[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]



 
                     CAN THE IRS PROTECT TAXPAYERS'
                         PERSONAL INFORMATION?

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             April 14, 2016

                               __________

                           Serial No. 114-72

                               __________

 Printed for the use of the Committee on Science, Space, and Technology

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

       Available via the World Wide Web: http://science.house.gov

                              ________

                U.S. GOVERNMENT PUBLISHING OFFICE

 20-842 PDF              WASHINGTON : 2017       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001   

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas             ELIZABETH H. ESTY, Connecticut
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon
GARY PALMER, Alabama                 ERIC SWALWELL, California
RALPH LEE ABRAHAM, Louisiana         EDDIE BERNICE JOHNSON, Texas
DARIN LaHOOD, Illinois
LAMAR S. SMITH, Texas

                            C O N T E N T S

                        Thursday, April 14, 2016

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Daniel Lipinski, Minority Ranking Member, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

                                Witness:

The Honorable John Koskinen, Commissioner, Internal Revenue 
  Service
    Oral Statement
    Written Statement

The Honorable J. Russell George, Inspector General, Treasury 
  Inspector General for Tax Administration
    Oral Statement
    Written Statement

Mr. Gregory Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office
    Oral Statement
    Written Statement
Discussion

             Appendix I: Answers to Post-Hearing Questions

The Honorable John Koskinen, Commissioner, Internal Revenue 
  Service

The Honorable J. Russell George, Inspector General, Treasury 
  Inspector General for Tax Administration

Mr. Gregory Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office

                          Appendix II: Slides

Document submitted by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives

Document submitted by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives

Document submitted by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives

Statement submitted by Representative Eddie Bernice Johnson, 
  Ranking Member, Committee on Science, Space, and Technology, 
  U.S. House of Representatives


                     CAN THE IRS PROTECT TAXPAYERS'
                         PERSONAL INFORMATION?

                              ----------


                        THURSDAY, APRIL 14, 2016

                  House of Representatives,
           Subcommittee on Research and Technology,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:05 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee] presiding.

 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairwoman Comstock. The Committee on Science, Space, and 
Technology will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Committee at any time.
    Good morning, and welcome to today's hearing titled ``Can 
the IRS Protect Taxpayers' Personal Information?'' I now 
recognize myself for five minutes for an opening statement.
    As someone who, myself, received one of those IRS letters 
telling me that my tax information had been possibly 
compromised, as the deadline to file taxes winds down, you 
know, certainly the only question on taxpayers' minds should be 
when they will receive their tax refund and not whether someone 
else has already beaten them to it. You know, as I said, I 
received that letter actually last year informing me that my 
account may have been compromised, but recent news reports and 
audits of the Internal Revenue Service by the Treasury 
Inspector General for Tax Administration and the U.S. 
Government Accountability Office would suggest otherwise.
    On May 26, 2015, the IRS announced that criminals had 
gained unauthorized access to taxpayer information through its 
online ``Get Transcript'' application by accurately answering 
taxpayers' security questions. At first, as it shut down the 
application, the IRS claimed that around 100,000 taxpayers' 
accounts had been accessed out of about 200,000 total attempts. 
Since then, those numbers have been revised to approximately 
340,000 in August, and as of this February this year to over 
700,000 taxpayers who have had their personal and tax data 
stolen. So I guess I'm in a lot of company.
    The theft of this data enabled hackers to access 
information from prior tax returns, which resulted in 
fraudulent tax claims. Approximately 15,000 of the fraudulent 
tax claims were successfully filed with the IRS leading to an 
estimated $50 million in illicit refunds--$50 million in 
illicit refunds to people who have stolen information and who 
had no right to that $50 million.
    Then on March 7, 2016, the IRS suspended the Identity 
Protection Personal Identification Number--or IP PIN--
application due to security concerns. The IRS began issuing IP 
PINS five years ago to victims of identity theft as an 
additional layer of security when they filed their taxes. But 
the system to protect the IP PIN application was the same as 
the ``Get Transcript'' application that was hacked last year. 
While the IRS suspended the ``Get Transcript'' application in 
May, it did not--May of last year--it did not suspend the IP 
PIN application until last month, during which time at least 
one individual had her taxpayer information stolen and used to 
file a fraudulent tax return.
    I understand and sympathize with the frustrations of the 
American public and the hardworking taxpayers over these 
incidents. And what makes matters worse is that no one had to 
break into the IRS system to access information. Instead, the 
criminals used information from other cyber-attacks to 
accurately answer questions on the IRS website to access 
information they should not have been able to access, and may 
not have been able to access had the agency followed security 
guidelines provided by the National Institute of Standards and 
Technology. This ostensible lack of compliance with NIST 
guidelines is disconcerting, to say the least.
    While I appreciate the IRS's efforts to accommodate most 
people's desire to access their tax information electronically, 
it cannot do so at the expense of their security. Again, as 
someone whose own information was possibly compromised, we 
never know in last year's OPM hack, I assure you, more security 
is better than less. This would also help many of my federal 
employee constituents who were impacted by the OPM breach, and 
I can tell you, as I go around to dozens and dozens of events 
and businesses, one of the first questions I ask them is, how 
many of you have had your information breached, how many of you 
have gotten those letters, because I've gotten two of them. I 
had my OPM information also breached. And it is rare that I 
don't have half of the hands at any meeting in my district go 
up, that they have had some type--they've gotten one of those 
letters from the government. As one of the largest health 
insurance providers in the Commonwealth, the Anthem hack also 
hit close to home for us.
    I look forward to hearing from our witnesses today, and I 
thank you all again for being here.
    [The prepared statement of Chairwoman Comstock follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Before I recognize the Ranking Member, 
I would like to ask unanimous consent to enter into the record 
a couple of reports relevant to the hearing: one by the GAO and 
one by TIGTA. I also plan to submit my letter minus some of the 
personal information just so we have a sample of that. So 
without objection, so ordered.
    [The information appears in Appendix II]
    Chairwoman Comstock. And I now recognize the Ranking 
Member, the gentleman from Illinois, Mr. Lipinski, for an 
opening statement.
    Mr. Lipinski. Thank you Chairwoman Comstock for holding 
this hearing and welcome to the witnesses today. Today we'll be 
discussing cybersecurity breaches at two IRS online service 
portals.
    Just about every American can expect to interact with the 
IRS during his or her life, and the agency's responsibilities 
make it privy to significant amounts of personal information 
about all of these individuals. Consequently, the data breaches 
at the IRS are particularly troubling and we should closely 
examine what the IRS has done wrong when it comes to protecting 
the personal information of Americans, how it can do better in 
regard to cybersecurity, and what Congress can do to better 
support IRS cybersecurity efforts. In meeting their obligation 
to pay taxes, Americans should have confidence that the IRS is 
taking all possible steps to protect them from cyber thieves.
    Cybersecurity remains an evolving challenge across federal 
agencies as well as the private sector. Standards that were 
leading edge a year ago may be outdated today. Security is not 
a one-time goal to be achieved and placed on autopilot; it is a 
process that requires vigilance, continual learning, and fast 
dissemination of critical information to prevent and respond to 
new threats. While no entity, public or private, can protect 
data with 100 percent certainty, we must be nimble in learning 
from failures or missteps in cybersecurity policies and 
procedures.
    To this end, we should heed the careful and detailed 
recommendations of the GAO and the Inspectors General. We must 
also ensure that decisions on cybersecurity policies are backed 
by a process that supports accountability, robust and forward-
looking decision-making, and a clear sense of the consequences 
that can stem from data security failures.
    Unfortunately, it is not at all apparent from the recent 
breaches at the IRS that the agency's policies were governed by 
such a comprehensive process. The two breaches that we are 
discussing today--the Get Transcript application and the 
Identity Protection PIN application--should not be viewed in 
isolation. Both of these breaches were facilitated in part by 
the same security weakness, namely the overreliance on out-of-
the-wallet questions derived from credit report data. While in 
principle the answers to such questions should only be known by 
taxpayers, in practice they can often be guessed or uncovered 
from sources such as social media or websites compiling public 
record data. As a result, a breach in one application should 
have tipped off the IRS that the other was vulnerable as well. 
Yet the agency continued to make online IP PIN retrieval 
available long after shutting down the Get Transcript 
application because of security concerns. Further, the agency 
continued to do so even after the Treasury Inspector General 
for Tax Administration warned the IRS to shut down the IP PIN 
tool as well.
    We must get clarity on what steps the IRS is taking to 
ensure internal information sharing so that any breaches and 
their implications are quickly assessed across the entire 
organization and not just separate units or staff dealing 
directly with a problem at hand. Further, we must examine why 
the IRS ignored or deprioritized the TIGTA recommendation to 
shut down the IP PIN tool. Simply put, given how one breach 
built on the other, this should not have occurred.
    In the context of this hearing, it is important to talk 
about NIST, an agency that this Subcommittee has jurisdiction 
over. NIST plays an important role in developing technical 
standards and providing expert advice to agencies across the 
government as they carry out their responsibilities under the 
Federal Information Security Management Act, or FISMA.
    It is clear that the IRS did not follow the risk analysis 
or cybersecurity and authentication standards set by NIST when 
it set up these portals. The most important question is 
``why?'' Was it a lacking--was it a lack of understanding of 
the standards? In this case, we need to have NIST here to talk 
about the standards and how to make them more clear. Or are 
there technical barriers to implementing the NIST standards at 
all? In this case, we need to have information on why these 
applications were allowed to go live in the first place. Or was 
this a strategic decision driven by tradeoffs between consumer 
convenience and security? These were put online to make the 
experience of taxpayers with the IRS better and easier. But if 
that's the case, we must be clear: the IRS has a unique role 
among federal agencies and holds information on taxpayers that 
few others have. Protection of taxpayer data must be a top-
level priority, and we must work to ensure that a breach of 
this nature doesn't happen again.
    Finally, I'd like to note that successful data security 
efforts depend on agencies being able to hire experienced 
cybersecurity professionals as well as having budgetary 
resources specifically directed toward security infrastructure. 
While some security failures at the IRS raise oversight 
questions about decision-making protocols at the management 
level, we also cannot ignore that successful implementation of 
good security practices costs money. Although this is beyond 
the scope of our Committee's jurisdiction, I am concerned that 
Congress has yet to reauthorize IRS's streamlined critical pay 
authority which helps the agency compete with the private 
sector for top cybersecurity talent. And as Congress makes 
funding decisions for the coming fiscal year, we must ensure 
that we provide resources to match current IT-specific needs.
    I look forward to this morning's discussion, and I yield 
back the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Thank you, and I now recognize the 
chairman of the full Committee, Mr. Smith.
    Chairman Smith. Thank you, Madam Chair, and I appreciate 
the witnesses being here today.
    In this Congress, the Science Committee has held half a 
dozen hearings on cybersecurity issues and vulnerabilities at 
federal agencies, and we continue to hear the concerns of 
millions of Americans who quite frankly don't trust the federal 
government to protect their personal information from cyber 
criminals. Too many federal agencies fail to meet the basic 
standards of information security. We've seen this with 
HealthCare.Gov and the cyber breach at the Office of Personnel 
Management. The same is true for the IRS.
    According to a report published last November by the 
Treasury Inspector General for Tax Administration, the IRS's 
identity authentication methods for online services do not 
comply with Government Information Security Standards. In other 
words, the IRS has not taken the necessary steps to ensure that 
individuals are who they claim to be before handing over 
Americans' confidential tax information. As a result of these 
vulnerabilities, the TIGTA report found that, ``unscrupulous 
individuals have gained unauthorized access to tax account 
information.''
    The U.S. Government Accountability Office has identified a 
number of ongoing cybersecurity system gaps and IRS failures to 
fully implement certain security controls. The report found 
that of 28 prior GAO cybersecurity recommendations to the IRS, 
nine have not been effectively implemented. These gaps could 
open the door for cyber criminals to steal confidential 
taxpayer data.
    The past year's IRS breaches are especially troubling. 
Taxpayer data was fraudulently accessed, not through a forcible 
compromise of the computer systems, but by hackers who 
correctly answered security questions that should have only 
been answerable by the actual individual. The hackers likely 
accessed the requisite data from prior high-profile hacks.
    Last year's OPM and Anthem Health Insurance breaches 
compromised the information of over 100 million people. This 
included the names, addresses, dates of birth, and Social 
Security numbers of the victims. For cyber criminals, this 
information is similar to making duplicate keys to your house. 
It's a license to steal whenever and wherever the criminals 
find an opportunity.
    The IRS security breach demonstrates once again that 
rigorous adherence to all cybersecurity protections must be the 
top priority for every federal agency. Slow responses and 
partial measures at the IRS do not protect innocent Americans 
from these cyber-attacks. The government should be accountable 
to the people and keep Americans' sensitive information secure.
    Thank you, Madam Chairman, and I'll yield back.
    [The prepared statement of Chairman Smith follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Thank you.
    And now I will introduce our witnesses. Our first witness 
today is the Honorable John Koskinen, 48th Commissioner of the 
Internal Revenue Service. Prior to his appointment, he served 
in executive roles at Freddie Mac and 21 years in the private 
sector in various leadership positions. He received his 
bachelor's degree from Duke University and a law degree from 
Yale. He also studied international law for one year in 
Cambridge, England.
    Our second witness today is the Honorable Russell George, 
Treasury Inspector General for Tax Administration. Prior to his 
confirmation by the Senate in 2004, Mr. George served as the 
Inspector General of the Corporation for National and Community 
Service. His government service also includes working at the 
White House Office of Management and Budget as Assistant 
General Counsel, and working here in Congress as Staff Director 
and Chief Counsel of the then-named Government Management 
Information and Technology Subcommittee. Mr. George received 
his bachelor of arts degree from Howard University and his 
doctorate of jurisprudence from Harvard University's School of 
Law.
    Our third and final witness today is Mr. Gregory Wilshusen. 
Mr. Wilshusen is the Director of Information Security Issues at 
the Government Accountability Office, where he leads 
cybersecurity and privacy-related studies and audits of the 
federal government in critical infrastructure. Prior to joining 
GAO in 1997, he held a variety of public- and private-sector 
positions. He is a certified public accountant, certified 
internal auditor, and certified information systems auditor. He 
received his bachelor of science degree in business 
administration from the University of Missouri and his master 
of science in information management from George Washington 
University.
    I now recognize the IRS Commissioner for five minutes to 
present his testimony.

