A government watchdog told lawmakers Tuesday that the Internal Revenue Service has failed to put in place dozens of security upgrades to fight cyberattacks, improvements he said would have made it “much more difficult” for hackers to gain access to the personal information of 104,000 taxpayers in the spring.
“It would have been much more difficult if they had implemented all of the recommendations we made,” J. Russell George, the Treasury Inspector General for Tax Administration, told the Senate Finance Committee at a hearing on the data breach, which the IRS says was part of an elaborate scheme to claim fraudulent tax refunds.
George and IRS Commissioner John Koskinen also said the thieves are operating a worldwide criminal syndicate that originates not just in Russia but in many other countries.
“It’s beyond Russia,” George said, denying media reports last week that said authorities believed the hackers, who used information stolen from previous breaches to complete a complex authentication process and request tax returns and other filings, were located in Russia.
“The domain names originated in other nations, too,” George said. “This is coming from several different countries that are syndicated around the world…You could be in Florida and be using a router or server and working with a different country on the other side of world.”
Added Koskinen of the criminals: “They cross geographic boundaries and cooperate when it’s in their interest.”
The committee is examining the increasing security risks faced by the IRS, which revealed last week that thieves hacked into a system called “Get Transcript,” clearing a security screen that requires users to know the taxpayer’s Social Security number, date of birth, address and tax filing status. The criminals were able to use the information to submit fraudulent tax returns. About 13,000 of these fraudulent returns were processed this tax season, costing the IRS about $39 million, Koskinen said.
Internet security for the IRS has been the inspector general’s top concern since 2011. His investigators audit the agency’s security systems every year and suggest improvements. For example, they are now auditing the effectiveness of the process for authenticating data when Americans file their tax returns.
As of March, 44 of those upgrades had not been completed, including vital security patches, George said. Ten of the recommendations were made more than three years ago.
“We also found that the IRS is not monitoring a significant percentage of its [computer] servers, which puts data at risk,” George said. “They need to be even more vigilant to protect the confidentiality of their data.”
Koskinen said his IT security staff has implemented many changes to shore up IT security, thwarting 3 million suspicious tax returns this tax season and heading off many false refunds. But he noted that hackers move faster than the government.
“What worked yesterday, what worked a year ago, may not work again today,” Koskinen said. He reiterated his long-standing concern that the IRS is hampered by antiquated computer systems: “Some of our systems don’t have patches, because they no longer support it. Some of our systems are 50 years old.”
Budget cuts have been an obstacle to security upgrades, Koskinen said, although Republicans on the committee were less sympathetic to money shortages than Democrats. Funding for cybersecurity fell to $149 million this fiscal year from $187 million in 2011, he said. Congress, led by House Republicans, has cut the overall IRS budget by $1 billion since 2010, to $10.9 billion this year.
Koskinen also said he has been unable to hire top IT talent to replace outgoing staff, since the federal hiring process is cumbersome and the government pays less than the private sector. A program that allowed the agency to circumvent normal hiring rules and pay higher salaries expired in 2013 and has not been renewed.
Koskinen said his staff is teaming up with tax preparation software companies and state tax authorities on a strategy to block hackers from filing false tax refunds. The groups will team up for next year’s tax season, shoring up the security of their computer networks. They will announce the new measures next week, he said.
Several senators acknowledged, though, that they are not optimistic that the IRS will be able to win the race against identity theft. Sen. Bill Nelson (D-Fla.) read from a list of victims in his colleagues’ states, from his own state of Florida (334,962 victims) to Utah (10,000 victims). He said 2.7 million Americans have had their identities stolen.
Sen. Ron Wyden (D-Ore.), the committee’s top Democrat, called the breach announced last week “an attack on the security of America.”
“The money stolen in the cybercrime wave could end up in war zones,” he said. “It could be used to fund acts of terror without being traced.”
Said George of the increase in cyberattacks: “This is a federal,state, local, global problem. I don’t see it ending anytime soon. As soon as the IRS increases its security posture, the bad guys will increase their efforts. They have a lot of time on their hands.”