The U.S. Internal Revenue Service’s cybersecurity measures are woefully inadequate, according to testimony presented this week to the Senate Finance Committee.
The hearing was convened to examine how the IRS is safeguarding private taxpayer information this filing season and to determine what improvements may be necessary, said Sen. Orrin Hatch, the committee’s chairman.
Agencies, tax preparers and Congress have failed taxpayers, ranking member Sen. Ron Wyden said.
The IRS has not enacted numerous security recommendations from the U.S. Government Accountability Office and theTreasury Inspector General for Tax Administration, or TIGTA, officials testified.
The service is undermanned and underfunded and is working to secure taxpayer data in the face of increasingly sophisticated hackers, IRS representatives countered.
The IRS has not implemented 49 of the GAO’s prior recommendations, Gene Dodaro, comptroller general of the United States, told the hearing.
Weaknesses remain in “key controls for identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing facilities housing its IT resources,” he said.
The GAO has made 45 new recommendations.
As of March, the IRS had yet to implement 23 recommendations from 14 TIGTA audits that address weaknesses related to connections with external partners, continuous efforts to monitor information security, implementation of the Homeland Security Presidential Directive initiative and IT asset management, TIGTA head J. Russell George testified.
Among other problems, the IRS’s Computer Security Incident Response Center “was not monitoring a significant percentage of IRS servers, which leaves that portion of the IRS network and data at risk,” he said. TIGTA is evaluating the response center’s effectiveness at preventing, detecting, reporting and responding to cyberattacks on the IRS.
“Organizations like the IRS sometimes attempt to bite off too much via a master plan that fixes everything at once,” noted Tim McElwee, president ofProficio.
“We recommend a phased approach and using cloud-based services,” he told the E-Commerce Times.
The IRS’s Defense
Cybercriminals are becoming increasingly sophisticated, and attacks and privacy breaches “are increasing across the country in all areas of government and industry,” said IRS Commissioner John Koskinen.
Organized crime syndicates are getting involved, he testified.
The IRS has “been making steady progress within our reduced resources,” investigating and prosecuting fraudsters, helping fraud victims and educating taxpayers, Koskinen said.
Also, it has partnered with four major payroll service providers, which add a special coded number on W-2 forms that’s known only to the IRS, the providers and the W-2’s recipient and will help the IRS detect changes made to the W-2s.
More Cash Needed
Congress has cut the IRS’s budget sharply since 2010, and IRS funding is 17 percent below the 2010 level, adjusting for inflation, theCenter on Budget and Policy Priorities reported this month. The agency has cut staff by 14 percent since 2010.
“It’s possible that further funding for cybersecurity combined with increasing the requirements for verifying identity may help offset [tax return] fraud,” Christian Lees, CISO atInfoArmor, told the E-Commerce Times.
Technical and Leadership Issues
Organizations that interact with multiple third-party providers have more complexity than self-contained networks, said Tim Erlin, director of IT security and risk strategy atTripwire.
“Securing a complex network of computing resources is just plain hard to do,” he told the E-Commerce Times.
The Obama administration’s push for encryption backdoors isn’t helping.
“Why require a back door and offer a target?” asked Craig Kensek, security expert withLastline.
The IRS should “focus on protecting the data and build a process where unencrypted data can be requested,” he told the E-Commerce Times.
“The IRS is saddled with very old systems, tight timelines, hard service-level requirements and limited budgets for R&D, as well as an aging workforce,” remarked Philip Lieberman, CEO ofLieberman Software.
Wages and benefits for IRS staff “are not among the best, which inhibits their ability to provide top-notch talent to apply to the cyberdefense problem,” he told the E-Commerce Times. It’s “an issue of congressional leadership, funding and clear guidance on what the legislature provides to the IRS.”