Main Street Practitioner Blog


Senate Finance Committee Agrees IRS Needs to Address Cybersecurity Weaknesses


All agreed at the Senate Finance Committee’s (SFC’s) cybersecurity hearing on April 12 that taxpayers are becoming more vulnerable to increasingly sophisticated criminal tactics designed to steal personal identity information. "Taxpayers have been failed by the agencies, the companies, and the policymakers here in Congress they rely on to protect them," ranking member Ron Wyden, D-Ore., stated in his remarks aimed at sharing blame among all stakeholders. Nevertheless, the majority of testimony focused on IRS shortcomings.

IRS Commissioner John Koskinen's testimony revealed that securing taxpayer data is a top priority at the IRS, but that the Service faces challenges in dealing with a type of criminal activity that is consistently evolving. Koskinen pointed to the efforts made by the IRS in increasing cybersecurity, singling out the formation of the Security Summit group. That group has been operating as a partnership with the IRS, state tax officials and the electronic tax and software industries as key participants. NSA Executive Vice President John Ams is a member of the group’s Tax Pro subgroup and has been heavily involved in discussions about the involvement of tax professionals in securing their taxpayer data.

Chairman Orrin G. Hatch, R-Utah, applauded the creation of the Security Summit group in his opening statements. He went on to acknowledge, however, that, "in the face of this progress, we have also seen unprecedented growth in the scope and scale of cyber attacks aimed at stealing personal information and billions of dollars from taxpayers."

In discussing ways to defend against current cyber attacks and security breaches, Koskinen and Wyden pointed to the importance of the IRS regaining the ability to regulate tax return preparers. The National Society of Accountants sent a letter to the Senate Finance Committee prior to the hearing supporting the regulation of tax return preparers provided that the IRS is required to recognize third party examinations such as those offered by states such as Oregon and Maryland and by nationally recognized organizations such as the Accreditation Council for Accountancy and Taxation.

Treasury Inspector General for Tax Administration (TIGTA) J. Russell George's testimony mentioned the way in which the IRS fell short in its responsibilities to provide secure tools and systems for taxpayers to protect themselves from criminal manipulation. According to TIGTA analysis, the IRS remains noncompliant with various recommendations and federal law with regard to its cybersecurity systems.

George reported that the IRS failed to adhere to standards issued by the Commerce Department’s National Institute of Standards and Technology (NIST), which requires multifactor authentication for its e-Authentication processes. These high-risk processes are designed to be used for online IRS tools such as the IRS’s Get Transcript and Identity Protection Personal Identification Number (IP PIN) applications. As it stands, "the IRS remains noncompliant with single-factor authentication requirements," George stated.

In examining additional shortcomings of IRS cybersecurity, Sen. Charles E. Grassley, R-Iowa, former SFC chairman, pointed to the findings of two Government Accountability Office (GAO) reports for 2015 and 2016 on cybersecurity. Those reports highlighted that two particular IRS databases remained noncompliant each year despite recommendations that passwords expire every 90 days. In following up on what such password implementations would require from a cost-analysis perspective, Grassley asked GAO Director of Information Security Issues Gregory Wilshusen, "It is common to hear that the lack of funding is why we cannot have better cybersecurity…what is the approximate cost of setting up a password to expire every 90 days?" Wilshusen said that such a cost would be "negligible," adding that "it would be very low-cost, indeed." When asked the same question, Koskinen also confirmed such changes would be "low-cost."

"Agency watchdogs and auditors put out a lot of recommendations that took time and money and would help solve problems," Grassley observed. "It’s frustrating when agencies don’t implement the recommendations and even more frustrating when they don’t have a good reason for not implementing the recommendations, as we saw with the IRS today."

When it comes to assigning blame, however, Sen. Thomas Carper, D-Del., agreed with Wyden, stating, "We have some responsibility in this, too, and one of the things we can do to help out would be to provide for the reestablishment of the streamlined critical pay program." Although participants at the hearing voiced some disagreement over the degree of blame that should be assigned between the IRS and Congress, the importance of working together to further achieve stronger cybersecurity systems was also stressed.

When asked whether electronic filing was safe despite the increase in cybersecurity attacks, Koskinen responded that fraud will continue to exist as well within the paper-return environment. On balance, he said, "our advice to you is to file electronically."

Committee Chair Orrin Hatch, R-Ut., concluded the hearing by expressing his determination to have the Committee consider a cybersecurity bill in the near future.

By Jessica Watkins, Wolters Kluwer News Staff

#IdentityTheft #IndividualIncomeTax #DataSecurity #NewsandInformation #IRS