[Senate Hearing 114-580]
[From the U.S. Government Publishing Office]








                                                        S. Hrg. 114-580

                     CYBERSECURITY AND PROTECTING 
                          TAXPAYER INFORMATION

=======================================================================

                                HEARING

                               before the

                          COMMITTEE ON FINANCE
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 12, 2016

                               __________






 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                    





                                     

            Printed for the use of the Committee on Finance

                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

24-730-PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001














                          COMMITTEE ON FINANCE

                     ORRIN G. HATCH, Utah, Chairman

CHUCK GRASSLEY, Iowa                 RON WYDEN, Oregon
MIKE CRAPO, Idaho                    CHARLES E. SCHUMER, New York
PAT ROBERTS, Kansas                  DEBBIE STABENOW, Michigan
MICHAEL B. ENZI, Wyoming             MARIA CANTWELL, Washington
JOHN CORNYN, Texas                   BILL NELSON, Florida
JOHN THUNE, South Dakota             ROBERT MENENDEZ, New Jersey
RICHARD BURR, North Carolina         THOMAS R. CARPER, Delaware
JOHNNY ISAKSON, Georgia              BENJAMIN L. CARDIN, Maryland
ROB PORTMAN, Ohio                    SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      MICHAEL F. BENNET, Colorado
DANIEL COATS, Indiana                ROBERT P. CASEY, Jr., Pennsylvania
DEAN HELLER, Nevada                  MARK R. WARNER, Virginia
TIM SCOTT, South Carolina

                     Chris Campbell, Staff Director

              Joshua Sheinkman, Democratic Staff Director

                                  (ii)






















                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Hatch, Hon. Orrin G., a U.S. Senator from Utah, chairman, 
  Committee on Finance...........................................     1
Wyden, Hon. Ron, a U.S. Senator from Oregon......................     8

                               WITNESSES

Koskinen, Hon. John, Commissioner, Internal Revenue Service, 
  Washington, DC; accompanied by Terence V. Milholland, Chief 
  Technology Officer, Internal Revenue Service, Washington, DC...     2
George, Hon. J. Russell, Treasury Inspector General for Tax 
  Administration, Department of the Treasury, Washington, DC; 
  accompanied by Michael E. McKenney, Deputy Inspector General 
  for Audit, Treasury Inspector General for Tax Administration, 
  Department of the Treasury, Washington, DC.....................     5
Dodaro, Hon. Gene L., Comptroller General of the United States, 
  Government Accountability Office, Washington, DC; accompanied 
  by Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office, Washington, DC...............     7

               ALPHABETICAL LISTING AND APPENDIX MATERIAL

Dodaro, Hon. Gene L.:
    Testimony....................................................     7
    Prepared statement...........................................    33
George, Hon. J. Russell:
    Testimony....................................................     5
    Prepared statement...........................................    43
Hatch, Hon. Orrin G.:
    Opening statement............................................     1
    Prepared statement...........................................    49
Koskinen, Hon. John:
    Testimony....................................................     2
    Prepared statement...........................................    50
Wyden, Hon. Ron:
    Opening statement............................................     8
    Prepared statement...........................................    60

                             Communication

Gyamfi, Kwame....................................................    63

                                 (iii)

 
           CYBERSECURITY AND PROTECTING TAXPAYER INFORMATION

                              ----------                              


                        TUESDAY, APRIL 12, 2016

                                       U.S. Senate,
                                      Committee on Finance,
                                                    Washington, DC.
    The hearing was convened, pursuant to notice, at 10:13 
a.m., in room SD-215, Dirksen Senate Office Building, Hon. 
Orrin G. Hatch (chairman of the committee) presiding.
    Present: Senators Grassley, Crapo, Thune, Portman, Coats, 
Heller, Scott, Wyden, Stabenow, Cantwell, Nelson, Carper, 
Cardin, Brown, Bennet, and Casey.
    Also present: Republican Staff: Chris Armstrong, Deputy 
Chief Oversight Counsel; Eric Oman, Senior Policy Advisor for 
Tax and Accounting; and Mark Prater, Deputy Staff Director and 
Chief Tax Counsel. Democratic Staff: David Berick, Chief 
Investigator; Michael Evans, General Counsel; Daniel Goshorn, 
Investigative Counsel; and Tiffany Smith, Senior Tax Counsel.

 OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM 
              UTAH, CHAIRMAN, COMMITTEE ON FINANCE

    The Chairman. The committee will come to order. I will 
mention that Senator Wyden is delayed. He will be here a little 
later. He has asked that I proceed without him, and we will be 
happy to have him participate when he comes.
    Well, good morning. It is a pleasure to welcome everyone to 
today's hearing, which we have entitled, ``Cybersecurity and 
Protecting Taxpayer Information.''
    Now, these are really important issues that the Finance 
Committee has been working on for some time. In June of last 
year, for example, we had a hearing on the theft of Internal 
Revenue Service data affecting taxpayer information. Much has 
happened since that time.
    At the urging of the Finance Committee, the IRS, State 
revenue commissioners, and leaders in the tax return 
preparation industry came together last year to convene a 
Security Summit, which resulted in new information-sharing 
agreements to help identify suspicious activity in the tax 
filing and refund process. We look forward to hearing more 
about that effort today.
    But in the face of this progress, we have also seen 
unprecedented growth in the scope and scale of cyber-attacks 
aimed at stealing personal information and billions of dollars 
from our taxpayers. Last year alone, cyber-criminals obtained 
access to sensitive personal information from several large 
health insurers, exposing tens of millions of Americans to 
potential identity theft. Foreign governments gained access to 
poorly protected Federal Government databases, including a 
treasure trove of information at the Office of Personnel 
Management.
    Today, we will focus on three separate aspects of this 
problem. First, we will consider the ways the IRS authenticates 
taxpayer identities to prevent data thieves from using 
authentication information to gain access to even more 
information about taxpayers or to file false returns and obtain 
refunds under stolen identities.
    Second, we will examine how the IRS uses its resources to 
improve cybersecurity. This will include some discussion about 
the IRS Future State plan, which the agency has developed in 
order to adapt to the realities of the 21st century.
    Third and finally, we will consider the ongoing joint 
efforts of the IRS, State revenue collectors, and private tax 
preparers to see what can be accomplished to better secure 
taxpayer information and protect taxpayers from fraud.
    Taking a look at our witness table, it is clear that this 
is not a typical lineup of witnesses. Challenges to 
cybersecurity require not only smart and persistent leadership 
up at the top, but also technological expertise and up-to-date 
skills down on the ground.
    So today, we not only have with us the heads of the IRS, 
the Government Accountability Office, and the Treasury 
Inspector General for Tax Administration, but we have invited 
subject matter experts on the relevant issues from each of 
those agencies to testify as well.
    That is a total of six witnesses, and I suspect each of 
them will bring unique and important insights to this 
discussion.
    In closing, I will just say that while we are clearly 
making real progress in this area, the challenges are 
continuing to grow and criminals behind this kind of data theft 
are getting more sophisticated and aggressive, seemingly by the 
day, and American taxpayers and their livelihoods are their 
targets.
    In other words, we have a lot of work to do. My hope is 
that we will continue to be able to work on these issues on a 
bipartisan basis in order to do right by the American people.
    Now, with that, I would like to turn it over to Senator 
Wyden, when he gets here, for any opening remarks he might 
have.
    [The prepared statement of Chairman Hatch appears in the 
appendix.]
    The Chairman. Our first witness will be John Koskinen, 
Commissioner of the IRS. We will start with you first, Mr. 
Koskinen, and go from there.

STATEMENT OF HON. JOHN KOSKINEN, COMMISSIONER, INTERNAL REVENUE 
SERVICE, WASHINGTON, DC; ACCOMPANIED BY TERENCE V. MILHOLLAND, 
CHIEF TECHNOLOGY OFFICER, INTERNAL REVENUE SERVICE, WASHINGTON, 
                               DC

    Commissioner Koskinen. Good morning, Chairman Hatch, 
Ranking Member Wyden, and members of the committee. Thank you 
for the opportunity to discuss the IRS's ongoing efforts in 
regard to cybersecurity and identity theft. As the chairman 
noted, I am delighted to have Terry Milholland, our Chief 
Technology Officer, here with me today for any specific 
technical questions you may have.
    Securing our systems and taxpayer data continues to be a 
top priority for the IRS. Even with our constrained resources, 
we devote significant time and attention to this challenge. We 
work continuously to protect our main computer systems from 
cyber-attack and to safeguard taxpayer information stored in 
our database.
    The systems withstand more than 1 million malicious 
attempts to access them each day. We are also continuing to 
battle the growing problem of stolen identity refund fraud. 
Over the past few years, we have made steady progress in 
protecting against fraudulent refund claims and criminally 
prosecuting those who engage in this crime, but we have found 
the type of criminal we are dealing with has changed.
    The problem used to be random individuals filing a few 
dozen or a few hundred false tax returns at a time. Now, we are 
dealing more and more with organized crime syndicates here and 
in other countries. They are gathering, as the chairman noted, 
almost unimaginable amounts of personal data from sources 
outside the IRS so they can do a better job of impersonating 
taxpayers, evading our return processing filters, and obtaining 
fraudulent refunds.
    To improve our efforts against this complex and evolving 
threat, in March 2015, we joined with leaders of the electronic 
tax industry, the software industry, and the States to create 
the Security Summit group. This is an unprecedented partnership 
that is focused on making the tax filing experience safer and 
more secure for taxpayers in 2016 and beyond.
    Our collaborative efforts have already shown concrete 
results this filing season. For example, Security Summit 
partners have helped us improve our ability to spot potentially 
false returns before they are processed.
    Over the past year, we have seen three examples of what 
identity thieves are capable of and why we cannot let up in 
this fight. In each case, we detected and stopped unauthorized 
attempts to access online services on our website, IRS.gov, by 
criminals masquerading as legitimate taxpayers. One of the 
services targeted was our Get Transcript online application, 
used by taxpayers to quickly obtain a copy of their prior year 
return.
    Another was an online tool to retrieve a lost Identity 
Protection Personal Identification Number, or IP PIN. Taxpayers 
who previously were victims of identity theft use these PINs to 
prove their identity when they file a return.
    The third was a tool that some people use to generate a PIN 
number when they e-file their tax return. In all three cases, 
criminals were trying to use our online tools to help them 
pretend to be legitimate taxpayers and sneak false returns past 
our fraud filters. These incidents, which, unfortunately, in 
the case of the Get Transcript access, resulted in the loss of 
taxpayer information for thousands of taxpayers before the 
applications were disabled, have shown us that improving our 
reaction time to suspicious activity is not enough.
    We need to be able to anticipate the criminals' next moves 
and attempt to stay ahead of them. The ongoing work of the 
Security Summit group will be critical to our success here.
    As we confront the challenge of identity theft, we are also 
working to expand and improve our ability to interact with 
taxpayers online to meet taxpayers' increasing demand for 
digital services. We are aware, however, that in building 
toward this enhanced online experience, we must continuously 
upgrade and improve our ability to verify the identity of 
taxpayers using these services.
    Taxpayers will only use these services if they are 
confident that they are safe and secure. So we are in the 
process of developing a strong, coordinated authentication 
framework. We have a delicate balance to maintain here. We need 
to keep the criminals out while letting the legitimate 
taxpayers in. Our goal is to have the strongest possible 
authentication process for our online services while 
maintaining the ability of taxpayers to access their data and 
use IRS services online.
    Congress can provide critical support by providing adequate 
resources for these efforts. We appreciate the $290 million in 
additional funding for fiscal year 2016, which included funds 
to improve cybersecurity and fight identity theft. Sustaining 
and increasing funding in this area will be critical as we move 
forward.
    Another way Congress helps us is by passing legislative 
proposals to improve tax administration and cybersecurity. One 
of the most important requests we have made is for the 
reauthorization of streamlined critical pay authority, the loss 
of which has made it very difficult, if not impossible, to 
recruit and retain employees with expertise in highly technical 
areas, such as information technology.
    Chairman Hatch, Ranking Member Wyden, and members of the 
committee, this concludes my statement, and Mr. Milholland and 
I would be happy to take your questions.
    [The prepared statement of Commissioner Koskinen appears in 
the appendix.]
    The Chairman. Thank you so much.
    Today's panel is a little bit unorthodox, at least as far 
as our typical hearings in this committee are concerned. In 
order to ensure that we have the most robust discussion 
possible--and I put that discussion into the record--we have 
invited the heads of three vital government offices to testify, 
as well as the subject matter experts in the relevant areas 
from each agency.
    Now, we have heard from the first witness, John Koskinen, 
who has a tremendous reputation and background for the job that 
he is doing.
    Our second witness will be Inspector General J. Russell 
George from the Treasury Inspector General for Tax 
Administration.
    Mr. George was confirmed to his current position in 
November 2004. Prior to that, he served as the Inspector 
General of the Corporation for National and Community Services.
    Mr. George began his career as a prosecutor in the Queens 
County District Attorney's Office in New York, following which 
he served as Assistant General Counsel in the Counsel's Office 
in the White House Office of Management and Budget.
    Mr. George also has served as the Associate Director for 
Policy in the Office of National Service, after which he moved 
to the private sector, where he practiced law at Kramer, Levin, 
Naftalis, Nessen, Kamin, and Frankel.
    Then in 1995, Mr. George returned to Washington, DC to join 
the Committee on Government Reform and Oversight as the Staff 
Director and Chief Counsel of the Government Management, 
Information, and Technology Subcommittee.
    Mr. George received his bachelor of arts degree from Howard 
University and his law degree from Harvard University School of 
Law.
    He will be joined by Deputy Inspector General for Audit, 
Michael McKenney. Mr. McKenney is responsible for providing 
audit oversight of IRS operations related to the preparation 
and processing of tax returns and the issuing of refunds to 
taxpayers.
    Then finally, from the Government Accountability Office, we 
welcome back Comptroller General Gene Dodaro. Mr. Dodaro was 
confirmed as the eighth Comptroller General of the United 
States and head of the U.S. Government Accountability Office in 
December 2010. Mr. Dodaro was confirmed to this position after 
serving as the Acting Comptroller General since March 2008. 
Including these 7 years of dedicated service, Mr. Dodaro has 
served the country for more than 40 years at the GAO. He served 
most recently as the Chief Operating Officer and is also head 
of GAO's Accounting and Information Management Division, where 
he directed the first-ever audit of the comprehensive financial 
statements covering all Federal departments and agencies.
    Mr. Dodaro has also worked closely with Congress in several 
administrations on major management reform initiatives, 
including the 1994 Government Management Reform Act, the 
revised 1995 Paperwork Reduction Act, and the Clinger-Cohen Act 
of 1996.
    He received a bachelor's degree in accounting from Lycoming 
College in Pennsylvania.
    Mr. Dodaro is joined by Information Security Issues 
Director Gregory Wilshusen, who leads cybersecurity and 
privacy-related studies and audits of the Federal Government.
    I want to thank all of you for coming. I know that this is 
an expansive topic, and the more insight and perspective we can 
get, the better off we will be.
    We will hear the witness testimonies in the order that I 
just introduced them.
    Mr. George, we will turn to you at this time.

