Is IRS dropping the risk assessment ball?

As far as everyone knows, troves of taxpayer records maintained by the IRS have never been breached. But watchdogs are concerned by the leadership decisions that enabled fraudsters to snatch sensitive information through the digital front door.

"A risk assessment was done for Get Transcript," said Treasury Inspector General for Tax Administration J. Russell George. "And they made the wrong call."

Get Transcript is a web tool that IRS officials took down in May 2015 after fraudsters exploited the knowledge-based security and took tax data for more than 700,000 taxpayer accounts. In March 2016, the IRS suspended another online tool, its Identity Protection Personal Identification Number (IP PIN) retrieval tool, over similar concerns.

Testifying before the House Committee on Science, Space and Technology's Research and Technology Subcommittee, George said the IRS didn't conduct a thorough enough risk assessment of the IP PIN tool, especially after the botched assessment of Get Transcript.

George's office had repeatedly called for the IP PIN retrieval tool to be taken offline before IRS finally acknowledged a potential breach and nixed it.

IRS Commissioner John Koskinen defended knowledge-based security as a good practice when it was first implemented by the IRS in 2011.

"It's not as if anybody could walk in and answer those questions," he said at the time, noting one-fifth of taxpayers couldn't even answer their own questions.

Since 2011, however, a deluge of data breaches has rendered the practice much less effective.

Koskinen stressed the fact that IRS' own taxpayer records database hasn't been hacked; the taxpayer info that fueled the Get Transcript and IP PIN breaches came from outside the tax agency.

"The basic database has been secure," Koskinen said. "We hope it remains secure."

He said IRS is working on system segmentation – "So if you actually get into the database you can't run barefoot through it all" – and two-factor authentication.

But as it tries to maintain its cybersecurity posture, the agency is facing a leadership exodus.

The agency's cybersecurity director has already left, and its chief technology officer will soon likely leave as well. Both were hired under a streamlined critical pay authority that the IRS no longer has – and which Koskinen says it desperately needs to effectively hire and retain top tech talent.

Going forward, Koskinen pushed back against suggestions that IRS should limit online services in order to promote security. For IRS, offering more services online is the clear vision of the future.

But for their part, lawmakers indicated that on the security-versus-convenience question, they favor the former.

"Taxpayer protection should be the guiding force" as IRS invests its limited budget, said Rep. Paul Tonko (D-N.Y.).

"I assure you," echoed Rep. Barbara Comstock (R-Va.), "more security is better than less."