Obfuscation Is Not Security

There’s been much ado about sensitive information being shared inappropriately with the public. The reality is more nuanced, and more troubling. Most federal agencies possess deeply ingrained political instincts that overemphasize secrecy in public statements, rely heavily on “obfuscation” as a low-cost security strategy, and suffer from consistently poor operational security (OpSec).

A prime example is the Social Security Administration. On February 26, 2014, then Acting Commissioner Carolyn Colvin testified before Congress, stating:

“Although there is a low level of fraud in our disability programs, no amount of fraud is tolerable.”

While well-intentioned, this kind of messaging sets unrealistic expectations for the public. Fraud is a risk in any large-scale system, and every major bank accepts certain loss levels as the cost of doing business. Striving for zero fraud is noble. Pretending it’s achievable without tradeoffs is misleading.

As one former CIA Director put it:

“If an organization guards its pencils and diamonds equally, it will lose a lot more diamonds, and fewer pencils.”

This highlights a key principle in modern security: risk-based prioritization.

Best practices in risk management, from NIST to GAO guidance, recommend quantification. Using tools like Annual Rate of Occurrence (ARO), Single Loss Expectancy (SLE), and Annual Loss Expectancy (ALE) is an industry best practice. Unfortunately, federal agencies rarely use these quantitative models. Instead, they default to qualitative labels, “high,” “medium,” or “low” risk, without connecting them to actual costs or quantitative financial probabilities.
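As an added illustration of the quantitative approach this paragraph describes (example code written for this post, not from NIST, GAO or any agency), the snippet below computes SLE (asset value × exposure factor) and ALE (SLE × ARO) for a small constructed asset inventory, ranks the assets by ALE, and checks whether a proposed control is worth its annual cost. The assets, dollar values and rates are constructed for the example; the "pencils and diamonds" pair echoes the quote below, and the frequency-only qualitative label stands in for the "high/medium/low" practice the paragraph criticizes.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One asset and the parameters of a single loss scenario (constructed values)."""
    asset: str
    asset_value: float      # replacement / loss value in dollars
    exposure_factor: float  # fraction of value lost per incident, 0.0 to 1.0
    aro: float              # Annual Rate of Occurrence: expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: expected dollars lost per year."""
        return self.sle * self.aro


def qualitative_label(risk: Risk) -> str:
    """Frequency-only label, the kind of 'high/medium/low' tag that ignores cost."""
    if risk.aro >= 1.0:
        return "high"
    if risk.aro >= 0.1:
        return "medium"
    return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Risk-based prioritization: biggest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def control_net_benefit(risk: Risk, annual_control_cost: float, aro_after: float) -> float:
    """Annual ALE reduction bought by a control, minus what the control costs.

    Positive means the control pays for itself; negative means it costs more
    than the loss it prevents (the 'guarding pencils' case).
    """
    residual_ale = risk.sle * aro_after
    savings = risk.ale - residual_ale
    return savings - annual_control_cost


# Constructed inventory: one rare-but-catastrophic asset, one frequent-but-trivial one.
SAMPLE_RISKS = [
    Risk("diamonds", asset_value=1_000_000, exposure_factor=1.0, aro=0.05),
    Risk("pencils", asset_value=2_000, exposure_factor=0.5, aro=12.0),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.asset:<9} label={qualitative_label(r):<6} "
              f"SLE=${r.sle:>12,.0f} ALE=${r.ale:>10,.0f}")
    # Same $20,000/year guard applied to each asset; compare net benefit.
    for r in SAMPLE_RISKS:
        aro_after = 0.01 if r.asset == "diamonds" else 1.0
        print(f"guard {r.asset}: net ${control_net_benefit(r, 20_000, aro_after):,.0f}/year")
```

Run as a script, the frequency-only label marks the pencils "high" and the diamonds "low", while the ALE ranking puts the diamonds first; the same $20,000 guard shows a net gain on the diamonds and a net loss on the pencils, which is the quote's point in numbers.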

Meanwhile, obfuscation remains the tool of choice, not because it’s effective, but because it’s cheap. It's easier to redact, bury, or wordsmith than to invest in real security infrastructure, an anti-fraud practice, or tools like AI to help. But obfuscation doesn’t stop fraudsters; it helps them. It creates blind spots. It signals to adversaries that there’s more effort in controlling the message than securing the systems.

This is especially dangerous in agencies like the SSA. While proud of their mission and open about successes, SSA, like many agencies, operates in a culture of documentation and publication. Collaboration breeds transparency, but transparency, paired with technological inertia, creates risk. The agency’s data systems, integration points, and internal network architecture are all discoverable simply by reading SSA’s public materials. Want to understand SSA’s databases? Review the IRM strategic plan. Curious about data, databases, data pipelines, and data field structures? Check the published privacy impact assessments and Data exchange applications. Examples abound:

If a fraudster or foreign actor wanted to understand SSA’s systems, they wouldn’t need to hack in. They would just need to read, a pattern that holds across the federal government.



This isn’t a call to shut down transparency. It’s a call for real security, anti-fraud measures, fundamental IT, and adoption of best practices: OpSec, not obfuscation; risk management, not press management; and clear-eyed prioritization, not blanket denial of risk.
