IRS Security

Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What’s our money being spent on? Do we have a government worth paying for? I’m not here to answer any of those questions—I’m here to give you something else to think about. In addition to sending the IRS your money, you’re also sending them your data.

It’s a lot of highly personal financial data, so it’s sensitive and important information.

Is that data secure?

The short answer is “no.” Every year, the GAO—Government Accountability Office—reviews IRS security and issues a report. The title of this year’s report kind of says it all: “IRS Needs to Further Improve Controls over Financial and Taxpayer Data.” The details are ugly: failures in identification and authentication of network users, failures to encrypt data, failures in audit and monitoring and failures to patch vulnerabilities and update software.

To be fair, the GAO can sometimes be pedantic in its evaluations. And the 43 recommendations for the IRS to improve security aren’t being made public, so as not to advertise our vulnerabilities to the bad guys. But this is all pretty basic stuff, and it’s embarrassing.

More importantly, this lack of security is dangerous. We know that cybercriminals are using our financial information to commit fraud. Specifically, they’re using our personal tax information to file for tax refunds in our name to fraudulently collect the refunds.

We know that foreign governments are targeting U.S. government networks for personal information on U.S. citizens: Remember the OPM data theft that was made public last year in which a federal personnel database with records on 21.5 million people was stolen?

There have been some stories of hacks against IRS databases in the past. I think that the IRS has been hacked even more than is publicly reported, either because the government is keeping the attacks secret or because it doesn’t even realize it’s been attacked.

So what happens next?

If the past is any guide, not a lot. The GAO has been warning about problems with IRS security since it started writing these reports in 2007. In each report, the GAO has issued recommendations for the IRS to improve security. After each report, the IRS did a few of those things, but ignored most of the recommendations. In this year’s report, for example, the GAO complained that the IRS ignored 47 of its 70 recommendations from 2015. In its 2015 report, it complained that the IRS only mitigated 14 of the 69 weaknesses it identified in 2013. The 2012 report didn’t paint IRS security in any better light.

If I had to guess, I’d say the IRS’s security is this bad for the exact same reason that so much corporate network-security is so bad: lack of budget. It’s not uncommon for companies to skimp on their security budget. The budget at the IRS has been cut 17% since 2010; I am certain IT security was not exempt from those cuts.

So we’re stuck. We have no choice but to give the IRS our data. The IRS isn’t doing a good job securing our data. Congress isn’t giving the IRS enough budget to do a good job securing our data. Last Tuesday, the Senate Finance Committee urged the IRS to improve its security. We all need to urge Congress to give it the money to do so.

Nothing is absolutely hacker-proof, but there are a lot of security improvements the IRS can make. If we have to give the IRS all our information—and we do—we deserve to have it taken care of properly.

This essay previously appeared on CNN.com.

Tags: accountability, essays, IRS, national security policy, security policies

Posted on April 15, 2016 at 6:52 AM • 53 Comments

Comments

User • April 15, 2016 7:15 AM

Concur

garyh • April 15, 2016 7:36 AM

Things may get worse.

http://www.bankinfosecurity.com/irs-chief-agency-faces-loss-key-infosec-personnel-a-9038

crandall • April 15, 2016 7:52 AM

      "I'd say the IRS's security is this bad for... lack of budget."

And you would be wrong.

The core problem is bad management by unaccountable government bureaucrats running the IRS fiefdom.

Inadequate budget is the standard lame excuse used by all government bureaucracies (and their apologists) to excuse any failures in performance.

The IRS bureaucrats get over $2Billion a year for their operations, with hefty annual increases in budget (+12% this year). And Congress would certainly give them special subsidies for security… if IRS managers had any credible plan to fix their internal security.

“lack of budget” ain’t the problem at the IRS.

Spaniard • April 15, 2016 8:00 AM

And it’s not just the US.

Just a week ago the tax return filing period started in Spain. On the first day, which had announced an improved online process, somehow many people were able to see the data from other taxpayers.

