IRS improves security, but challenges remain
- By Derek B. Johnson
The IRS officials responsible for protecting taxpayer data are getting better at their jobs, but so are the fraudsters.
In a Government Accountability Office audit released on July 23, the agency received mostly passing marks on identity authentication. However, auditors identified a range of incomplete tasks that have uncertain funding and said a rapidly changing threat landscape threatens to overwhelm the agency's cybersecurity and IT resources.
Online services, which account for 16.5 million of the approximately 28.5 million people authenticated in 2017, fared the best, with auditors noting that the IRS regularly assesses risks and monitors its online applications but "has not established equally rigorous internal controls for its telephone, in-person and correspondence channels."
Officials have started holding regular "security summits" with industry and cybersecurity experts to gain better insight into the current threat landscape. A strategic road map developed in 2016 outlined core strategic objectives for achieving better identity proofing and unearthed dozens of recommended steps to get there.
However, auditors noted that in many cases, officials at the tax agency have failed to match those projects with available funding or agency resources, leading to concerns that momentum could stall or the projects could become de-prioritized.
The findings come as IRS faces increasing threat from hackers, identity thieves and a boom in tax refund fraud. Fraudsters made off with $1.6 billion in identity theft tax refund fraud in 2016, but the IRS says it managed to successfully block an additional $10.5 billion in illegal transactions. Earlier this month, the agency created a new resource guide on data protection for tax professionals and updated another publication on safeguarding taxpayer data.
Additionally, the agency has faced criticism in Congress and within the information security community for a range of stumbles around protecting sensitive data in recent years. A day after GAO released its audit, the Treasury inspector general released a separate report flagging security vulnerabilities in one of the IRS' customer online portals, finding that the status quo "unnecessarily expose[s] taxpayer data to unauthorized access and disclosure."
The biggest threat identified in the report was not any particular weakness in the IRS network, but rather the increasing sophistication and adaptability of attackers.
Charles Rettig, the Trump administration's nominee for IRS commissioner, has said that modernizing IRS systems to facilitate better protection of taxpayer data will be one of his top priorities if confirmed.