           TESTIMONY OF THE HONORABLE JOHN KOSKINEN,

             COMMISSIONER, INTERNAL REVENUE SERVICE

    Mr. Koskinen. Thank you, Chairman Smith, Chairwoman 
Comstock, Ranking Member Lipinski, and members of the 
Subcommittee. I appreciate the opportunity to discuss with you 
today the IRS's ongoing efforts in regard to cybersecurity and 
identity theft. Securing our systems and taxpayer data 
continues to be a top priority for the IRS. Even with our 
constrained resources as a result of repeatedly decreased 
funding over the past few years, we continue to devote 
significant time and attention to this challenge. We work 
continuously to protect our main computer systems from cyber-
attacks and to safeguard taxpayer information stored in our 
databases. These systems withstand more than one million 
attempts to access them each day.
    We're also continuing to battle a growing problem of stolen 
identity refund fraud. Over the past few years, we've made 
steady progress in protecting against fraudulent refund claims 
and criminally prosecuting those who engage in this crime.
    But we've found the type of criminal we are dealing with 
has changed. This problem used to be random individuals filing 
a few dozen or a few hundred false tax returns at a time. Now 
we're dealing more and more with organized-crime syndicates 
here and in other countries. They're gathering unimaginable 
amounts of personal data as noted from sources outside the IRS 
so they can do a better job of impersonating taxpayers, evading 
our return processing filters, and obtaining fraudulent 
refunds.
    To improve our efforts against this complex and evolving 
threat, in March 2015 we joined with the leaders of the 
electronic tax industry and the private sector, the software 
industry and the states to create the Security Summit Group. 
This is an unprecedented partnership that is focused on making 
the tax filing experience safer and more secure for taxpayers 
in 2016 and beyond.
    Our collaborative efforts with the private sector and state 
tax commissioners have already shown concrete results this 
filing season. For example, Security Summit partners have 
helped us improve our ability to spot potentially false returns 
before they are processed. Over the past year, we've seen three 
examples of what identity thieves are capable of and why we 
can't let up in this fight. In each case we detected and 
stopped unauthorized attempts to access online services on our 
website, IRS.gov, by criminals masquerading as legitimate 
taxpayers. One of the services targeted, as noted, was our ``Get 
Transcript'' online application used by taxpayers to quickly 
obtain a copy of their prior year return. Another, as noted, 
was the online tool to retrieve lost identity protection 
personal identifier numbers, or IP PINs. Taxpayers who 
previously were victims of identity theft used these PINs to 
prove their identity when they filed a return. And the third 
was a tool that some people used to generate a PIN number when 
they e-filed their tax returns. In all three cases, criminals 
were trying to use our online tools to help them pretend to be 
legitimate taxpayers and sneak false returns past our 
fraud filters. These incidents, which unfortunately in the case 
of ``Get Transcript'' access, resulted in the loss of taxpayer 
information for thousands of taxpayers before the application 
was disabled, have shown us that improving our reaction time to 
suspicious activity isn't enough. We need to be able to 
anticipate the criminals' next moves and attempt to stay ahead 
of them. The ongoing work of the Security Summit Group will be 
critical to our success here.
    As we confront the challenge of identity theft, we're also 
working to expand and improve our ability to interact with 
taxpayers online to meet taxpayers' increasing demand for 
digital services. We are aware, however, that in building 
toward this enhanced online experience, we must continually 
upgrade and improve our ability to verify the identity of 
taxpayers using these services. Taxpayers will only use these 
services if they're confident that they are safe and secure. So 
we're in the process of developing a strong, coordinated 
authentication framework.
    We have a delicate balance to maintain here. We need to 
keep the criminals out while letting the legitimate taxpayers 
in. Our goal is to have the strongest possible authentication 
process for our ongoing services while maintaining the ability 
of taxpayers to access their data and use IRS services online.
    Congress can provide critical support by providing adequate 
resources for these efforts. We appreciate the $290 million in 
additional funding Congress provided for fiscal 2016, which 
included funds to improve cybersecurity and fight identity 
theft. We used over $100 million of that funding and are using 
it now in those areas. Sustaining and increasing funding in 
this area will be critical as we move forward.
    Another way Congress can help us is by passing legislative 
proposals to improve tax administration and cybersecurity. One 
of the most important requests we have made is for the 
reauthorization of streamlined critical pay, the loss of which 
has made it very difficult, if not impossible, to recruit and 
retain employees with expertise in highly technical areas such 
as information technology.
    Chairman Smith, Chairwoman Comstock, Ranking Member 
Lipinski, and members of the Subcommittee, this concludes my 
statement. I'd be happy to take your questions.
    [The prepared statement of Mr. Koskinen follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Mr. George.

         TESTIMONY OF THE HONORABLE J. RUSSELL GEORGE,

                       INSPECTOR GENERAL,

       TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

    Mr. George. Thank you, Chairwoman Comstock, Ranking Member 
Lipinski, Chairman Smith, and members of the Subcommittee. 
Thank you for the opportunity to testify on the IRS's actions 
to protect taxpayers' personal information.
    For the last six years, we have identified the security of 
taxpayer data as the most serious management challenge 
confronting the IRS. Based on our work on information 
technology security, TIGTA has identified a number of areas in 
which the IRS could do better to protect taxpayer data.
    The IRS has been moving towards providing more services 
through the internet referred to as online services. Web 
applications that provide online services must be set up in a 
secure manner. Even without breaching the security of the 
application or hardware, hackers can pose as legitimate users 
in order to make it through the authentication process and 
obtain sensitive data.
    Recent security incidents, as has been noted at the outset 
of this hearing, that involved two of the IRS's online service 
applications, are prime examples of what can go wrong when 
security is inadequate. While the IRS had established processes 
and procedures to authenticate individuals requesting online 
access to IRS services, they did not comply with government 
standards. For example, the processes that the IRS used to 
authenticate users of the ``Get Transcript'' and Identity 
Protection Personal Identification Number applications required 
only single-factor authentication. However, government 
standards require multifactor authentication for such high-risk 
applications. Of further concern, the authentication framework 
used for these applications did not comply with government 
standards for single-factor authentication.
    In August 2015, the IRS reported that unauthorized users 
had been successful in obtaining tax information on the ``Get 
Transcript'' application for an estimated 334,000 taxpayer 
accounts, as you noted, Madam Chairwoman. To prevent further 
unauthorized access, the IRS removed the application from its 
website. TIGTA's subsequent review of the ``Get Transcript'' 
breach identified additional suspicious accesses to taxpayers' 
accounts that the IRS had not identified. Based on TIGTA's 
analysis, the IRS reported on February 26th of this year that 
potentially unauthorized users had been successful in obtaining 
access to an additional 390,000 taxpayer accounts, again, as 
has been noted.
    We also reported in November 2015 that the IRS did not 
complete the required authentication risk assessment for its 
Identity Protection PIN application and recommended that the 
IRS not reactivate this application for the 2016 filing season. 
However, the IRS reactivated the application on January 19th of 
this year. We issued a second recommendation to the IRS on 
February 24th advising it to remove the Identity Protection PIN 
application from its public website. On March 7th, the IRS 
reported that it was temporarily suspending use of the Identity 
Protection PIN application as part of an ongoing security 
review.
    The IRS does not anticipate having the technology in place 
for either the ``Get Transcript'' or Identity Protection PIN 
application to provide multifactor authentication capability 
before the summer of 2016. In addition, TIGTA's assessment of 
the IRS's compliance with information security standards and 
guidelines found that while the IRS information security 
program generally complied with the requirements of FISMA--the 
Federal Information Security Modernization Act--there were 
three security program areas which did not, and they are 
continuous monitoring management, configuration management, and 
identity and access management. Until the IRS takes steps to 
improve these security program deficiencies and fully implement 
all security program areas in compliance with requirements, 
taxpayer data will remain vulnerable to inappropriate and 
undetected use, modification, or disclosure.
    Chairman Comstock, Ranking Member Lipinski, Chairman Smith, 
Members of the Subcommittee, thank you for the opportunity to 
share my views.
    [The prepared statement of Mr. George follows:]
    
    
    Chairwoman Comstock. Thank you.

         TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,

                  INFORMATION SECURITY ISSUES,

             U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairwoman Comstock, Ranking Member 
Lipinski, Chairman Smith, and Members of the Subcommittee, 
thank you for the opportunity to testify on IRS's Information 
Security program.
    As part of GAO's annual audit of IRS's financial 
statements, we examined the information security controls over 
the Service's financial and tax processing systems. As we 
reported in March, IRS has implemented numerous protections 
over these systems but weaknesses remain in controls that are 
intended to prevent, detect and limit unauthorized access to 
systems and the information they contain.
    IRS had developed controls for identifying and 
authenticating the identity of users and servers. However, they 
were inconsistently implemented. For example, the agency used 
easily guessed passwords on servers supporting several systems 
including those relating to procurements, automated file 
transfers, management of taxpayer accounts, and processing of 
electronic tax payment information. In addition, users were 
granted excessive access permissions on 11 of 14 systems we 
reviewed including on one system which allowed users to access 
or change tax payment-related data.
    IRS policies require use of encryption, and the agency 
continued to expand its use. However, sensitive administrative 
credentials were not encrypted on key systems that we reviewed. 
Software patches were often not installed in a timely manner on 
several systems including at least one critical patch that has 
been available since August 2012. To its credit, IRS had 
established contingency plans for the systems we reviewed, which 
help to ensure that critical operations can continue when 
unexpected events occur. Nevertheless, the control weaknesses 
we identified were caused in part by IRS's inconsistent 
execution of its information security program. Including the 45 
new recommendations we made in March, IRS has yet to implement 
94 of our recommendations. Implementing these recommendations 
will assist IRS in bolstering its information security and 
protection over taxpayer information. Until it does so, 
taxpayer and financial data will continue to be exposed to 
unnecessary risk.
    The importance of protecting taxpayer information is 
further highlighted by the recent incidents involving the ``Get 
Transcript'' online service and the billions of dollars that 
have been lost to identity theft refund fraud. This type of 
fraud occurs when a criminal obtains personally identifiable 
information of a legitimate taxpayer and uses it to file a 
fraudulent return seeking a refund. Because of its continuing 
significance, we added IRS's efforts to combat identity theft 
refund fraud to our high-risk area on the enforcement of tax 
laws. IRS has acted to address this problem but additional 
actions are needed.
    In January 2015, we reported that its tools for 
authenticating the identity of taxpayers using e-file had 
limitations and recommended that IRS assess the risks, costs 
and benefits of its authentication options.
    To assist and guide federal efforts, OMB--the Office of 
Management and Budget--and the National Institute of Standards 
and Technology play a key role in developing information 
security policies, standards, and guidelines for federal 
agencies. Among other things, OMB and NIST have developed 
guidance for agencies implementing e-authentication protocols. 
OMB is responsible for overseeing and holding agencies 
accountable for complying with information security 
requirements such as those provided in the Federal Information 
Security Modernization Act of 2014.
    In summary, IRS has made progress implementing security 
protections over its tax-processing and financial systems. 
However, it needs to do more to adequately safeguard taxpayer 
data. Until IRS fully implements all of our recommendations to 
mitigate deficiencies in access and other controls, to 
consistently implement elements of its Information Security 
program, and to assess the risks, costs and benefits of its 
authentication options, taxpayer information will remain at 
unnecessary risk.
    Chairwoman Comstock, Ranking Member Lipinski, Chairman 
Smith, this concludes my statement. I'd be happy to answer your 
questions.
    [The prepared statement of Mr. Wilshusen follows:]
    
