[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CAN THE IRS PROTECT TAXPAYERS'
PERSONAL INFORMATION?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
April 14, 2016
__________
Serial No. 114-72
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
________
U.S. GOVERNMENT PUBLISHING OFFICE
20-842 PDF WASHINGTON : 2017
____________________________________________________________________
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair

Majority:
FRANK D. LUCAS, Oklahoma
F. JAMES SENSENBRENNER, JR., Wisconsin
DANA ROHRABACHER, California
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
JOHN R. MOOLENAAR, Michigan
STEVE KNIGHT, California
BRIAN BABIN, Texas
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois

Minority:
EDDIE BERNICE JOHNSON, Texas, Ranking Member
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
KATHERINE M. CLARK, Massachusetts
DON S. BEYER, JR., Virginia
ED PERLMUTTER, Colorado
PAUL TONKO, New York
MARK TAKANO, California
BILL FOSTER, Illinois
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair

Majority:
FRANK D. LUCAS, Oklahoma
MICHAEL T. McCAUL, Texas
RANDY HULTGREN, Illinois
JOHN R. MOOLENAAR, Michigan
BRUCE WESTERMAN, Arkansas
GARY PALMER, Alabama
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
LAMAR S. SMITH, Texas

Minority:
DANIEL LIPINSKI, Illinois, Ranking Member
ELIZABETH H. ESTY, Connecticut
KATHERINE M. CLARK, Massachusetts
PAUL TONKO, New York
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
EDDIE BERNICE JOHNSON, Texas
CONTENTS

Thursday, April 14, 2016

Witness List
Hearing Charter

Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Daniel Lipinski, Minority Ranking Member, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Witnesses:

The Honorable John Koskinen, Commissioner, Internal Revenue Service
    Oral Statement
    Written Statement
The Honorable J. Russell George, Inspector General, Treasury Inspector General for Tax Administration
    Oral Statement
    Written Statement
Mr. Gregory Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office
    Oral Statement
    Written Statement

Discussion

Appendix I: Answers to Post-Hearing Questions

The Honorable John Koskinen, Commissioner, Internal Revenue Service
The Honorable J. Russell George, Inspector General, Treasury Inspector General for Tax Administration
Mr. Gregory Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office

Appendix II: Slides

Document submitted by Representative Barbara Comstock, Chairwoman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Barbara Comstock, Chairwoman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Barbara Comstock, Chairwoman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
Statement submitted by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
CAN THE IRS PROTECT TAXPAYERS'
PERSONAL INFORMATION?
----------
THURSDAY, APRIL 14, 2016
House of Representatives,
Subcommittee on Research and Technology,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 10:05 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barbara
Comstock [Chairwoman of the Subcommittee] presiding.
Chairwoman Comstock. The Committee on Science, Space, and
Technology will come to order.
Without objection, the Chair is authorized to declare
recesses of the Committee at any time.
Good morning, and welcome to today's hearing titled "Can
the IRS Protect Taxpayers' Personal Information?" I now
recognize myself for five minutes for an opening statement.
As someone who, myself, received one of those IRS letters
telling me that my tax information had been possibly
compromised, as the deadline to file taxes winds down, you
know, certainly the only question on taxpayers' minds should be
when they will receive their tax refund and not whether someone
else has already beaten them to it. You know, as I said, I
received that letter actually last year informing me that my
account may have been compromised, but recent news reports and
audits of the Internal Revenue Service by the Treasury
Inspector General for Tax Administration and the U.S.
Government Accountability Office would suggest otherwise.
On May 26, 2015, the IRS announced that criminals had
gained unauthorized access to taxpayer information through its
online "Get Transcript" application by accurately answering
taxpayers' security questions. At first, as it shut down the
application, the IRS claimed that around 100,000 taxpayers'
accounts had been accessed out of about 200,000 total attempts.
Since then, those numbers have been revised to approximately
340,000 in August, and as of this February this year to over
700,000 taxpayers who have had their personal and tax data
stolen. So I guess I'm in a lot of company.
The theft of this data enabled hackers to access
information from prior tax returns, which resulted in
fraudulent tax claims. Approximately 15,000 of the fraudulent
tax claims were successfully filed with the IRS leading to an
estimated $50 million in illicit refunds--$50 million in
illicit refunds to people who have stolen information and who
had no right to that $50 million.
Then on March 7, 2016, the IRS suspended the Identity
Protection Personal Identification Number--or IP PIN--
application due to security concerns. The IRS began issuing IP
PINs five years ago to victims of identity theft as an
additional layer of security when they filed their taxes. But
the system to protect the IP PIN application was the same as
the "Get Transcript" application that was hacked last year.
While the IRS suspended the "Get Transcript" application in
May, it did not--May of last year--it did not suspend the IP
PIN application until last month, during which time at least
one individual had her taxpayer information stolen and used to
file a fraudulent tax return.
I understand and sympathize with the frustrations of the
American public and the hardworking taxpayers over these
incidents. And what makes matters worse is that no one had to
break into the IRS system to access information. Instead, the
criminals used information from other cyber-attacks to
accurately answer questions on the IRS website to access
information they should not have been able to access, and may
not have been able to access had the agency followed security
guidelines provided by the National Institute of Standards and
Technology. This ostensible lack of compliance with NIST
guidelines is disconcerting, to say the least.
While I appreciate the IRS's efforts to accommodate most
people's desire to access their tax information electronically,
it cannot do so at the expense of their security. Again, as
someone whose own information was possibly compromised, we
never know in last year's OPM hack, I assure you, more security
is better than less. This would also help many of my federal
employee constituents who were impacted by the OPM breach, and
I can tell you, as I go around to dozens and dozens of events
and businesses, one of the first questions I ask them is, how
many of you have had your information breached, how many of you
have gotten those letters, because I've gotten two of them. I
had my OPM information also breached. And it is rare that I
don't have half of the hands at any meeting in my district go
up, that they have had some type--they've gotten one of those
letters from the government. As one of the largest health
insurance providers in the Commonwealth, the Anthem hack also
hit close to home for us.
I look forward to hearing from our witnesses today, and I
thank you all again for being here.
[The prepared statement of Chairwoman Comstock follows:]
Chairwoman Comstock. Before I recognize the Ranking Member,
I would like to ask unanimous consent to enter into the record
a couple of reports relevant to the hearing: one by the GAO and
one by TIGTA. I also plan to submit my letter minus some of the
personal information just so we have a sample of that. So
without objection, so ordered.
[The information appears in Appendix II]
Chairwoman Comstock. And I now recognize the Ranking
Member, the gentleman from Illinois, Mr. Lipinski, for an
opening statement.
Mr. Lipinski. Thank you, Chairwoman Comstock, for holding
this hearing, and welcome to the witnesses today. Today we'll be
discussing cybersecurity breaches at two IRS online service
portals.
Just about every American can expect to interact with the
IRS during his or her life, and the agency's responsibilities
make it privy to significant amounts of personal information
about all of these individuals. Consequently, the data breaches
at the IRS are particularly troubling and we should closely
examine what the IRS has done wrong when it comes to protecting
the personal information of Americans, how it can do better in
regard to cybersecurity, and what Congress can do to better
support IRS cybersecurity efforts. In meeting their obligation
to pay taxes, Americans should have confidence that the IRS is
taking all possible steps to protect them from cyber thieves.
Cybersecurity remains an evolving challenge across federal
agencies as well as the private sector. Standards that were
leading edge a year ago may be outdated today. Security is not
a one-time goal to be achieved and placed on autopilot; it is a
process that requires vigilance, continual learning, and fast
dissemination of critical information to prevent and respond to
new threats. While no entity, public or private, can protect
data with 100 percent certainty, we must be nimble in learning
from failures or missteps in cybersecurity policies and
procedures.
To this end, we should heed the careful and detailed
recommendations of the GAO and the Inspectors General. We must
also ensure that decisions on cybersecurity policies are backed
by a process that supports accountability, robust and forward-
looking decision-making, and a clear sense of the consequences
that can stem from data security failures.
Unfortunately, it is not at all apparent from the recent
breaches at the IRS that the agency's policies were governed by
such a comprehensive process. The two breaches that we are
discussing today--the Get Transcript application and the
Identity Protection PIN application--should not be viewed in
isolation. Both of these breaches were facilitated in part by
the same security weakness, namely the overreliance on out-of-
the-wallet questions derived from credit report data. While in
principle the answers to such questions should only be known by
taxpayers, in practice they can often be guessed or uncovered
from sources such as social media or websites compiling public
record data. As a result, a breach in one application should
have tipped off the IRS that the other was vulnerable as well.
Yet the agency continued to make online IP PIN retrieval
available long after shutting down the Get Transcript
application because of security concerns. Further, the agency
continued to do so even after the Treasury Inspector General
for Tax Administration warned the IRS to shut down the IP PIN
tool as well.
We must get clarity on what steps the IRS is taking to
ensure internal information sharing so that any breaches and
their implications are quickly assessed across the entire
organization and not just separate units or staff dealing
directly with a problem at hand. Further, we must examine why
the IRS ignored or deprioritized the TIGTA recommendation to
shut down the IP PIN tool. Simply put, given how one breach
built on the other, this should not have occurred.
In the context of this hearing, it is important to talk
about NIST, an agency that this Subcommittee has jurisdiction
over. NIST plays an important role in developing technical
standards and providing expert advice to agencies across the
government as they carry out their responsibilities under the
Federal Information Security Management Act, or FISMA.
It is clear that the IRS did not follow the risk analysis
or cybersecurity and authentication standards set by NIST when
it set up these portals. The most important question is
"why?" Was it a lacking--was it a lack of understanding of
the standards? In this case, we need to have NIST here to talk
about the standards and how to make them more clear. Or are
there technical barriers to implementing the NIST standards at
all? In this case, we need to have information on why these
applications were allowed to go live in the first place. Or was
this a strategic decision driven by tradeoffs between consumer
convenience and security? These were put online to make the
experience of taxpayers with the IRS better and easier. But if
that's the case, we must be clear: the IRS has a unique role
among federal agencies and holds information on taxpayers that
few others have. Protection of taxpayer data must be a top-
level priority, and we must work to ensure that a breach of
this nature doesn't happen again.
Finally, I'd like to note that successful data security
efforts depend on agencies being able to hire experienced
cybersecurity professionals as well as having budgetary
resources specifically directed toward security infrastructure.
While some security failures at the IRS raise oversight
questions about decision-making protocols at the management
level, we also cannot ignore that successful implementation of
good security practices costs money. Although this is beyond
the scope of our Committee's jurisdiction, I am concerned that
Congress has yet to reauthorize IRS's streamlined critical pay
authority which helps the agency compete with the private
sector for top cybersecurity talent. And as Congress makes
funding decisions for the coming fiscal year, we must ensure
that we provide resources to match current IT-specific needs.