The worse part of all this is, because of the data leaked, many people could actually fill the tax return for others. Fortunately, this isn’t directly exploitable for receiving refunds as the law requires to provide a bank account the taxpayer owns, however a malicious person could file wrong data for which the actual taxpayer could be fined.

And that’s why I still do my tax filing on actual paper, with a proper IRS-equivalent stamp as proof of presentation.

mike~acker • April 15, 2016 8:07 AM

the requirements to secure digital documents are simple

(1) a signature that can be recognized, but
(2) which cannot be produced by anyone other than the signatory

this is beautifully described by Mr. Whitfield Diffie himself in an article published on Ars Technica: Whitfield Diffie testifies at NewEgg v TQP Holdings

the critical note is in the section “A Brief History of Public Key Encryption” :

“The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate,” he said. “That person can recognize the signature but could not have created the signature.”

the place to start is with the tax software folks: get PGP incorporated into the electronic tax software.

people will need a means by which to get their Public Keys authenticated; this service needs to be offered in Credit Unions, DMV Offices, County Clerks, Notaries — places we already have that deal with authenticating identities

the old Name, Address, Date of Birth, Social Security Number and Mother’s Maiden Name — are insufficient in today’s digital world. It’s either Back to Paper — or onward to Public Key Encryption. the current World of Hacking is unacceptable.

I like Apple’s concept of a “security enclave” — a chip added to the “smart phone” that serves to carry the security keys,—- we used to call it a “KEK” device in the Army.

The solution is available. PGP or GnuPG — has been available for 20 years…

failure to put it to good use says something about those who are neglecting this responsibility.

paul • April 15, 2016 8:16 AM

@mike~acker

Public-key encryption works perfectly if

a) you can verify the identity of every person to whom you issue a keypair and
b) every person can keep their private key secure indefinitely.

Good luck with that for the universe of taxpayers and potential taxpayers. (I say potential taxpayers because one of the primary tricks for IRS-related fraud has been getting there first: falsely signing up for online filing before the actual person has a chance to do so. Then, when the real taxpayer arrives, they’re shut out.)

Tatütata • April 15, 2016 8:49 AM

There is apparently a problem with the HTML of the article.

The first “<a href=”…”>” does not have a matching “</a>”

Mike Barno • April 15, 2016 8:50 AM

@Bruce:

It looks like there’s a malformed HTML tag in the posting’s first link, so the link text spans three paragraphs.

Winter • April 15, 2016 9:11 AM

“We know that foreign governments are targeting U.S. government networks for personal information on U.S. citizens:”

I read rumors that several “agents” in the world are working on a database of all humans (or all humans that are online or have a mobile phone). Tax authorities would seem a prime target for that information, next to telecoms.

Ergo Sum • April 15, 2016 9:17 AM

@crandall… I agree…

I’ve dealt with a number of CSOs at government organizations. It made me wonder, how did they ever get in to that position? And as the old saying goes, “the fish start to smell from its head”, the rest of the organization under the CSO wasn’t much better either. Seemingly, it is more important for them having a ton of paper proving the security compliance than actually having a secure system. And it’s not much different in the corporate world either. Especially when lower IT or IT Security budgets contribute to higher profit margins and by proxy, higher bonuses for “C” level execs…

About PGP/GnuPGP for the rescue stated by others…

Yes, it’s been available for about 20 years. Don’t you think that there’s a reason why it didn’t become the standard for protecting data? Like encryption is easy, but decryption is hard. Not to mention the widely populated malware everywhere, especially on Windows desktops, that may question the validity of positive ID. PKI has its own issues and it’s not for John or Jean Doe…

jbmartin6 • April 15, 2016 9:29 AM

I’m not so sure about the budget issue, although very likely a contributing factor. But there are a lot of basic security practices that don’t require money, they are simply a matter of operations. That’s not to say free, because changes to workflows and cultures are, but the actual cash cost is zero.

mike andrews • April 15, 2016 9:34 AM

on the day of deadline for some money due after an audit, my wife got a call from “the irs”, by a dude with strong indian accent but very americanised name, saying “we’ve filed suit and a sheriff will come to your house to arrest you in 45 minutes, since you didn’t pay by the deadline. but if you pay by cash now, it’ll all be settled.” so, obviously the IRS has been hacked, even recently, and our personal data stolen by these fraudsters in order for them to perpetrate such a scheme.

