Cybersecurity

Is IRS dropping the risk assessment ball?

IRS Headquarters in Washington, D.C. (Photo credit: Rob Crandall / Shutterstock.com)

As far as anyone knows, the troves of taxpayer records maintained by the IRS have never been breached. But watchdogs are concerned by the leadership decisions that enabled fraudsters to snatch sensitive information through the digital front door.

"A risk assessment was done for Get Transcript," said Treasury Inspector General for Tax Administration J. Russell George. "And they made the wrong call."

Get Transcript is a web tool that IRS officials took down in May 2015 after fraudsters exploited the knowledge-based security and took tax data for more than 700,000 taxpayer accounts. In March 2016, the IRS suspended another online tool, its Identity Protection Personal Identification Number (IP PIN) retrieval tool, over similar concerns.

Testifying before the House Committee on Science, Space and Technology's Research and Technology Subcommittee, George said the IRS didn't conduct a thorough enough risk assessment of the IP PIN tool, especially after the botched assessment of Get Transcript.

George's office had repeatedly called for the IP PIN retrieval tool to be taken offline before IRS finally acknowledged a potential breach and nixed it.

IRS Commissioner John Koskinen defended knowledge-based security as a good practice when it was first implemented by the IRS in 2011.

"It's not as if anybody could walk in and answer those questions," he said at the time, noting one-fifth of taxpayers couldn't even answer their own questions.

Since 2011, however, a deluge of data breaches has rendered the practice much less effective.

Koskinen stressed the fact that IRS' own taxpayer records database hasn't been hacked; the taxpayer info that fueled the Get Transcript and IP PIN breaches came from outside the tax agency.

"The basic database has been secure," Koskinen said. "We hope it remains secure."

He said IRS is working on system segmentation – "So if you actually get into the database you can't run barefoot through it all" – and two-factor authentication.

But as it tries to maintain its cybersecurity posture, the agency is facing a leadership exodus.

The agency's cybersecurity director has already left, and its chief technology officer will soon likely leave as well. Both were hired under a streamlined critical pay authority that the IRS no longer has – and which Koskinen says it desperately needs to effectively hire and retain top tech talent.

Going forward, Koskinen pushed back against suggestions that IRS should limit online services in order to promote security. For IRS, offering more services online is the clear vision of the future.

But for their part, lawmakers indicated that on the security-versus-convenience question, they favor the former.

"Taxpayer protection should be the guiding force" as IRS invests its limited budget, said Rep. Paul Tonko (D-N.Y.).

"I assure you," echoed Rep. Barbara Comstock (R-Va.), "more security is better than less."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