I look forward to this morning's discussion, and I yield
back the balance of my time.
[The prepared statement of Mr. Lipinski follows:]
Chairwoman Comstock. Thank you, and I now recognize the
chairman of the full Committee, Mr. Smith.
Chairman Smith. Thank you, Madam Chair, and I appreciate
the witnesses being here today.
In this Congress, the Science Committee has held half a
dozen hearings on cybersecurity issues and vulnerabilities at
federal agencies, and we continue to hear the concerns of
millions of Americans who quite frankly don't trust the federal
government to protect their personal information from cyber
criminals. Too many federal agencies fail to meet the basic
standards of information security. We've seen this with
HealthCare.Gov and the cyber breach at the Office of Personnel
Management. The same is true for the IRS.
According to a report published last November by the
Treasury Inspector General for Tax Administration, the IRS's
identity authentication methods for online services do not
comply with Government Information Security Standards. In other
words, the IRS has not taken the necessary steps to ensure that
individuals are who they claim to be before handing over
Americans' confidential tax information. As a result of these
vulnerabilities, the TIGTA report found that, "unscrupulous
individuals have gained unauthorized access to tax account
information."
The U.S. Government Accountability Office has identified a
number of ongoing cybersecurity system gaps and IRS failures to
fully implement certain security controls. The report found
that of 28 prior GAO cybersecurity recommendations to the IRS,
nine have not been effectively implemented. These gaps could
open the door for cyber criminals to steal confidential
taxpayer data.
The past year's IRS breaches are especially troubling.
Taxpayer data was fraudulently accessed, not through a forcible
compromise of the computer systems, but by hackers who
correctly answered security questions that should have only
been answerable by the actual individual. The hackers likely
accessed the requisite data from prior high-profile hacks.
Last year's OPM and Anthem Health Insurance breaches
compromised the information of over 100 million people. This
included the names, addresses, dates of birth, and Social
Security numbers of the victims. For cyber criminals, this
information is similar to making duplicate keys to your house.
It's a license to steal whenever and wherever the criminals
find an opportunity.
The IRS security breach demonstrates once again that
rigorous adherence to all cybersecurity protections must be the
top priority for every federal agency. Slow responses and
partial measures at the IRS do not protect innocent Americans
from these cyber-attacks. The government should be accountable
to the people and keep Americans' sensitive information secure.
Thank you, Madam Chairman, and I'll yield back.
[The prepared statement of Chairman Smith follows:]
Chairwoman Comstock. Thank you.
And now I will introduce our witnesses. Our first witness
today is the Honorable John Koskinen, 48th Commissioner of the
Internal Revenue Service. Prior to his appointment, he served
in executive roles at Freddie Mac and 21 years in the private
sector in various leadership positions. He received his
bachelor's degree from Duke University and a law degree from
Yale. He also studied international law for one year in
Cambridge, England.
Our second witness today is the Honorable Russell George,
Treasury Inspector General for Tax Administration. Prior to his
confirmation by the Senate in 2004, Mr. George served as the
Inspector General of the Corporation for National and Community
Service. His government service also includes working at the
White House Office of Management and Budget as Assistant
General Counsel, and working here in Congress as Staff Director
and Chief Counsel of the then-named Government Management
Information and Technology Subcommittee. Mr. George received
his bachelor of arts degree from Howard University and his
doctorate of jurisprudence from Harvard University's School of
Law.
Our third and final witness today is Mr. Gregory Wilshusen.
Mr. Wilshusen is the Director of Information Security Issues at
the Government Accountability Office, where he leads
cybersecurity and privacy-related studies and audits of the
federal government and critical infrastructure. Prior to joining
GAO in 1997, he held a variety of public- and private-sector
positions. He is a certified public accountant, certified
internal auditor, and certified information systems auditor. He
received his bachelor of science degree in business
administration from the University of Missouri and his master
of science in information management from George Washington
University.
I now recognize the IRS Commissioner for five minutes to
present his testimony.
TESTIMONY OF THE HONORABLE JOHN KOSKINEN,
COMMISSIONER, INTERNAL REVENUE SERVICE
Mr. Koskinen. Thank you, Chairman Smith, Chairwoman
Comstock, Ranking Member Lipinski, and members of the
Subcommittee. I appreciate the opportunity to discuss with you
today the IRS's ongoing efforts in regard to cybersecurity and
identity theft. Securing our systems and taxpayer data
continues to be a top priority for the IRS. Even with our
constrained resources as a result of repeatedly decreased
funding over the past few years, we continue to devote
significant time and attention to this challenge. We work
continuously to protect our main computer systems from cyber-
attacks and to safeguard taxpayer information stored in our
databases. These systems withstand more than one million
attempts to access them each day.
We're also continuing to battle a growing problem of stolen
identity refund fraud. Over the past few years, we've made
steady progress in protecting against fraudulent refund claims
and criminally prosecuting those who engage in this crime.
But we've found the type of criminal we are dealing with
has changed. This problem used to be random individuals filing
a few dozen or a few hundred false tax returns at a time. Now
we're dealing more and more with organized-crime syndicates
here and in other countries. They're gathering unimaginable
amounts of personal data as noted from sources outside the IRS
so they can do a better job of impersonating taxpayers, evading
our return processing filters, and obtaining fraudulent
refunds.
To improve our efforts against this complex and evolving
threat, in March 2015 we joined with the leaders of the
electronic tax industry and the private sector, the software
industry and the states to create the Security Summit Group.
This is an unprecedented partnership that is focused on making
the tax filing experience safer and more secure for taxpayers
in 2016 and beyond.
Our collaborative efforts with the private sector and state
tax commissioners have already shown concrete results this
filing season. For example, Security Summit partners have
helped us improve our ability to spot potentially false returns
before they are processed. Over the past year, we've seen three
examples of what identity thieves are capable of and why we
can't let up in this fight. In each case we detected and
stopped unauthorized attempts to access online services on our
website, IRS.gov, by criminals masquerading as legitimate
taxpayers. One of the services targeted, as noted, was our "Get
Transcript" online application used by taxpayers to quickly
obtain a copy of their prior year return. Another, as noted,
was the online tool to retrieve lost identity protection
personal identifier numbers, or IP PINs. Taxpayers who
previously were victims of identity theft used these PINs to
prove their identity when they filed a return. And the third
was a tool that some people used to generate a PIN number when
they e-filed their tax returns. In all three cases, criminals
were trying to use our online tools to help them pretend to be
legitimate taxpayers and sneak false returns past our
fraud filters. These incidents, which unfortunately, in the case
of "Get Transcript" access, resulted in the loss of taxpayer
information for thousands of taxpayers before the application
was disabled, have shown us that improving our reaction time to
suspicious activity isn't enough. We need to be able to
anticipate the criminals' next moves and attempt to stay ahead
of them. The ongoing work of the Security Summit Group will be
critical to our success here.
As we confront the challenge of identity theft, we're also
working to expand and improve our ability to interact with
taxpayers online to meet taxpayers' increasing demand for
digital services. We are aware, however, that in building
toward this enhanced online experience, we must continually
upgrade and improve our ability to verify the identity of
taxpayers using these services. Taxpayers will only use these
services if they're confident that they are safe and secure. So
we're in the process of developing a strong, coordinated
authentication framework.
We have a delicate balance to maintain here. We need to
keep the criminals out while letting the legitimate taxpayers
in. Our goal is to have the strongest possible authentication
process for our ongoing services while maintaining the ability
of taxpayers to access their data and use IRS services online.
Congress can provide critical support by providing adequate
resources for these efforts. We appreciate the $290 million in
additional funding Congress provided for fiscal 2016, which
included funds to improve cybersecurity and fight identity
theft. We used over $100 million of that funding and are using
it now in those areas. Sustaining and increasing funding in
this area will be critical as we move forward.
Another way Congress can help us is by passing legislative
proposals to improve tax administration and cybersecurity. One
of the most important requests we have made is for the
reauthorization of streamlined critical pay, the loss of which
has made it very difficult, if not impossible, to recruit and
retain employees with expertise in highly technical areas such
as information technology.
Chairman Smith, Chairwoman Comstock, Ranking Member
Lipinski, and members of the Subcommittee, this concludes my
statement. I'd be happy to take your questions.
[The prepared statement of Mr. Koskinen follows:]
Chairwoman Comstock. Mr. George.
TESTIMONY OF THE HONORABLE J. RUSSELL GEORGE,
INSPECTOR GENERAL,
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Mr. George. Thank you, Chairwoman Comstock, Ranking Member
Lipinski, Chairman Smith, and members of the Subcommittee.
Thank you for the opportunity to testify on the IRS's actions
to protect taxpayers' personal information.
For the last six years, we have identified the security of
taxpayer data as the most serious management challenge
confronting the IRS. Based on our work on information
technology security, TIGTA has identified a number of areas in
which the IRS could do better to protect taxpayer data.
The IRS has been moving towards providing more services
through the internet referred to as online services. Web
applications that provide online services must be set up in a
secure manner. Even without breaching the security of the
application or hardware, hackers can pose as legitimate users
in order to make it through the authentication process and
obtain sensitive data.
Recent security incidents, as has been noted at the outset
of this hearing, that involved two of the IRS's online service
applications, are prime examples of what can go wrong when
security is inadequate. While the IRS had established processes
and procedures to authenticate individuals requesting online
access to IRS services, they did not comply with government
standards. For example, the processes that the IRS used to
authenticate users of the "Get Transcript" and Identity
Protection Personal Identification Number applications required
only single-factor authentication. However, government
standards require multifactor authentication for such high-risk
applications. Of further concern, the authentication framework
used for these applications did not comply with government
standards for single-factor authentication.
In August 2015, the IRS reported that unauthorized users
had been successful in obtaining tax information on the "Get
Transcript" application for an estimated 334,000 taxpayer
accounts, as you noted, Madam Chairwoman. To prevent further
unauthorized access, the IRS removed the application from its
website. TIGTA's subsequent review of the "Get Transcript"
breach identified additional suspicious accesses to taxpayers'
accounts that the IRS had not identified. Based on TIGTA's
analysis, the IRS reported on February 26th of this year that
potentially unauthorized users had been successful in obtaining
access to an additional 390,000 taxpayer accounts, again, as
has been noted.
We also reported in November 2015 that the IRS did not
complete the required authentication risk assessment for its
Identity Protection PIN application and recommended that the
IRS not reactivate this application for the 2016 filing season.