Yup • April 15, 2016 9:44 AM

I’ve worked with some of the IRS infosec people and I can concur that their problems are absolutely lack of budget. They’re smart, well-intentioned and…extremely few and far between. Imagine being paid peanuts to do what they’re asked to do with maybe 10% of the budget they need to do it right. It’s all they can do to keep the systems they have running with the band-aids, paperclips, bubble gum and tired, beaten down people they’re given to do it with.

Anyone who doesn’t think that just doesn’t understand the gargantuan job the IRS is tasked with. It’s easy to sit back and armchair it and whip on everyone’s favorite whipping boy, but I doubt any of you naysayers would want to do their job with the utter lack of resources and support they’re faced with.

Just like most things, everyone wants perfection and no one wants to pay for it. I’m really tired of all the moaning and whining about security on the one hand and all the “no” I hear when it comes time to pay for it.

You want security? Put your money where your mouth is. If you’re not willing to do that, sit down and shut the hell up.

[/rant]

Clive Robinson • April 15, 2016 9:46 AM

@ Bruce,

I’d say the IRS’s security is this bad for… lack of budget.

@ crandall

And you would be wrong

If UK Gov IT systems are anything to go by you both have a corner of the problem, but not the whole problem…

Almost all Western nations with Big IT programs have them fail in all sorts of ways. A cursory look at who is behind the design of these systems and how the almost always fail in similar ways should tell you it’s a problem that nobody wants to fix. After all why stop a gravy train having it’s squeaky wheels geting more than liberal bucketfulls of prime pork grease?

Part of the problem is “ownership” of the code and the designs, another part is the legal mess quite deliberately created by the suppliers, another is the kick backs to senior civil servents feathering their nests with future consultancy and senior –sinecure– positions, and the list goes on.

Basically there is little or no interest by the seniors involved in getting anything working to specification including the specification because that way the money tap gets turned off and they don’t get their continuing percentage. After all consider all the extra payments involved with sorting the endless problems out…

Causing various people to ask “Who Are the Real Welfare Queens?” and citing that such “corporate welfare” is around two and a half times the exaggerated 55 billion total of “social welfare”. Often noting that it’s, actually quite likely to be a lot, lot more because both the corporates and bureaucrats who benifit are at pains to keep such kickbacks out of public sight… whilst politicians throw as much as they possibly can under the “social welfare” label as they can to get votes from idiot voters who just swallow the headlines with their cup of tea rather than investigate a little further…

paul • April 15, 2016 9:53 AM

@mike andrews:

We’ve gotten a couple of those calls too, on days when we didn’t owe anything. So I think you just hit the jackpot. Somebody has to. (Also got a call from someone purporting to be the local sheriff’s department with a warrant out that could be settled by wiring money…)

Boris • April 15, 2016 10:30 AM

The problem is you could give them all the money in the world and they would still not fix all the reported vulnerabilities. The money would just go somewhere else instead.

65535 • April 15, 2016 11:12 AM

“It’s a lot of highly personal financial data, so it’s sensitive and important information.” -Bruce S.

I agree. And, the near very near future will be directly linked to very sensitive medical data. That is toxic [as Bruce has talked about data being toxic]. Worse, the IRS leaks data like the Titanic. Bruce notes the many ways.
How did the IRS get this much personal data – which is leaked.

I would have to point to the Tax Payment Act of 1943—Withholding and the W-4, W-2 and the IRS has an Efficient, dependable and extraordinarily invasive method of spying on people.