STATEMENT OF HON. J. RUSSELL GEORGE, TREASURY INSPECTOR GENERAL 
FOR TAX ADMINISTRATION, DEPARTMENT OF THE TREASURY, WASHINGTON, 
   DC; ACCOMPANIED BY MICHAEL E. McKENNEY, DEPUTY INSPECTOR 
     GENERAL FOR AUDIT, TREASURY INSPECTOR GENERAL FOR TAX 
   ADMINISTRATION, DEPARTMENT OF THE TREASURY, WASHINGTON, DC

    Mr. George. Thank you, Chairman Hatch, members of the 
committee, for the opportunity to testify today on the IRS's 
processes to protect sensitive taxpayer information.
    As you noted, Mr. Chairman, I am joined by the Deputy 
Inspector General for Audit, Michael McKenney.
    Cybersecurity threats against the Federal Government 
continue to grow, and the IRS is a very prime target for 
attacks because of the extensive amount of taxpayer data it 
stores. As such, the security of taxpayer data is one of the 
top concerns facing the IRS.
    TIGTA has identified a number of areas in which the IRS 
could better protect taxpayer data. For example, TIGTA recently 
reported that the IRS is working towards continuous monitoring 
of its overall information security posture. This effort will 
eventually allow the IRS to perform ongoing real-time 
assessments of information security so that it knows when and 
where security vulnerabilities exist.
    We also reported that the IRS needs to fully implement 
unique user identification and authentication that complies 
with the Department of Homeland Security directives. Full 
implementation and integration of personal identity 
verification cards will help to ensure only authorized 
personnel can access computer systems and facilities.
    Further, TIGTA has evaluated the effectiveness of the 
security patch management process. This process is key to 
mitigating the security risks associated with known 
vulnerabilities to computer systems. We found the IRS is still 
working to expand a standard automated process needed to ensure 
that all IRS systems are patched timely and are operating 
securely.
    Web applications that provide online services are 
significantly vulnerable, because even without penetrating 
network security, hackers can and have cleared the 
authentication process to gain access to and steal valuable 
taxpayer information.
    The IRS has established processes and procedures to 
authenticate individuals requesting online access to IRS 
services; however, these processes and procedures do not comply 
with government standards. For example, the processes that the 
IRS used to authenticate users of its Get Transcript and 
Identity Protection Personal Identification Number, IP PIN, 
applications, required only single-factor authentication.
    Government standards require multi-factor authentication 
for such high-risk applications. Moreover, the authentication 
framework used for these applications did not comply with the 
government standards for a single-factor authentication.
    In August 2015, the IRS reported that unauthorized users 
had been successful in obtaining tax information on the Get 
Transcript application for an estimated 334,000 taxpayer 
accounts. To prevent further unauthorized access, the IRS 
removed the application from its website. Unfortunately, 
TIGTA's current review of the Get Transcript breach identified 
additional suspicious accesses to taxpayers' accounts that the 
IRS had not identified.
    Based on TIGTA's analysis, the IRS reported on February 
26th of this year that potentially unauthorized users had been 
successful in obtaining access to an additional 390,000 
taxpayer accounts.
    We also reported in November 2015 that the IRS did not 
complete the required authentication risk assessment for its IP 
PIN application and recommended that the IRS not reactivate 
this application for the 2016 filing season. However, the IRS 
reactivated the application on January 19, 2016.
    We issued a second recommendation to the IRS on February 
24th, advising it to remove the IP PIN application from its 
public website. On March 7th, the IRS reported that it was 
temporarily suspending use of the IP PIN application as part of 
an ongoing security review.
    The IRS does not anticipate having the technology in place 
for either the Get Transcript or IP PIN application to provide 
multi-factor authentication capability before the summer of 
2016.
    The number and sophistication of threats to taxpayer 
information will likely continue to increase, and these threats 
will be a continued focus of our audit and investigative 
activity.
    Chairman Hatch, Ranking Member Wyden, members of the 
committee, thank you for the opportunity to share my views.
    [The prepared statement of Mr. George appears in the 
appendix.]
    The Chairman. Thank you so much. We appreciate having your 
views.
    We will now turn to Mr. Dodaro, and then I understand the 
other two witnesses will be here to answer questions, if 
necessary.
    Mr. Dodaro, we will turn to you.

 STATEMENT OF HON. GENE L. DODARO, COMPTROLLER GENERAL OF THE 
 UNITED STATES, GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, 
DC; ACCOMPANIED BY GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, 
                               DC

    Mr. Dodaro. Thank you very much, Mr. Chairman. Good morning 
to you, Ranking Member Wyden, members of the committee.
    Greg and I are very pleased to be here today to discuss 
GAO's work related to computer security at IRS and identity 
theft refund fraud.
    Our most recent audit showed that IRS had instituted 
controls over its financial and tax processing systems. 
However, there were numerous weaknesses that we identified due 
to the inconsistent application of its information security 
program across IRS. These weaknesses included easily guessed 
passwords to gain access to servers supporting key systems at 
IRS, including those to access and manage taxpayer accounts, 
and users at the IRS who were given rights and privileges 
beyond what they needed to carry out their responsibilities, 
including access to electronic tax payment systems.
    We found that key systems that should have been encrypted 
were not. We found in other cases there were applications where 
user activity was not being logged so that IRS could 
potentially investigate or know who was using those systems, 
including those that were used to transfer financial data and 
to manage and access taxpayer accounts. Also, we found that 
software patches were not being implemented in a timely fashion 
in a couple key instances.
    Now, to address these weaknesses and strengthen IRS's 
security program, GAO made 45 new recommendations to the IRS. 
In addition, we reemphasized the importance of implementing 49 
recommendations that we had made previously that were not yet 
implemented. One area we were concerned about with this most 
recent audit was that in 28 instances, IRS asserted that it had 
implemented our prior recommendations, but our subsequent 
testing showed that in nine of those 28 instances, the problem 
had not been fixed. So we are very concerned about that.
    This included access by employees and visitors to one of 
IRS's computing facilities where access lists had not been 
updated as appropriate.
    So we made many recommendations to strengthen IRS's 
computer security program. We are hopeful that IRS will 
rigorously implement our recommendations over the next few 
years, all 94 recommendations that we have outstanding.
    Now, with regard to identity theft, I am very pleased to 
report that the Congress has acted on the recommendations that 
we had made to allow for more timely filing by employers of W-2 
data.
    As you recall, Mr. Chairman, I was here last year before 
this committee talking about the importance of providing 
earlier W-2 information to the IRS. In past years, IRS only 
received the W-2 information from employers in April. Having it 
earlier to match against early income tax filing will allow IRS 
to better detect tax returns that are filed using fake 
identities.
    The new law now gives IRS the ability to have that W-2 
information at the end of January. We think it is very 
important for IRS to implement changes to its processes and 
systems in order to take advantage of the new, earlier 
information.
    We also think that IRS needs to continue to test and assess 
the costs, benefits, and risks of different authentication 
techniques that could be used. This has been a key weakness in 
the past on Get Transcript and the IP authorizations. IRS also 
needs to give better feedback to those who provide external 
leads to them, such as tips that they can follow up to further 
identify identity theft cases.
    We also have a recommendation for the Congress. We think 
Congress should lower the requirement for electronic filing of 
W-2 data by employers from 250 employees down to a much lower 
number. This would give IRS more electronic information that it 
could use to match to help avoid identity theft in the future.
    So, again, thank you for the opportunity to be here today. 
GAO is very committed to computer security in the Federal 
Government. We actually designated it as a high-risk area 
across the entire Federal Government in 1997. We have been 
working on it since then and made thousands of recommendations.
    I am pleased to be here today to participate in this 
hearing, along with Mr. Wilshusen.
    Thank you very much, Mr. Chairman.
    [The prepared statement of Mr. Dodaro appears in the 
appendix.]
    The Chairman. Thank you so much.
    I want to apologize to Senator Wyden. I should have called 
on him right away, but we are going to call on him at this 
time.

