Audit Reveals IRS Struggles to Implement Security ControlsGAO: Taxpayer Data 'Unnecessarily Vulnerable' to Inappropriate Use
The Internal Revenue Service continues to struggle to implement proper security controls to protect taxpayers' data, a new audit from the Government Accountability Office reveals.
Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.
The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."
Some Signs of Progress
GAO acknowledges in the audit that the IRS has made progress in restricting access privileges for key financial applications and expanding multifactor authentication across the agency, a point IRS Commissioner John Koskinen accentuated in his written response to the report.
"The security and privacy of all taxpayer information is of the utmost importance to us, and the integrity of our financial systems continues to be sound," Koskinen says. The IRS chief says GAO recommendations in the latest audit "provided more specificity" than earlier reports; GAO sent 44 recommendations to the IRS in a private addendum to the audit. "While the increased level of detail has likely resulted in more recommendations, it will allow the IRS to better address cybersecurity risk," Koskinen says.
Auditors note, however, that the tax-collection agency has not fully implemented unique user identification and authentication that complies with a presidential directive.
The GAO report also notes that as the IRS expands the use of encryption, weak cryptography controls persist. GAO says it identified 11 systems that had not been configured to encrypt sensitive user authentication data. Such failures, the auditors say, increased the risk that unauthorized individuals could view and then use the data to gain unwarranted access to its system or sensitive information.
Koskinen concedes IRS information systems are vulnerable to attack. "We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day (see Tax Commissioner Expects More IRS Cyberattacks). "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."
Recent IRS Security Issues
Earlier this month, the IRS said it was temporarily deactivating an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud. The IRS said it had discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate identity protection PINs tied to tax filers' accounts, and it warned that it's facing up to 130,000 fraudulent returns (see IRS Disables Hacked PIN Tool).
The IRS also recently revised upward the number of accounts victimized in its Get Transcript breach, originally discovered last May, with the tax agency saying the personal information from as many as 724,000 taxpayers' accounts may have been stolen (see IRS Doubles Number of Get Transcript Victims). At first, the IRS believed that 114,000 accounts had been breached (see IRS: 100,000 Taxpayer Accounts Breached). Then, last August, the IRS revised that tally to 334,000 accounts (see IRS: Hack Much Wider Than First Thought).
Past Weaknesses Not 'Effectively Corrected'
In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected."
GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.
The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.
Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."