The heart of the 1943 act is the W4 and W2 which has the Name, address, Social Security number, sex, marital status, and number of children for each person. The actual 1040 reveal the names, ages and sex of the children belonging to said tax payer. Throw in the I-9 and the government theoretically knows the country of origin and ethnicity of their victims.

Note, that this W4, W2, and money withholding came about during World War 2. Which is somewhat like the multiple wars the USA is involved in today – but not as hot as WW2.

Fast forward to 2016 with digital documents and the leaky IRS and you have a “perfect storm” for the average Joe. The lesson learned – data gotten under the threat of war and in the wrong hands is a recipe for disaster. Don’t give the government your data!

Dan • April 15, 2016 11:17 AM

the solution is,
if they cannot secure the IRS in it’s current form and governance, remove or change it,
if the 2 Billion dollar budget is not enough for them to securely collect and process the tax returns…

shrink the IRS and it’s responsibility, make them enforcers and investigators, give the tax collection to the states in the form of sales tax.

it’s called the flat tax, and one advantage is a large percentage of the $2b per year would go back into the budget. http://www.fairtax.org I think has all the points.

the tax rules can be written on a single sheet of paper also.
the bureaucrats won’t like it because they loose control of incentives for folks to spend $$ (think mortgage, electric car, charitable deductions).

here’s the irs commissioner saying save money and simpler.
http//freebeacon.com/issues/irs-commissioner-flat-tax-simpler-save-agency-lot-money/

Dan

Mmmmmh Donuts • April 15, 2016 11:56 AM

Anyone knows how long the IRS kept their IBM 1401s running?

Revenue Canada must have kept theirs well into the 1980s, judging from all the surplus stuff they were disposing of in those years.

The IRS wouldn’t have been the only federal administration running antique gear.

David Leppik • April 15, 2016 11:58 AM

@Dan:

I don’t think 50 states are going to have fewer security holes than one federal agency. This is a difficult problem, since the information is so juicy. If you shift it to the states, you have 50 targets, each with 1/50th the security budget and 1/50th the visibility. Or less, if you’re also lowering taxes.

Of course, most of those 50 states are already collecting this information for tax purposes, so perhaps eliminating the IRS would improve security. But it sounds like you’re more interested in promoting the flat tax than coming up with solutions to the security issue.

Z.Lozinski • April 15, 2016 12:00 PM

Here in the UK, the online tax return is acknowledged (by HMRC) to be insufficiently secure for Government Ministers and Members of Parliament.

“A small minority of individual records, including those for MPs, require additional internal safeguards over and above the very high standards of confidentiality with which HMRC treat all taxpayers’ data. The separate arrangements for dealing with these records mean that the online service cannot accept your return because your taxpayer reference number will not be recognised by the authentication system.”

Source: HMRC Publication “Tax and National Insurance contributions Guide for MPs and Ministers”.

http://parliamentarystandards.org.uk/Publicationsdocs/HMRC%20tax%20guidance%202011_12.pdf

From a security point of view, once should design an online filing system to be secure for all taxpayers, since in Bruce’s words: “today’s nation state attack is tomorrow’s PhD and the next day’s script kiddie attack”

Anura • April 15, 2016 12:01 PM

Sales taxes are regressive, and harmful to the poor. The ideal solution is to eliminate taxes entirely. With public ownership of property (land and fixed structures), the government can be funded entirely through rent. No tax evasion to investigate, no chance for fraud. Of course, this will likely lead to a citizens dividend, when the government inevitably runs a budget surplus, which just introduces a different avenue for fraud.

Dan • April 15, 2016 12:17 PM

@Dan,
Hi, I am another person on this blog who goes by the psudonym “Dan”. Avoiding psudonym collision is hard on this blog 🙂

dan • April 15, 2016 12:22 PM

@David Leppik
the 50 states would only collect money (it’s a sales tax along with the state tax already collected in most states).

there is NOT ANY personal info required since you pay when you spend.

