Lawrence Walsh, CEO, The 2112 Group
Lawrence Walsh, CEO, The 2112 Group

The string of high-profile attacks over the last year all have one thing in common: the theft of Social Security Numbers. If we can't stop breaches, then let's remove the incentive for hacking by devaluing the data.

Insurance giant Anthem became the latest in a long string of high-profile corporations to suffer a major security breach. In this case, more than 80 million records of health care subscribers were compromised. Over the last year, several other well-known corporations and institutions such as JPMorgan and Home Depot also suffered massive breaches. The common denominator isn't necessarily weak security, but rather the targeted information – Social Security and credit card numbers.

In the wake of these breaches, everyone from President Obama to security evangelists are calling for tighter regulations, better technology and more spending on data protection. What's become obvious in this cat-and-mouse game between corporations and hackers is there is no stopping security breaches. They will happen, period.

So what's the solution? Perhaps it's time to devalue the targeted data. Let's start with Social Security numbers, which are the holy grail of these attacks since they are the keys to unlocking all kinds of other digital treasures.

Social Security Numbers (SSN) are taken granted as a universal identifier. The Social Security Administration says there are more than 450 million Social Security numbers in circulation, and there's ample supply of the 10-digit combination to last for several more generations. In other words, the government has no plans to abandon the system developed in the 1930s.

In fact, SSNs were never intended to be an identification card beyond tax purposes. Until the 1970s, Social Security cards even said “Not for identification purposes.” To this day, you cannot use a Social Security card to prove your identity; you need a second form of government ID with a photo.

For some reason, though, SSNs are a near-ubiquitous requirement for any financial transaction. If you want a job, you must submit your SSN. The same goes if you want a bank account or credit card, want to buy a car or house, or if you buy a cell phone. And while there are few legal requirements to surrender your SSN to any private company, it's nearly impossible to have conduct a financial transaction without it.

The idea of devaluing an asset isn't new. The Bureau of Engraving and Printing and the U.S. Secret Service, divisions of the U.S. Department of the Treasury do this all the time with currency. The reason legal tender changes color, incorporates microfibers and holograms, is to defeat the efforts of counterfeiters. By making it harder to copy bills, the mint is making it less advantageous to counterfeit.

The employment of basic economics as a security measure also isn't new. Security professionals and strategists have long known that cost in time, resources and risk is a critical factor in the hacking equation. If the hacking costs are too high, hackers will move on to another target. So it's a deterrent if security measures employed make hackers expend more time and resources than the target assets are worth. If the assets are devalued or even made worthless, there's no benefit in attacking.

Just what would replace SSNs is an open question. The government has played with advanced encryption and data protection measures such as public key infrastructure (PKI) for more than a decade and hasn't been able to make them work. The idea of replacing SSNs with public keys that require multifactor authentication is an interesting concept.

Banning SSNs outside the government is another means for simply eliminating value. When an individual works with a private corporation, they're assigned account, policy, transaction and other identifiers. If the SSN is used to validate a person's legal standing, then why can't the production of valid identification. Consider this is what we do with employment. When a person is hired by a company, they're required to produce two forms of legal identification. After that, they're never asked for that information again.

Perhaps SSNs should be redesigned. Today, we use a nine-digit numerical combination. What if SSNs were redesigned similar to what was done with IPv6 addressing protocol. The number could be made larger to increase the pool and alpha characters could be added to make it harder to crack. With a larger pool of numbers, the Social Security Administration could then sample the market with dummy combinations. Hackers will never know if they're getting legitimate or illegitimate numbers.

The Social Security Administration says it has ample supply of numbers. By greatly increasing the pool of numbers, Social Security Numbers could be rotated every few years. We already do this with state issued drivers' licenses and credit card numbers. Many people don't know they can change Social Security numbers up to three times a year. If Social Security numbers expired, their long-term value would be greatly limited.

Hard to say if any of these ideas are truly viable. But it's about time to acknowledge that security breaches can't be eliminated; risk can only be mitigated and it's never to zero. Security faces the same economics as hackers – you can keep throwing money at the problem, but you quickly reach an inflection point where the cost outweighs the benefit. So instead of always looking at how much more we can spend on security technology, it's time we start looking at devaluing the assets under attack. Social Security Numbers are a good starting point. 


Lawrence M. Walsh (@lmwalsh2112) is the CEO and chief analyst of The 2112 Group, a research and business strategy firm specializing in indirect channels and business development. He is the former editor of Information Security, VARBusiness and Baseline magazines.