    Chairwoman Comstock. Thank you, and I thank all of you, and 
I now recognize myself for five minute questions rounds. We'll 
be having our questions now.
    Mr. Koskinen, I'd like to read you a quote from Mr. George 
which said ``It continues to identify''--TIGTA does--
``significant security weaknesses that could affect the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer information.''
    Now, we have no choice--I've got my LifeLock but I've got 
to send it in anyway--to send in all our personal information 
to the IRS even though we don't know that you're not doing 
enough to secure that data, as we've heard here today. Can you 
right now assure the American taxpayers, our hardworking 
taxpayers who are going to be working over the weekend--because 
it's not due until Monday this year, so they're going to be 
turning it in on Monday--that the IRS information, you know, 
that their data is 100 percent secure?
    Mr. Koskinen. I don't think there's any financial 
institution of any size in the world that can give you 100 
percent guarantee. As you noted, the organized criminals we're 
dealing with are increasingly sophisticated and well-funded but 
I can tell you it is the highest priority for us. I can tell 
you that, knocking on wood thus far, our basic database, 
notwithstanding the over million attacks a day, continues to 
remain secure. We have not had a data breach into the database 
but we do not think that that necessarily means we can stop. In 
fact, we're using $95 million of the additional funding that 
Congress gave us on cybersecurity to deal with in fact the 
issues that you've heard about, that is, continuous monitoring, 
being able to in fact segment our systems to protect them.
    So all I can tell you is, we're doing everything we can at 
this point. The basic database has been secure. We hope it will 
be secure. But as I say, I can't give you 100 percent guarantee 
it'll always be secure.
    Chairwoman Comstock. Now, my understanding, and actually 
the Speaker was interested in this hearing as he's been 
interested in what's going on with the IRS, and he had asked 
about the IRS cybersecurity staff has been cut as the budget 
increased. Why did the agency cut its cybersecurity staff when 
they received additional resources?
    Mr. Koskinen. That's an incorrect statement. The 
cybersecurity staff--all of our staff, we're down 15,000 
people. We'll be down 17,000 people over the last five years 
because of budget cuts. The cybersecurity staff, the IT staff, 
in fact, has gone up somewhat. Our budget for IT has gone down 
$200 million over the last five years. We are using the $95 
million of the $290 million, as I said, for cybersecurity and 
we're hiring 55 additional new people in information technology 
to deal with cybersecurity. So there has been no significant 
cut in cybersecurity compared to anything else. We have far 
more people lost in revenue agents, officers and criminal 
investigators. So I would stress, when we've been given the 
money, and I think the year will establish it, we put it to work 
effectively and efficiently. These are taxpayer dollars that 
deserve to be spent wisely.
    Chairwoman Comstock. Okay, and now who is the person who is 
in charge of cybersecurity at the IRS?
    Mr. Koskinen. The person in charge of cybersecurity left a 
few weeks ago. He was one of the people on streamline critical 
pay, and without the reauthorization, we're trying to fill that 
spot. All of it reports to our Chief Technology Officer, also 
who will be leaving because of the expiration of streamline 
critical pay. It is important for everyone to understand, we 
have----
    Chairwoman Comstock. So right now the person who's in 
charge of cybersecurity is leaving and the person----
    Mr. Koskinen. Has left.
    Chairwoman Comstock. Has left, and----
    Mr. Koskinen. The person he reports to----
    Chairwoman Comstock. --the person who he's reporting to, 
the CTO, so the cybersecurity leadership has left the building?
    Mr. Koskinen. We have people replacing them internally but 
what we need, as Congressman Lipinski said, Congress needs to 
give us the reauthorization to allow us to hire the highest 
skilled, capable IT security experts we can. We struggle 
otherwise. We find good people in the private sector and say if 
you'll sit there for three to six months while we work you 
through the process and fill out the applications, we'll be 
able to hire you, and these people are in great demand. Our 
people are in great demand. The people who are leaving are 
being recruited by the best companies in the world.
    Chairwoman Comstock. Well, certainly you've been aware of 
the problems here in cybersecurity given all the recent 
breaches, so when this--you know, you don't have these people 
now but what kind of planning had been going into this so you'd 
have that kind of talent pool when this expired, when you lost 
the people.
    Mr. Koskinen. We have succession plans. We have replaced 
the Director of Cybersecurity on an acting basis but that's one 
of the reasons that the most critical request we have for 
Congress is to give us the additional support we need to bring 
people of the highest skills into the agency.
    Chairwoman Comstock. Okay. Now, have you talked with other 
agencies about how they're dealing with cybersecurity and----
    Mr. Koskinen. We talk with them all the time. We work 
closely with the Department of Homeland Security, the Justice 
Department, the FBI, others, and----
    Chairwoman Comstock. And how often do you personally have 
meetings with these cybersecurity leaders within the agency?
    Mr. Koskinen. I've met with the Secretary of the Department 
of Homeland Security and I've met with----
    Chairwoman Comstock. No, I mean with these people who just 
left. What type of meetings did you have sort of to emphasize 
that this was--you say it's a top priority so it's the top 
priority and we have the two people who are leaving, I was 
wondering how often you were--okay, you guys are leaving, who 
do we have to replace and what are we doing for the succession 
plan?
    Mr. Koskinen. I met with the Chief Technology Officer 
probably every two weeks. I have a regular monthly meeting with 
him for over an hour to review all of the matters of 
information technology. He participated in all of our senior 
executive meetings.
    Chairwoman Comstock. I see my time has expired. Now I'll 
recognize Mr. Lipinski for five minutes.
    Mr. Lipinski. Thank you.
    I want to say I'm--no one's happy here having to do their 
taxes right now, and fortunately my wife's an actuary and she 
takes over those duties. She'll be working on finishing this 
weekend. But I'm not here to beat up the IRS. I don't want to 
beat up the IRS. It's not my purpose. It's not because of the 
TV cameras here. But I think we need to know what has gone 
wrong and why, and get a guarantee that that is not going to 
happen again.
    Now, there's no 100 percent guarantee of security. We know 
that. We have to accept that. We strive for that, hopefully 
everyone should be striving for that in both the public and 
private sector, but there's no 100 percent guarantee.
    But I want to understand the reasons for the issues that 
Mr. George and Mr. Wilshusen had--the issues that they brought 
up such as the IRS didn't use the multifactor authentication, 
that the risk assessment wasn't done for IP PIN, and on top of 
that, there were two requests from TIGTA before IP PIN was 
taken down, and that there are 94 recommendations from GAO that 
have yet to be implemented. Why have these things happened? Is 
it a lack of understanding of the NIST standards, technical 
requirements? Is it a lack of ability within the IRS to do 
cybersecurity correctly? What is it that caused these issues in 
the past and why should we sit here and believe that those same 
things are not going to happen in the future, or is there 
something--is there anything wrong with what we've heard about 
these issues in the past? Is anything incorrect about those or 
did those happen, and why should we expect that they're not 
going to happen in the future?
    Mr. Koskinen. As you noted, we're dealing with a moving 
target. Life is getting more complicated. The challenges are 
more sophisticated. When the Get Transcript application was 
designed and formulated in 2011 and 2012, the out-of-wallet 
questions were in fact a standard way of verification that was 
used by banks and financial institutions. The analysis was 
done, and the determination was made that at that time that was 
the appropriate authentication in light of the balance, as you 
know, between convenience for the consumers and the risks. As 
identity fraud and identity theft have increased and the 
sophistication has increased, it has become clear that 
questions that used to be answered only by the taxpayer now are 
actually more easily answered, although half the time the 
criminals can't even answer them. But I would note on the Get 
Transcript, 22 percent of legitimate taxpayers could not answer 
their own out-of-wallet questions, so it's not as if anybody 
could walk in and answer those questions. But it became clear 
over time that in fact more and more information was in the 
hands of the public and the out-of-wallet questions were no 
longer sufficient but that was not the decision and not the 
situation when it started.
    I would note that we value and work cooperatively and 
collaboratively with the IG and GAO. Over the last few years 
we've had over 2,000 recommendations from them, and we work and 
we take them seriously, and in fact, we are implementing them 
as quickly as we can. As we move forward with the IP PIN, the 
determination was made, as noted, discussed with the IG, that 
it was an important service for people trying to file in 
January when they got their new PIN in January if they lost it 
to be able to access it. What we did was add another layer of 
authentication in the sense that we marked every Social 
Security number when anybody got an IP PIN access, put that 
into a file, and every return filed with those Social Security 
numbers is put through a review. If there's any questions, we 
write taxpayers. A number of the letters the taxpayers are 
getting are to re-authenticate them before we will process 
those returns. As a result, we've determined that over 40,000--
about 135,000 accesses were made. Forty thousand returns that 
have been filed have been authenticated as legitimate 
taxpayers. Over 5,000 have been stopped because they were 
fraudulent, and we determined those were fraudulent. We're 
continuing to review those as they are filed but we were 
satisfied at the start, and we discussed this with the IG in 
December and January, that the additional monitoring of 
literally every return against those Social Security numbers 
would increase our authentication ability.
    In February, as we saw more volumes of what looked like 
suspicious access, because we were monitoring volumes as well, 
we agreed with the IG that we should bring the app down, and if 
anybody wanted their PIN we would mail it to them rather than 
having it accessible during filing season immediately. We are 
now, as noted, developing a multifactor authentication, which 
is difficult to do because we don't have immediate access to 
telephone numbers and other issues, but the tradeoff is, as I 
said, 22 percent of people couldn't get through to answer their 
own out-of-wallet questions. We think with the new multifactor 
authentication, it will be difficult for as many as 50 percent 
of taxpayers to get in but it will be much more difficult for 
the criminals. And so we're always in that balance of how 
difficult and burdensome will it be for taxpayers compared to 
how impossible can we make it for the criminal.
    But it's an ongoing battle. As we design this system, it 
won't be the perfect system forever. We'll need to continue to 
monitor and assess what's happening. We'll need to continue the 
partnership we're developing with the private sector and with 
banks and others to compare notes about how we're doing. We 
continue to follow the NIST and OMB guidelines to the extent 
that they're there and, as I say, when we started with the IP 
PIN and Get Transcript three or four years ago, developing it, the 
standard was in fact being able to identify someone with out-
of-wallet questions, and we've changed that and we're moving, 
but it's going to be more difficult for taxpayers.
    Mr. Lipinski. My time is up right now. Hopefully we'll have 
a chance for a second round and we'll follow up on that and get 
the IG and GAO's response to any of that. Thank you.
    Chairwoman Comstock. And I now recognize the Chairman for 
five minutes.
    Chairman Smith. Thank you, Madam Chair.
    Commissioner, recently the GAO made, I believe, 49 
recommendations as to how the IRS could better protect 
taxpayers from being hacked, having their information hacked. 
This is on top of 49 recommendations that were made previously. 
My question is, how many of the 49 earlier recommendations have 
been implemented, and when do you expect all these 
recommendations to be implemented?
    Mr. Koskinen. We're working on those GAO. As I said, we've 
had a couple thousand recommendations over time. GAO has done a 
very great service for us in the last year of prioritizing of 
the range of recommendations which are the highest priorities, 
and we are working on those. Our hope----
    Chairman Smith. How many of the 49 have you implemented so 
far, the earlier 49?
    Mr. Koskinen. The earlier 49, I don't have that number for 
you. I'll have to get that for you. But our goal is to 
implement all of them. There's been some question about why we 
didn't immediately sign on to the most recent ones but the 
process is, we are supposed to advise Congress within 60 days 
of the detailed timeline, and we will provide you with the 
timeline for solutions to all of those.
    Chairman Smith. And the most recent 45 were just last 
month, and I realize you need some time to have them 
implemented, but I did hear you say you intend to implement 
them all.
    Mr. Koskinen. Yes.
    Chairman Smith. In regard to the 49, how long will it take 
you to inform us as to how many have been implemented?
    Mr. Koskinen. We'll be able to provide you that information 
in the next week.
    Chairman Smith. Okay. Why not in the next ten minutes?
    Mr. Koskinen. Because I don't have that information with 
me. I'll have to get it from----
    Chairman Smith. Can some member of your staff sitting 
behind you get it for us before the hearing is over?
    Mr. Koskinen. Some members of my staff sitting there can 
try to do that. We'd be delighted.
    Chairman Smith. Okay. Thank you for that.
    Mr. Koskinen. Pardon?
    Chairwoman Comstock. I said we have computers and 
assistants here. They don't have paper with them.
    Chairman Smith. My next question, Commissioner, is this. I 
understand that the IRS issues refunds to individuals even when 
the names and the Social Security numbers don't match. Why does 