However, the IRS reactivated the application on January 19th of
this year. We issued a second recommendation to the IRS on
February 24th advising it to remove the Identity Protection PIN
application from its public website. On March 7th, the IRS
reported that it was temporarily suspending use of the Identity
Protection PIN application as part of an ongoing security
review.
The IRS does not anticipate having the technology in place
for either the "Get Transcript" or Identity Protection PIN
application to provide multifactor authentication capability
before the summer of 2016. In addition, TIGTA's assessment of
the IRS's compliance with information security standards and
guidelines found that while the IRS information security
program generally complied with the requirements of FISMA--the
Federal Information Security Modernization Act--there were
three security program areas which did not, and they are
continuous monitoring management, configuration management, and
identity and access management. Until the IRS takes steps to
improve these security program deficiencies and fully implement
all security program areas in compliance with requirements,
taxpayer data will remain vulnerable to inappropriate and
undetected use, modification, or disclosure.
Chairman Comstock, Ranking Member Lipinski, Chairman Smith,
Members of the Subcommittee, thank you for the opportunity to
share my views.
[The prepared statement of Mr. George follows:]
Chairwoman Comstock. Thank you.
TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES,
U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairwoman Comstock, Ranking Member
Lipinski, Chairman Smith, and Members of the Subcommittee,
thank you for the opportunity to testify on IRS's information
security program.
As part of GAO's annual audit of IRS's financial
statements, we examined the information security controls over
the Service's financial and tax processing systems. As we
reported in March, IRS has implemented numerous protections
over these systems but weaknesses remain in controls that are
intended to prevent, detect and limit unauthorized access to
systems and the information they contain.
IRS had developed controls for identifying and
authenticating the identity of users and servers. However, they
were inconsistently implemented. For example, the agency used
easily guessed passwords on servers supporting several systems
including those relating to procurements, automated file
transfers, management of taxpayer accounts, and processing of
electronic tax payment information. In addition, users were
granted excessive access permissions on 11 of 14 systems we
reviewed including on one system which allowed users to access
or change tax payment-related data.
IRS policies require use of encryption, and the agency
continued to expand its use. However, sensitive administrative
credentials were not encrypted on key systems that we reviewed.
Software patches were often not installed in a timely manner on
several systems including at least one critical patch that has
been available since August 2012. To its credit, IRS had
established contingency plans for the systems we review, which
help to ensure that critical operations can continue when
unexpected events occur. Nevertheless, the control weaknesses
we identified were caused in part by IRS's inconsistent
execution of its information security program. Including the 45
new recommendations we made in March, IRS has yet to implement
94 of our recommendations. Implementing these recommendations
will assist IRS in bolstering its information security and
protection over taxpayer information. Until it does so,
taxpayer and financial data will continue to be exposed to
unnecessary risk.
The importance of protecting taxpayer information is
further highlighted by the recent incidents involving the ``Get
Transcript'' online service and the billions of dollars that
have been lost to identity theft refund fraud. This type of
fraud occurs when a criminal obtains personally identifiable
information of a legitimate taxpayer and uses it to file a
fraudulent return seeking a refund. Because of its continuing
significance, we added IRS's efforts to combat identity theft
refund fraud to our high-risk area on the enforcement of tax
laws. IRS has acted to address this problem but additional
actions are needed.
In January 2015, we reported that its tools for
authenticating the identity of taxpayers using e-file had
limitations and recommended that IRS assess the risks, costs
and benefits of its authentication options.
To assist and guide federal efforts, OMB--the Office of
Management and Budget--and the National Institute of Standards
and Technology play a key role in developing information
security policies, standards, and guidelines for federal
agencies. Among other things, OMB and NIST have developed
guidance for agencies implementing e-authentication protocols.
OMB is responsible for overseeing and holding agencies
accountable for complying with information security
requirements such as those provided in the Federal Information
Security Modernization Act of 2014.
In summary, IRS has made progress implementing security
protections over its tax-processing and financial systems.
However, it needs to do more to adequately safeguard taxpayer
data. Until IRS fully implements all of our recommendations to
mitigate deficiencies in access and other controls, to
consistently implement elements of its Information Security
program, and to assess the risks, costs and benefits of its
authentication options, taxpayer information will remain at
unnecessary risk.
Chairwoman Comstock, Ranking Member Lipinski, Chairman
Smith, this concludes my statement. I'd be happy to answer your
questions.
[The prepared statement of Mr. Wilshusen follows:]
Chairwoman Comstock. Thank you, and I thank all of you, and
I now recognize myself for five-minute question rounds. We'll
be having our questions now.
Mr. Koskinen, I'd like to read you a quote from Mr. George
which said ``It continues to identify''--TIGTA does--
``significant security weaknesses that could affect the
confidentiality, integrity, and availability of financial and
sensitive taxpayer information.''
Now, we have no choice--I've got my LifeLock but I've got
to send it in anyway--to send in all our personal information
to the IRS even though we don't know that you're not doing
enough to secure that data, as we've heard here today. Can you
right now assure the American taxpayers, our hardworking
taxpayers who are going to be working over the weekend--because
it's not due until Monday this year, so they're going to be
turning it in on Monday--that the IRS information, you know,
that their data is 100 percent secure?
Mr. Koskinen. I don't think there's any financial
institution of any size in the world that can give you 100
percent guarantee. As you noted, the organized criminals we're
dealing with are increasingly sophisticated and well-funded but
I can tell you it is the highest priority for us. I can tell
you that, knocking on wood thus far, our basic database,
notwithstanding the over million attacks a day, continues to
remain secure. We have not had a data breach into the database
but we do not think that that necessarily means we can stop. In
fact, we're using $95 million of the additional funding that
Congress gave us on cybersecurity to deal with in fact the
issues that you've heard about, that is, continuous monitoring,
being able to in fact segment our systems to protect them.
So all I can tell you is, we're doing everything we can at
this point. The basic database has been secure. We hope it will
be secure. But as I say, I can't give you 100 percent guarantee
it'll always be secure.
Chairwoman Comstock. Now, my understanding, and actually
the Speaker was interested in this hearing as he's been
interested in what's going on with the IRS, and he had asked
about the IRS cybersecurity staff has been cut as the budget
increased. Why did the agency cut its cybersecurity staff when
they received additional resources?
Mr. Koskinen. That's an incorrect statement. The
cybersecurity staff--all of our staff, we're down 15,000
people. We'll be down 17,000 people over the last five years
because of budget cuts. The cybersecurity staff, the IT staff,
in fact, has gone up somewhat. Our budget for IT has gone down
$200 million over the last five years. We are using the $95
million of the $290 million, as I said, for cybersecurity and
we're hiring 55 additional new people in information technology
to deal with cybersecurity. So there has been no significant
cut in cybersecurity compared to anything else. We have far
more people lost in revenue agents, officers and criminal
investigators. So I would stress, when we've been given the
money, and I think year will establish it, we put it to work
effectively and efficiently. There are taxpayer dollars that
deserve to be spent wisely.
Chairwoman Comstock. Okay, and now who is the person who is
in charge of cybersecurity at the IRS?
Mr. Koskinen. The person in charge of cybersecurity left a
few weeks ago. He was one of the people on streamline critical
pay, and without the reauthorization, we're trying to fill that
spot. All of it reports to our Chief Technology Officer, also
who will be leaving because of the expiration of streamline
critical pay. It is important for everyone to understand, we
have----
Chairwoman Comstock. So right now the person who's in
charge of cybersecurity is leaving and the person----
Mr. Koskinen. Has left.
Chairwoman Comstock. Has left, and----
Mr. Koskinen. The person he reports to----
Chairwoman Comstock. --the person who he's reporting to,
the CTO, so the cybersecurity leadership has left the building?
Mr. Koskinen. We have people replacing them internally but
what we need, as Congressman Lipinski said, Congress needs to
give us the reauthorization to allow us to hire the highest
skilled, capable IT security experts we can. We struggle
otherwise. We find good people in the private sector and say if
you'll sit there for three to six months while we work you
through the process and fill out the applications, we'll be
able to hire you, and these people are in great demand. Our
people are in great demand. The people who are leaving are
being recruited by the best companies in the world.
Chairwoman Comstock. Well, certainly you've been aware of
the problems here in cybersecurity given all the recent
breaches, so when this--you know, you don't have these people
now but what kind of planning had been going into this so you'd
have that kind of talent pool when this expired, when you lost
the people.
Mr. Koskinen. We have succession plans. We have replaced
the Director of Cybersecurity on an acting basis but that's one
of the reasons that the most critical request we have for
Congress is to give us the additional support we need to bring
people of the highest skills into the agency.
Chairwoman Comstock. Okay. Now, have you talked with other
agencies about how they're dealing with cybersecurity and----
Mr. Koskinen. We talk with them all the time. We work
closely with the Department of Homeland Security, the Justice
Department, the FBI, others, and----
Chairwoman Comstock. And how often do you personally have
meetings with these cybersecurity leaders within the agency?
Mr. Koskinen. I've met with the Secretary of the Department
of Homeland Security and I've met with----
Chairwoman Comstock. No, I mean with these people who just
left. What type of meetings did you have sort of to emphasize
that this was--you say it's a top priority so it's the top
priority and we have the two people are leaving, I was
wondering how often you were--okay, you guys are leaving, who
do we have to replace and what are we doing for the succession
plan?
Mr. Koskinen. I met with the Chief Technology Officer
probably every two weeks. I have a regular monthly meeting with
him for over an hour to review all of the matters of
information technology. He participated in all of our senior
executive meetings.
Chairwoman Comstock. I see my time has expired. Now I'll
recognize Mr. Lipinski for five minutes.
Mr. Lipinski. Thank you.
I want to say I'm--no one's happy here having to do their
taxes right now, and fortunately my wife's an actuary and she
takes over those duties. She'll be working on finishing this
weekend. But I'm not here to beat up the IRS. I don't want to
beat up the IRS. It's not my purpose. It's not because of the
TV cameras here. But I think we need to know what has gone
wrong and why, and get a guarantee that that is not going to
happen again.
Now, there's no 100 percent guarantee of security. We know
that. We have to accept that. We strive for that, hopefully
everyone should be striving for that in both the public and
private sector, but there's no 100 percent guarantee.
But I want to understand the reasons for the issues that
Mr. George and Mr. Wilshusen had--the issues that they brought
up such as the IRS didn't use the multifactor authentication,
that the risk assessment wasn't done for IP PIN, and on top of
that, there were two requests from TIGTA before IP PIN was
taken down, and that there are 94 recommendations from GAO that
have yet to be implemented. Why have these things happened? Is
it a lack of understanding of the NIST standards, technical
requirements? Is it a lack of ability within the IRS to do
cybersecurity correctly? What is it that caused these issues in
the past and why should we sit here and believe that those same
things are not going to happen in the future, or is there
something--is there anything wrong with what we've heard about
these issues in the past? Is anything incorrect about those or
did those happen, and why should we expect that they're not
going to happen in the future?