             OPENING STATEMENT OF HON. RON WYDEN, 
                   A U.S. SENATOR FROM OREGON

    Senator Wyden. Mr. Chairman, thank you. And to colleagues, 
my apologies for being late as well. I was at the public 
proceeding to look at steel overcapacity. We care a great deal 
about enforcing the trade laws on this committee, particularly 
the ENFORCE Act and the Leveling the Playing Field Act.
    We are dealing with a steel overcapacity that would really 
cost us family-wage jobs, family-wage jobs in Oregon and across 
the country. We worked on this in a bipartisan way, and I was 
at the USTR's proceeding to make sure that they move 
aggressively to enforce the law.
    Now, we turn to the question of IRS cybersecurity, and it 
is pretty obvious that hackers and crooks, including many who 
work for foreign crime syndicates, are jumping at every 
opportunity to steal hard-earned money and sensitive personal 
data from American taxpayers. It happens online, and it happens 
in the real world.
    In my view, taxpayers have been failed by the agencies, the 
companies, and the policymakers here in the Congress that they 
are counting on to protect them.
    It was unacceptable for the IRS to leave the front door 
open to hackers by using a weak authentication process for its 
Get Transcript system. It meant that thieves could walk through 
the door and steal the tax information of three-quarters of a 
million taxpayers.
    To make matters worse, after the IRS mailed the special 
Identity Protection PIN numbers to the hacking victims, it 
repeated its mistake and used lax security online. For the tax 
scammers, once again, it was as easy as going online, plugging 
in the personal data you have already stolen, and pretending to 
be somebody who lost their IP PIN.
    So after leaving the front door open, the IRS left the back 
door open as well. There is simply no excuse for this.
    But poor protection of taxpayer information is not just a 
problem at the IRS. There is plenty of blame to go around. 
Already this tax season, hackers have gotten into the 
inadequately guarded system of private software companies and 
stolen personal information from thousands of people. And it is 
my judgment that you cannot have an honest discussion about 
protecting taxpayer information without including the 
vulnerabilities from the e-file providers, as well as crooked 
return preparers who operate in the shadows and steal from 
customers.
    For years, Republicans and Democrats have agreed on the 
need for minimum standards for return preparers, but the 
Congress has sat back and watched while criminals have come in 
and preyed on taxpayers. When it comes to blocking hackers, 
Congress has done next to nothing while the IRS loses its 
ability to hire the experts who can keep taxpayer information 
safe.
    If you are a top-notch tech expert, you already are taking 
a pay cut to work in public service compared to what you would 
earn at firms in Oregon or California. Now, without what is 
called streamlined critical pay authority, it can take 4 to 6 
months to bring a new hire on board at the IRS.
    So I want to be clear as we go to questions. Taxpayer 
information is under assault every single day, but the IRS does 
not have the legal authority it needs from the Congress to 
build a cybersecurity team that can beat back the crooks.
    Already there has been an exodus of high-ranking IRS tech 
staff. The Director of Cybersecurity Operations left 1 month 
ago. The terms for the remaining employees working under this 
authority continue to expire, including for one of our 
witnesses, Chief Technology Officer Terence Milholland. Come 
2017, there are not going to be any left.
    So today, instead of rehashing the past and just beating up 
on one agency or one firm, to me, the priority ought to be to 
focus on how to step up the fight against attackers and crooks 
across the board. It is my view that streamlined critical pay 
authority is a key part of the solution. There was a bipartisan 
bill, colleagues, ready to go last fall, and this committee 
ought to move forward on it as soon as possible.
    Furthermore, the Congress needs to make more than token 
investments in IT at the IRS. Congress has held the IRS tech 
budget below where it was 6 years ago, but you can bet that the 
hackers have not backed down since then.
    Next, the IRS and private firms need to do more to keep 
taxpayer information safe inside their systems. The Get 
Transcript hack I mentioned earlier has been well documented.
    A recent audit by the Online Trust Alliance found that the 
security maintained by private free-file services did not meet 
expectations. It is unacceptable for troves of taxpayer data to 
be more vulnerable to hacking than many social media or e-mail 
accounts, and the committee ought to consider whether the IRS 
has the authority it needs to guarantee that the security used 
by private software firms is up to snuff.
    While many tax preparers are honest practitioners, we know 
that there are always some bad apples in the barrel. Last year, 
Senator Cardin and I introduced a bill giving the IRS the 
authority to have basic minimum standards over these tax return 
preparers. We have worked to create a bipartisan identity theft 
bill for markup in the Finance Committee, which I had very much 
hoped would include at least these minimum standards for return 
preparers.
    It is still my view that people handling sensitive taxpayer 
information should have to meet what are minimum standards and 
that the committee should vote to require it. Anybody who 
thinks that Western civilization is going to end if we have 
minimum standards can come to my home State, because we have 
them, and it is working well, and we heard testimony from a 
preparer that that was the case.
    It is open season for hackers to steal money and data from 
hardworking Americans, so congressional inaction should not 
make this situation worse. With tax day approaching, millions 
of Americans are filing their returns online, through the mail, 
or with a private return preparer.
    The committee has a responsibility to protect taxpayers, no 
matter what filing method they choose. So I see this hearing as 
an opportunity to find some bipartisan solutions to do what the 
Finance Committee has always done best, which is to find common 
ground.
    I thank our witnesses, Mr. Chairman, and I look forward to 
working with you and our colleagues.
    [The prepared statement of Senator Wyden appears in the 
appendix.]
    The Chairman. Thank you, Senator. I appreciate it.
    Let me begin by asking this. The IRS is working with State 
revenue commissioners and the private tax industry in the so-
called Security Summit and has made an agreement to create an 
information-sharing and analysis center, or ISAC, to facilitate 
the sharing of actionable information to prevent refund fraud 
and identity theft.
    Now, I understand the agency has made progress on this, but 
it remains incomplete. It hope that it moves forward as quickly 
as possible.
    I have two questions for the IRS and anyone else who would 
care to comment.
    One, when do you anticipate the ISAC will be up and 
running? What impediments are delaying its launch?
    Mr. Commissioner, given that we are nearing the end of the 
2016 tax filing season, describe the extent to which the IRS 
and its partners are currently sharing information to prevent 
stolen identity refund fraud and how you measure whether that 
is working or not.
    Commissioner Koskinen. Thank you, Mr. Chairman.
    The Security Summit has been thus far a great success. In 
fact, part of the indication of its success is that the 
private-sector members have requested, which we have honored, 
that we make it a permanent partnership going forward, because 
it has already demonstrated its great utility.
    We have been able to receive information from State tax 
commissioners, as well as preparers, about suspicious patterns. 
We have been able to exchange information, give them notice 
when we see suspicious patterns or Social Security numbers that 
have been abused, and we have been able to share that 
information in real time with the private sector and with State 
tax preparers.
    As you noted, we agreed early on that an information-
sharing center would be very helpful to increase the utility of 
that information and its availability.
    I would stress the private sector and the IRS and the 
States are all protective of individual taxpayer information, 
so the information we are sharing is about patterns, it is 
about activities going on; but basically, we are not sharing 
individual taxpayer information, except in situations where we 
know there have been fraudulent attempts to access those 
accounts.
    We measure it. Thus far, we have had a significant increase 
in the amount of leads provided. We have had a significant 
increase in the volume of refund fraud stopped. We have stopped 
over a million tax returns this year that were suspicious. We 
identified thousands of them that were fraudulent.
    We have shared all that information back and forth. We do 
think that as soon as we can, we will try to implement the 
ISAC. It will take some time for this unique opportunity. We 
are funding it with some of the money that we were given out of 
the $290 million the Congress provided us additionally this 
year. Some of it is going, in fact, to the development of the 
ISAC.
    We hope to have it up and running as soon as we can. It is 
not clear that we will be able to get it fully operational by 
next tax season, but I would stress that we are already 
exchanging information back and forth in real time, and it has 
been very helpful.
    The Chairman. Thank you. This is a question for all of the 
witnesses regarding unimplemented recommendations related to 
information technology, cybersecurity, and identity theft.
    In a report released last month on IRS information 
security, GAO identified specific IRS vulnerabilities that 
leave the sensitive taxpayer information of millions of 
Americans ``unnecessarily vulnerable to inappropriate and 
undetected use, modification, or disclosure.'' GAO made 45 new 
recommendations on how to better protect this data and 
identified 49 prior information security recommendations that 
the IRS has failed to implement.
    Last year, Chairman Brady, Senator Rubio, Congressman Yoho, 
and I wrote to the IRS requesting an update on TIGTA 
recommendations relevant to today's hearing, and I was 
disappointed to learn that several continue to remain 
unimplemented.
    I would just like to ask both TIGTA and GAO to detail the 
recommendations that you deem most important and discuss 
whether incidents like the unauthorized access of the Identity 
Protection Personal Identification Number tool would have 
occurred had these recommendations been implemented.
    I would also ask the IRS to respond to the status of these 
recommendations.
    Mr. George. Mr. Chairman, as it relates to the latter 
point, we believe that if our recommendations had been 
implemented, while we could not guarantee that the breach would 
not have occurred, it would have been much more difficult for 
that to have happened.
    But I would like to defer to my colleague, Michael 
McKenney, for the additional response.
    Mr. McKenney. One thing, especially in the area of 
authentication, that is probably one of the more important 
recommendations to improve its authentication, is to move to 
the multi-factor authentication.
    There are also some concerns we have expressed in the past 
that I think are really primary here, such as the IRS's 
willingness to accept risks in these areas without really very 
well following a process to document why they have accepted 
those risks and the rationale for what they have done to 
mitigate those risks.
    So one of the most significant concerns we have is the 
agency itself, when it decides to accept risk. It is 
unavoidable, but it should be kept to a minimum, and when they 
do accept risk, they should thoroughly document why, the 
rationale, and what they will eventually be able to do to 
overcome those risks.
    The Chairman. Senator Wyden, we will turn to you now for 
your questions.
    Senator Wyden. Thank you very much, Mr. Chairman.
    Commissioner Koskinen, it seems to me you do not fight the 
cheats and the rip-off artists by osmosis. You do it by having 
the right kind of experts, the talent that you need to take 
them on.
    Many of those experts were hired using streamlined critical 
pay, including the head IRS official who is sitting next to 
you, Mr. Milholland. But that authority expired in 2013, and 
the IRS has already lost many of these experts.
    I think it would be very helpful if you laid out for the 
committee what are going to be the consequences of the Congress 
failing to renew this key tool, the streamlined critical pay 
authority, so you can go out there and get people who know how 
to beat the crooks.
    Commissioner Koskinen. Well, we are concerned about it. 
That is the reason I have been talking about it for the last 
2\1/2\ years, because what it gives us is the ability to find 
top-notch IT people and hire them, with suitable background 
checks, without going through the 3- to 6-month normal 
government application process--and these are all highly 
desirable people.
    Our people are being recruited every day, and when you tell 
somebody, ``We would love to hire you; we have a great position 
for you; now, if you will just sit around for 3 to 6 months, we 
will get back to you and, in the meantime, fill out the 
applications and apply for the job,'' needless to say, most of 
those people are not around when we come back.
    Now, there are good people who are willing to work through 
that process, but at the top of the heap, cybersecurity 
experts, people expert at development of new techniques and 
technologies, like Mr. Milholland, they simply do not need to 
go through that entire process.
    So authority was provided in the Restructuring Act of 1998, 
was renewed every 4 years, and the IG reviewed the program a 
year and a half ago and found that we had used it 
appropriately. It only applies to 40 slots, and we never used 
the full 40.
    But if we continue to lose people--we have 10 last IT 
people on the list--and by this time next year, they will all 