the IRS do that? It seems to me that you're catering to and 
perhaps even encouraging fraud. I understand there may be 
millions of individuals who are getting these funds to the tune 
of many, many millions of dollars. Why don't you stop doing 
that, or what can you do to correct it?
    Mr. Koskinen. We actually don't issue refunds where there's 
a Social Security number on the return and a name that doesn't 
match.
    Chairman Smith. Okay.
    Mr. Koskinen. I think the issue you're dealing with is 
people who aren't able to get a Social Security number file 
with an IP PIN.
    Chairman Smith. Correct.
    Mr. Koskinen. And those IP PINs come in, and people who are 
paying taxes, a lot of them are in the country working without 
the ability to get a Social Security number. Their obligation 
is to pay taxes. If there ever is a way for them to become 
citizens, the first question they're asked is, have you paid 
your taxes.
    Chairman Smith. But again, if the name and the Social 
Security number don't match, you are not issuing any refunds?
    Mr. Koskinen. No, if the name and the Social Security 
number on the return don't match. Now, what the situation I 
think you're focused on is, people borrow, steal, however they 
get a Social Security number to get a job so their W-2 may have 
a different Social Security number but their name and the IP 
PIN, we grant the IP PINs. Those will match, and as long as 
they match, our responsibility is to collect the taxes people 
owe. It's not to in fact----
    Chairman Smith. But for example, I've heard--I don't know 
this is accurate--where someone would put in a Social Security 
number of 00000 all the way across and yet they are still 
getting refunds. Is that----
    Mr. Koskinen. They can't do that on a tax return. The only 
thing they would be doing there is if they're using that Social 
Security number to get a job----
    Chairman Smith. Right. I understand. But still no refunds 
when there's a mismatch?
    Mr. Koskinen. If you file a return with a Social Security 
number and a name that don't match, we wouldn't give you a refund.
    Chairman Smith. Okay. That's good to know.
    The next question is addressed to Mr. Wilshusen and Mr. 
George, and it is this. We've had a situation where something 
like over 700,000 people have had their tax information stolen, 
over 100,000 have had their Social Security numbers stolen, all 
in order to access an e-file PIN just this last year. What are 
the implications of that? What are the consequences of that? 
What does that say about the future and what can we do about it? 
Mr. Wilshusen, we'll start with you.
    Mr. Wilshusen. Well, one of the implications is that 
information could be used by criminals to commit identity theft 
and related financial crimes. It can also be used to help 
promote or facilitate identity theft refund fraud since they 
would have additional information that could potentially get 
past IRS's filters for trying to detect that type of fraud.
    Chairman Smith. Mr. George?
    Mr. George. I associate myself with the comments that he 
just made, and this actually relates somewhat to a very 
important factor that hasn't really been discussed much today, 
and that is while we at TIGTA haven't found that the IRS's 
computers themselves have been breached as was indicated, the 
moment people are able to gain the name, Social Security number 
and other information, personal information, of taxpayers, 
that's really where the vulnerability exists currently to the 
system of tax administration.
    Mr. Koskinen. And I might just add for the Chairman's 
benefit, the Social Security numbers that have been stolen and 
the identity information that's been stolen, all has been 
stolen someplace outside the IRS. Nobody is being able to get 
that information from us. The hacks have come from people 
masquerading already as taxpayers legitimately with Social 
Security numbers and names that match.
    Chairman Smith. Okay. Last quick question, if you'll 
address it yes or no. I'll address it to all three of our 
witnesses today. Is an individual's tax return and their 
personal information on that tax return safer this year than 
last year? Commissioner, what would you say?
    Mr. Koskinen. Yes, safer.
    Chairman Smith. Mr. George?
    Mr. George. I have no indication that that is not the case.
    Chairman Smith. Okay. Mr. Wilshusen?
    Mr. Wilshusen. I wouldn't be able to comment on that but I 
would probably say I have no evidence to show it's higher or 
lower.
    Chairman Smith. It may be the same. Okay. Thank you, Mr. 
Chair.
    Chairwoman Comstock. I now recognize Mr. Tonko for five 
minutes.
    Mr. Tonko. Thank you, Madam Chair, and welcome to our 
guests, and I believe that the information exchanged here is 
very critical, and it's important to protect taxpayer 
information. I think that we all bear that sort of 
responsibility and goal, and I thank you for the information 
again.
    Can I just get a better sense of the IT budget for perhaps 
the last five years or so from 2010? Has it been flat? Has 
there been a decrease, increase? What basically are we talking 
about in numbers here?
    Mr. Koskinen. Even after the money that we appreciated 
Congress added this year, the $290 million, we're still $900 
million below where we were six years ago, so we have 10 
million more taxpayers, we have a set of unfunded mandates 
including the Affordable Care Act, FATCA, the ABLE Act, private 
debt collection that we're implementing with $900 million less, 
and as I said, 15,000 fewer employees.
    Mr. Tonko. So the efforts here to go forward I would think 
some of it is a function of having resources essential to 
address some of the dynamics perhaps a pay scale differential 
with the private sector to compete for the talent. Can we talk 
about that for a bit, your efforts with a skilled cybersecurity 
workforce? How do you address the whole impact of strengthening 
that given that the private sector may have that pay 
differential?
    Mr. Koskinen. Well, when the Restructuring Act of the IRS was 
implemented in 1998, the IRS was given special authority for 40 
places, 40 positions called streamline critical pay, which 
allowed us to hire people as if we were in the private sector, 
bring them right in without going through the 3 to 6 months of 
hiring, and allowed us to have a differential pay, not enough 
to match the private sector, but we have found, because we have 
so many challenges in such a large organization, a lot of 
people with IT backgrounds and the people we've been able to 
hire want to come work for the IRS. So one of the great 
concerns we have about the loss of that authority is our 
ability to compete with the private sector, and not on dollars 
but really on the combination of appropriate pay and a very 
great challenge in IT has been diminished with the failure to 
reauthorize that streamline critical pay. It's only 40 
positions. We never used all 40 of them. The most we ever used 
was 34.
    The IG a year and a half ago reviewed the program and said 
it had been run appropriately, and so we view it as critical 
because we are the largest financial institution in the world. 
We collected last year $3.3 trillion. We are the most 
attractive database to attack because we've got information on 
300 million Americans. So our sense is, whatever support we can 
get in this regard is very important.
    Mr. Tonko. And in the last five or six years you've had to 
make up a decline in revenues, resources with the shot that you 
got, the one shot you got last year, but that must have 
impacted somehow addressing the differential.
    Mr. Koskinen. Yes. So what happens is, as a result across 
the board we have to prioritize. Cybersecurity, identity theft, 
protection of taxpayer data is a high priority. As I said, 
we've actually had more people in IT while we've lost thousands 
of other employees. But it does mean, for instance, on patches, 
there are thousands of patches--we have a very complicated 
system--that come in every year and we have to prioritize which 
we can implement because we actually have a limited amount of 
resources. That's why we appreciate the work that both the IG 
and GAO do helping us prioritize those security updates, 
which are the most critical that need to be improved 
immediately.
    Mr. Tonko. And so other than the workforce issue, what are 
those reforms or those improvements? Where do we need to reach? 
What are the tools in the toolkit that are required to provide 
for taxpayer protection here?
    Mr. Koskinen. But we're continuing to work, as I say, to 
implement the recommendations that we have and that we get from 
the IGs and GAO. As I say, we need to improve, and part of the 
money we're spending this year out of the 290 is to improve our 
continuous monitoring of the system. We're working on 
segmenting the system so if you actually happen to get into the 
database, you can't run barefoot through it all. We'll 
actually--you'll only be able to get into limited parts of it. 
We're working to improve the security, as noted by GAO. I don't 
have it with me, but you can run--I can't access my computer, 
not with--I don't need passwords, I have to actually put an 
identity card into the computer. Part of the money we hope to 
use if we get it for 2017 would be to have that same access 
code requirement for access to all of our internal systems. As 
GAO noted, we're as worried and focused on internal protection 
as we are on external protection.
    Mr. Tonko. Thank you very much. I have used up my available 
time, but I appreciate the efforts that are being made. And 
again, bearing in mind that taxpayer protection should be the 
guiding force, I appreciate the response to the questions here.
    And with that, I yield back, Madam Chair.
    Chairwoman Comstock. Thank you.
    And I now recognize Mr. Lucas for five minutes.
    Mr. Lucas. Thank you, Madam Chair.
    Mr. Wilshusen, let's talk for a moment about the magnitude 
of the fraud. According to your testimony, the IRS estimated 
that it prevented or recovered $22.5 billion in fraudulent 
identity theft refunds in 2014 but paid out $3.1 billion in 
fraudulent refunds. These numbers seem rather precise 
considering there's no range given. How does the IRS estimate 
how much it's prevented in fraudulent payments and how much has 
been paid? And how confident are you, I should say, on the 
accuracy of these numbers?
    Mr. Wilshusen. Well, uncertainty exists with any estimates 
with regard to the amount that has been paid or that has not 
been detected and not paid. IRS provides a rather specific 
point estimate. However, because you really don't know what you 
don't know, there's likely to be undetected fraud that hasn't 
been determined. So there's always uncertainty with those 
estimates, and that's why we recommended that IRS look at its 
estimating procedures to account for that uncertainty as to the 
extent of the fraud.
    Mr. Lucas. Mr. George, fraudulent tax payouts ultimately 
hurt taxpayers because their public money is going to 
criminals. How confident are you that the IRS has a grasp on 
these estimates? And does this raise concerns about whether the 
IRS is allocating enough resources to combat the identity theft 
problem?
    Mr. George. This is a very complicated question, 
Congressman, because it overlaps with a lot of other issues as 
it relates to monies owed to the Internal Revenue Service. The 
Service itself estimates what it calls the tax gap at being 
over $450 billion every year, money that is owed to the IRS 
that no one has really contested that figure. And so it's a 
serious problem.
    Then, of course, you're talking about programs such as 
refundable credits and the like that are being taken advantage 
of by people who are here in this country both legally and 
illegally.
    So it is a major problem. The IRS is aware of it. I'm sure 
the Commissioner will point out that if he had additional 
resources, he would be able to address it more sufficiently. 
But this is a concern that we've raised extensively during my 
tenure at TIGTA.
    Mr. Lucas. Thank you, gentlemen.
    Madam Chairman, actually, I yield back.
    Chairwoman Comstock. And I now recognize Mr. Abraham for 
five minutes.
    Mr. Abraham. Thank you, Madam Chairman.
    I think this hearing may be the best argument for a simpler 
flat-tax-type deal because we look at OPM, we look at the IRS, 
ACA, every government agency recently in the last year or 2 or 
3 at the most seems to have had a major data breach. And every 
time it starts out with a lower number such in your case with 
the IRS, the 300, then it goes to 7. Same thing happened in the 
OPM. It started out a few million, went up to 24, 25 million.
    So, again, you know, I personally--and I think everybody 
listening to this hearing--would rather be responsible for 
their own security because, you know, our agencies are having 
major problems getting it right. And again, when we--I'll talk 
to you, Mr. Koskinen, about you guys--you know what you need to 
do. I mean, from a single identification to a multiple, I mean, 
that's pretty commonsense stuff. And it's not like these things 
were born of yesterday. I mean, these things have been going on 
for a long time.
    But I know you guys are asking for more money, so help me 
out here. Of the $290 million that we as Congress gave you for 
this fiscal year 2016, I'm told--and you can certainly correct 
me if I'm misstating--but how much of that went to employ 
temporary people to help on the toll-free line?
    Mr. Koskinen. I would note, by the way, that government 
agencies are challenged, everybody is challenged, Target, 
Anthem, J.P. Morgan Chase----
    Mr. Abraham. I understand that, but, I mean, we've been--
you know, we've been here so many times.
    Mr. Koskinen. Yes.
    Mr. Abraham. We just keep going to the same well and the 
water keeps coming up dry so----
    Mr. Koskinen. So with regard to the $290 million, which, 
again, I would say we appreciate it. It's a step in the right 
direction. One hundred and seventy-eight million was devoted to 
taxpayer service. Last year----
    Mr. Abraham. Right. So is that about 1,000 employees?
    Mr. Koskinen. So we hired slightly over 1,000 employees, 
temporary employees. We hire eight to 10,000 temporary and 
seasonal employees----
    Mr. Abraham. Yes.
    Mr. Koskinen. --to help with filing season.
    Mr. Abraham. And I guess my point is that $178 million did 
not go to specifically fight cybercrime?
    Mr. Koskinen. No. The other then of the $178 million, $95 
million went to cybercrime----
    Mr. Abraham. Right.
    Mr. Koskinen. --and another $16 million went to identity 
theft, primarily to support our partnership with the private 
sector and the States.
    Mr. Abraham. All right. So I'm doing the math and certainly 
won't--don't want to disparage any employee at the IRS. I'm 
sure they hopefully earn their money every day. But 1,000--the 
$170 million, that's $178,000 per employee. Is that the normal 