Mr. Koskinen. As you noted, we're dealing with a moving
target. Life is getting more complicated. The challenges are
more sophisticated. When the Get Transcript application was
designed and formulated in 2011 and 2012, the out-of-wallet
questions were in fact a standard way of verification that was
used by banks and financial institutions. The analysis was
done, and the determination was made that at that time that was
the appropriate authentication in light of the balance, as you
know, between convenience for the consumers and the risks. As
identity fraud and identity theft has increased and the
sophistication has increased, it has become clear that
questions that used to be answered only by the taxpayer now are
actually more easily answered, although half the time the
criminals can't even answer them. But I would note on the Get
Transcript, 22 percent of legitimate taxpayers could not answer
their own out-of-wallet questions, so it's not as if anybody
could walk in and answer those questions. But it became clear
over time that in fact more and more information was in the
hands of the public and the out-of-wallet questions were no
longer sufficient but that was not the decision and not the
situation when it started.
I would note that we value and work cooperatively and
collaboratively with the IG and GAO. Over the last few years
we've had over 2,000 recommendations from them, and we work and
we take them seriously, and in fact, we are implementing them
as quickly as we can. As we move forward with the IP PIN, the
determination was made, as noted, discussed with the IG, that
it was an important service for people trying to file in
January when they got their new PIN in January if they lost it
to be able to access it. What we did was add another layer of
authentication in the sense that we marked every Social
Security number when anybody got an IP PIN access, put that
into a file, and every return filed with those Social Security
numbers is put through a review. If there's any questions, we
write taxpayers. A number of the letters the taxpayers are
getting are to re-authenticate them before we will process
those returns. As a result, we've determined that over 40,000--
about 135,000 accesses were made. Forty thousand returns that
have been filed have been authenticated as legitimate
taxpayers. Over 5,000 have been stopped because they were
fraudulent, and we determined those were fraudulent. We're
continuing to review those as they are filed but we were
satisfied at the start, and we discussed this with the IG in
December and January, that the additional monitoring of
literally every return against those Social Security numbers
would increase our authentication ability.
In February, as we saw more volumes of what looked like
suspicious access, because we were monitoring volumes as well,
we agreed with the IG that we should bring the app down, and if
anybody wanted their PIN we would mail it to them rather than
having it accessible during filing season immediately. We are
now, as noted, developing a multifactor authentication, which
is difficult to do because we don't have immediate access to
telephone numbers and other issues, but the tradeoff is, as I
said, 22 percent of people couldn't get through to answer their
own out-of-wallet questions. We think with the new multifactor
authentication, it will be difficult for as many as 50 percent
of taxpayers to get in but it will be much more difficult for
the criminals. And so we're always in that balance of how
difficult and burdensome will it be for taxpayers compared to
how impossible can we make it for the criminal.
But it's an ongoing battle. As we design this system, it
won't be the perfect system forever. We'll need to continue to
monitor and assess what's happening. We'll need to continue the
partnership we're developing with the private sector and with
banks and others to compare notes about how we're doing. We
continue to follow the NIST and OMB guidelines to the extent
that they're there and, as I say, when we started with the IP
PIN and Get Transcript three or four years ago, developing it, the
standard was in fact being able to identify someone with out-
of-wallet questions, and we've changed that and we're moving,
but it's going to be more difficult for taxpayers.
Mr. Lipinski. My time is up right now. Hopefully we'll have
a chance for a second round and we'll follow up on that and get
the IG and GAO's response to any of that. Thank you.
Chairwoman Comstock. And I now recognize the Chairman for
five minutes.
Chairman Smith. Thank you, Madam Chair.
Commissioner, recently the GAO made, I believe, 49
recommendations as to how the IRS could better protect
taxpayers from being hacked, having their information hacked.
This is on top of 49 recommendations that were made previously.
My question is, how many of the 49 earlier recommendations have
been implemented, and when do you expect all these
recommendations to be implemented?
Mr. Koskinen. We're working on those GAO. As I said, we've
had a couple thousand recommendations over time. GAO has done a
very great service for us in the last year of prioritizing of
the range of recommendations which are the highest priorities,
and we are working on those. Our hope----
Chairman Smith. How many of the 49 have you implemented so
far, the earlier 49?
Mr. Koskinen. The earlier 49, I don't have that number for
you. I'll have to get that for you. But our goal is to
implement all of them. There's been some question about why we
didn't immediately sign on to the most recent ones but the
process is, we are supposed to advise Congress within 60 days
of the detailed timeline, and we will provide you with the
timeline for solutions to all of those.
Chairman Smith. And the most recent 45 were just last
month, and I realize you need some time to have them
implemented, but I did hear you say you intend to implement
them all.
Mr. Koskinen. Yes.
Chairman Smith. In regard to the 49, how long will it take
you to inform us as to how many have been implemented?
Mr. Koskinen. We'll be able to provide you that information
in the next week.
Chairman Smith. Okay. Why not in the next ten minutes?
Mr. Koskinen. Because I don't have that information with
me. I'll have to get it from----
Chairman Smith. Can some member of your staff sitting
behind you get it for us before the hearing is over?
Mr. Koskinen. Some members of my staff sitting there can
try to do that. We'd be delighted.
Chairman Smith. Okay. Thank you for that.
Mr. Koskinen. Pardon?
Chairwoman Comstock. I said we have computers and
assistants here. They don't have paper with them.
Chairman Smith. My next question, Commissioner, is this. I
understand that the IRS issues refunds to individuals even when
the names and the Social Security numbers don't match. Why does
the IRS do that? It seems to me that you're catering to and
perhaps even encouraging fraud. I understand there may be
millions of individuals who are getting these funds to the tune
of many, many millions of dollars. Why don't you stop doing
that, or what can you do to correct it?
Mr. Koskinen. We actually don't issue refunds where there's
a Social Security number on the return and a name that doesn't
match.
Chairman Smith. Okay.
Mr. Koskinen. I think the issue you're dealing with is
people who aren't able to get a Social Security number file
with an IP PIN.
Chairman Smith. Correct.
Mr. Koskinen. And those IP PINs come in, and people who are
paying taxes, a lot of them are in the country working without
the ability to get a Social Security number. Their obligation
is to pay taxes if there ever is a way for them to become
citizens, the first question they're asked is, have you paid
your taxes.
Chairman Smith. But again, if the name and the Social
Security number don't match, you are not issuing any refunds?
Mr. Koskinen. No, if the name and the Social Security
number on the return don't match. Now, what the situation I
think you're focused on is, people borrow, steal, however they
get a Social Security number to get a job so their W-2 may have
a different Social Security number but their name and the IP
PIN, we grant the IP PINs. Those will match, and as long as
they match, our responsibility is to collect the taxes people
owe. It's not to in fact----
Chairman Smith. But for example, I've heard--I don't know
this is accurate--where someone would put in a Social Security
number of 00000 all the way across and yet they are still
getting refunds. Is that----
Mr. Koskinen. They can't do that on a tax return. The only
thing they would be doing there is if they're using that Social
Security number to get a job----
Chairman Smith. Right. I understand. But still no refunds
when there's a mismatch?
Mr. Koskinen. If you file a return with a Social Security
and a name that don't match, we wouldn't give you a refund.
Chairman Smith. Okay. That's good to know.
The next question is addressed to Mr. Wilshusen and Mr.
George, and it is this. We've had a situation where something
like over 700,000 people have had their tax information stolen,
over 100,000 have had their Social Security numbers stolen, all
in order to access an e-file PIN just this last year. What are
the implications of that? What are the consequences of that?
What does that say about the future and what can do about it?
Mr. Wilshusen, we'll start with you.
Mr. Wilshusen. Well, one of the implications is that
information could be used by criminals to commit identity theft
and related financial crimes. It can also be used to help
promote or facilitate identity theft refund fraud since they
would have additional information that could potentially get
past IRS's filters for trying to detect that type of fraud.
Chairman Smith. Mr. George?
Mr. George. I associate myself with the comments that he
just made, and this actually relates somewhat to a very
important factor that hasn't really been discussed much today,
and that is while we at TIGTA haven't found that the IRS's
computers themselves have been breached as was indicated, the
moment people are able to gain the name, Social Security number
and other information, personal information, of taxpayers,
that's really where the vulnerability exists currently to the
system of tax administration.
Mr. Koskinen. And I might just add for the Chairman's
benefit, the Social Security numbers that have been stolen and
the identity information that's been stolen, all has been
stolen someplace outside the IRS. Nobody is being able to get
that information from us. The hacks have come from people
masquerading already as taxpayers legitimately with Social
Security numbers and names that match.
Chairman Smith. Okay. Last quick question, if you'll
address it yes or no. I'll address it to all three of our
witnesses today. Is an individual's tax return and their
personal information on that tax return safer this year than
last year? Commissioner, what would you say?
Mr. Koskinen. Yes, safer.
Chairman Smith. Mr. George?
Mr. George. I have no indication that that is not the case.
Chairman Smith. Okay. Mr. Wilshusen?
Mr. Wilshusen. I wouldn't be able to comment on that but I
would probably say I have no evidence to show it's higher or
lower.
Chairman Smith. It may be the same. Okay. Thank you, Mr.
Chair.
Chairwoman Comstock. I now recognize Mr. Tonko for five
minutes.
Mr. Tonko. Thank you, Madam Chair, and welcome to our
guests, and I believe that the information exchanged here is
very critical, and it's important to protect taxpayer
information. I think that we all bear that sort of
responsibility and goal, and I thank you for the information
again.
Can I just get a better sense of the IT budget for perhaps
the last five years or so from 2010? Has it been flat? Has
there been a decrease, increase? What basically are we talking
about in numbers here?
Mr. Koskinen. Even after the money that we appreciated
Congress added this year, the $290 million, we're still $900
million below where we were six years ago, so we have 10
million more taxpayers, we have a set of unfunded mandates
including the Affordable Care Act, FATCA, the ABLE Act, private
debt collection that we're implementing with $900 million less,
and as I said, 15,000 fewer employees.
Mr. Tonko. So the efforts here to go forward I would think
some of it is a function of having resources essential to
address some of the dynamics perhaps a pay scale differential
with the private sector to compete for the talent. Can we talk
about that for a bit, your efforts with a skilled cybersecurity
workforce? How do you address the whole impact of strengthening
that given that the private sector may have that pay
differential?