@Anura fair tax gives a refund to the poor of ALL their tax up to the poverty line ($12k ish), and the current system is unfair to EVERYONE almost.

also the IRS budget is not 2b per year, but according to the article I referenced

–how much of the IRS’ current budget of $11.2 billion could be saved if a flat tax were implemented.
“I can’t give you a guess, but it would be a lot,” Koskinen said. “It’d clearly be a sea change, a difference in the way the place operates.–

I am more against the current form of the IRS, rather than any particular new variation.
I know I want simpler cheaper and more secure. seems fair tax has those features.

Anura • April 15, 2016 12:28 PM

@dan

“fair tax gives a refund to the poor of ALL their tax up to the poverty line ($12k ish), and the current system is unfair to EVERYONE almost.”

If that’s the case, then how does your proposal prevent fraud? It seems like it introduces the exact same problem.

terry • April 15, 2016 12:29 PM

They will build hotels on Mars before a flat tax is implemented because the current system is designed for legislators to control the masses by awarding and punishing groups. It is a fact.

Bong-Smoking Primitive Monkey-Brained Tax Payer • April 15, 2016 12:48 PM

One should be very careful what to say on this particular thread. There seems to be an IRS goon[1] or two waiting to audit your a$$ if you piss them off.

[1] That’s the IRS underpaid counterpart of a spook.

Michael Dortch • April 15, 2016 12:51 PM

Sigh…

I’ve been following IT security and media coverage of the IRS’ woefully inadequate attempts to play catch-up with current technologies since the 1970s. From my perspective, technologies have continued to evolve, of course, but little if anything has changed in terms of how the IRS acquires, implements, and operates its IT.

Until and unless the IRS is compelled to be more transparent, agile, and subject to external oversight — and serious penalties for non-compliance with at least basic, proven best practices for protection of sensitive data — little will change or improve. And until and unless the ecosystem of contractors, lobbyists, legislators, and politicians who benefit from the status quo is extremely disrupted or displaced, inertia will cause the current state of affairs to continue along its current, sad, and potentially dangerous trajectory.

Of course, such disruption or displacement will require massive legislative reform, which will require significant and sustained voter and legislator activism. Which of course will likely require fundamental changes in how laws and regulations are drawn up, passed, and enforced. Which of course will likely require fundamental changes in how regulators and legislators are appointed, elected, and overseen. Which of course will likely require fundamental changes in how political campaigns are funded and run. Which will of course likely require far more focus and political will than we’ve seen so far from most if not all of the constituents being negatively affected.

Sigh…

tz • April 15, 2016 1:15 PM

Was the Obamacare healthcare.gov website such a disaster for “lack of budget”?

After writing “liars and outliers”, I would think you would have learned a bit about incentives.

You need to check into some basic economics – public goods and externalities. A public good is something you can’t provide to just one person – an example is artistic or literary works, which is why we have copyright. An externality is like pollution – everyone in the city might be damaged a penny or two, so there is no incentive to take them to court to stop.

How do you create an incentive for either the IRS as a whole, or any particular person within the IRS to make their systems secure?

Consider Hillary Clinton – how secure were her CLASSIFIED emails, and is anyone ever going to prison? No, they’re going after Edward Snowden who might have compromised less information.

If every tax record was made public, no one at the IRS would be demoted, lose a raise, or suffer anything. The IRS wouldn’t be defunded.

If you and/or your company would not only get paid, but could add costs to “fix” problems if you provided a defective system (see the F31 fighter), would you deliver a perfect system the first time, or deliver a defective one that you could eventually collect several times the initial contract cost?

THAT is the problem. You can throw as much money at it as you want, but no one will care. Even “privatization” won’t work – Obamacare was contracted out and even Snowden worked for a contractor.

Money can only buy security when security is the top priority to spend the money on, and when there are real penalties for failure.

The incentives are to give CronyCorp. the contract for 5 billion dollars because they gave $100M for your presidential library or foundation. It isn’t your money, it is some amorphous, abstract “taxpayers” – some who are not yet born considering the deficit – who are paying for it. There is no incentive to hold CronyCorp accountable, because there will always be more presidents, foundations, and libraries.