salary? I mean, I may want to----
    Mr. Koskinen. No.
    Mr. Abraham. --apply there.
    Mr. Koskinen. I'd apply there. That's more than I make. No, 
the $178,000 includes all of the supporting issues that go with 
it. The major expenditure was the 1,000, but they get paid in 
the 30, 40, $50,000 range. The $178 million that was spent 
there was all of the supporting systems to in fact get our 
level of taxpayer service up from last year's 37 percent to 
this year's 72, 75 percent. So you can actually get somebody on 
the line within a few minutes this year. Last year, you had to 
wait for 30 to 40 minutes. Sixty percent of people couldn't get 
through at all.
    Mr. Abraham. Okay. And I know that OMB required you guys to 
reassess and look back at your security procedures, and I guess 
the question, again going back to the earlier statement, why 
don't you guys conduct an authentication process with your IP 
issue, your IP PIN problem? Did you all review, did you look 
ahead? Why didn't you follow OMB guidelines?
    Mr. Koskinen. We actually followed OMB guidelines and the 
NIST guidelines as well when we were establishing these 
programs. As I noted, what happens is life gets more 
complicated as you move along. What used to be acceptable no 
longer works.
    With the IP PIN, as I noted, we brought it back up this 
year because we added another level of authentication. We 
monitored every return filed as a result of anybody accessing 
that system, and therefore, we're reasonably confident and as 
our life has shown, the vast majority of people using those IP 
PINS are legitimate taxpayers.
    We ultimately brought it down when our monitoring of each 
one of those accesses identified that there were an increasing 
number of criminals trying to get through and the vast majority 
of criminals couldn't get through, and so we shut it down, 
deciding that, while it was a great convenience to taxpayers, 
at that point it needed to be brought down because of our 
concerns about the security.
    Mr. Abraham. Thank you, sir.
    Thank you, Madam Chairwoman. I yield back.
    Chairwoman Comstock. Thank you.
    And I now recognize Mr. LaHood for five minutes.
    Mr. LaHood. Thank you, Chairwoman. And I want to thank the 
witnesses for being here today, for your testimony.
    Commissioner, you know, as an outsider looking in and 
looking at what we've heard, 700,000 taxpayers having their 
personal information compromised, that we had the GAO come in 
with 45 recommendations that, you know, the Chairman asked you 
how many of those have been implemented, and we didn't get a 
sufficient answer on that, and then more recommendations from 
GAO. And I guess, I mean, what are the successes that you've 
had in fixing this problem? I mean, when we tell the American 
people we've had successes, we're fixing this, we're giving you 
confidence that we're on the right track after we've had these 
series of events, statistics out there, and these breaches, I 
mean, what are the successes?
    Mr. Koskinen. The successes are, first of all--and again, I 
always knock on wood--our basic system has not been breached. 
As I say, we are attacked over a million times a day.
    Mr. LaHood. Since when? When is the date that you use on 
that?
    Mr. Koskinen. Forever. We've not had a breach of our 
database directly. We've had breaches by people masquerading as 
taxpayers and applications. The basic database of the IRS has 
had no significant breach that I know of ever.
    But the other thing that's happened, we're talking of 
identity--we are increasingly successful at stopping refund 
fraudulent returns. Last year, we stopped over four million 
suspicious returns, 1.5 million of them for about $8 billion 
were identified as fraudulent. Our ability--our filters are 
going forward.
    The most significant thing we've done in the last year, 
very successful, is our partnership with the private sector and 
the States, working together for the first time, exchanging 
information in real time during the filing season of where do 
they see suspicious patterns, where do we. We are sharing that 
back-and-forth. A small part of the money that we got for the 
$290 million is being spent in support of that partnership.
    I think the data will show that this year taxpayers were 
safer. I was asked that question. And the reason I'm confident 
about that is that for the first time we have a level of 
authentication for taxpayers when they go to their preparers or 
when they use software. We have increased data that we get now 
that we didn't used to be able to have access 
to of where the returns are coming from and how many are coming 
from individual computers all through our private sector 
partnership so that we have, as I say, taken the entire tax 
system and put it together in a unified attempt for the first 
time ever, in a partnership, in a true public-private 
partnership.
    Mr. LaHood. So the 700,000 that have had their personal 
information compromised, I mean, when did that change in terms 
of the implementations that you've made and that we're not 
seeing the numbers that have been compromised? I mean, has that 
changed since when?
    Mr. Koskinen. I'm not sure I quite understand. The 700,000 
successful accesses by criminals in our ``Get Transcript'' took 
place over a period from 2014 to '15. We originally looked at 
the immediate impact with the IG then with them. They collected 
data for us for the entire time. That system is down. When it 
comes back up, it will be much more secure and also much more 
difficult for taxpayers to use, but that's the tradeoff we 
continually have to make.
    Mr. LaHood. And then one thing that I haven't heard you 
talk about is--so we've talked about these hackers and the 
criminals. I mean, tell me about the successful prosecutions 
that you've had in terms of the deterrent effect if we're going 
to stop this from going forward, the successes you've had 
with--successful prosecutions going after people that you can 
kind of hold out that we've stopped this and these people are 
being held accountable?
    Mr. Koskinen. We've put over 2,000 people in jail in 
cooperation with the IG and the Department of Justice. Our 
criminal----
    Mr. LaHood. And can you give me a couple examples of kind 
of highlighted cases and the effect that that's had?
    Mr. Koskinen. I get reports of those every day. Those are 
people who have created syndicates. They filed $100 million 
worth of false returns. They've filed large numbers. The courts 
have been very supportive. The average time of incarceration is 
over 3-1/2 years for each of those convictions. They are widely 
publicized. As I say, I get a list of them every day. I would 
be delighted to give you--we just put out--about three or four 
weeks ago the Criminal Investigation Division put out a release 
which I'd be happy to get you of the 10 most significant 
criminal prosecutions for identity theft and refund fraud.
    Mr. LaHood. And have you found that the criminal code right 
now in terms of the sentences people are getting, is it having a 
deterrent effect? Does that need to change? Are there 
recommendations on that?
    Mr. Koskinen. At this point we think that the courts and 
the code have been sufficient on that ground. As I say, part of 
what's happened as we've, I think, begun to be successful at 
stopping criminals locally, increasingly what we're discovering 
is we're dealing with organized crime syndicates in Eastern 
Europe and Asia where it's much harder to get prosecution. The 
people that are operating with them here are basically 
relatively low level. We have over 1,700 investigations going 
on right now leading toward further criminal prosecutions, but 
at this point I don't think increasing the severity of the 
penalty for fraud is a need for us. As I say, the courts have 
been very good. Average sentence--some sentences have been in 
the range of 10 to 20 years.
    Mr. LaHood. Thank you. Those are all my questions.
    Chairwoman Comstock. Okay. I now recognize Mr. Hultgren 
for--oh, he's not here now. Okay.
    Mr. Moolenaar for five minutes.
    Mr. Moolenaar. Thank you, Madam Chair, and I appreciate the 
panelists today.
    And, Mr. Wilshusen, I wanted to just--your role at GAO has 
to do with accountability, especially in the--sort of the 
information technology area, is that correct?
    Mr. Wilshusen. That's correct, on information security, 
cybersecurity issues.
    Mr. Moolenaar. So because you're probably looking at this 
over a wide range of agencies and government entities. I 
basically have three questions that I'd like to kind of lay out 
for you and you'll kind of get the pattern of where I'm going 
with these questions. So you might want to just take notes just 
so you--I apologize for overwhelming you with three questions 
at the same time.
    But basically I just wanted you to elaborate on the 
testimony you've already given just so I have a clear 
understanding. But the first question is what potential 
enforcement and accountability options could be applied against 
an agency that is noncompliant with OMB and NIST information 
security standards and guidelines? That's kind of the one 
question, you know, what options are available?
    And then secondly, what federal agency or White House 
office might have the authority to enforce compliance with OMB 
and NIST standards and guidelines? So who has the authority to 
implement that?
    And then finally, and thirdly, are you aware of any cases 
when action was taken against any agency for failing to comply 
with OMB and NIST information security standards and 
guidelines?
    Mr. Wilshusen. Okay. First, I would answer those questions 
in order. In terms of enforcing compliance or holding agencies 
or individuals accountable for implementing information 
security, it starts first at the agency with the head of the 
agency. FISMA, the Federal Information Security Modernization 
Act of 2014, requires the head of the agency and assigns 
overall responsibility to the head of each agency to ensure 
that that agency implements appropriate safeguards to protect 
against the unauthorized use, disclosure, modification of 
information within that agency. The head of the agency is also 
responsible for enforcing and ensuring that individuals and 
employees within that organization are held accountable and 
comply with that policy and with those procedures.
    Some of that responsibility has been delegated to the Chief 
Information Officer. In some respects at agencies, the Chief 
Information Security Officer will have some responsibilities to 
help program managers and assist them in complying with the 
procedures.
    At the government level, it's the Director of Office of 
Management and Budget, who under FISMA, has responsibility for 
assuring and enforcing the compliance of information security 
under the law. The Office of Management and Budget they have 
employed several different mechanisms to help provide 
accountability and, if you will, assistance to federal 
agencies. One of these is through the budget process in which 
OMB can recommend changes to proposed budgeted amounts for 
organizations and agencies to help assure that information 
security policies are being implemented.
    It's also through cyber stat meetings, which the Office has 
established, in which OMB will meet with officials from 
individual agencies to talk about weaknesses or issues of 
concern related to information security at that agency with 
those officials from that agency. And it's intended not only to 
hold those officials accountable to some extent but also to 
assist them in implementing the appropriate security controls.
    OMB also provides a reporting mechanism through the FISMA 
annual reporting mechanism in which OMB reports on agencies' 
progress in implementing information security controls, as 
determined by the metrics that OMB has determined.
    So those are at least some of the options that are 
available, in terms of what federal agency has that 
enforcement--well, first of all, it's within--you know, each 
agency has responsibility, as does OMB, and so they have a 
responsibility to perform those functions.
    In terms of actual actions taken, well, OMB does have the 
cyber stat reviews. It holds them annually with several 
organizations. But in terms of holding someone accountable in 
terms of like firing someone if that's what you're referring to 
or actually reducing the budget of an organization, I don't 
know if OMB has done that. I know over the last several years 
the actual budgets for information security have been 
increasing rather than decreasing.
    Chairwoman Comstock. Thank you. And I now recognize Mr. 
Westerman for five minutes.
    Mr. Westerman. Thank you, Madam Chair. Good morning, 
Commissioner and panel.
    You know, I attended the prayer breakfast this morning and 
seeing the Commissioner here in this special time of season 
reminded me of life's two certainties of death and taxes. But, 
you know, I think there may be----
    Mr. Koskinen. I'd like to note we're the tax part of that.
    Mr. Westerman. I'll leave that one alone, but there may be 
a third part, there may be a new certainty in life and that is 
that your personal identifiable information is going to be 
stolen at some point.
    When the current e-authentication framework was being 
developed, the National Institute of Standards and Technology 
informed the IRS that a taxpayer identification number was an 
acceptable form of identification. Now, I'm going to get real 
acronym-heavy here because as slow as I talk, there won't be 
time to answer if I didn't use these acronyms.
    In August 2015 NIST informed TIGTA that a TIN is now not an 
acceptable government identification number for the purpose of 
authentication. IRS agreed with this update and indicated the 
agency would take steps to conform to NIST standards.
    So my first question is when and how did NIST initially 
inform the IRS that a TIN was acceptable?
    Mr. Koskinen. It was accessible?
    Mr. Westerman. Was acceptable.
    Mr. Koskinen. It was acceptable, again, when the programs 
were developed in 2011 and '12. It was part of a general 
framework. I'm not aware of a particular NIST approval. NIST 
sets out standards that we're obligated to and do follow. It 
doesn't necessarily, that I'm aware of, do reviews and respond 
to particular questions. But we did, through the IG, understand 
that NIST's view by last summer was that, by that time, because 
as you noted, so much personal information has been stolen and 
in the hands of criminals, by itself, a taxpayer identification 
number was no longer acceptable. And by that time we had taken 
the ``Get Transcript'' down.
    Mr. Westerman. All right. So that was in 2011, you said, 
when it was----
    Mr. Koskinen. 2011 and '12 when we designed the system. 
Taxpayer identification numbers and out-of-wallet questions 
were being used by a range of financial institutions and others 
for authentication.
    Mr. Westerman. So what steps have you or the IRS taken with 