Mr. Koskinen. Well, the Restructuring Act of the IRS was
implemented in 1998, the IRS was given special authority for 40
places, 40 positions called streamline critical pay, which
allowed us to hire people as if we were in the private sector,
bring them right in without going through the 3 to 6 months of
hiring, and allowed us to have a differential pay, not enough
to match the private sector, but we have found, because we have
so many challenges in such a large organization, a lot of
people with IT backgrounds and the people we've been able to
hire want to come work for the IRS. So one of the great
concerns we have about the loss of that authority is our
ability to compete with the private sector, and not on dollars
but really on the combination of appropriate pay and a very
great challenge in IT has been diminished with the failure to
reauthorize that streamline critical pay. It's only 40
positions. We never used all 40 of them. The most we ever used
was 34.
The IG a year and a half ago reviewed the program and said
it had been run appropriately, and so we view it as critical
because we are the largest financial institution in the world.
We collected last year $3.3 trillion. We are the most
attractive database to attack because we've got information on
300 million Americans. So our sense is, whatever support we can
get in this regard is very important.
Mr. Tonko. And in the last five or six years you've had to
make up a decline in revenues, resources with the shot that you
got, the one shot you got last year, but that must have
impacted somehow addressing the differential.
Mr. Koskinen. Yes. So what happens is, as a result across
the board we have to prioritize. Cybersecurity, identity theft,
protection of taxpayer data is a high priority. As I said,
we've actually had more people in IT while we've lost thousands
of other employees. But it does mean, for instance, on patches,
there are thousands of patches--we have a very complicated
system--that come in every year and we have to prioritize which
we can implement because we actually have a limited amount of
resources. That's why we appreciate the work that both the IG
and GAO do helping us prioritize of those security updates,
which are the most critical that need to be improved
immediately.
Mr. Tonko. And so other than the workforce issue, what are
those reforms or those improvements? Where do we need to reach?
What are the tools in the toolkit that are required to provide
for taxpayer protection here?
Mr. Koskinen. But we're continuing to work, as I say, to
implement the recommendations that we have and that we get from
the IGs and GAO. As I say, we need to improve, and part of the
money we're spending this year out of the 290 is to improve our
continuous monitoring of the system. We're working on
segmenting the system so if you actually happen to get into the
database, you can't run barefoot through it all. We'll
actually--you'll only be able to get into limited parts of it.
We're working to improve the security, as noted by GAO. I don't
have it with me, but you can run--I can't access my computer,
not with--I don't need passwords, I have to actually put an
identity card into the computer. Part of the money we hope to
use if we get it for 2017 would be to have that same access
code requirement for access to all of our internal systems. As
GAO noted, we're as worried and focused on internal protection
as we are on external protection.
Mr. Tonko. Thank you very much. I have used up my available
time, but I appreciate the efforts that are being made. And
again, bearing in mind that taxpayer protection should be the
guiding force, I appreciate the response to the questions here.
And with that, I yield back, Madam Chair.
Chairwoman Comstock. Thank you.
And I now recognize Mr. Lucas for five minutes.
Mr. Lucas. Thank you, Madam Chair.
Mr. Wilshusen, let's talk for a moment about the magnitude
of the fraud. According to your testimony, the IRS estimated
that it prevented or recovered $22.5 billion in fraudulent
identity theft refunds in 2014 but paid out $3.1 billion in
fraudulent refunds. These numbers seem rather precise
considering there's no range given. How does the IRS estimate
how much it's prevented in fraudulent payments and how much has
been paid? And how confident are you, I should say, on the
accuracy of these numbers?
Mr. Wilshusen. Well, uncertainty exists with any estimates
with regard to the amount that has been paid or that has not
been detected and not paid. IRS provides a rather specific
point estimate. However, because you really don't know what you
don't know, there's likely to be undetected fraud that hasn't
been determined. So there's always uncertainty with those
estimates, and that's why we recommended that IRS look at its
estimating procedures to account for that uncertainty as to the
extent of the fraud.
Mr. Lucas. Mr. George, fraudulent tax payouts ultimately
hurt taxpayers because their public money is going to
criminals. How confident are you that the IRS has a grasp on
these estimates? And does this raise concerns about whether the
IRS is allocating enough resources to combat the identity theft
problem?
Mr. George. This is a very complicated question,
Congressman, because it overlaps with a lot of other issues as
it relates to monies owed to the Internal Revenue Service. The
Service itself estimates what it calls the tax gap at being
over $450 billion every year, money that is owed to the IRS
that no one has really contested that figure. And so it's a
serious problem.
Then, of course, you're talking about programs such as
refundable credits and the like that are being taken advantage
of by people who are here in this country both legally and
illegally.
So it is a major problem. The IRS is aware of it. I'm sure
the Commissioner will point out that if he had additional
resources, he would be able to address it more sufficiently.
But this is a concern that we've raised extensively during my
tenure at TIGTA.
Mr. Lucas. Thank you, gentlemen.
Madam Chairman, actually, I yield back.
Chairwoman Comstock. And I now recognize Mr. Abraham for
five minutes.
Mr. Abraham. Thank you, Madam Chairman.
I think this hearing may be the best argument for a simpler
flat-tax-type deal because we look at OPM, we look at the IRS,
ACA, every government agency recently in the last year or two or
three at the most seems to have had a major data breach. And every
time it starts out with a lower number such in your case with
the IRS, the 300, then it goes to 7. Same thing happened in the
OPM. It started out a few million, went up to 24, 25 million.
So, again, you know, I personally--and I think everybody
listening to this hearing--would rather be responsible for
their own security because, you know, our agencies are having
major problems getting it right. And again, when we--I'll talk
to you, Mr. Koskinen, about you guys--you know what you need to
do. I mean, from a single identification to a multiple, I mean,
that's pretty commonsense stuff. And it's not like these things
were born of yesterday. I mean, these things have been going on
for a long time.
But I know you guys are asking for more money, so help me
out here. Of the $290 million that we as Congress gave you for
this fiscal year 2016, I'm told--and you can certainly correct
me if I'm misstating--but how much of that went to employ
temporary people to help on the toll-free line?
Mr. Koskinen. I would note, by the way, that government
agencies are challenged, everybody is challenged, Target,
Anthem, J.P. Morgan Chase----
Mr. Abraham. I understand that, but, I mean, we've been--
you know, we've been here so many times.
Mr. Koskinen. Yes.
Mr. Abraham. We just keep going to the same well and the
water keeps coming up dry so----
Mr. Koskinen. So with regard to the $290 million, which,
again, I would say we appreciate it. It's a step in the right
direction. One hundred and seventy-eight million was devoted to
taxpayer service. Last year----
Mr. Abraham. Right. So is that about 1,000 employees?
Mr. Koskinen. So we hired slightly over 1,000 employees,
temporary employees. We hire eight to 10,000 temporary and
seasonal employees----
Mr. Abraham. Yes.
Mr. Koskinen. --to help with filing season.
Mr. Abraham. And I guess my point is that $178 million did
not go to specifically fight cybercrime?
Mr. Koskinen. No. The other then of the $178 million, $95
million went to cybercrime----
Mr. Abraham. Right.
Mr. Koskinen. --and another $16 million went to identity
theft, primarily to support our partnership with the private
sector and the States.
Mr. Abraham. All right. So I'm doing the math and certainly
won't--don't want to disparage any employee at the IRS. I'm
sure they hopefully earn their money every day. But 1,000--the
$170 million, that's $178,000 per employee. Is that the normal
salary? I mean, I may want to----
Mr. Koskinen. No.
Mr. Abraham. --apply there.
Mr. Koskinen. I'd apply there. That's more than I make. No,
the $178,000 includes all of the supporting issues that go with
it. The major expenditure was the 1,000, but they get paid in
the 30, 40, $50,000 range. The $178 million that was spent
there was all of the supporting systems to in fact get our
level of taxpayer service up from last year's 37 percent to
this year's 72, 75 percent. So you can actually get somebody on
the line within a few minutes this year. Last year, you had to
wait for 30 to 40 minutes. Sixty percent of people couldn't get
through it all.
Mr. Abraham. Okay. And I know that OMB required you guys to
reassess and look back at your security procedures, and I guess
the question, again going back to the earlier statement, why
don't you guys conduct an authentication process with your IP
issue, your IP PIN problem? Did you all review, did you look
ahead? Why didn't you follow OMB guidelines?
Mr. Koskinen. We actually followed OMB guidelines and the
NIST guidelines as well when we were establishing these
programs. As I noted, what happens is life gets more
complicated as you move along. What used to be acceptable no
longer works.
With the IP PIN, as I noted, we brought it back up this
year because we added another level of authentication. We
monitored every return filed as a result of anybody accessing
that system, and therefore, we're reasonably confident and as
our life has shown, the vast majority of people using those IP
PINS are legitimate taxpayers.
We ultimately brought it down when our monitoring of each
one of those accesses identified that there were an increasing
number of criminals trying to get through and the vast majority
of criminals couldn't get through, and so we shut it down,
deciding that, while it was a great convenience to taxpayers,
at that point it needed to be brought down because of our
concerns about the security.
Mr. Abraham. Thank you, sir.
Thank you, Madam Chairwoman. I yield back.
Chairwoman Comstock. Thank you.
And I now recognize Mr. LaHood for five minutes.
Mr. LaHood. Thank you, Chairwoman. And I want to thank the
witnesses for being here today, for your testimony.
Commissioner, you know, as an outsider looking in and
looking at what we've heard, 700,000 taxpayers having their
personal information compromised, that we had the GAO come in
with 45 recommendations that, you know, the Chairman asked you
how many of those have been implemented, and we didn't get a
sufficient answer on that, and then more recommendations from
GAO. And I guess, I mean, what are the successes that you've
had in fixing this problem? I mean, when we tell the American
people we've had successes, we're fixing this, we're giving you
confidence that we're on the right track after we've had these
series of events, statistics out there, and these breaches, I
mean, what are the successes?
Mr. Koskinen. The successes are, first of all--and again, I
always knock on wood--our basic system has not been breached.
As I say, we are attacked over a million times a day.
Mr. LaHood. Since when? When is the date that you use on
that?
Mr. Koskinen. Forever. We've not had a breach of our
database directly. We've had breaches by people masquerading as
taxpayers and applications. The basic database of the IRS has
had no significant breach that I know of ever.
But the other thing that's happened, we're talking of
identity--we are increasingly successful at stopping refund
fraudulent returns. Last year, we stopped over four million
suspicious returns, 1.5 million of them for about $8 billion
were identified as fraudulent. Our ability--our filters are
going forward.