be gone, and our ability to replace them is very questionable.
    Senator Wyden. All right. Inspector George, we always value 
your work. I gather that you all have looked at this issue as 
well, and you largely agree with what the Commissioner has 
said, that these were justifiable hires, that these are 
exceptionally well-
qualified individuals, and that this was something that really 
worked.
    Is that true?
    Mr. George. It is true, and it was actually even under 
budget. This is one of the programs implemented by the IRS that 
we have to say works. It is very successful and justified.
    Senator Wyden. I am going to repeat that for my colleagues. 
So here we have something that has been an essential tool. We 
are not going to have it any longer absent Congress getting 
serious on a bipartisan basis to renew it. And Inspector 
George, whose views we have long admired on both sides of the 
aisle, said the program came in under budget.
    I appreciate your doing that, Inspector, because if that is 
not a wakeup call to the Congress, I do not know what is. This 
is something that works, and if we are going to beat the 
crooks, we ought to have it.
    Now, Commissioner Koskinen, let me ask you about the 
private e-file providers, because I think we all understand 
that the IRS is not the only place where the bad guys, the 
crooks, can go after innocent taxpayers.
    In January, two e-file providers revealed that roughly 
16,000 taxpayer accounts had been breached. The Independent 
Online Trust Alliance concluded that 6 of 13 private online 
free-file tax preparation services failed the best practice 
assessment with respect to these cybersecurity tests.
    Are e-file providers doing enough to keep taxpayer 
information safe, and, in your view, what needs to be done on 
this issue--again, with the Finance Committee, Democrats and 
Republicans, working together to ensure that we are using the 
tools that are essential.
    Commissioner Koskinen. That is an important question. One 
of the great outcomes of the Security Summit, the partnership 
we have with the private sector, is from the start, in our 
meetings with them, all of the preparers and providers and 
software developers agreed that they would all meet the NIST 
standards of operation. Most of them already met them.
    So it has not been a question of our having to require it. 
They have actually voluntarily agreed to a standard system of 
security, and they have gone beyond that. They have agreed to 
standard authentication procedures for taxpayers who use their 
services.
    So it is one of the great examples of what happens if you 
have a public-private partnership where both sides are working 
together to solve a problem. You can make great progress, and 
we feel comfortable that our partners in the private sector see 
this as an important problem. They want to protect their 
clients. None of them wants to have a breach. And they have all 
been willing to work cooperatively with us to set appropriate 
standards and agree to them.
    Senator Wyden. So the last leg of this game plan, in 
addition to critical pay authority and the tools to deal with 
these e-file rip-offs, is tax preparers.
    Once again, Chairman Hatch and I have had bipartisan 
legislation on this ready to go, and, for the life of me, I 
cannot understand, when taxpayers are ripped off, why we cannot 
have minimum standards.
    Where you all are sitting, we had a witness from Oregon who 
made it very clear the sky is not going to fall, Western 
civilization is not going to end, if we have minimum standards.
    I just want to wrap up with a question for Mr. Koskinen and 
Mr. Dodaro, whose work we also have long appreciated.
    My understanding is, you both think that there should be 
minimum standards over preparers based on what you have seen 
over the years, with all the problems that stem from the fact 
that, while most preparers are honest and reputable business 
leaders, we, unfortunately, have some bad apples.
    So is that your judgment, gentlemen, that there need to be 
some minimum standards over these preparers?
    Mr. Dodaro. Yes, Senator Wyden, I believe that. We have 
recommended that Congress give IRS the authority to regulate 
paid tax preparers, and I say that for several reasons.
    One, we did an undercover investigation that sent teams out 
to 19 paid tax preparers. Only two of the 19 paid tax preparers 
gave us correct answers, and some were very wrong.
    We also looked at 3 years of data at that time and found 
that paid tax preparers made errors 60 percent of the time 
versus 50 percent of the time for taxpayers who filed on their 
own behalf.
    IRS found that paid tax preparers file about 68 percent of 
the Earned Income Tax Credit returns in a 1-year or 2-year 
period of time, and about 48 to 53 percent of those returns 
over-claimed the tax credit.
    I definitely think there needs to be authority given IRS to 
set minimum standards for paid tax preparers.
    I would also comment that we think the IRS should have more 
monitoring and oversight of the security and privacy standards 
that paid tax preparers agree to use. We have had an open 
recommendation in this area since 2009.
    Senator Wyden. Thank you for your professional work.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator.
    I would just say we have heard a lot today from the IRS and 
the ranking member regarding streamlined critical pay 
authority.
    As Senator Wyden noted, re-implementing this authority is 
included in a bipartisan bill the committee introduced last 
year, and we will be moving to consider this particular bill in 
the near future. So hopefully we can resolve some of these 
problems.
    Senator Grassley, we will turn to you.
    Senator Grassley. I am going to start with Director 
Wilshusen, please. I spent a little time comparing your 2015-
2016 reports on information security at the IRS. Let me take a 
couple of examples.
    In 2015, one specific observation was that on two 
databases, account passwords were not set to expire every 90 
days, as they should be.
    In 2016, the report says two of the 13 databases reviewed 
again had passwords that did not expire every 90 days, as they 
should have.
    Do you know if these were the same two databases?
    Mr. Wilshusen. Yes, sir, they were.
    Senator Grassley. It is common to hear that the lack of 
funding is why we cannot have better cybersecurity. So I might 
ask you, what is the approximate cost of setting up a password 
to expire every 90 days?
    Mr. Wilshusen. It would be negligible, sir. It would not be 
a high-cost issue. It would be very low-cost, indeed.
    Senator Grassley. Again, both the 2015 and 2016 reports had 
a section dedicated to physical access control procedures that 
were not consistently implemented. The 2016 report observes 
that security guards control physical access to each IRS 
computing center.
    Quoting now from the 2016 report, quote, ``IRS has yet to 
address weaknesses pertaining to its review of its authorized 
access lists to sensitive areas for both employees and visitors 
at one of its computing centers.''
    So it is not an either/or. But I wonder if you could 
compare the cost of a dedicated guard force to the cost of 
reviewing a list of people who appropriately have access to the 
facility.
    Mr. Wilshusen. Well, certainly, employing and deploying a 
guard force would cost significantly more than what it would to 
just review an access list on a periodic basis. That would be 
basically very low-cost, and it is something that should be 
done as a normal course of business.
    Senator Grassley. Your 2015 report found the agency did not 
always ensure that contractors received security awareness 
training within 5 business days, as required.
    The 2016 report found the same problem and noted that the 
IRS acknowledged it had not addressed the issue.
    Could you say if this contractor problem is that they get 
the training, but that they get it late, or do they just not 
get it at all?
    Then I will follow that up right now. How expensive would 
it be to get the training in a timely manner rather than late?
    Mr. Wilshusen. Well, first of all, it is that they do not 
receive it in a timely manner. The contractors do not receive 
this training, for the most part, in a timely manner.
    And in terms of cost, if it is a web-based training, it 
should not cost much additional money to ensure that they 
receive it within the 5 days of gaining access to IRS systems.
    Senator Grassley. A couple of questions about mainframe 
security policy. Both your 2015 and 2016 reports say that, 
according to the mainframe manufacturer, policy should address 
who can administer the security software configurations that 
control access to mainframe programs.
    Is that correct?
    Mr. Wilshusen. Yes, sir.
    Senator Grassley. And both reports indicate that the IRS 
mainframe security policy does not address who can administer 
these configurations. Is that correct?
    Mr. Wilshusen. Yes, sir.
    Senator Grassley. What would be the cost of naming the 
person or persons who can administer the software 
configurations that control access to mainframe programs?
    Mr. Wilshusen. There should really not be much of any cost 
associated with that. It is just an assignment of 
responsibilities that IRS should make to assure that those 
individuals have been designated and take the appropriate steps 
to limit access as appropriate to those mainframes.
    Senator Grassley. So I would like to ask, Commissioner 
Koskinen, as you heard me ask Mr. Wilshusen about findings and 
recommendations that appear over and over in the GAO report--or 
at least each of the last 2 years--about cybersecurity at your 
agency, I took special note of four areas: setting passwords to 
expire every 90 days; two, a monthly review of lists of who 
should have access to computer centers; three, timely security 
awareness training for contractors; and, fourthly, the naming 
of administrators for software security on mainframe programs.
    Would you agree that these are low-cost changes that could 
improve cybersecurity, and if they are, then why have they not 
been done?
    Commissioner Koskinen. They are low-cost. I would note that 
we value highly both the reports and recommendations from GAO 
and from the IG, particularly in cybersecurity areas.
    In the last several years, we have counted up over 2,000 
GAO recommendations, of which we have already implemented about 
80 percent.
    In the internal security--and these are important internal 
security issues, not external, but they could become external, 
obviously--one of the things we are moving toward in terms of 
access is that passwords themselves turn out to be somewhat 
questionable, and we are moving toward what we call PIC cards, 
where you can actually only access servers--right now, you can 
only access e-mail with a Personal Identity Card you put into 
the computer.
    We are moving toward having that be the system for access 
to all servers, all mainframes, and security online, so that it 
does not matter if you have given away your password or 
somebody seeks it, they will not be able to have access without 
the card.
    But I agree, to the extent we can--we have a wide range and 
a large number of recommendations from both the IG and GAO. We 
do not disagree with those. We are working as quickly as we can 
to implement them, and these are particular ones internally to 
make sure that--we worry a lot about external threats. We also 
need to worry about internal threats, inadvertent or otherwise, 
and that is a high priority for us.
    Senator Grassley. Then I would expect that these will not 
be in the 2017 report.
    Commissioner Koskinen. I can almost guarantee you, working 
with GAO, they will not be. But GAO, I would note, has done a 
very important thing for us. Out of their range of 
recommendations, they have given us their priorities or what 
they think are the highest priority for us to do.
    Because there are limitations of time and resources, the 
ability to identify which of the recommendations have the 
highest priority is very helpful to us, and GAO has been very 
good about giving us that guidance.
    Senator Grassley. Thank you.
    The Chairman. Thank you, Senator.
    Senator Carper?
    Senator Carper. Thanks, Mr. Chairman.
    I want to associate myself with the comments of Senator 
Wyden earlier. I thought he nailed it with his comments with 
respect to the streamlined critical pay program. Mr. Chairman, 
you mentioned in your comments that legislation had been 
introduced, bipartisan legislation was introduced last 
Congress. I just think it is critical that we follow through on 
that.
    Year after year, Mr. Koskinen and others come to us and 
say, ``Please do this to enable us to do our jobs more 
effectively,'' and a lot of times we point the finger at them 
and say, ``You know, you screw up here and you screw up there, 
your people have as well.'' We have some responsibilities in 
this too, and one of the things that we could do to help out is 
to provide for the reestablishment of the streamlined critical 
pay program.
    Mr. Chairman, you are going to hear a lot from me in the 
months to come, saying we should do this, let us do it, let us 
get it done. We need to do our job. We need to do our job.
    We hear a lot about that lately. We need to do our job. 
This is another area where we need to do our job.
    Mr. Dodaro, I want to ask you--I want to come back to this 
other point that Senator Wyden raised, and that is the minimum 
standards for paid tax preparers.
    Would you just give--I think you guys have looked at this 
before, you folks have looked at this before. Just give us a 
minute or so on what we should be doing in this regard.
    Mr. Dodaro. We made a recommendation several years ago that 
IRS institute regulations over paid tax preparers, which it 
did, and then those regulations were overturned by the court 
because it viewed that IRS did not have statutory authority to 
do this.
    As I mentioned earlier, our work has consistently shown 
that there are problems with some paid tax preparers. We sent 
teams of people to 19 paid tax preparers. We checked in advance 
with the IRS what the right answers should be to our tax 
scenarios. Only two of the 19 paid tax preparers gave us 
