Senate Committee Hears Litany of IRS Cybersecurity Failings


ManageEngine OpManager, a powerful NMS for monitoring your network, physical & virtual (VMware/ HyperV) servers & other IT devices. Deploy and start monitoring in less than an hour. Trusted by over a million admins world-wide. Try it for free.

The U.S. Internal Revenue Service's cybersecurity measures are woefully inadequate, according to testimony presented this week to the Senate Finance Committee.

The hearing was convened to examine how the IRS is safeguarding private taxpayer information this filing season and to determine what improvements may be necessary, said Sen. Orrin Hatch, the committee's chairman.

Agencies, tax preparers and Congress have failed taxpayers, ranking member Sen. Ron Wyden said.

The IRS has not enacted numerous security recommendations from the U.S. Government Accountability Office and the Treasury Inspector General for Tax Administration, or TIGTA, officials testified.

The service is undermanned and underfunded and is working to secure taxpayer data in the face of increasingly sophisticated hackers, IRS representatives countered.

The IRS has not implemented 49 of the GAO's prior recommendations, Gene Dodaro, comptroller general of the United States, told the hearing.

Weaknesses remain in "key controls for identifying and authenticating users, authorizing users' level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing facilities housing its IT resources," he said.

The GAO has made 45 new recommendations.

As of March, the IRS had yet to implement 23 recommendations from 14 TIGTA audits that address weaknesses related to connections with external partners, continuous efforts to monitor information security, implementation of the Homeland Security Presidential Directive initiative and IT asset management, TIGTA head J. Russell George testified.

Among other problems, the IRS's Computer Security Incident Response Center "was not monitoring a significant percentage of IRS servers, which leaves that portion of the IRS network and data at risk," he said. TIGTA is evaluating the response center's effectiveness at preventing, detecting, reporting and responding to cyberattacks on the IRS.

"Organizations like the IRS sometimes attempt to bite off too much via a master plan that fixes everything at once," noted Tim McElwee, president of Proficio.

"We recommend a phased approach and using cloud-based services," he told the E-Commerce Times.

Cybercriminals are becoming increasingly sophisticated, and attacks and privacy breaches "are increasing across the country in all areas of government and industry," said IRS Commissioner John Koskinen.

Organized crime syndicates are getting involved, he testified.

The IRS has "been making steady progress within our reduced resources," investigating and prosecuting fraudsters, helping fraud victims and educating taxpayers, Koskinen said.

Also, it has partnered with four major payroll service providers, which add a special coded number on W-2 forms that's known only to the IRS, the providers and the W-2's recipient and will help the IRS detect changes made to the W-2s.

Congress has cut the IRS's budget sharply since 2010, and IRS funding is 17 percent below the 2010 level, adjusting for inflation, the Center on Budget and Policy Priorities reported this month. The agency has cut staff by 14 percent since 2010.

"It's possible that further funding for cybersecurity combined with increasing the requirements for verifying identity may help offset [tax return] fraud," Christian Lees, CISO at InfoArmor, told the E-Commerce Times.

Organizations that interact with multiple third-party providers have more complexity than self-contained networks, said Tim Erlin, director of IT security and risk strategy at Tripwire.

"Securing a complex network of computing resources is just plain hard to do," he told the E-Commerce Times.

The Obama administration's push for encryption backdoors isn't helping.

"Why require a back door and offer a target?" asked Craig Kensek, security expert with Lastline.

The IRS should "focus on protecting the data and build a process where unencrypted data can be requested," he told the E-Commerce Times.

"The IRS is saddled with very old systems, tight timelines, hard service-level requirements and limited budgets for R&D, as well as an aging workforce," remarked Philip Lieberman, CEO of Lieberman Software.

Wages and benefits for IRS staff "are not among the best, which inhibits their ability to provide top-notch talent to apply to the cyberdefense problem," he told the E-Commerce Times. It's "an issue of congressional leadership, funding and clear guidance on what the legislature provides to the IRS."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Q&A Sessions: Volume 44

    With CES now behind us and MWC on its way, we wanted to slip in our first Q&A Session of 2017.We have a very busy and exciting year ahead of us, one likely filled with plenty of new phones, Chromebooks, Android TV set-top boxes, Android Wear watches, and maybe even a tablet or two.
  • 5300c769af79e

    Secrets To Building Better Products: Fail Fast, Hire Full-Stack Engineers

    In this information technology age, the need for a new type of employee has risen The full-stack engineer.No longer can enterprises afford to have engineers with a singular focus.
  • 5300c769af79e

    Hacker's Playbook 2nd Edition

    Download Download the SafeBreach Hacker's Playbook, the first report of its kind to report on enterprise security trends and issues from the perspective of an attacker.Incorporating analysis of more than 4 million breach methods executed in real-world enterprise deployments, you will learn how attackers view you as a target, the mistakes security teams are making in their organization, and best practices to stay secure.
  • 5300c769af79e

    DEAL: Google Home + Chromecast Bundle is $15 Off, Home Bases 50% Off, Chromecast are $5 Off

    Probably because Google just spent millions on a Super Bowl ad for Google Home and people could potentially be flooding their online shop (at Best Buy too) to purchase one, they are hosting a couple of discounts on Google Home and its related products.For one, you can snag a $15 discount on Home when you purchase it with a Chromecast product.