The most significant thing we've done in the last year,
very successful, is our partnership with the private sector and
the States, working together for the first time, exchanging
information in real time during the filing season of where do
they see suspicious patterns, where do we. We are sharing that
back-and-forth. A small part of the money that we got for the
$290 million is being spent in support of that partnership.
I think the data will show that this year taxpayers were
safer. I was asked that question. And the reason I'm confident
about that is that for the first time we have a level of
authentication for taxpayers when they go to their preparers or
when they use software. We have increased data that we get now
that we didn't use to be able to have access
to of where the returns are coming from and how many are coming
from individual computers all through our private sector
partnership so that we have, as I say, taken the entire tax
system and put it together in a unified attempt for the first
time ever, in a partnership, in a true public-private
partnership.
Mr. LaHood. So the 700,000 that have had their personal
information compromised, I mean, when did that change in terms
of the implementations that you've made and that we're not
seeing the numbers that have been compromised? I mean, has that
changed since when?
Mr. Koskinen. I'm not sure I quite understand. The 700,000
successful accesses by criminals in our ``Get Transcript'' took
place over a period from 2014 to '15. We originally looked at
the immediate impact with the IG then with them. They collected
data for us for the entire time. That system is down. When it
comes back up, it will be much more secure and also much more
difficult for taxpayers to use, but that's the tradeoff we
continually have to make.
Mr. LaHood. And then one thing that I haven't heard you
talk about is--so we've talked about these hackers and the
criminals. I mean, tell me about the successful prosecutions
that you've had in terms of the deterrent effect if we're going
to stop this from going forward, the successes you've had
with--successful prosecutions going after people that you can
kind of hold out that we've stopped this and these people are
being held accountable?
Mr. Koskinen. We've put over 2,000 people in jail in
cooperation with the IG and the Department of Justice. Our
criminal----
Mr. LaHood. And can you give me a couple examples of kind
of highlighted cases and the effect that that's had?
Mr. Koskinen. I get reports of those every day. Those are
people who have created syndicates. They filed $100 million
worth of false returns. They've filed large numbers. The courts
have been very supportive. The average time of incarceration is
over 3-1/2 years for each of those convictions. They are widely
publicized. As I say, I get a list of them every day. I would
be delighted to give you--we just put out--about three or four
weeks ago the Criminal Investigation Division put out a release
which I'd be happy to get you of the 10 most significant
criminal prosecutions for identity theft and refund fraud.
Mr. LaHood. And have you found that the criminal code right
now in terms of the sentences people are getting, is it having a
deterrent effect? Does that need to change? Are there
recommendations on that?
Mr. Koskinen. At this point we think that the courts and
the code have been sufficient on that ground. As I say, part of
what's happened as we've, I think, begun to be successful at
stopping criminals locally, increasingly what we're discovering
is we're dealing with organized crime syndicates in Eastern
Europe and Asia where it's much harder to get prosecution. The
people that are operating with them here are basically
relatively low level. We have over 1,700 investigations going
on right now leading toward further criminal prosecutions, but
at this point I don't think increasing the severity of the
penalty for fraud is a need for us. As I say, the courts have
been very good. Average sentence--some sentences have been in
the range of 10 to 20 years.
Mr. LaHood. Thank you. Those are all my questions.
Chairwoman Comstock. Okay. I now recognize Mr. Hultgren
for--oh, he's not here now. Okay.
Mr. Moolenaar for five minutes.
Mr. Moolenaar. Thank you, Madam Chair, and I appreciate the
panelists today.
And, Mr. Wilshusen, I wanted to just--your role at GAO has
to do with accountability, especially in the--sort of the
information technology area, is that correct?
Mr. Wilshusen. That's correct, on information security,
cybersecurity issues.
Mr. Moolenaar. So because you're probably looking at this
over a wide range of agencies and government entities. I
basically have three questions that I'd like to kind of lay out
for you and you'll kind of get the pattern of where I'm going
with these questions. So you might want to just take notes just
so you--I apologize for overwhelming you with three questions
at the same time.
But basically I just wanted you to elaborate on the
testimony you've already given just so I have a clear
understanding. But the first question is what potential
enforcement and accountability options could be applied against
an agency that is noncompliant with OMB and NIST information
security standards and guidelines? That's kind of the one
question, you know, what options are available?
And then secondly, what federal agency or White House
office might have the authority to enforce compliance with OMB
and NIST standards and guidelines? So who has the authority to
implement that?
And then finally, and thirdly, are you aware of any cases
when action was taken against any agency for failing to comply
with OMB and NIST information security standards and
guidelines?
Mr. Wilshusen. Okay. First, I would answer those questions
in order. In terms of enforcing compliance or holding agencies
or individuals accountable for implementing information
security, it starts first at the agency with the head of the
agency. FISMA, the Federal Information Security Modernization
Act of 2014, requires the head of the agency and assigns
overall responsibility to the head of each agency to ensure
that that agency implements appropriate safeguards to protect
against the unauthorized use, disclosure, modification of
information within that agency. The head of the agency is also
responsible for enforcing and ensuring that individuals and
employees within that organization are held accountable and
comply with that policy and with those procedures.
Some of that responsibility has been delegated to the Chief
Information Officer. In some respects at agencies, the Chief
Information Security Officer will have some responsibilities to
help program managers and assist them in complying with the
procedures.
At the government level, it's the Director of Office of
Management and Budget, who under FISMA, has responsibility for
assuring and enforcing the compliance of information security
under the law. The Office of Management and Budget has
employed several different mechanisms to help provide
accountability and, if you will, assistance to federal
agencies. One of these is through the budget process in which
OMB can recommend changes to proposed budgeted amounts for
organizations and agencies to help assure that information
security policies are being implemented.
It's also through cyber stat meetings, which the Office has
established, in which OMB will meet with officials from
individual agencies to talk about weaknesses or issues of
concern related to information security at that agency with
those officials from that agency. And it's intended not only to
hold those officials accountable to some extent but also to
assist them in implementing the appropriate security controls.
OMB also provides a reporting mechanism through the FISMA
annual reporting mechanism in which OMB reports on agencies'
progress in implementing information security controls, as
determined by the metrics that OMB has determined.
So those are at least some of the options that are
available, in terms of what federal agency has that
enforcement--well, first of all, it's within--you know, each
agency has responsibility, as does OMB, and so they have a
responsibility to perform those functions.
In terms of actual actions taken, well, OMB does have the
cyber stat reviews. It holds them annually with several
organizations. But in terms of holding someone accountable in
terms of like firing someone if that's what you're referring to
or actually reducing the budget of an organization, I don't
know if OMB has done that. I know over the last several years
the actual budgets for information security have been
increasing rather than decreasing.
Chairwoman Comstock. Thank you. And I now recognize Mr.
Westerman for five minutes.
Mr. Westerman. Thank you, Madam Chair. Good morning,
Commissioner and panel.
You know, I attended the prayer breakfast this morning and
seeing the Commissioner here in this special time of season
reminded me of life's two certainties of death and taxes. But,
you know, I think there may be----
Mr. Koskinen. I'd like to note we're the tax part of that.
Mr. Westerman. I'll leave that one alone, but there may be
a third part, there may be a new certainty in life and that is
that your personal identifiable information is going to be
stolen at some point.
When the current e-authentication framework was being
developed, the National Institute of Standards and Technology
informed the IRS that a taxpayer identification number was an
acceptable form of identification. Now, I'm going to get real
acronym-heavy here because as slow as I talk, there won't be
time to answer if I didn't use these acronyms.
In August 2015 NIST informed TIGTA that a TIN is now not an
acceptable government identification number for the purpose of
authentication. IRS agreed with this update and indicated the
agency would take steps to conform to NIST standards.
So my first question is when and how did NIST initially
inform the IRS that a TIN was acceptable?
Mr. Koskinen. It was accessible?
Mr. Westerman. Was acceptable.
Mr. Koskinen. It was acceptable, again, when the programs
were developed in 2011 and '12. It was part of a general
framework. I'm not aware of a particular NIST approval. NIST
sets out standards that we're obligated to and do follow. It
doesn't necessarily, that I'm aware of, do reviews and respond
to particular questions. But we did, through the IG, understand
that NIST's view by last summer was that, by that time, because
as you noted, so much personal information has been stolen and
in the hands of criminals, by itself, a taxpayer identification
number was no longer acceptable. And by that time we had taken
the ``Get Transcript'' down.
Mr. Westerman. All right. So that was in 2011, you said,
when it was----
Mr. Koskinen. 2011 and '12 when we designed the system.
Taxpayer identification numbers and out-of-wallet questions
were being used by a range of financial institutions and others
for authentication.
Mr. Westerman. So what steps have you or the IRS taken with
this communication you've had with TIGTA to conform to the NIST
standards? Are you saying you're not aware that they're----
Mr. Koskinen. No, in light of that and our experience we have
taken down the ``Get Transcript'' application, the IP PIN
application. We are in the process right now of testing a
multifactor authentication process that will require taxpayers
to identify themselves through an additional factor. We'll
communicate with them with their cell phones or smartphones or
other devices that we've not had access to before, and they'll
have to come back through with a PIN and identifier,
reinforcing all the other information they'll still have to
provide us. That system we hope to have up in the next two or
three months, perhaps earlier, and that will in fact be at the
highest level and the appropriate high level that NIST now has
out there. It's called multifactor authentication.
Mr. Westerman. Okay. And, Mr. George, is the current e-
authentication framework compliant with NIST standards? And if
not, does that mean that other online services such as online
payment agreement, Direct Pay, and Where's My Refund are more
vulnerable to compromise?
Mr. George. They're vulnerable to compromise, but the
impact on the taxpayer is not the same. If someone wants to
find out where their refund is, it won't affect--even if it's
an impersonation type of a situation, that won't affect the
amount of money involved here. I mean, they might get
additional information that ultimately could be misused if one
of the factors to authenticate who the taxpayer is is what was
your refund last year.
Mr. Koskinen. But you can't access the app without knowing
what the refund was.
Mr. George. Right.
Mr. Koskinen. It's a good point because authentication
depends on the nature of the risk. When our assumption is if
you're going to pay us on an online payment agreement, you're
unlikely to be a criminal. Criminals don't usually send us
checks. If you're checking for a piece of information like
where's my refund, you have to actually know what the refund is
that you're asking about. You can't just go in and say have I
got a refund coming. You have to put all of your personal
information in and you have to identify the exact dollar amount
of the refund to find out where it is. We had about 250 million
hits on that app already this year. Those people used to have
to call.