correct answers. Some were very far off, to the point where 
they could have resulted in penalties and interest, both for 
themselves as well as for the people whom they were filing for.
    We also looked at IRS data, at a 3-year period of time, and 
found that paid tax preparers made errors 60 percent of the 
time versus 50 percent of the time for taxpayers filing on 
their own behalf.
    Senator Carper. It was actually worse.
    Mr. Dodaro. Yes. Yes.
    Senator Carper. What should we do?
    Mr. Dodaro. Well, I think you need to give the IRS the 
authority, the statutory authority, to regulate paid tax 
preparers. They need to set minimum standards. They should go 
through a due process procedure just as you would with any 
regulatory approach and set the standards and enforce those 
standards.
    This is a particular problem because of IRS's resource 
levels. If the government is going to rely on paid tax 
preparers to largely carry out a very important function on 
behalf of the government, then it needs to make sure that they 
are properly carrying out their responsibilities. IRS could 
greatly leverage the preparers' activities as opposed to a need 
to continually beef up the IRS.
    Senator Carper. Thanks so much.
    Last year, Mr. Koskinen, I worked with a number of our 
colleagues, some on the Homeland Security and Governmental 
Affairs Committee, some on the Intelligence Committee, and 
others, to eventually pass the Federal Cybersecurity 
Enhancement Act of 2015. Among other things, the bill 
strengthened an important cybersecurity system at the 
Department of Homeland Security that is known as EINSTEIN 3A. 
The EINSTEIN program uses the best threat intelligence from our 
national security agencies to block cyber-threats before they 
can actually reach our Federal agencies in many instances.
    It is my understanding that EINSTEIN 3A is now available to 
all Federal agencies. However, not all agencies, including the 
IRS, are signed up for EINSTEIN 3A.
    The bill we passed last year also made participation in the 
program mandatory for all Federal civilian agencies.
    When will the IRS adopt EINSTEIN 3A and start receiving its 
protections?
    Commissioner Koskinen. I would like to give you Mr. 
Milholland.
    Senator Carper. Mr. Milholland?
    Mr. Milholland. We are very familiar with the EINSTEIN 
program, 1 and 2, and we are scheduled to receive the EINSTEIN 
3 equipment this year, and then there is the issue of 
implementing it.
    So certainly by next filing season, I suspect that we will 
have it all done.
    Senator Carper. So by next filing season, like a year from 
now?
    Mr. Milholland. Yes, sir. As I say, we have to schedule 
ourselves with DHS to receive the equipment, install it, test 
it, and then implement it. It is not something that is done 
overnight.
    Senator Carper. That is a lot of nights. We have 365 
nights.
    Mr. Milholland. Again, we are not yet scheduled from DHS. 
So it is something we have to work out with another agency as 
to when we actually get the equipment.
    Senator Carper. We are going to go to work on that and make 
sure that we do everything we can to move you up in the queue.
    Mr. Milholland. Thank you, sir.
    Senator Carper. You bet. Thanks so much.
    Thanks, Mr. Chairman.
    The Chairman. Thank you, Senator.
    Senator Scott?
    Senator Scott. Thank you, Mr. Chairman.
    Good morning to the panel and thank you for taking the time 
to be here, and we certainly appreciate your investment of time 
and your energies toward making sure that taxpayers' 
information is secure as possible.
    I certainly know firsthand that identity theft is a 
terrifying experience and one that we should all hope that all 
taxpayers have an opportunity to avoid. The reality of it is 
that what we have seen over the last several years is too many 
taxpayers having too much information exposed inappropriately 
and, frankly, very poor results.
    Unfortunately, there seems to be a systemic failure at the 
IRS in protecting taxpayer information, despite repeated 
warnings that the IRS needed to strengthen and modernize 
protection of taxpayer information. Due to these failures, I 
have received a number of e-mails from constituents throughout 
South Carolina, one in the last couple of days specifically 
from a taxpayer in Lexington, SC, who seems just bewildered at 
what the Federal Government, particularly the IRS, is doing to 
protect personal information.
    I am interested in learning more about what the IRS is 
doing, and we certainly have heard a number of presentations 
and a lot of information about some programs that would be 
successful.
    Other than what has already been mentioned, what else do 
you think should be done and can be done? If you can take maybe 
50 seconds to answer that one.
    Commissioner Koskinen. We are doing a wide range of things. 
One is, we are getting ready to establish a significantly 
increased authentication protocol. It will mean more taxpayers 
will not be able to answer the questions or get in, but it will 
make the system more secure.
    As noted, we are moving to protect the systems with PIC 
cards, so people can only access e-mails or servers with 
personal identity cards.
    We are working, and the private sector is working very 
closely with us--and we have a public relations campaign going 
with them out to taxpayers, trying to give them information on 
how to protect their data.
    I would stress the accesses that have been obtained at the 
IRS were by criminals able to masquerade as taxpayers because 
they already had the information on the taxpayers.
    So we think it is important for individuals to be careful 
what they do with their information, not to give out their 
Social Security numbers, not to use the same user ID and 
passwords all across the board, because we are all in it 
together.
    Senator Scott. Thank you very much. Another issue that we 
have had many conversations about, and certainly one that I 
think should be deeply troubling to all of us, is the ruling 
last month by the Sixth Circuit Court that basically, in United 
States v. NorCal Tea Party Patriots, demanded that the IRS stop 
their games of delaying and turn over the documents requested 
by the plaintiffs.
    In fact, the Sixth Circuit called the conduct displayed by 
the IRS attorneys outside the tradition of defending the 
Nation's interests in enforcing its laws. And while we spend a 
lot of time on cyber-breaches, the reality of it is that 
protecting all taxpayers should be one of our top priorities.
    Has the IRS complied with that court order?
    Commissioner Koskinen. We have complied with that court 
order. We have given the plaintiffs the information they 
requested, the names and addresses of the organizations.
    As you know, our strong view was, that was taxpayer 
information. We have a lot of applications for a lot of things, 
whether it is private letter rulings or applications to become 
a c(3), (4), (5), (6), or (7), and oftentimes people, when they 
apply, do not assume that the application will be made public.
    So we disagreed with the court, but we have complied with 
the court, because we have that order, but we have only 
complied with the information specifically in that case, and we 
have only done it in that case. We have not made a decision 
about any other case.
    Senator Scott. Thank you.
    The Chairman. Senator Coats, you are next.
    Senator Coats. Thank you, Mr. Chairman.
    I would like to direct my question to Mr. George. Mr. 
George, I raised the issue of employment-related identity theft 
with the Commissioner the last time he testified before the 
committee here, and I know that TIGTA has done a lot of work on 
this issue.
    These are cases in which someone uses someone else's 
identity, their name or their Social Security number, to get a 
job illegally, on the employment side. A W-2 form with this 
false information is then sent to IRS and the Social Security 
Administration by an employer, or the W-2 may be attached to 
the tax return of the undocumented worker.
    Our staffs met to try to work this out. It was a couple of 
months ago. What we learned is that, one, the IRS continues to 
process tax returns with false W-2 information and issues 
refunds as if they were routine tax returns, saying, ``That is 
not really our job; we are there to process the returns and 
issue the refunds or collect what is overdue.''
    We also learned the IRS ignores notifications from the 
Social Security Administration that a name does not match a 
Social Security number, and you use your own system to 
determine whether or not a number is valid.
    We learned that employers are liable for IRS fines and 
penalties if they submit false W-2 information, yet neither the 
IRS nor SSA is notifying employers that the information they 
are submitting is false.
    We learned that IRS identified 200,000 new cases of 
employment-related identity theft last year and marked victims' 
accounts, yet did not notify the victims, again, saying, ``That 
is really not our job.'' In fact, the IRS forbids its employees 
from notifying victims that their information has been stolen. 
The IRS does not examine returns submitted on paper for 
employment-related identity theft.
    Lastly, we learned that when the IRS marks the account of a 
victim, it does not notify the Social Security Administration 
that the victims did not earn the income reported on the W-2, 
and, as a result, the victims could lose income-related 
benefits because their Social Security earnings are not 
corrected.
    My question to you is, one, have we made some progress 
since we met, on the basis of what we learned; and secondly, if 
you do not have the authority to better inform victims or 
connect with SSA on the potential fraud and notify each other, 
do you need authority to be able to do that? Do you need a 
statutory mandate here from the Congress to do that? Where do 
we go from here?
    I think all of us can agree that victims need to know that 
they are victims, and they need to know that an agency of the 
Federal Government, whether it is IRS or whether it is SSA, or 
both, ought to have some ability to talk to each other to make 
sure that they do not run afoul of one or the other.
    I am happy to hear your response.
    Mr. George. Thank you, Senator. What you stated at the 
outset of your question is completely accurate.
    I would note the IRS did have a pilot program to address 
this issue. That program ended. So they are not providing the 
information that you pointed out, but we are literally, sir, in 
the process now of assessing this overall issue and expect to 
issue our report in June of this year.
    Senator Coats. Well, I am glad to hear that, but was the 
pilot program false? I mean, it just did not work out, is 
that----
    Mr. George. I will defer to the Commissioner to describe 
whether or not he thinks it was--was it false? No, but they 
made a decision not to continue it, and I do not know whether 
it was resource-driven or what factors they took into 
consideration, Senator.
    Senator Coats. Commissioner, I would be happy to have your 
response.
    Commissioner Koskinen. Surely. Again, as you know, what 
happens in these situations is, someone is using a Social 
Security number to get a job, but they are filing their tax 
return with their ITIN--they are undocumented aliens. And so on 
that ground, they file taxes. It is in everybody's interest to 
have them pay the taxes they owe.
    The question is whether the Social Security number they are 
using to get the job has been stolen, though it is not the 
normal identity theft situation. We did run a pilot, and we are 
looking at--and I appreciated your discussions about this--
whether there is a way we could simply advise people.
    A lot of times, those Social Security numbers are, in fact, 
borrowed from friends or acquaintances, and people know they 
have been used. Other times, they do not.
    So we are looking at--and one of the reasons for the pilot 
was--what is the most effective way to deal with this without 
necessarily having people decide not to file their taxes--
obviously a priority for taxpayers and the IRS, which is 
collecting those taxes.
    So I would be delighted to have us get back to you with 
more detail on exactly where we are. And in some cases, there 
may be a need for statutory authority, and we are very 
sensitive about protecting taxpayer information on both sides.
    But we will be delighted to give you the update on what we 
have learned and what we might be able to do going forward.
    Senator Coats. Mr. George?
    Mr. George. Thank you, Senator. I just wanted to add that 
there was a bill introduced entitled the Social Security 
Identity Defense Act that would require the IRS to inform an 
individual whether their SS number has been fraudulently used. 
I do not know where it stands now in terms of the legislative 
process.
    Senator Coats. Well, we can check that out.
    Commissioner Koskinen. But I would note specifically, we do 
advise taxpayers, when there has been any kind of access to one 
of our online applications, that their Social Security number 
is in the hands of criminals.
    What we are talking about here is a very limited case of 
people filing taxes with an ITIN, but it is clear that they 
used the Social Security number to get the job.
    But in all the other cases, we have sent out hundreds of 
thousands of letters, even when our system has not been 
accessed, warning taxpayers, no information was obtained from 
us, but you should know criminals have your Social Security 
number and other identifiers, so you should take whatever 
actions you can to protect that information.
    Senator Coats. If I could, Mr. Chairman, just one last 
question.
    My tax preparer, by the way, who is fully certified, just 
sent me an e-mail asking would I prefer to have my tax returns 
filed electronically or by paper. How am I safer--which way?
    Commissioner Koskinen. You are actually safer 
electronically, because we can mark accounts. The only 
difference is, when you file on paper, it just takes longer to 
process, takes longer to get a refund.
    We get fraudulent paper returns. So it is not as if the 
criminals do not file paper as well.
    So we encourage everyone to e-file. Over 86 percent filed 
last year electronically, and as noted, it does give us the 