The taxpayers are an “externality” that suffers all the failures, both in getting their data exposed and in having to pay for all kinds of stupid and failed systems. But the crony insiders all continue to profit and succeed.

Milo M. • April 15, 2016 1:34 PM

@ mike_andrews :

“so, obviously the IRS has been hacked, even recently, and our personal data stolen by these fraudsters in order for them to perpetrate such a scheme.”

No need for that. Name, address, and phone number are pretty accessible. The last four digits of a SSN can be acquired various ways that don’t involve hacking anything.

This scam has been in the wild since at least 2013.

https://www.irs.gov/uac/Newsroom/IRS-Warns-of-Continued-Scams-and-Varied-Tactics-as-the-Tax-Deadline-Nears

http://money.cnn.com/2013/10/31/pf/taxes/irs-phone-scam/index.html

http://www.cnet.com/news/scam-draft-internal-revenue-service-irs-phishing/

http://www.cbsnews.com/news/irs-warns-of-biggest-tax-scam-ever/

http://www.bbb.org/blog/2014/10/scam-warning-the-ongoing-irs-phone-scam/

https://www.treasury.gov/tigta/contact_report_scam.shtml

And there’s a new twist, courtesy of Congress:

https://www.washingtonpost.com/news/federal-eye/wp/2015/12/20/will-scammers-hide-behind-new-law-for-private-tax-collectors/

“Generally, the IRS does not contact taxpayers by phone. But legitimate bill collectors and tax scammers do. Once the private collection program begins, which Congress says should be early next year [2016], it will be even more difficult to distinguish between the real and fake bill collectors.”

Anura • April 15, 2016 1:55 PM

@tz

“Was the Obamacare healthcare.gov website such a disaster for “lack of budget”?”

That was a problem because they contracted the website out to the lowest bidder, when they should have built and maintained it in house. Contractors have incentive to put as little effort into it as possible so they can increase their profit margins.

PhilS • April 15, 2016 3:23 PM

@mike~acker

Basically a good idea. But what is also needed is for the IRS to set up and publish their public key on their website. Then a taxpayer can download the PDF forms, fill them out off-line,encrypt them with the IRS’s public key. (All preferably on an air-gaped computer.) Then sneaker-net the encrypted files to the on-line computer and send to the IRS. Complete end-to-end encryption.

If they implement such a system then I will likely give up my “old school” of using dead trees to send in my taxes.

Michael Dortch • April 15, 2016 3:24 PM

Some interesting and timely commentary on the IRS and our taxation system: http://www.nytimes.com/2016/04/14/opinion/the-real-welfare-cheats.html

My favorite take-aways:

According to the Oxfam study cited in the piece, “for each dollar America’s 50 biggest companies paid in federal taxes between 2008 and 2014, they received $27 back in federal loans, loan guarantees and bailouts.”

Also from the same study: “each $1 the biggest companies spent on lobbying was associated with $130 in tax breaks and more than $4,000 in federal loans, loan guarantees and bailouts.”

Where can I get my own lobbyist? Sigh…

off-the-wall • April 15, 2016 9:11 PM

Maybe Trump will build a firewall?

r • April 15, 2016 9:24 PM

If your government can’t or won’t protect your data: encryption can and will.

Wael • April 15, 2016 9:34 PM

How does the IRS deal with bitcoins? Not the I own any…

Anura • April 15, 2016 11:33 PM

@Wael

Bitcoins are treated like property. If you receive bitcoins as payment, you are required to report the fair market value of that property. If you buy bitcoins for $5000 and sell them for $6000, you report that as $1000 in capital gains.

There’s an IRS FAQ in PDF form I read a while back, which I’m sure you can google for.

Wael • April 15, 2016 11:48 PM

@Anura,

There’s an IRS FAQ in PDF form I read a while back, which I’m sure you can google for

Thanks. Maybe on a brighter day when investment is an option 😉

Jon • April 16, 2016 2:35 AM

The IRS’s biggest security problem is one not of its own making. If you will insist on trying to do security with publicly available data like the SSN, you deserve everything that’s coming to you.