Mr. George. Now, keep in mind also--and this should've been
stated at the outset--there's the figure of 700 or 400,000,
800,000. That number is not accurate because if someone gets
access to information under the ``Get Transcript'' application
when it was up and running, they also have access to dependent
information and spouse information, so that number could be
exponentially higher in terms of potential victims of identity
theft or any other taxpayer mischief.
And then ultimately, again--and I'm glad that the
Commissioner--and he and his staff have been extraordinarily
cooperative, Congressman. But the IRS simply misjudged the risk
of the processes that they had in place when they first
instituted the ``Get Transcript'' program. They thought it was
a very low-risk endeavor, and it obviously turned out not to be
the case.
Mr. Westerman. I yield back, Madam Chair.
Chairwoman Comstock. Thank you.
And I now recognize Mr. Palmer for five minutes.
Mr. Palmer. Thank you, Madam Chairman.
Mr. Koskinen, one of the potential vulnerabilities that
concerns me is that government employees have access to the
federal system to access their personal emails, you know,
Facebook, Web sites, you know, online shopping using the
federal network. Has the IRS taken any action to restrict
access by their employees?
Mr. Koskinen. I'm not sure----
Mr. Palmer. In other words, do you allow your employees to
use the federal network for personal use?
Mr. Koskinen. No. Actually, you can't do personal email at
home and your government email is to be used for government
purposes. We are very strict about no one does work on their
own personal computer. They may do other things with their
personal computer. But basically, we restrict Web sites. We are
actually now taking another look at should we restrict even
access to more Web sites than there are now. But as a general
matter, people do their personal work on their personal
computers, do office work on their office computers.
Mr. Palmer. Thank you. Do you have a written policy that
you could provide the Committee?
Mr. Koskinen. A--I'm sorry, a----
Mr. Palmer. A written policy to that effect?
Mr. Koskinen. Written policy about that, I'd be delighted
to provide it to you.
Mr. Palmer. Thank you, sir. Last week, I had opportunity to
tour the Center for Information Assurance and the Joint
Forensics Research at the University of Alabama Birmingham. The
Center is doing fantastic work in the cybersecurity field
and producing talented students with the ability to make a real
difference in the field. It's under the leadership of Gary
Warner.
The thing that disturbs me in this is that, despite the
government's tremendous need for individuals with this skill
set, the Director of the Center explained that he has students
applying for jobs at the federal agencies who don't hear back
from them for months and they wind up getting jobs in the
private sector. And I'm talking about some of the very best. I
want to know if the IRS has taken any steps to expedite the
interview process for people with a skill set that we
definitely need?
Mr. Koskinen. All right. Well, certainly in that area, as a
general matter, as I say, our problem is we are not hiring very
many people at all. We'll shrink by another two to 3,000. The
only way we've been able to deal with the budget cuts, since 70
percent of our budget is people, is simply not replace people.
That's how we've shrunk by that much.
But IT is an area where we're trying to hire. The process
you mentioned is in fact, when you apply for a job in the
government, you go into the normal process, it takes three to
six months. Many times, it's several weeks or months before you
hear back when you've applied, and it's why, as we discussed
earlier, for us at the senior level of trying to get the best
people, the streamlined critical pay authority is so critical
because nobody is in greater demand than cybersecurity experts,
and if we tell them it's going to take you 3 to 6 months but
just sit tight and we really want to hire you, by the time we
get back to them, you know, they're not there anymore. And I
think that I take your point.
Mr. Palmer. Yes.
Mr. Koskinen. We have fewer than 300 people under age 25 in
the agency because we've not been able to hire. So those are
exactly the kind of people that we would love to hire and we
ought to be hiring and that we ought to be able to try to
figure out how to get into the system.
Mr. Palmer. Madam Chairman, I don't know what our
responsibility would be through the Committee, but I would like
to recommend that we develop a procedure that would expedite
the interview process for such critical personnel so that we
could get more of those highly skilled people into places where
they can help protect our IT systems.
Mr. Wilshusen, according to your testimony, the IRS
estimated, prevented, or recovered $22.5 billion in fraudulent
ID refunds, identity theft refunds in 2014, but paid $3.1
billion in fraudulent refunds. I don't know if the GAO has
looked into this, but those numbers are fairly obvious. It's
money that's leaving the system. But do you have any idea what
it costs the IRS to engage in prevention and recovery
activities? Because that's an additional cost to the federal
government.
Mr. Wilshusen. I do not.
Mr. Palmer. Chairman Koskinen, do you?
Mr. Koskinen. On cybersecurity, generally, we spend about
$150 million a year just on cybersecurity. We have about 3,500
people working on identity theft, devoted to that. We've never
pulled together the full cost of protecting against identity
theft and refund fraud, but it's obviously money well spent if
we're able to stop $25 billion from going out the door.
Earlier, there was a question on how accurate are those
numbers. We're pretty good at knowing which refunds we stopped.
The point is a good one. We can tell which refunds got out when
somebody--a legitimate taxpayer comes in. There's always an
uncertainty of which fraudulent refund went through where there
was no competing filing.
Mr. Palmer. If----
Mr. Koskinen. Those are the ones you don't know.
Mr. Palmer. What I'd like for you to do if you don't mind
is to provide the Committee with at least an estimate of what
you're spending on recovering fraudulent refunds.
Mr. Koskinen. Sure.
Mr. Palmer. Madam Chairman, if I may, I have one more
question.
Mr. Wilshusen, in the area of information security
controls, how many recommendations has the GAO made to the IRS
and how many of those recommendations remain unimplemented? And
how far back do those recommendations go?
Mr. Wilshusen. Okay. We have recommendations that remain
outstanding and open that go back to our report in 2011 and
2012 and so some of those recommendations actually pertain to
filing seasons or fiscal years from like 2010, 2011. We have
right now 94 open recommendations, but that includes 45 new
recommendations that we just made in March. And so other than
those, we do have 49 other recommendations that have been open
for over a year.
Mr. Palmer. Mr. George, same question, recommendations from
the IG's office?
Mr. George. Yes, I don't have off the top of my head the
exact number, but there are quite a few, and we have, for the
benefit of the IRS, prioritized those recommendations. Well, it
was just pointed out that as of March of this year the IRS has
23 open recommendations from 14 audits that we've provided them
between the years 2008 and 2016.
Mr. Palmer. My final question, and I promise this is the
final one, is a follow-up to Chairman Koskinen. Why is the IRS
unable to implement these GAO and IG recommendations? Assuming
that the agency concurs with them, when do you expect the IRS
to fully and successfully comply with the GAO and TIGTA
recommendations?
Mr. Koskinen. As I say, we value the partnership. I've
always been a fan of internal auditors in the 20 years in the
private sector as well. Our analysis is--for another purpose
was that we've had about slightly over 2,000 recommendations
from the IG and GAO across a wide range of areas, and about 80
percent of those have already been implemented.
In the security area, again--and the IG has started moving
that way--for both GAO and the IG, the ability to prioritize
those for us as to which they think are the most critical
allows us to then prioritize our work. We're limited obviously
by just time as well as resources, but time is one of them. But
we are committed in the security area to implement those as
quickly as we can.
And we will be providing Congress a report as quickly about
the most recent GAO recommendations. We, 60 days afterwards,
provide GAO and the Congress our timeline as to exactly what
the recommendations are and when they'll be implemented, and
we'll be providing you that report.
Mr. Palmer. Well, my final comment will be this: that when
you have recommendations from the IG's office that go back to
2008, that would indicate to me no intention to implement them.
I yield back. Thank you for your indulgence, Madam
Chairman.
Chairwoman Comstock. Thank you.
We're going to do a second round of questioning for those
who might want to stick around. And so I now recognize myself
for five minutes.
I did want to pick up on--Mr. Wilshusen, you had indicated
the increased budgets. I just want to make an observation
actually. In the report that the speaker had actually cited and
asked the question about--that I had asked was from Hill
newspaper articles saying the IRS cybersecurity staff was cut
as the budget rose and that was also--they referenced an IG
report that you had done, Mr. George, that it was also a
cybersecurity online report that referenced that also. So I'd
like to just put that into the record in recognition of what
you all had said.
[The information appears in Appendix II]
Chairwoman Comstock. But I also wanted to pick up on what
you testified about, Mr. Wilshusen, about the agency using
easily-guessed passwords, software patches not being done, and
you had said the IRS had inconsistent execution. Would this--
put it in a little more simpler way that people just weren't
doing their jobs. The people who were there, regardless of what
budgets and what things are being done, I mean, those are basic
cyber hygiene things that we've all heard about. I mean, we're
very familiar from the OPM breach and the hearings we had here.
So when I hear these kind of things that are very common
and the inconsistent execution really being people not doing
their jobs, would that be a correct assessment?
Mr. Wilshusen. Well, I think you're absolutely correct.
These are very common types of security practices that need to
be implemented. And they were not being consistently
implemented across the IRS. We think there are probably several
reasons why that occurs. In some respects, for example, we
looked at the IRS's security testing and evaluation procedures,
and we noted that they weren't always that successful in
identifying the same type of vulnerabilities that we
identified.
We also noted that when IRS implemented, for example--said
that it had implemented 28 of the recommendations that we
previously made, that it had not actually implemented nine of
those. That's a reflection of its information security
practices or its practices for closing our recommendations
before they were actually implemented.
So there's probably a number of reasons why these
conditions continue to exist, and certainly not performing
those functions and responsibilities in an appropriate manner
contribute to that.
Chairwoman Comstock. And I'd like to ask you and Mr.
George, given that right now there's basically no one in charge
of cyber at the IRS from what we've learned today----
Mr. Koskinen. I think that's unfair. That's not what I
said.
Chairwoman Comstock. Well, I'm asking Mr. Wilshusen and Mr.
George where we--is that--in terms of--you were asked earlier
about the safety. When these basic things that you're seeing--
and when they're telling you 28 of them have been implemented
but nine of those haven't, their own self-assessment is
inaccurate, you tell them what to do. The inconsistent
execution--I mean, execution is doing your job and being able
to do these basic tasks. Do you have confidence that you're
going to see this anytime soon?
Mr. George. Madam Chairwoman, we did make a recommendation,
which the IRS agreed to. The one kink in their armor was that
there was not a service-wide approach to cybersecurity. A
particular unit had a dedicated division that would interact
lightly with other units within the Internal Revenue Service,
but it wasn't across the board. And my understanding is that
the IRS and the Commissioner has agreed to change that.
Mr. Koskinen. And we've implemented that.
Chairwoman Comstock. And I would just note that, you know,
we had OPM before us--the Commissioner also noted that in the
private sector these things happen, but I would note that Ms.
Archuleta is no longer working at OPM. As our other CEOs of
companies where they had these major breaches, they were not
working there. So while--you know, Ms. Archuleta did move on.