this communication you've had with TIGTA to conform to the NIST 
standards? Are you saying you're not aware that they're----
    Mr. Koskinen. No, in light of that and our experience we have 
taken down the ``Get Transcript'' application, the IP PIN 
application. We are in the process right now of testing a 
multifactor authentication process that will require taxpayers 
to identify themselves through an additional factor. We'll 
communicate with them with their cell phones or smartphones or 
other devices that we've not had access to before, and they'll 
have to come back through with a PIN and identifier, 
reinforcing all the other information they'll still have to 
provide us. That system we hope to have up in the next two or 
three months, perhaps earlier, and that will in fact be at the 
highest level and the appropriate high level that NIST now has 
out there. It's called multifactor authentication.
    Mr. Westerman. Okay. And, Mr. George, is the current e-
authentication framework compliant with NIST standards? And if 
not, does that mean that other online services such as online 
payment agreement, Direct Pay, and Where's My Refund are more 
vulnerable to compromise?
    Mr. George. They're vulnerable to compromise, but the 
impact on the taxpayer is not the same. If someone wants to 
find out where their refund is, it won't affect--even if it's 
an impersonation type of a situation, that won't affect the 
amount of money involved here. I mean, they might get 
additional information that ultimately could be misused if one 
of the factors to authenticate who the taxpayer is is what was 
your refund last year.
    Mr. Koskinen. But you can't access the app without knowing 
what the refund was.
    Mr. George. Right.
    Mr. Koskinen. It's a good point because authentication 
depends on the nature of the risk. When our assumption is if 
you're going to pay us on an online payment agreement, you're 
unlikely to be a criminal. Criminals don't usually send us 
checks. If you're checking for a piece of information like 
where's my refund, you have to actually know what the refund is 
that you're asking about. You can't just go in and say have I 
got a refund coming. You have to put all of your personal 
information in and you have to identify the exact dollar amount 
of the refund to find out where it is. We had about 250 million 
hits on that app already this year. Those people used to have 
to call.
    Mr. George. Now, keep in mind also--and this should've been 
stated at the outset--there's the figure of 700 or 400,000, 
800,000. That number is not accurate because if someone gets 
access to information under the ``Get Transcript'' application 
when it was up and running, they also have access to dependent 
information and spouse information, so that number could be 
exponentially higher in terms of potential victims of identity 
theft or any other taxpayer mischief.
    And then ultimately, again--and I'm glad that the 
Commissioner--and he and his staff have been extraordinarily 
cooperative, Congressman. But the IRS simply misjudged the risk 
of the processes that they had in place when they first 
instituted the ``Get Transcript'' program. They thought it was 
a very low-risk endeavor, and it obviously turned out not to be 
the case.
    Mr. Westerman. I yield back, Madam Chair.
    Chairwoman Comstock. Thank you.
    And I now recognize Mr. Palmer for five minutes.
    Mr. Palmer. Thank you, Madam Chairman.
    Mr. Koskinen, one of the potential vulnerabilities that 
concerns me is that government employees have access to the 
federal system to access their personal emails, you know, 
Facebook, Web sites, you know, online shopping using the 
federal network. Has the IRS taken any action to restrict 
access by their employees?
    Mr. Koskinen. I'm not sure----
    Mr. Palmer. In other words, do you allow your employees to 
use the federal network for personal use?
    Mr. Koskinen. No. Actually, you can't do personal email at 
home and your government email is to be used for government 
purposes. We are very strict about no one does work on their 
own personal computer. They may do other things with their 
personal computer. But basically, we restrict Web sites. We are 
actually now taking another look at should we restrict even 
access to more Web sites than there are now. But as a general 
matter, people do their personal work on their personal 
computers, do office work on their office computers.
    Mr. Palmer. Thank you. Do you have a written policy that 
you could provide the Committee?
    Mr. Koskinen. A--I'm sorry, a----
    Mr. Palmer. A written policy to that effect?
    Mr. Koskinen. Written policy about that, I'd be delighted 
to provide it to you.
    Mr. Palmer. Thank you, sir. Last week, I had opportunity to 
tour the Center for Information Assurance and the Joint 
Forensics Research at the University of Alabama Birmingham. The 
Center is doing fantastic work in the cybersecurity field 
and producing talented students with the ability to make a real 
difference in the field. It's under the leadership of Gary 
Warner.
    The thing that disturbs me in this is that, despite the 
government's tremendous need for individuals with this skill 
set, the Director of the Center explained that he has students 
applying for jobs at the federal agencies who don't hear back 
from them for months and they wind up getting jobs in the 
private sector. And I'm talking about some of the very best. I 
want to know if the IRS has taken any steps to expedite the 
interview process for people with a skill set that we 
definitely need?
    Mr. Koskinen. All right. Well, certainly in that area, as a 
general matter, as I say, our problem is we are not hiring very 
many people at all. We'll shrink by another two to 3,000. The 
only way we've been able to deal with the budget cuts, since 70 
percent of our budget is people, is simply not replace people. 
That's how we've shrunk by that much.
    But IT is an area where we're trying to hire. The process 
you mentioned is in fact, when you apply for a job in the 
government, you go into the normal process, it takes three to 
six months. Many times, it's several weeks or months before you 
hear back when you've applied, and it's why, as we discussed 
earlier, for us at the senior level of trying to get the best 
people, the streamlined critical pay authority is so critical 
because nobody is in greater demand than cybersecurity experts, 
and if we tell them it's going to take you 3 to 6 months but 
just sit tight and we really want to hire you, by the time we 
get back to them, you know, they're not there anymore. And I 
think that I take your point.
    Mr. Palmer. Yes.
    Mr. Koskinen. We have fewer than 300 people under age 25 in 
the agency because we've not been able to hire. So those are 
exactly the kind of people that we would love to hire and we 
ought to be hiring and that we ought to be able to try to 
figure out how to get into the system.
    Mr. Palmer. Madam Chairman, I don't know what our 
responsibility would be through the Committee, but I would like 
to recommend that we develop a procedure that would expedite 
the interview process for such critical personnel so that we 
could get more of those highly skilled people into places where 
they can help protect our IT systems.
    Mr. Wilshusen, according to your testimony, the IRS 
estimated, prevented, or recovered $22.5 billion in fraudulent 
ID refunds, identity theft refunds in 2014, but paid $3.1 
billion in fraudulent refunds. I don't know if the GAO has 
looked into this, but those numbers are fairly obvious. It's 
money that's leaving the system. But do you have any idea what 
it costs the IRS to engage in prevention and recovery 
activities? Because that's an additional cost to the federal 
government.
    Mr. Wilshusen. I do not.
    Mr. Palmer. Chairman Koskinen, do you?
    Mr. Koskinen. On cybersecurity, generally, we spend about 
$150 million a year just on cybersecurity. We have about 3,500 
people working on identity theft, devoted to that. We've never 
pulled together the full cost of protecting against identity 
theft and refund fraud, but it's obviously money well spent if 
we're able to stop $25 billion from going out the door.
    Earlier, there was a question on how accurate are those 
numbers. We're pretty good at knowing which refunds we stopped. 
The point is a good one. We can tell which refunds got out when 
somebody--a legitimate taxpayer comes in. There's always an 
uncertainty of which fraudulent refund went through where there 
was no competing filing.
    Mr. Palmer. If----
    Mr. Koskinen. Those are the ones you don't know.
    Mr. Palmer. What I'd like for you to do if you don't mind 
is to provide the Committee with at least an estimate of what 
you're spending on recovering fraudulent refunds.
    Mr. Koskinen. Sure.
    Mr. Palmer. Madam Chairman, if I may, I have one more 
question.
    Mr. Wilshusen, in the area of information security 
controls, how many recommendations has the GAO made to the IRS 
and how many of those recommendations remain unimplemented? And 
how far back do those recommendations go?
    Mr. Wilshusen. Okay. We have recommendations that remain 
outstanding and open that go back to our report in 2011 and 
2012 and so some of those recommendations actually pertain to 
filing seasons or fiscal years from like 2010, 2011. We have 
right now 94 open recommendations, but that includes 45 new 
recommendations that we just made in March. And so other than 
those, we do have 49 other recommendations that have been open 
for over a year.
    Mr. Palmer. Mr. George, same question, recommendations from 
the IG's office?
    Mr. George. Yes, I don't have off the top of my head the 
exact number, but there are quite a few, and we have, for the 
benefit of the IRS, prioritized those recommendations. Well, it 
was just pointed out that as of March of this year the IRS has 
23 open recommendations from 14 audits that we've provided them 
between the years 2008 and 2016.
    Mr. Palmer. My final question, and I promise this is the 
final one, is a follow-up to Chairman Koskinen. Why is the IRS 
unable to implement these GAO and IG recommendations? Assuming 
that the agency concurs with them, when do you expect the IRS 
to fully and successfully comply with the GAO and TIGTA 
recommendations?
    Mr. Koskinen. As I say, we value the partnership. I've 
always been a fan of internal auditors in the 20 years in the 
private sector as well. Our analysis is--for another purpose 
was that we've had about slightly over 2,000 recommendations 
from the IG and GAO across a wide range of areas, and about 80 
percent of those have already been implemented.
    In the security area, again--and the IG has started moving 
that way--for both GAO and the IG, the ability to prioritize 
those for us as to which they think are the most critical 
allows us to then prioritize our work. We're limited obviously 
by just time as well as resources, but time is one of them. But 
we are committed in the security area to implement those as 
quickly as we can.
    And we will be providing Congress a report as quickly about 
the most recent GAO recommendations. We, 60 days afterwards, 
provide GAO and the Congress our timeline as to exactly what 
the recommendations are and when they'll be implemented, and 
we'll be providing you that report.
    Mr. Palmer. Well, my final comment will be this: that when 
you have recommendations from the IG's office that go back to 
2008, that would indicate to me no intention to implement them.
    I yield back. Thank you for your indulgence, Madam 
Chairman.
    Chairwoman Comstock. Thank you.
    We're going to do a second round of questioning for those 
who might want to stick around. And so I now recognize myself 
for five minutes.
    I did want to pick up on--Mr. Wilshusen, you had indicated 
the increased budgets. I just want to make an observation 
actually. In the report that the speaker had actually cited and 
asked the question about--that I had asked was from Hill 
newspaper articles saying the IRS cybersecurity staff was cut 
as the budget rose and that was also--they referenced an IG 
report that you had done, Mr. George, that it was also a 
cybersecurity online report that referenced that also. So I'd 
like to just put that into the record in recognition of what 
you all had said.
    [The information appears in Appendix II.]
    Chairwoman Comstock. But I also wanted to pick up on what 
you testified about, Mr. Wilshusen, about the agency using 
easily-guessed passwords, software patches not being done, and 
you had said the IRS had inconsistent execution. Would this--
put it in a little more simpler way that people just weren't 
doing their jobs. The people who were there, regardless of what 
budgets and what things are being done, I mean, those are basic 
cyber hygiene things that we've all heard about. I mean, we're 
very familiar from the OPM breach and the hearings we had here.
    So when I hear these kind of things that are very common 
and the inconsistent execution really being people not doing 
their jobs, would that be a correct assessment?
    Mr. Wilshusen. Well, I think you're absolutely correct. 
These are very common types of security practices that need to 
be implemented. And they were not being consistently 
implemented across the IRS. We think there are probably several 
reasons why that occurs. In some respects, for example, we 
looked at the IRS's security testing and evaluation procedures, 
and we noted that they weren't always that successful in 
identifying the same type of vulnerabilities that we 
identified.
    We also noted that when IRS implemented, for example--said 
that it had implemented 28 of the recommendations that we 
previously made, that it had not actually implemented nine of 
those. That's a reflection of its information security 
practices or its practices for closing our recommendations 
before they were actually implemented.
    So there's probably a number of reasons why these 
conditions continue to exist, and certainly not performing 
those functions and responsibilities in an appropriate manner 
contributes to that.
    Chairwoman Comstock. And I'd like to ask you and Mr. 
George, given that right now there's basically no one in charge 
of cyber at the IRS from what we've learned today----
    Mr. Koskinen. I think that's unfair. That's not what I 
said.
    Chairwoman Comstock. Well, I'm asking Mr. Wilshusen and Mr. 
George where we--is that--in terms of--you were asked earlier 
about the safety. When these basic things that you're seeing--
and when they're telling you 28 of them have been implemented 
but nine of those haven't, their own self-assessment is 
inaccurate, you tell them what to do. The inconsistent 
execution--I mean, execution is doing your job and being able 
to do these basic tasks. Do you have confidence that you're 
going to see this anytime soon?
    Mr. George. Madam Chairwoman, we did make a recommendation, 
which the IRS agreed to. The one kink in their armor was that 