ability to track patterns more easily, and it is part of the 
data we share with the private sector and the States.
    So our advice to you is, file electronically.
    Senator Coats. Any other answer would probably flood your 
agency with a lot of paper. [Laughter.]
    I will put that in that context. Anyway, I ended up doing 
it electronically. I hope it works.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator.
    Senator Cardin, you are next.
    Senator Cardin. Thank you, Mr. Chairman. I thank all of our 
witnesses today in regards to the integrity of the system.
    We are very concerned about the recent warning that was 
given to Maryland, Virginia, and DC taxpayers, due to the 
phishing scams, trying to trick victims into verifying the last 
four digits of their IRS number in order to get unsuspecting 
taxpayers' information that can be used to compromise their 
privacy and their financial integrity.
    I guess I will go with the Commissioner. Could you just 
update us as to the status of that particular concern and 
whether there should still be high alert in our region in 
regard to this scam?
    Commissioner Koskinen. I think there should be. One of the 
things I think everyone should be aware of is--people should be 
aware of all the possible scams out there. There are the phone 
scams, where people call you and pretend to be from the IRS and 
threaten you, and we keep telling people, if you are surprised 
to be hearing from us, you are not hearing from us, and you 
should report that call. We work with the IG very closely on 
that.
    There are phishing expeditions of all kinds, from 
masquerading as coming from financial institutions to the IRS 
seeking information or personal information. A lot of times you 
will get a note that says your account is frozen, click here 
and you can unfreeze your account. You should never do that. No 
bank or financial institution will put you through that system.
    So this one is the most recent. We have had a couple new 
ones this year. We have had private-sector companies, where it 
would appear to be an e-mail from the CEO asking for personal 
information about employees, but it turns out to be an e-mail 
that is a phishing expedition from criminals.
    So in this area, we are encouraging people to always 
remember that no one is asking legitimately for any personal 
information like Social Security numbers online or on the 
phone, and so you should not either click on the link and you 
should not provide that information.
    Senator Cardin. Do you know why this has been 
geographically in this region that this particular scam is 
being used?
    Commissioner Koskinen. We do not. We know ID theft began, 
kind of flourished in Florida. We have a pilot program for IP 
PINs that has run for a couple of years in Florida, Georgia, 
and the District of Columbia.
    Why those were the three areas where we have had more 
identity theft is hard to know, but the District has always 
been one of the areas that has been most prone to identity 
theft. And so it is not unusual for a permutation on that scam 
or scheme to happen in the same geographic area, but there is 
no other indication.
    We cannot even tell you why the District of Columbia and 
Georgia are on the high end of identity theft. It just turns 
out to be one of those things that develops.
    Senator Cardin. One of the challenges in this environment 
is that we have to use all the resources we have at our 
disposal. That is, the Federal agencies need to work with the 
States and need to work with private entities and need to work 
with taxpayers.
    What efforts are underway to try to coordinate the 
resources to go after those who are committing these frauds?
    Commissioner Koskinen. We have a great effort--as I say, we 
work very closely with TIGTA. They have been tracking down 
people who are participating in phone scams. We have prosecuted 
and thrown in jail about 2,000 people for identity theft. We 
have about 1,700 investigations going on right now. We work 
closely with the Department of Justice in those areas.
    In more general phishing expeditions, they are harder to 
track down. We work with the Federal Trade Commission and 
others to make sure that that information is readily available 
to the public.
    As I said, the partnership we created a year ago with the 
private sector and the States has been a great vehicle for us, 
not only exchanging information about taxpayers, but exchanging 
information about fraud.
    We learned about the private-sector company CEO e-mail from 
one of our partners, and what has happened is, we all then can 
publicize that and put it out.
    So it is, I think, a significant step forward, but your 
point is well taken. We need everybody working together on this 
matter. As I told the States and the private sector when we 
brought them together, it is clear no one of us by ourselves is 
going to be able to successfully deal with this problem.
    Senator Cardin. Mr. George, do you want to respond?
    Mr. George. Senator, just to give you a sense, as of this 
week, we at TIGTA received approximately 1.2 million calls 
concerning impersonation cases, with approximately $31 million 
having been sent by people in scams.
    So as the Commissioner noted, we at TIGTA have engaged in 
public service announcements. We are doing as much local media 
as possible. The key is getting the word out, and you would be 
shocked how difficult it is sometimes to convince people that, 
as the Commissioner indicated, if you do not think you have an 
IRS problem and someone calls you out of the blue, you should 
hang up immediately, and they fail to do so.
    Senator Cardin. Let me just make one final point, and that 
is working with our State, in Maryland, our Comptroller has the 
ability to deal with paid preparers and is able to suspend 
their rights in Maryland. That, of course, has been compromised 
by the Supreme Court interpretation, and there will be an 
effort made to give the IRS the ability to regulate again those 
who are paid preparers.
    Mr. Commissioner, I know you have supported that, and 
hopefully we can use that as an opportunity to work more 
closely with our States.
    Commissioner Koskinen. Yes. We look forward to that. As I 
would say, the regulation is basically just requiring minimum 
standards in information, your ability to process tax returns. 
We are not talking about all sorts of other regulations.
    So it really is appropriately described as requiring 
minimum standards of paid preparers.
    Senator Cardin. Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Senator Casey?
    Senator Casey. Mr. Chairman, thank you very much. I want to 
thank the panel for being here and for your public service.
    I am going to be addressing my question to Commissioner 
Koskinen. But I do want to say, because Mr. Dodaro has great 
Pennsylvania roots, that I apologize for probably not getting 
to you today, but I will tell everyone at Belle Vernon High 
School that you said hello. Is that okay?
    Mr. Dodaro. That is fine.
    Senator Casey. Thanks. And the chairman, of course, has 
Pennsylvania roots as well. So we want to highlight that.
    I want to start with, Commissioner, some of the data points 
that you had in your testimony. I know I missed your 
presentation, but the written testimony highlights a number of 
things we should focus on in terms of the volume of your work.
    In fiscal year 2015, you processed 244 million returns, 
issued more than $400 billion in refunds. Your new filters 
stopped 1.4 million returns filed by identity thieves, thereby 
preventing $8.7 billion in fraudulent returns.
    So I wanted to state that for the record, because I know 
those numbers bear repeating. But I want to focus on two areas. 
One is cyber-criminals and the Security Summit, if you can 
comment on that, and also on tax scams.
    With regard to the Security Summit itself, if you can just 
reiterate or amplify some of the earlier comments about some of 
the recommendations that came out of that Security Summit and, 
secondarily, how IRS can be more adaptive in terms of dealing 
with some of those security recommendations.
    Commissioner Koskinen. What we all agreed on at our first 
meeting of the Security Summit--and we have been developing it 
since then--was that it would be critical to exchange 
information in real time. We are very sensitive about 
protecting taxpayer information and as a result, over the 
years, have not been particularly forthcoming with our partners 
about sharing information back.
    One of their concerns was, they would give us leads and 
then we never told them whether the leads were good, and we 
never built on that.
    So one of the purposes of the summit was to change all that 
and to have a robust exchange back and forth about patterns of 
activities, suspicious activities. We created a rapid response 
team with representatives from the States, the private sector, 
and the IRS. If there ever is a significant incident--and there 
have been a couple of them--we immediately have a way of 
getting that information out simultaneously.
    They gave us and we all agreed on 20 different data points 
that we would get, what IP is being used on a computer, how 
long people are using it. If you are filing several returns 
very quickly, it is pretty clear you are not checking your 
deductions, you probably are a criminal filing.
    So all of that has helped significantly. The additional 
funding we got from the Congress allows us to fund the 
development of the information center for analysis, which will 
simply facilitate more quickly the ability for States and the 
private sector to access the data rather than having it come in 
to us and then have us push it back out.
    So we think that it is significant. It is important for it 
to be an ongoing partnership. One of the things that has been 
interesting to me was, at the first meeting, the private-sector 
preparers and software developers said that we, the IRS, are 
the only people who could set standards, and I told them that 
was fine as long as they worked with us to establish the 
standards as opposed to us just imposing them.
    That is how we ended up with security standards; it is how 
we ended up with increased authentication standards that all 
the preparers are using this year.
    We are working together to broaden those activities as we 
go forward. We will have more data points used in the next 
filing season, and we already see an up to 40 percent increase 
in the refund fraud stopped as a result of just sharing the 
information about leads.
    Senator Casey. Well, I appreciate that, and I hope as you 
begin to implement recommendations, that you keep us updated. 
Number two, if you find any either institutional obstacles or 
policy gaps that we can help with, I hope you tell us that.
    I want to move, in the remaining seconds I have, to tax 
scams. I went across the State on our break and held a number 
of roundtables regarding senior scams more broadly, a lot of 
them having their origin in IRS impersonation or tax scams.
    What can you tell us about that in terms of your recent 
work and what taxpayers should be focused on as we approach tax 
day?
    Commissioner Koskinen. As we approach tax day, I think the 
most important thing for taxpayers to focus on is, if you are 
surprised to be hearing from us and you have not gotten a 
letter before--you should have gotten several letters--then you 
are not hearing from us. We never threaten people. We never 
tell you you are going to jail the next day, and we never tell 
you to make your payment to a bank account or a debit card.
    If you are going to pay taxes, you pay them to the United 
States Treasury. If I could just get people--we have been 
working on this for over 2 years--to understand, (a) we do not 
threaten you; (b) we do not surprise you; and (c) if you are 
going to pay your taxes, make sure they go in a check payable 
to the United States Treasury.
    TIGTA has been very good at working with us; the private-
sector partnership has been good at working with us. They were 
the ones who said we have to have a public campaign to get 
taxpayers to pay attention to all of this.
    Senator Casey. Well, that ``IRS will never do'' list is 
something we read at various meetings, but we need to 
reemphasize that to give people the information so they 
understand that.
    Commissioner Koskinen. The marketers say you have to make 
seven impressions before anybody hears you. We have tried to 
make more than seven impressions. TIGTA has been a wonderful 
partner with us with their work as well.
    We have had very good coverage from the media, local and 
national media, over the last couple of years. But the people 
most vulnerable are elderly, are immigrants, low-income people 
who kind of live in a state of worry or fear, and they are the 
most likely to be prey to these kinds of events, which is why 
we are so concerned.
    Senator Casey. Thank you, Commissioner.
    The Chairman. Senator Portman?
    Senator Portman. Thank you, Mr. Chairman. Thanks for 
holding this important hearing today. It is a topic that 
affects all of our constituents, I am sure.
    I will tell you that in 2014, we had one case, one 
constituent case, of identity fraud. In 2015, we had 32. I do 
not know if that is consistent across the States, but that kind 
of an increase, unfortunately, is an indication of the growing 
problem that we are all facing.
    I am very concerned particularly about, Mr. George, your 
report, as the Inspector General for Tax Administration, 
indicating that the IRS has not established an IRS-wide 
approach to authenticating someone's identity.
    I am open to more funding. I, for one, believe, as you 
know--we have talked about this--that more funding may be 
appropriate, as we did at year end, but I want to be sure the 
money is well spent. So I look forward to following up with you 
on that.
    But I want to, if I could, shift to another issue this 
morning. It has to do, Commissioner Koskinen, with a very 
urgent issue for a group of our constituents. And Senator Brown 
and I have worked closely on this issue, and I think he has 
similar concerns to mine. I look forward to hearing from him on 
it in a moment.
    But this has to do with the health coverage tax credit. As 