Wesley Parish • April 16, 2016 4:46 AM

I think I’ve harped on this matter before, but since the record’s broken and people have sieves like memories, I suppose I should reiterate:

because personal data is generated by the person, not the company or the state, the personal data is the personal property of the person, not the state or the company. Hence the personal data is entrusted by the person to the state or the company, not owned by the state or the company.

The corollary of this is the state and the company are in each and every case accountable to each and every individual citizen or customer whose data they are entrusted with.

You should get a fine-size set of class actions out of that. Lessee, at an estimated two hundred million potentially aggrieved citizens from all fifty states, that’s a whole lot of pressure to bring to bear.

James Sutherland • April 16, 2016 5:40 AM

From what I’ve seen of large companies and public sector outfits, the problem is not as simple as “not enough budget”, but “not enough inventive”. When a bank screws up security, they bury the story. When a government agency gets compromised, they either blame the attacker or try to paint it as inevitable. Either way, they don’t end up losing customers or money over it.

We saw a version of this with TalkTalk in the UK (bottom-end ISP with a large market share), when they were compromised for something like the third time in a single year, losing the customer database and billing information yet again, this time to a curious teenager trying an exploit older than he was. How much blame attached to the company and its management for failing to comply with their moral (and, in Europe, legal) duty to keep that information safe? As far as I saw: none! No jail time, no fines, not even a proper investigation of their failings. Being a private business, though, they did at least lose a lot of customers who were affected and recognised their choice of supplier was a bad one.

The IRS, though, could be storing all the taxpayer data in a world-readable Google Docs spreadsheet, and their “customers” would still be forced under threat of jail to populate it with their data – so why bother securing it properly? When was the last IRS employee fired or prosecuted for failing to secure systems properly?

In uniform, it’s “secure the classified into or be court-martialled” – and that actually works, for the most part. Throwing money into the system won’t fix anything, because this is not “we can’t afford to buy two-factor key fobs for our staff” or “we can’t afford to air gap the key systems”, but “the organisation doesn’t feel the need to secure things better”.

mike andrews • April 16, 2016 5:44 AM

paul and milo, thanks for your responses. one thing i didn’t mention is that the dollar amount supposedly due was also recited by the caller, which to my mind had to somehow originate from the IRS’s private databases.

DS • April 16, 2016 9:51 AM

Relevant parallel: a hack of the Philippine government, releasing massive amounts of sensitive data.

http://www.troyhunt.com/2016/04/when-nation-is-hacked-understanding.html

Something like this in the US? That would be interesting to watch.

Milo M. • April 16, 2016 11:32 AM

@mike andrews:

Knowing an accurate dollar amount is pretty scary. And does sound like an inside job or a hack, though the hack could have been of some entity other than the IRS (e.g., a tax preparer, a lawyer, an accountant, etc.).

I know two people (one a family member) who got these calls a year or two ago. Neither one really owed anything, but they were initially willing to believe that maybe they did. Both fortunately smelled a rat before losing any money.

We have gotten one call, a few months ago. Hung up after the very guttural announcement, “This is the IRS”, so have no idea what came next.

Kerkston • April 16, 2016 11:50 AM

Terence V. Milholland is the current and first IRS Chief Technology Officer/CTO since 2008… responsible for all aspects 400+ IRS systems. He manages a multi-billion dollar budget and 7,000-person tech organization.

He was previously CTO for Visa International, Electronic Data Systems Corporation, and The Boeing Company. Has a BS in Physics from the University of Maryland and MS in Computer Science from George Washington University.

Milholland stated to the Washington Post that he quickly learned that a primary measure of his IRS technical job performance was keeping the IRS out of the newspapers (adverse publicity).

In 2013 the GAO discovered the IRS and parent Treasury Dept had wasted hundreds of millions of dollars in mismanagement of the routine area of agency commercial software licenses.

