Internal Revenue Service cybersecurity is woefully inadequate, and Congress is to blame, according to Sen. Ron Wyden, D-Ore.
“Congress has sat back and watched while criminals have come in and preyed on taxpayers,” Wyden said at a Senate Finance Committee hearing on Tuesday. The hearing addressed cybersecurity as it relates to taxpayer data, with testimonies from the IRS, Government Accountability Office (GAO), and Treasury Department.
Recent GAO reports have found significant vulnerabilities in the IRS’s coverage of taxpayer data, with significant problems in IRS’s Get Transcript program, e-file PIN retrieval, and fraud PIN retrieval.
“Key systems that should have been encrypted were not encrypted,” GAO comptroller general Gene Dodaro said of a recent IRS audit. He noted that of 49 prior security flaws GAO had identified, the IRS stated that they had complied with 28. Yet the GAO found that nine of those that had been reportedly complied with still retained key vulnerabilities. GAO also criticized the IRS’s use of single-factor identification in accessing their systems, as well as weaknesses in the Get Transcript program.
“These processes and procedures do not comply with government standards,” Dodaro said.
Wyden argued that many of the IRS’s weaknesses stemmed from a lack of funding and authority that should be granted by Congress.
“The IRS does not have the legal authority it needs from the Congress to build a cybersecurity team that can beat back the cyber attacks,” Wyden said. In particular, he emphasized the lack of Streamlined Critical Pay Authority that was necessary to hire the IT experts needed to protect taxpayer information.
“The authority expired in 2013 and the IRS has lost many of its experts,” he said.
The authority used to allow the IRS to hire a select number of IT experts without having to go through the months of paperwork and verification typically required for those positions. Without it, those offered a job at the IRS can expect to wait 3-6 months before being officially hired.
“Most of those people aren’t around when we come back [to them],” IRS Commissioner John Koskinen said. “Replacing them is very challenging for us.”
Another issue is the fact that the IRS does not have the legal authority to set standards on paid tax preparers that would ensure data security on the preparer’s end. When they tried to do so, Dodaro noted, the standards were overturned by the courts because it was determined that the IRS did not have the authority to enforce them.
“I cannot understand, for the life of me–when taxpayers are getting ripped off–why we don’t have minimum standards,” Wyden said. In fact, GAO found that paid tax preparers make mistakes approximately 60 percent of the time, compared with the 50 percent of mistakes occurring when citizens do their taxes themselves.
“We’ve recommended that Congress give the IRS the authority to set standards for paid tax preparers,” Dodaro replied.
Wyden was not the only senator to admit congressional culpability. “We have some responsibility too,” said Sen. Tom Carper, D-Del.
Congress is beginning to work on some of these issues, as Wyden, along with Sen. Orrin Hatch, R-Utah, has proposed a bill that would reinstate the Streamlined Critical Pay Authority to the IRS, alleviating its IT workforce strain. Processing of the bill, however, has been repeatedly delayed.
“I think this is a problem for all of our government,” said Sen. Maria Cantwell, D-Wash.