you know, section 407 of what is called the Trade Preferences 
Extension Act last year reinstated that health coverage tax 
credit through 2019. Basically, it extended the advance monthly 
payment program, which is essential. It is a program that gives 
advance premium payments to these HCTC recipients.
    In that statute, the program was to be in place 1 year from 
the date of enactment. So in this case, we enacted it in June 
of 2015. We said that it would have to be in place by June 
2016, this year, 1 year.
    We were, unfortunately, told on March 7th of this year, 9 
months after the bill had originally passed, by way of a letter 
from you, Mr. Commissioner, that the IRS would not be starting 
the advance monthly payment program by June, as required under 
law, but that you all hoped to start making advance payments by 
January of next year, so January of 2017.
    So this has caused a huge problem. Six months go by, we do 
not hear anything, and then all of a sudden, taxpayers are told 
that the rug is being pulled out from under them and that we 
are not going to go ahead with this required advance payment 
program.
    Expecting that they are going to get this advance monthly 
payment starting in mid-year, a lot of these taxpayers signed 
up for the health coverage in December and January. They 
thought they could get premium assistance, of course, starting 
on July 1st, as required under law.
    This is not an easy decision to make. These premiums, as 
you know, are thousands of dollars per month. In some cases, 
taxpayers had to borrow money from family and friends, borrow 
from a bank, or take money from their retirement accounts 
early, to pay for these full premium prices in the first 6 
months of this year, knowing that help was coming.
    Furthermore, in some cases, these taxpayers had the option 
of receiving premium subsidies for plans on the health-care 
exchanges, but they turned down that opportunity because they 
wanted to stay in their private plans, which a lot of people 
do, and because they expected to get this 72.5-percent premium 
starting in July.
    So, by the time the middle of March 2016 rolls around, 
these taxpayers have made a lot of life-altering decisions 
based on the fact that these advance payments are going to be 
there, and, again, they have the rug pulled out from under 
them.
    These are resilient folks. They have been through a lot. 
These are people who were left behind, frankly, by our own 
Federal Government in terms of their health care and pensions. 
They can plan for stuff and they have done this.
    When the HCTC was unavailable in 2014 and 2015, they made 
sacrifices and they got by, but, again, to pull a rug out from 
under them 3 months before they are expecting this help is 
unacceptable, completely unacceptable.
    The fact that the IRS had July, August, September, October, 
November, and December of last year to provide them with some 
sort of notice, to me, is also unacceptable. And the option 
left to these taxpayers now of trying to find another way to 
fund these premiums for the next 6 months or to have to drop 
health-care plans altogether because they cannot afford them is 
also unacceptable.
    So I understand our staffs--Senator Brown's staff and 
mine--have been working to try to find some sort of solution so 
that these advance monthly payment programs can get up and 
running by July. We have been having discussions about 
alternative methods of administering the advance monthly 
payment system so they are ready to go by July, as required by 
law.
    I would just ask today, Mr. Commissioner, that, as you have 
in the past on some issues, you get personally involved in this 
and help us to work out an arrangement so that we can be sure 
that we do not have an unacceptable result.
    Commissioner Koskinen. I have actually been personally 
involved since it was passed, because it is a critical program, 
and one of our obligations, we feel, is a high commitment to 
implement statutory mandates.
    As we advised people when they were considering this, the 
last time the program was initiated, we got a $74-million 
appropriation to go with it, and that allowed us to hire a 
contractor to set the program up, and it ran well.
    This time, we got no money, but we said, we are going to 
work to do our best. The reason we did not notify people until 
the 1st of March was, we worked very hard trying to see if, in 
addition to allowing people, which they can, to file in 2014 
and 2015 for reimbursement, we could get the advance payment up 
and running, and as soon as we figured out that we would not be 
able to be up in June, we notified you and everyone else.
    But I understand. Your points are well taken, and we do not 
take them lightly. If there were a way to do it, we would.
    I would say in addition to the $74 million, the last time 
the program was set up, it took 2 years. If we can get it up 
and running by January--and we are committed to doing that--it 
will be a year and a half. So without any funding at all, we 
will be 6 months faster than the last time.
    But your point is still valid. It does not necessarily help 
people who are, in fact, waiting for those payments. The fact 
that we will reimburse them after the fact is still a burden 
for them, and we regret that.
    We are delighted to work with you and Senator Brown to find 
any way to get there before January, but we have to build 
systems to make payments. We normally do not make monthly 
payments. So we have no system to do it.
    We can do the credit at the end of the year, because we 
give credits, which is why we could get 2014 and 2015 up and 
running. But we are delighted to work with you. We recognize 
that this is a burden on a number of people who have had a lot 
of other problems as well.
    Senator Portman. Well, it is a burden. Again, Mr. Chairman, 
thank you for your indulgence. But nothing you have said 
explains to me why we wait until March, mid-March of 2016, to 
tell people that these life-altering decisions that they made 
are not going to work out for them and they have to now find 
some alternative, which, in many cases, is going to mean, 
again, they are not going to have health-care coverage that 
they fully expected under law.
    So I do hope that you will instead work with Senator 
Brown's staff and my staff to come up with an acceptable 
solution so that we can get these people some sort of coverage 
through this advance health-care payment.
    Commissioner Koskinen. I would do that. The reason it took 
until February is, we actually made a good faith effort to see 
if we could get it done. We thought there was one possibility 
we could get it up and running. We worked on that and finally 
decided in February that the IT systems just would not be 
ready. But it was not because we did not care about it. It was 
because we were actually trying to see if we could make the 
one-year deadline. But we will work with you. We are delighted 
to do that.
    The Chairman. Senator Nelson?
    Senator Nelson. Thank you, Mr. Chairman.
    Mr. Commissioner, you were kind enough to respond to my 
March letter on April 1st. I hope that it was not an April 
fool's joke. But here was one of the questions in the letter, 
and let me read to you your office's response to me, and I need 
a clarification.
    The question was, under 26 CFR 1.501(c)(4)-1, the promotion 
of social welfare does not include direct or indirect 
participation or intervention in political campaigns on behalf 
or in opposition to any candidate for public office.
    Given these requirements, please provide examples, Mr. 
Commissioner, of when it is permissible for 501(c)(4), 
501(c)(5), or 501(c)(6) organizations to run ads supporting or 
attacking the positions of a candidate for elected office. 
Please provide examples of when this activity would be 
impermissible.
    Now, I know this is a delicate subject, especially in front 
of the chairman and those of us over here. This was your 
answer, and I think it is quite clear, quote: ``Unlike section 
501(c)(3) charitable organizations, organizations described in 
section 501(c)(4), 501(c)(5), and 501(c)(6) are not prohibited 
from engaging in political campaign intervention. However, 
section 501(c) organizations that engage in political campaign 
intervention may be subject to tax under 527(f) on their exempt 
function expenditures. Whether an organization is engaged in 
political campaign intervention depends upon all the facts and 
circumstances of each case.
    ``Revenue ruling'' such-and-such ``2004-6 provides six 
examples illustrating facts and circumstances to be considered 
in determining whether a section 501(c) organization that 
engages in public policy advocacy has expended funds for a 
section 527 exempt function; that is, influencing or attempting 
to influence the selection, nomination, election, or 
appointment of any individual to public office.''
    The final couple of sentences read: ``Revenue ruling 2007-
41 provides an additional 21 examples illustrating facts and 
circumstances to be considered in determining whether a 
501(c)(3) organization's activities result in political 
campaign intervention. The analysis reflected in these revenue 
rulings for determining whether an organization has engaged in 
political campaign intervention or has expended funds for a 
section 527 exempt function is fact-intensive. A copy of both 
revenue rulings is enclosed with this letter.''
    That was a very extensive answer, and I want you to know I 
appreciate it.
    Now, here is the clarification that I need, please. So if 
that is the case, and if the IRS is really enforcing the law, 
how much tax revenue have you collected for political 
expenditures of 501(c)(4) groups this year or last year--or any 
year?
    I fully do not expect you to have that on the top of your 
head, but I would like you to give the answer to this member of 
the committee.
    Commissioner Koskinen. I carry around a lot of numbers in 
my head, but that is not one of them, as you suspected.
    Senator Nelson. Understandably.
    Commissioner Koskinen. Yes. We will be delighted to get you 
that information as quickly as we can, because it is important 
and we should be able to answer quickly.
    Senator Nelson. That is great. Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Nelson.
    Senator Cantwell?
    Senator Cantwell. Thank you, Mr. Chairman. I thank the 
Senator for his work on this issue.
    I wanted to ask of the Commissioner, one of the issues that 
I think all government faces is the shortage of highly skilled 
IT personnel, and we previously had support that would allow 
you to streamline the pay and authority so that you could get 
the skill level that you need.
    My understanding is, though, that this legislative 
authority has expired and we need to re-legislate that 
streamlined authority so that you can have the critical pay.
    So how much is this affecting us in getting the workers 
that we need at the IRS?
    Commissioner Koskinen. Well, it is a significant challenge 
for us. We have only 13 or 14 people left. There were 40 slots. 
We never used more than 34 of that. There are 13 or 14 left; 10 
are senior IT people working on cybersecurity, online services.
    By this time next year, they will all be gone. Replacing 
them is very challenging for us at the IRS, although a lot of 
people want to come to us because we have very interesting 
challenges.
    IT people, high-level people, are in great demand, and 
putting them through the hiring process--we find you, we like 
you, yet you get to wait for 3 to 6 months while we put you 
through an application process. Our people are being recruited 
every day. Those people whom we are recruiting are being 
recruited every day.
    So saying, ``We really like you; we would like you to come 
work; sit still for 3 to 6 months, and we will get back to 
you,'' does not work. And so our concern is--and it is a 
serious concern--in the areas of information technology 
particularly, where we are talking about attracting the best in 
the country, without the authority--and we have not had it 
since 2013--it has made it almost impossible for us to recruit 
and retain at the level that we need to.
    Senator Cantwell. Is this affecting cybersecurity at the 
IRS?
    Commissioner Koskinen. Our head of cybersecurity left 
recently rather than wait until his term ran out. The reason it 
is four plus two would allow us, for the people remaining, to 
have 2 years to, in fact, replace them as we go forward. But it 
is a critical need. It is not a major expenditure. It is not a 
lot of people. But it is critical to us, because it is focused 
on an area of high need for us.
    Senator Cantwell. Well, the competition for people 
knowledgeable in cybersecurity in general is very high, and IT 
still also remains very high.
    So the fact is that, even in an ``I can hire you tomorrow'' 
environment, you are facing very, very stiff competition.
    So I think, Mr. Chairman, this legislation--I think it 
keeps getting delayed or postponed based on markup, or maybe it 
is going to be on the next legislative schedule--it is really 
important for us to make sure that we have the flexibility.
    I think the issue for all of our government is to continue 
to make sure that we have the best technology people, which is 
challenging for a whole lot of reasons. But I think that this 
authority to help you streamline that hiring and pay is 
something that we need to do as quickly as possible. So thank 
you.
    Thank you, Mr. Chairman.
    Commissioner Koskinen. Thank you, Senator.
    The Chairman. I thank all of you for appearing here today. 
I also want to thank my colleagues for their participation.
    Considering that tax day is just a few days away, I hope 
this hearing has helped us better understand the current 
environment for all taxpayers, and I hope to continue working 
with my colleagues from both sides of the aisle as we continue 
to examine ways to improve cybersecurity and better protect 
taxpayer information at the IRS.
    I would ask that any questions for the record be submitted 
by Tuesday, April 26, 2016, and if you folks could get your 
answers back to us promptly, it would be very meaningful to us.
    So with that, we will recess until further notice.
    [Whereupon, at 11:54 a.m., the hearing was concluded.]