there was not a service-wide approach to cybersecurity. A 
particular unit had a dedicated division that would interact 
lightly with other units within the Internal Revenue Service, 
but it wasn't across the board. And my understanding is that 
the IRS and the Commissioner have agreed to change that.
    Mr. Koskinen. And we've implemented that.
    Chairwoman Comstock. And I would just note that, you know, 
we had OPM before us--the Commissioner also noted that in the 
private sector these things happen, but I would note that Ms. 
Archuleta is no longer working at OPM. As our other CEOs of 
companies where they had these major breaches, they were not 
working there. So while--you know, Ms. Archuleta did move on.
    And I think when we look at these issues, I don't have 
confidence. I can't go back to those people, more than half of 
whom in my district raised their hands when we hear about these 
letters and their breaches, they certainly didn't have 
confidence in OPM, and I know they don't have confidence with 
the IRS. This is a pretty important area where we need to have 
confidence, and I don't see it there.
    And I think you've had other people move on when they 
aren't having consistent execution of their jobs, and I think 
what we've seen here today is not a lot of consistent execution 
at all or confidence that there will be going forward.
    So I will yield back my time. And if Mr. Lipinski--thank 
you.
    Mr. Lipinski. Thank you. There's a couple things I wanted 
to go back to that have been mentioned. First, I want to ask--
and the Commissioner said that there'd been no breaches of the 
database. Is that the understanding, Mr. George, Mr. 
Wilshusen----
    Mr. George. That----
    Mr. Lipinski. --your understanding?
    Mr. George. That is our understanding, sir, yes, of their 
system itself----
    Mr. Lipinski. Okay.
    Mr. George. --of their hardware.
    Mr. Lipinski. Do you have any--Mr. Wilshusen, any knowledge 
of----
    Mr. Wilshusen. No, I do not have knowledge of a specific 
incident. What I do know is that we identified a number of 
vulnerabilities that increase the risk of such an incident. But 
has one actually occurred on the databases I--we don't know of 
one yet.
    Mr. Lipinski. Okay. And the Commissioner had talked about 
back in 2011, 2012 when these apps were being--online apps were 
being developed, that the NIST technical requirements were 
lower at that time. Now, first of all, is--Mr. George, is that 
your--because you had talked about them not meeting the 
requirements. Is that your understanding of how this happened?
    Mr. George. It happened because of, again, the multifactor 
authentication versus the single-factor authentication. And the 
IRS took the approach that if they were to adopt the NIST 
standard of multifactor authentication, which would have 
included--in addition to the basic information--utility bills 
and the like, that it would place an undue burden on taxpayers 
as they attempted to interact with the IRS. And while that is a 
laudable goal to make people's ability to comply with their 
taxes as easy as possible, it also had the detrimental effect 
of subjecting the IRS to vulnerabilities, which obviously 
manifested themselves with the IP PIN and with the Get 
Transcript application.
    Mr. Lipinski. So, Commissioner, so was there a decision 
made to go forward with less cybersecurity, less security 
protection than the NIST requirements?
    Mr. Koskinen. The NIST requirements start with, you know, 
you have to show up in person is their fourth level. The third 
level is you have to have multifactor authentication. The 
second level is other identification. And then the NIST process 
calls for them--there's no easy way to put everybody into one 
of those categories for a risk assessment to be made and the 
agency to decide at what level the risk is appropriately dealt 
with. As we said earlier, if you're making an online payment, 
that's a different risk issue.
    When the system was developed, the determine--the review 
and a determination was made that a standard used for 
authentication, short of multifactor in the 2011 and '12 area, 
was use of out-of-wallet questions in addition to other 
identifiers. And in light of that and in light of the 
effectiveness of the system, it was determined that that would 
be an appropriate way to proceed pursuant to the NIST 
standards.
    And I would note in the last filing season 7 million people 
downloaded 23 million legitimate transcripts. So----
    Mr. Lipinski. Well, I want to--well, Mr. George had said 
that a risk assessment was not done for IP PIN. Is that 
correct, Mr. George? Is that----
    Mr. George. A risk assessment was not done to the extent 
that it should have been is--and that----
    Mr. Lipinski. Okay.
    Mr. George. --and what I was really referring to was that a 
risk assessment was done for the Get Transcript, and they made 
the wrong call. They--that's what I stated earlier----
    Mr. Lipinski. Okay.
    Mr. George. --in my testimony. But they made--they 
considered----
    Mr. Lipinski. The risk assessment----
    Mr. George. --a very low risk----
    Mr. Lipinski. --in your opinion, it seems like, from 
experience, was not----
    Mr. George. They made the wrong call.
    Mr. Lipinski. --was--okay. I'll just use your words. They 
made the wrong call. But there was a--so it wasn't just a--
because back in 2011, 2012 that NIST wasn't saying you should 
have more. Obviously, after that and when this was in place 
NIST was saying there should be higher requirements if this 
needs level 3, if this reaches level 3, and it would seem that 
it would because of the, you know--the type of information 
that's at risk here. But the decision was made by the IRS to--
because of the inconvenience, that that wouldn't be required.
    Now, is there a different opinion now moving forward on 
this? And I think this is important not just for the IRS but 
across federal agencies about having a risk assessment that, 
you know, seems to be obvious in hindsight certainly and 
maybe in foresight it should have been obvious that there should 
have been a level 3 situation.
    Mr. Koskinen. No, I think it's important, one of the things 
we've done over the last 2-1/2 years since I've been there is 
set up an enterprise-wide risk assessment program because the 
point is exactly what's happened here. You may make a risk 
decision and an assessment on any risk at a given point in 
time. The question is you need to continue to review that at 
least annually to see have the circumstances changed? Has the 
nature of the risk changed? Has the risk-reward ratio changed?
    To say we made a judgment that IG thought we made--should 
have made a different judgment, but hindsight is always the 
question of whether, you know--if we knew then what we know 
now, we'd do a whole lot of things different. The real question 
is, and I think we have a process now to do that, is on a 
regular basis you should always review your risk assessments 
because the circumstances will change. And clearly in 
cybersecurity with the vast amount of personal data out there, 
the level of authentication you need today is significantly 
different than you would have needed four or five years ago.
    Mr. Lipinski. Mr. George?
    Mr. George. And just to clarify my statement a moment ago, 
Congressman, the IRS did not complete an authentication risk 
assessment for the identity--personal identification number, 
the identity protection personal identification number. And 
again, it was their thinking that it would be very burdensome 
on taxpayers had they done so and implemented a process as a 
result of that.
    Mr. Lipinski. But I think sort of the bottom line of this 
part right here, not just for the IRS but for all departments, 
agencies across federal government is to do a good risk 
assessment and to continue to consider that--reconsider that 
and where it's been as things move very quickly. And I think 
it's very important that that does occur everywhere as we move 
forward.
    So thank you. I yield back.
    Mr. Hultgren. [Presiding] The gentleman from Illinois 
yields back.
    Chairwoman Comstock apologizes. She had a commitment in 
Transportation Committee that she had to run to, but I will 
yield myself five minutes for questions.
    Just to follow up on Mr. Lipinski's question, Mr. George, 
if the IG says that even at the lower risk level the IRS 
process is not NIST-compliant, is that correct?
    Mr. George. Repeat your question.
    Mr. Hultgren. If the IG says that--yes, so if you say that 
at the lower risk level the IRS process is not NIST-compliant, 
is that what you're saying?
    Mr. George. It is--correct, because they would not require 
the additional information that NIST requested or mandated.
    Mr. Hultgren. Okay. Let me get to some of my other 
questions. First, I do want to thank you all for being here. 
The federal government certainly does have a massive 
cybersecurity problem, as we've seen most visibly with the OPM 
data breach. We need to be doing more across the board to 
prevent, identify, and thwart cybersecurity attacks.
    I had the opportunity to visit the Department of Energy's 
Cybersecurity Team at Germantown to get a crash course on the 
bad actors that exist. I also saw how easily a company or 
agency can find itself vulnerable. NIST develops the guidelines 
that all federal nondefense agencies must follow. For industry, 
they are minimal, a voluntary floor for our security. And it 
seems to me, however, that an agency can just ignore these 
rules, placing massive amounts of sensitive private information 
of my constituents at risk.
    Mr. Koskinen, if I can address this to you. In regular 
business someone is usually responsible to accomplish their 
task and is held responsible for their failure to do so. IRS 
unfortunately has an abysmal record in holding their officials 
accountable, as we saw with the Lois Lerner incident a few 
years back. If you don't get fired for discriminating against 
political organizations and destroying evidence, I don't know 
how you would ever get fired at the IRS.
    Mr. Wilshusen spoke about the enforcement actions of the 
federal government and said that he does not know that OMB has 
ever taken any action.
    I appreciate your seemingly lamenting statement about the 
burden of mandates such as ObamaCare that they have on your 
agency, but all agencies have been strapped. And I think 
keeping my constituents' private information safe should be one 
of the highest priorities you have.
    What internal actions have you taken considering you are 
still noncompliant with basic NIST and OMB standards?
    Mr. Koskinen. I think we are compliant with NIST standards, 
as the Inspector General said. The prior authentication systems 
are no longer appropriate, and we agree with that and have 
taken those down. And in fact, with regard to go back in 
history about what happened in the past, the entire chain of 
command in the (c)(4) issues with regard to social welfare 
organizations is shortly thereafter--none of them were in place 
at the IRS. And so I don't think you can say people didn't 
leave, were not held accountable.
    But I do think it is important for people to be 
accountable. I am actually talking to another Congressman now. 
We have any number of people who are in fact dismissed every 
year. For instance, we dismiss automatically anyone who uses 
improper access to any taxpayer information, any IRS employee. 
We discipline employees for being in default on their taxes. We 
have the highest compliance rate of any federal agency by a 
long shot, but even then, we take that very seriously. So I 
think it's not fair to imply that in fact people are not held 
accountable.
    In cybersecurity we are dealing with a rapidly changing 
circumstance fighting increasingly organized and sophisticated 
criminal elements around the world. We are--as you say, we 
regret that we've had the difficulties we've had. We've had 
significant successes at the same time. We value the 
partnerships we have with the IG and the GAO and we're working 
to implement their security suggestions as quickly as we can.
    Mr. Hultgren. I would say in certainly the most high-
profile situations we haven't seen that accountability and my 
constituents haven't, and they still are very fearful of their 
information.
    Let me address--I just have a minute left--to Mr. George. 
In your prior testimony, Mr. Koskinen had stated that access to 
the ``Get Transcript'' application requires multistep 
authentication. Is multistep the same as multifactor 
authentication? If not, what is the difference, and could the 
use of the term multistep be disingenuous as it might confuse 
people into thinking they are the same?
    Mr. George. They're the same. They're the same so----
    Mr. Koskinen. And if I said multistep, multifactor is the 
term of art, and that's what we're working toward.
    Mr. Hultgren. Okay. Well, again, thank you all for being 
here, appreciate your work. This is obviously an ongoing 
concern for our constituents. They're frightened, quite 
honestly, of what could happen and might happen if their 
information is compromised. So I want to thank you all for 
being here.
    And I'll yield back the balance of my time and I will thank 
the witnesses for their testimony and the members for their 
questions. The record will remain open for two weeks for 
additional written comments and written questions from members.
    The hearing is adjourned.
    [Whereupon, at 11:51 a.m., the Subcommittee was adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions
Responses by The Honorable John Koskinen

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



Responses by The Honorable J. Russell George

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by Mr. Gregory Wilshusen

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




                              Appendix II

                              ----------                              


                   Additional Material for the Record




               Report submitted by Subcommittee Chairwoman
                            Barbara Comstock
                            
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                            
                            
                            


               Report submitted by Subcommittee Chairwoman
                            Barbara Comstock
                            
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                            
                            
                            


               Report submitted by Subcommittee Chairwoman
                            Barbara Comstock
                            
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                            
                            



            Statement submitted by Committee Ranking Member
                         Eddie Bernice Johnson
                         
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]