There are less than three weeks remaining in the 2016 tax filing season, but there’s no end to the attacks on our private information held by the IRS. Sadly, the IRS is failing to really safeguard us from hacks despite constant warnings and recommendations.
Another such warning comes from the Government Accountability Office (GAO). The GAO spanked the IRS this week with a report that says the tax agency has not implemented a number of security information protocols for its systems containing the treasure trove of taxpayer data.
Through an audit of the IRS’s systems, GAO found that the agency had failed to use controls that identified and authenticated users, to restrict access to servers, to ensure that sensitive user authentication data is encrypted, to audit and monitor systems, and to properly limit access to restricted areas. In addition, the agency was using outdated software that exposed it to known vulnerabilities.
The implications of lax cybersecurity are real and devastating to taxpayers. Vulnerable computer systems are an open door for hackers and people with malicious intentions to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other systems and networks. We have reported extensively on IRS hacks from this tax year and last year. The numbers of affected Americans are in the millions and counting.
The IRS is also connected to the data systems of other agencies and hubs such as the ObamaCare data hub. As we suggested recently, hackers who get into one system may be able to worm their way into other systems.
Vigilance and security must be top priorities for all agencies, but especially for agencies such as the IRS, which bears the responsibility of collecting our money and storing our sensitive, personal information.
While the GAO acknowledges that the IRS has taken some steps to ensure security, the report chides the agency for not fully implementing safeguards, leading to security “deficiencies”:
An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program had not yet been effectively implemented. For example, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access. In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.
Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.
IRS head John Koskinen is busy playing the blame game with Congress. He’s been using the media to push Congress to restore billions in funding that were cut following the agency’s inappropriate use of funding. The Washington Times reports on his reaction to the GAO report:
IRS Commissioner John A. Koskinen insisted his agency’s systems are sound, but said he was happy investigators provided so much detail, because it gives his agency a chance to fix problems. He said previous audits were light on those details.
Mr. Koskinen did not say what steps his agency will take to fix the problems the GAO identified, but signaled whatever they do will likely be limited because he doesn’t think his agency has enough money.
“While we agree with GAO’s recommendations, we will review them to ensure that our actions include sustainable fixes that implement appropriate security controls balanced against agency information technology and human capital resource limitations,” he said in his official response to the GAO.
The more reports that emerge that the IRS is failing in its duty to safeguard our information, the more Americans will distrust this powerful agency. The next hacking will only underscore that politics and not privacy protection is the pri