And I think when we look at these issues, I don't have
confidence. I can't go back to those people, more than half of
whom in my district raised their hands when we hear about these
letters and their breaches, they certainly didn't have
confidence in OPM, and I know they don't have confidence with
the IRS. This is a pretty important area where we need to have
confidence, and I don't see it there.
And I think you've had other people move on when they
aren't having consistent execution of their jobs, and I think
what we've seen here today is not a lot of consistent execution
at all or confidence that there will be going forward.
So I will yield back my time. And if Mr. Lipinski--thank
you.
Mr. Lipinski. Thank you. There's a couple things I wanted
to go back to that have been mentioned. First, I want to ask--
and the Commissioner said that there'd been no breaches of the
database. Is that the understanding, Mr. George, Mr.
Wilshusen----
Mr. George. That----
Mr. Lipinski. --your understanding?
Mr. George. That is our understanding, sir, yes, of their
system itself----
Mr. Lipinski. Okay.
Mr. George. --of their hardware.
Mr. Lipinski. Do you have any--Mr. Wilshusen, any knowledge
of----
Mr. Wilshusen. No, I do not have knowledge of specific
incident. What I do know is that we identified a number of
vulnerabilities that increase the risk of such an incident. But
has one actually occurred on the databases I--we don't know of
one yet.
Mr. Lipinski. Okay. And the Commissioner had talked about
back in 2011, 2012 when these apps were being--online apps were
being developed, that the NIST technical requirements were
lower at that time. Now, first of all, is--Mr. George, is that
your--because you had talked about them not meeting the
requirements. Is that your understanding of how this happened?
Mr. George. It happened because of, again, the multifactor
authentication versus the single-factor authentication. And the
IRS took the approach that if they were to adopt the NIST
standard of multifactor authentication, which would have
included--in addition to the basic information--utility bills
and the like, that it would place an undue burden on taxpayers
as they attempted to interact with the IRS. And while that is a
laudable goal to make people's ability to comply with their
taxes as easy as possible, it also had the detrimental effect
of subjecting the IRS to vulnerabilities, which obviously
manifested themselves with the IP PIN and with the Get
Transcript application.
Mr. Lipinski. So, Commissioner, so was there a decision
made to go forward with less cybersecurity, less security
protection than the NIST requirements?
Mr. Koskinen. The NIST requirements start with, you know,
you have to show up in person is their fourth level. The third
level is you have to have multifactor authentication. The
second level is other identification. And then the NIST process
calls for them--there's no easy way to put everybody into one
of those categories for a risk assessment to be made and the
agency to decide at what level the risk is appropriately dealt
with. As we said earlier, if you're making an online payment,
that's a different risk issue.
When the system was developed, the determine--the review
and a determination was made that a standard used for
authentication, short of multifactor in the 2011 and '12 area,
was use of out-of-wallet questions in addition to other
identifiers. And in light of that and in light of the
effectiveness of the system, it was determined that that would
be an appropriate way to proceed pursuant to the NIST
standards.
And I would note in the last filing season 7 million people
downloaded 23 million legitimate transcripts. So----
Mr. Lipinski. Well, I want to--well, Mr. George had said
that a risk assessment was not done for IP PIN. Is that
correct, Mr. George? Is that----
Mr. George. A risk assessment was not done to the extent
that it should have been is--and that----
Mr. Lipinski. Okay.
Mr. George. --and what I was really referring to was that a
risk assessment was done for the Get Transcript, and they made
the wrong call. They--that's what I stated earlier----
Mr. Lipinski. Okay.
Mr. George. --in my testimony. But they made--they
considered----
Mr. Lipinski. The risk assessment----
Mr. George. --a very low risk----
Mr. Lipinski. --in your opinion, it seems like, from
experience, was not----
Mr. George. They made the wrong call.
Mr. Lipinski. --was--okay. I'll just use your words. They
made the wrong call. But there was a--so it wasn't just a--
because back in 2011, 2012 that NIST wasn't saying you should
have more. Obviously, after that and when this was in place
NIST was saying there should be higher requirements if this
needs level 3, if this reaches level 3, and it would seem that
it would because of the, you know--the type of information
that's at risk here. But the decision was made by the IRS to--
because of the inconvenience, that that wouldn't be required.
Now, is there a different opinion now moving forward on
this? And I think this is important not just for the IRS but
across federal agencies about having a risk assessment that,
you know, seems to be obviously in hindsight certainly and
maybe in foresight it should have an obvious that there should
have been a level 3 situation.
Mr. Koskinen. No, I think it's important, one of the things
we've done over the last 2-1/2 years since I've been there is
set up an enterprise-wide risk assessment program because the
point is exactly what's happened here. You may make a risk
decision and an assessment on any risk at a given point in
time. The question is you need to continue to review that at
least annually to see have the circumstances changed? Has the
nature of the risk changed? Has the risk-reward ratio changed?
To say we made a judgment that IG thought we made--should
have made a different judgment, but hindsight is always the
question of whether, you know--if we knew then what we know
now, we'd do a whole lot of things different. The real question
is, and I think we have a process now to do that, is on a
regular basis you should always review your risk assessments
because the circumstances will change. And clearly in
cybersecurity with the vast amount of personal data out there,
the level of authentication you need today is significantly
different than you would have needed four or five years ago.
Mr. Lipinski. Mr. George?
Mr. George. And just to clarify my statement a moment ago,
Congressman, the IRS did not complete an authentication risk
assessment for the identity--personal identification number,
the identity protection personal identification number. And
again, it was their thinking that it would be very burdensome
on taxpayers had they done so and implemented a process as a
result of that.
Mr. Lipinski. But I think sort of the bottom line of this
part right here, not just for the IRS but for all departments,
agencies across federal government is to do a good risk
assessment and to continue to consider that--reconsider that
and where it's been as things move very quickly. And I think
it's very important that that does occur everywhere as we move
forward.
So thank you. I yield back.
Mr. Hultgren. [Presiding] The gentleman from Illinois
yields back.
Chairwoman Comstock apologizes. She had a commitment in
Transportation Committee that she had to run to, but I will
yield myself five minutes for questions.
Just to follow up on Mr. Lipinski's question, Mr. George,
if the IG says that even at the lower risk level the IRS
process is not NIST-compliant, is that correct?
Mr. George. Repeat your question.
Mr. Hultgren. If the IG says that--yes, so if you say that
at the lower risk level the IRS process is not NIST-compliant,
is that what you're saying?
Mr. George. It is--correct, because they would not require
the additional information that NIST requested or mandated.
Mr. Hultgren. Okay. Let me get to some of my other
questions. First, I do want to thank you all for being here.
The federal government certainly does have a massive
cybersecurity problem, as we've seen most visibly with the OPM
data breach. We need to be doing more across the board to
prevent, identify, and thwart cybersecurity attacks.
I had the opportunity to visit the Department of Energy's
Cybersecurity Team at Germantown to get a crash course on the
bad actors that exist. I also saw how easily a company or
agency can find itself vulnerable. NIST develops the guidelines
that all federal nondefense agencies must follow. For industry,
they are minimal, a voluntary floor for our security. And it
seems to me, however, that an agency can just ignore these
rules, placing massive amounts of sensitive private information
of my constituents at risk.
Mr. Koskinen, if I can address this to you. In regular
business someone is usually responsible to accomplish their
task and are held responsible for their failure to do so. IRS
unfortunately has an abysmal record in holding their officials
accountable, as we saw with the Lois Lerner incident a few
years back. If you don't get fired for discriminating against
political organizations and destroying evidence, I don't know
how you would ever get fired at the IRS.
Mr. Wilshusen spoke about the enforcement actions that the
federal government and said that he does not know that OMB has
ever taken any action.
I appreciate your seemingly lamenting statement about the
burden of mandates such as ObamaCare that they have on your
agency, but all agencies have been strapped. And I think
keeping my constituents' private information safe should be one
of the highest priorities you have.
What internal actions have you taken considering you are
still noncompliant with basic NIST and OMB standards?
Mr. Koskinen. I think we are compliant with NIST standards,
as the Inspector General said. The prior authentication systems
are no longer appropriate, and we agree with that and have
taken those down. And in fact, with regard to go back in
history about what happened in the past, the entire chain of
command in the (c)(4) issues with regard to social welfare
organizations is shortly thereafter--none of them were in place
at the IRS. And so I don't think you can say people didn't
leave, were not held accountable.
But I do think it is important for people to be
accountable. I am actually talking to another Congressman now.
We have any number of people who are in fact dismissed every
year. For instance, we dismiss automatically anyone who uses
improper access to any taxpayer information, any IRS employee.
We discipline employees for being in default on their taxes. We
have the highest compliance rate of any federal agency by a
long shot, but even then, we take that very seriously. So I
think it's not fair to imply that in fact people are not held
accountable.
In cybersecurity we are dealing with a rapidly changing
circumstance fighting increasingly organized and sophisticated
criminal elements around the world. We are--as you say, we
regret that we've had the difficulties we've had. We've had
significant successes at the same time. We value the
partnerships we have with the IG and the GAO and we're working
to implement their security suggestions as quickly as we can.
Mr. Hultgren. I would say in certainly the most high-
profile situations we haven't seen that accountability and my
constituents haven't, and they still are very fearful of their
information.
Let me address--I just have a minute left--to Mr. George.
In your prior testimony, Mr. Koskinen had stated that access to
the ``Get Transcript'' application requires multistep
authentication. Is multistep the same as multifactor
authentication? If not, what is the difference, and could the
use of the term multistep be disingenuous as it might confuse
people into thinking they are the same?
Mr. George. They're the same. They're the same so----
Mr. Koskinen. And if I said multistep, multifactor is the
term of art, and that's what we're working toward.
Mr. Hultgren. Okay. Well, again, thank you all for being
here, appreciate your work. This is obviously an ongoing
concern for our constituents. They're frightened, quite
honestly, of what could happen and might happen if their
information is compromised. So I want to thank you all for
being here.
And I'll yield back the balance of my time and I will thank
the witnesses for their testimony and the members for their
questions. The record will remain open for two weeks for
additional written comments and written questions from members.
The hearing is adjourned.
[Whereupon, at 11:51 a.m., the Subcommittee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by The Honorable John Koskinen
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by The Honorable J. Russell George
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Gregory Wilshusen
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Report submitted by Subcommittee Chairwoman
Barbara Comstock
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Report submitted by Subcommittee Chairwoman
Barbara Comstock
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Report submitted by Subcommittee Chairwoman
Barbara Comstock
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Statement submitted by Committee Ranking Member
Eddie Bernice Johnson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]