Why hackers are outgunning the IRS
Nothing like a high-profile hack attack to bring a government agency's computer woes into focus. Just ask the Internal Revenue Service.
The data breach the tax agency revealed in late May that exposed 104,000 tax returns to hackers might have been avoided if the IRS had implemented recommendations to beef up its security made by the agency's inspector general in recent years, according to an agency watchdog.
J. Russell George, Treasury inspector general for tax administration (TIGTA), noted in a Senate Finance Committee hearing on Tuesday that the IRS hadn't implemented 44 of his department's recommendations to improve computer security, 10 of which were more than three years old. After audits from his office, which operates independently of the IRS, the agency hasn't always applied upgrades or patches to its computer networks and failed to monitor a "significant percentage" of its servers for potential security risks.
Although George couldn't say with certainty that the latest hack could have been prevented, he told Committee Chairman Orrin Hatch, R-Utah, that it "would have become more difficult had they implemented all the recommendations." He also noted that the risk for breaches will become even worse as the IRS allows taxpayers greater access to online data.
"More avenues for online assistance also means more avenues for exploitation by hackers and greater risk to the IRS and taxpayers," George said. "The IRS faces a daunting task in protecting its data and IT environment from the ever changing and rapidly evolving hacker world."
George's view was echoed by IRS Commissioner John Koskinen, who told the committee the agency was doing the best it can "even with our constrained resources as the result of repeated decreased funding over the past few years." The increasing aggressiveness from criminals seeking people's personal information, makes protecting taxpayers "increasingly challenging and difficult," Koskinen said.
As the Associated Press noted, the IRS' cybersecurity budget fell more than 20 percent between 2011 and 2015. The agency's overall funding has been slashed by more than $1 billion since 2010. Committee member Tom Carper, D-Delaware, said that it was unfair to criticize the IRS for failing to bolster its cybersecurity budget while at the same time Congress is cutting the agency's funding.
In the recent attack, hackers from outside the U.S. managed to get access to a system called Get Transcript because they possessed personal information about taxpayers, such as dates of birth and tax-filing status that had been stolen from outside the IRS. The Get Transcript function has been taken down while investigations into the incident continue. The main IRS network wasn't hacked.
Senator Ron Wyden, D-Oregon, the ranking Democrat on the committee, argued that the hacking was the work of a "sophisticated" organized crime network and highlights the need for the IRS to have what he called a "21st century IT system" because it shows that "once again the thieves are one step ahead of the authorities."
He cited a report from the U.S. Department of Homeland Security that found federal agencies come under cyberattack hundreds of times a day and thousands of times a year.
"The problem continues to spiral with hackers targeting federal agencies, state governments--including my own--and private companies alike to steal money and data," Wyden said. "It's not just a question of resources, and it is certainly not a lack of commitment from the IRS staff. It's also a question of expertise. The era of punch cards and paper forms ended long ago."
Republicans, including Senator Tim Scott, R-South Carolina, were less sympathetic. He noted that the Obama administration has spent $5 billion on IT at the IRS and that the Bush administration spent $5.3 billion.
Referring to the scandal over the agency's targeting of groups allied with the Tea Party, Scott said: "This breach will add more fire to people who are petrified by the IRS."