Senate Committee Hears Litany of IRS Cybersecurity Failings


ManageEngine OpManager, a powerful NMS for monitoring your network, physical & virtual (VMware/ HyperV) servers & other IT devices. Deploy and start monitoring in less than an hour. Trusted by over a million admins world-wide. Try it for free.

The U.S. Internal Revenue Service's cybersecurity measures are woefully inadequate, according to testimony presented this week to the Senate Finance Committee.

The hearing was convened to examine how the IRS is safeguarding private taxpayer information this filing season and to determine what improvements may be necessary, said Sen. Orrin Hatch, the committee's chairman.

Agencies, tax preparers and Congress have failed taxpayers, ranking member Sen. Ron Wyden said.

The IRS has not enacted numerous security recommendations from the U.S. Government Accountability Office and the Treasury Inspector General for Tax Administration, or TIGTA, officials testified.

The service is undermanned and underfunded and is working to secure taxpayer data in the face of increasingly sophisticated hackers, IRS representatives countered.

The IRS has not implemented 49 of the GAO's prior recommendations, Gene Dodaro, comptroller general of the United States, told the hearing.

Weaknesses remain in "key controls for identifying and authenticating users, authorizing users' level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing facilities housing its IT resources," he said.

The GAO has made 45 new recommendations.

As of March, the IRS had yet to implement 23 recommendations from 14 TIGTA audits that address weaknesses related to connections with external partners, continuous efforts to monitor information security, implementation of the Homeland Security Presidential Directive initiative and IT asset management, TIGTA head J. Russell George testified.

Among other problems, the IRS's Computer Security Incident Response Center "was not monitoring a significant percentage of IRS servers, which leaves that portion of the IRS network and data at risk," he said. TIGTA is evaluating the response center's effectiveness at preventing, detecting, reporting and responding to cyberattacks on the IRS.

"Organizations like the IRS sometimes attempt to bite off too much via a master plan that fixes everything at once," noted Tim McElwee, president of Proficio.

"We recommend a phased approach and using cloud-based services," he told the E-Commerce Times.

Cybercriminals are becoming increasingly sophisticated, and attacks and privacy breaches "are increasing across the country in all areas of government and industry," said IRS Commissioner John Koskinen.

Organized crime syndicates are getting involved, he testified.

The IRS has "been making steady progress within our reduced resources," investigating and prosecuting fraudsters, helping fraud victims and educating taxpayers, Koskinen said.

Also, it has partnered with four major payroll service providers, which add a special coded number on W-2 forms that's known only to the IRS, the providers and the W-2's recipient and will help the IRS detect changes made to the W-2s.

Congress has cut the IRS's budget sharply since 2010, and IRS funding is 17 percent below the 2010 level, adjusting for inflation, the Center on Budget and Policy Priorities reported this month. The agency has cut staff by 14 percent since 2010.

"It's possible that further funding for cybersecurity combined with increasing the requirements for verifying identity may help offset [tax return] fraud," Christian Lees, CISO at InfoArmor, told the E-Commerce Times.

Organizations that interact with multiple third-party providers have more complexity than self-contained networks, said Tim Erlin, director of IT security and risk strategy at Tripwire.

"Securing a complex network of computing resources is just plain hard to do," he told the E-Commerce Times.

The Obama administration's push for encryption backdoors isn't helping.

"Why require a back door and offer a target?" asked Craig Kensek, security expert with Lastline.

The IRS should "focus on protecting the data and build a process where unencrypted data can be requested," he told the E-Commerce Times.

"The IRS is saddled with very old systems, tight timelines, hard service-level requirements and limited budgets for R&D, as well as an aging workforce," remarked Philip Lieberman, CEO of Lieberman Software.

Wages and benefits for IRS staff "are not among the best, which inhibits their ability to provide top-notch talent to apply to the cyberdefense problem," he told the E-Commerce Times. It's "an issue of congressional leadership, funding and clear guidance on what the legislature provides to the IRS."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Tweets May Soon Breeze Past 140-Character Limit

    In an effort to better monetize its platform and boost user traffic, Twitter may relax the 140-character limit on individual tweets by no longer counting photos and Web links, Bloomberg reported earlier this week.Raising the character limit would make a stronger case for increasing user engagement on Twitter, Dorsey said.
  • 5300c769af79e

    Download Apps For Free: Sports

    }}FEATURES{{ # Stunning Graphics # Explore 60 tracks and 3 amazing real-world locations # Challenging Levels # Choose Different Riders and bikes # Perform Different Style and Stunts # Customize and upgrade # Easy Controls # And more {Requires Android 4.Jelly Bean(4.
  • 5300c769af79e

    6 Reasons Designers Prototype

    Download It's almost counter-intuitive.When creating a new product - whether that's a sexy pair of audio headphones or building an iOS/Android app, slowing down to build a prototype will invariably speed up the launch.
  • 5300c769af79e

    Video: Short Clip Shows Working Galaxy Note 7 In-Hand

    August 2, the date set by Samsung for the unveiling of the Galaxy Note 7, is right around the corner.The latest is a very short clip posted to YouTube, showing someone fondling the device and pressing down on its buttons, apparently testing to make sure everything is functional.