However, Milholland could fix the many IRS security problems– except cheap & dumb taxpayers somehow won’t give him a much larger budget to work with (?)

CallMeLateForSupper • April 16, 2016 12:04 PM

@PhilS
“Then sneaker-net the encrypted files to the on-line computer and send to the IRS. Complete end-to-end encryption.”

Lovely. But the problem at hand is not taxpayer PI being snatched from the internet, it is taxpayer PI being stolen from IRS computers. What becomes of your PI after IRS decrypts your carefully encrypted and sneaker-netted tax documents? It gets stored – IN THE CLEAR – on an insecure IRS computer.

Nick P • April 16, 2016 2:28 PM

@ Kerkston

Great summary. This isn’t about budget so much as willingness to act. Their document and request/response style of doing things without time guarantees is actually the easiest type of architecture to secure with things like network guards. There’s also been free solutions like Truecrypt, OpenBSD, whitelisting, vulnerability scanners, and so on. They just don’t apply much of it. Contrast it with the security-focused organizations that rarely have problems despite their IT staff to systems ratio and budget being lower.

They’re just not trying. They might also have a budget issue if we’re talking licensing of best-of-breed solutions for mainframes, etc. Yet, they could be doing a ton more with what they have just using free stuff. Where’s the evidence they’re doing it?

Anon10 • April 16, 2016 6:41 PM

There’s a really easy solution to the problem of tax refund fraud: require all tax refunds to be deposited in a bank account associated with the filer’s SSN. The main obstacle to that is not lack of IRS budget, or even an incompetent IT security staff, but political.

Marcos El Malo • April 16, 2016 10:19 PM

It’s a government-wide problem not confined to the IRS. The problem is that Cybersecurity should be a cabinet level department with the authority to create and implement security policies and then audit and enforce. Instead, a spy agency has been given the job, a spy agency that works with and cultivates cybercriminals.

Debating sales taxes and flat taxes is irrelevant at best.

trsm.mckay • April 19, 2016 4:59 PM

There are some problems almost unique to the IRS, though I am certain they share problems common with other large US and state departments too.

The almost unique IRS problem (shared with only a few others like Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) where congress refused to confirm any director for years) is that they are disliked by a significant group – for the IRS this would be the money party (almost all Republicans, and many Democrats). The IRS has been under substantial attack to hinder their ability to find tax cheats. The small guys may cheer (no one like paying taxes, and hard to dislike when congress cuts them down), but the real victors are the top 0.1% earners who use questionable methods to avoid paying taxes.

If they had enough budget (and motivation to solve the common problems) they might not only provide security, but catch the tax cheats as well. So long as the tax cheats have as much control over government as they do, I don’t expect the IRS computer systems to get much better. A good part of the “starve the beast” and “make government small enough to drown in a bathtub” folks have the IRS as their primary target (only just ahead of pollution and environment regulations).

AJWM • April 19, 2016 5:17 PM

@Mmmmmh Donuts

Actually, I worked at Revenue Canada HQ a couple of times in the 1970s, once as a keypunch operator, another time as a security guard. (Students acquire the strangest resumes.)

No IBM 1401s then that I recall. They had IBM 360s, Honeywells, Univacs and assorted other mainframes, but no 1401s (or Burroughs), at least not in the main data centre or anywhere else I did my rounds. Maybe the surplus stuff was sitting in a storeroom in the basement or something.

SJ • April 20, 2016 9:37 AM

…and this is why I print my 1040, and send it via U.S. Postal Service.

Even though both Intuit_TurboTax and the IRS want me to submit it electronically.

Marcos El Malo • April 20, 2016 1:38 PM

@SJ

I don’t think that paper filing is going to afford you much protection. Your paper tax return gets scanned and the data extracted and stored in an IRS database. The databases reside on networked computers—and the security of those networks and computers are in doubt. Mitm attacks between you and the IRS should be the least of your worries. It’s those fat juicy databases that are the target.

IRS Security

Comments

Leave a comment Cancel reply