessarily know that we need to come up with newer technologies. Maybe we could take a step back and look at the technologies that we’ve created and figure out ways to use them more efficiently.
GTI: Do you have any final thoughts on keeping personally identifiable information more secure?
JK: Well, I think the government needs to step in and hold the agencies accountable for data breaches. Our data is all over the place. There are three credit reporting agencies and they have breaches all the time. Somebody needs to be held liable for a data breach and its consequences. If we start putting some teeth into consequences for data breaches, I think you’d find that they would happen a lot less frequently. If it’s somebody’s bank account and they have to start paying for breaches, or are responsible, even legally liable, I think there would be fewer and fewer breaches.
It seems to happen every day and it’s, “Oh, well, we’ll give you access to another credit agency to protect your data and if you have a breach, let us know.” But right now, I’ve probably been through four or five breaches and will likely be subject to more. Particularly if you get a security clearance, or any kind of clearance with the government, your data is even more at risk, with the broader set of agencies that have Social Security numbers and PII.