                            A P P E N D I X

              Additional Material Submitted for the Record

                              ----------                              


 Prepared Statement of Hon. Gene L. Dodaro, Comptroller General of the 
            United States, Government Accountability Office

                              GAO-16-589T

                             April 12, 2016

                          INFORMATION SECURITY

 IRS Needs to Further Improve Controls Over Taxpayer Data and Continue 
                 to Combat Identity Theft Refund Fraud

                             what gao found
    In March 2016, GAO reported that the Internal Revenue Service (IRS) 
had instituted numerous controls over key financial and tax processing 
systems; however, it had not always effectively implemented other 
controls intended to properly restrict access to systems and 
information, among other security measures. In particular, while IRS 
had improved some of its access controls, weaknesses remained in key 
controls for identifying and authenticating users, authorizing users' 
level of rights and privileges, encrypting sensitive data, auditing and 
monitoring network activity, and physically securing facilities housing 
its information technology resources. These weaknesses were due in part 
to IRS's inconsistent implementation of its 
agency-wide security program, including not fully implementing prior 
GAO recommendations. GAO concluded that these weaknesses collectively 
constituted a significant deficiency for the purposes of financial 
reporting for fiscal year 2015. As a result, taxpayer and financial 
data continue to be exposed to unnecessary risk.

    Identity theft refund fraud also poses a significant challenge. IRS 
estimates it paid $3.1 billion in these fraudulent refunds in filing 
season 2014, while preventing $22.5 billion (see figure). The full 
extent is unknown because of the challenges inherent in detecting this 
form of fraud.



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




    IRS has taken steps to combat identity theft refund fraud such as 
improving phone service for taxpayers to report suspected identity 
theft and working with industry, States, and financial institutions to 
detect and prevent it. However, as GAO reported in August 2014 and 
January 2015, additional actions can further assist the agency in 
addressing this crime, including pre-refund matching of taxpayer 
returns with information returns from employers, and assessing the 
costs, benefits, and risks of improving methods for authenticating 
taxpayers. In addition, the Consolidated Appropriations Act 2016 
includes a provision that would help IRS with pre-refund matching and 
also includes an additional $290 million to enhance cybersecurity, 
combat identity theft refund fraud, and improve customer service.

    According to IRS and industry partners, the 2016 filing season has 
generally gone smoothly, with about 95 million returns and $215 billion 
in refunds processed through April 1, 2016. In addition, IRS increased 
its level of phone service to taxpayers, although it has not developed 
a comprehensive strategy for customer service as GAO recommended in 
December 2015.
_______________________________________________________________________

    Chairman Hatch, Ranking Member Wyden, and members of the committee:

    Thank you for the opportunity to testify on cybersecurity and 
protecting taxpayer information. As taxpayers file their returns for 
2015, it is especially important that the Internal Revenue Service 
(IRS) ensure that adequate protections are in place to secure the 
sensitive information entrusted to the agency by members of the public.

    The Federal Government faces an evolving array of cyber-based 
threats to its systems and data. Reported incidents and data breaches 
at Federal agencies, including IRS, have affected millions of people 
through the compromise of sensitive personal information and underscore 
the continuing and urgent need for effective information security. We 
initially designated Federal information security as a government-wide 
high-risk area in 1997, and in 2003 we expanded this area to include 
computerized systems supporting the Nation's critical infrastructure. 
In 2015 we added the protection of personally identifiable information 
(PII)\1\ that is collected, maintained, and shared by both Federal and 
nonfederal entities.\2\
---------------------------------------------------------------------------
    \1\ PII is information about an individual, including information 
that can be used to distinguish or trace their identity, such as name, 
Social Security number, mother's maiden name, or biometric records, as 
well as any other personal information that is linked or linkable to an 
individual.
    \2\ See GAO, High-Risk Series: An Update, GAO-15-290 (Washington, 
DC: Feb. 11, 2015).

    In carrying out its mission to collect taxes, process tax returns, 
and enforce U.S. tax laws, IRS relies extensively on computerized 
systems and on information security controls to protect the 
confidentiality, integrity, and availability of sensitive personal and 
financial information for each U.S. taxpayer. Recent information 
security incidents at IRS further highlight the importance of ensuring 
---------------------------------------------------------------------------
that these controls are effectively implemented.

    As you know, the filing season is the time when most taxpayers 
interact with IRS. As in previous years, a major challenge during the 
filing season is protecting taxpayers' information and addressing 
identity theft (IDT) refund fraud, which occurs when a refund-seeking 
fraudster obtains an individual's Social Security number, date of 
birth, or other PII and uses it to file a fraudulent tax return seeking 
a refund.\3\ This crime burdens honest taxpayers because authenticating 
their identities is likely to delay processing their returns and 
refunds. Moreover, the victim's PII can potentially be used to commit 
other crimes. Given current and emerging risks, in 2015 we expanded the 
enforcement of our tax laws high-risk area to include IRS's efforts to 
address IDT refund fraud.\4\
---------------------------------------------------------------------------
    \3\ This statement discusses IDT refund fraud and not employment 
fraud. IDT employment fraud occurs when an identity thief uses a 
taxpayer's name and Social Security number to obtain a job.
    \4\ GAO-15-290.

    My statement today focuses on opportunities to assist IRS in 
addressing (1) information security weaknesses we have identified and 
(2) the challenge of identity theft refund fraud. I will also discuss 
---------------------------------------------------------------------------
the status of selected IRS filing season operations.

    Within the context of my testimony, it is important to note that, 
for fiscal year 2016, IRS received about $290 million in additional 
funding to support these areas. Specifically, the funding was intended 
to improve customer service, IDT identification and prevention, and 
cybersecurity efforts.\5\ According to IRS's spending plan this funding 
will be used to invest in (1) increased telephone level of service, 
including reduced wait times and improved performance on IRS's Taxpayer 
Protection Program/Identity Theft Toll Free Line ($178.4 million); (2) 
cybersecurity including network security improvements, protection from 
unauthorized access, and enhanced insider threat detection ($95.4 
million); and (3) IDT refund fraud prevention ($16.1 million).
---------------------------------------------------------------------------
    \5\ Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, 
div. E, Sec. 113, 129 Stat. 2242 (Dec. 18, 2015).

    My statement is based in part on our previous reports issued 
between August 2014 and March 2016. We updated selected data in this 
statement with 2016 data from IRS on individual income tax return 
processing and telephone service, as well as IRS's fiscal year 2016 
spending plan for the additional $290 million in appropriated funds. We 
also incorporated IRS statements on recent data breaches and IRS 
actions to address our past recommendations. To assess data 
reliability, we reviewed IRS data and documentation and assessed 
documentation for data limitations. We found the data to be 
sufficiently reliable for our purposes. All the work on which this 
statement is based was conducted in accordance with generally accepted 
government auditing standards. Those standards require that we plan and 
perform audits to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives.
                               background
    IRS's mission is to provide America's taxpayers top-quality service 
by helping them to understand and meet their tax responsibilities and 
to enforce the law with integrity and fairness to all. During fiscal 
year 2015, IRS collected more than $3.3 trillion; processed more than 
243 million tax returns and other forms; and issued more than $403 
billion in tax refunds. IRS employs about 90,000 people in its 
Washington, DC, headquarters and at more than 550 offices in all 50 
States, U.S. territories, and some U.S. embassies and consulates. Each 
filing season IRS provides assistance to tens of millions of taxpayers 
over the phone, through written correspondence, online, and face-to-
face. The scale of these operations alone presents challenges.

    In carrying out its mission, IRS relies extensively on computerized 
information systems, which it must effectively secure to protect 
sensitive financial and taxpayer data for the collection of taxes, 
processing of tax returns, and enforcement of Federal tax laws. 
Accordingly, it is critical for IRS to effectively implement 
information security controls and an agency-wide information security 
program in accordance with Federal law and guidance.\6\
---------------------------------------------------------------------------
    \6\ In particular, the Federal Information Security Modernization 
Act of 2014 (FISMA), among other things, requires the head of each 
agency to provide information security protections commensurate with 
the risk and magnitude of harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of the agency's 
information or information systems. Pub. L. No. 113-283, Sec. 2(a), 128 
Stat. 3074 (Dec. 18, 2014), codified at 44 U.S.C. Sec. 3554(a).

    Cyber incidents can adversely affect national security, damage 
public health and safety, and compromise sensitive information. 
Regarding IRS specifically, two recent incidents illustrate the impact 
---------------------------------------------------------------------------
on taxpayer and other sensitive information:

      In June 2015, the Commissioner of the IRS testified that 
unauthorized third parties had gained access to taxpayer information 
from its Get Transcript application.\7\ According to officials, 
criminals used taxpayer-specific data acquired from non-department 
sources to gain unauthorized access to information on approximately 
100,000 tax accounts. These data included Social Security information, 
dates of birth, and street addresses. In an August 2015 update, IRS 
reported this number to be about 114,000, and that an additional 
220,000 accounts had been inappropriately accessed. In a February 2016 
update, the agency reported that an additional 390,000 accounts had 
been accessed. Thus, about 724,000 accounts were reportedly affected. 
The online Get Transcript service has been unavailable since May 2015.
---------------------------------------------------------------------------
    \7\ This application provides users, via the IRS website, the 
ability to view, print, and download tax account, tax return, and 
record of account transcripts; wage and income documents; and proof of 
non-filing transcripts.

      In March 2016, IRS stated that as part of its ongoing security 
review, it had temporarily suspended the Identity Protection Personal 
Identification Number (IP PIN) service on IRS.gov. The IP PIN is a 
single-use identification number provided to taxpayers who are victims 
of identity theft (IDT) to help prevent future IDT refund fraud.\8\ The 
service on IRS's website allowed taxpayers to retrieve their IP PINs 
online by passing IRS's authentication checks. These checks confirm 
taxpayer identity by asking for personal, financial and tax-
related information. The IRS stated that it was conducting further 
review of the IP PIN service and is looking at further strengthening 
the security features before resuming service. As of April 7, the 
online service was still suspended.
---------------------------------------------------------------------------
    \8\ In January 2014, IRS offered a limited IP PIN pilot program to 
eligible taxpayers in Florida, Georgia, and the District of Columbia. 
Taxpayers must confirm their identities with IRS to receive an IP PIN. 
IP PINs help prevent future IDT refund fraud because, once issued, the 
IP PIN must accompany their electronically filed tax return or else IRS 
will reject the return. If a paper return has a missing or incorrect IP 
PIN, IRS delays processing the return while the agency determines if it 
was filed by the legitimate taxpayer. See GAO, Identity Theft: 
Additional Actions Could Help IRS Combat the Large, Evolving Threat of 
Refund Fraud, GAO-14-633 (Washington, DC: Aug. 20, 2014), for more 
details on IRS's IP PIN service.

    The Commissioner of Internal Revenue has overall responsibility for 
ensuring the confidentiality, integrity, and availability of the 
information and systems that support the agency and its operations. 
Within IRS, the senior agency official responsible for information 
security is the Associate CIO, who heads the IRS Information Technology 
Cybersecurity organization.
  although irs has made improvements, information security weaknesses 
         continue to place taxpayer and financial data at risk
    As we reported in March 2016,\9\ IRS has implemented numerous 
controls over key financial and tax processing systems; however, it had 
not always effectively implemented access and other controls,\10\ 
including elements of its information security program.
---------------------------------------------------------------------------
    \9\ GAO, Information Security: IRS Needs to Further Improve 
Controls Over Financial and Taxpayer Data, GAO-16-398 (Washington, DC: 
Mar. 28, 2016).
    \10\ Information security controls include logical and physical 
access controls, configuration management, and continuity of 
operations. These controls are designed to ensure that access to data 
is properly restricted, physical access to sensitive computing 
resources and facilities is protected, systems are securely configured 
to avoid exposure to known vulnerabilities, and backup and recovery 
plans are adequate and tested to ensure the continuity of essential 
operations.

    Access controls are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, information, and 
facilities. These controls include identification and authentication, 
authorization, cryptography, audit and monitoring, and physical 
security controls, among others. In our most recent review we found 
---------------------------------------------------------------------------
that IRS had improved access controls, but some weaknesses remain.

      Identifying and authenticating users--such as through user 
account-password combinations--provides the basis for establishing 
accountability and controlling access to a system. IRS established 
policies for identification and authentication, including requiring 
multifactor authentication \11\ for local and network access accounts 
and establishing password complexity and expiration requirements. It 
also improved identification and authentication controls by, for 
example, expanding the use of an automated mechanism to centrally 
manage, apply, and verify password requirements. However, weaknesses in 
identification and authentication controls remained. For example, the 
agency used easily guessable passwords on servers supporting key 
systems.
---------------------------------------------------------------------------
    \11\ Multifactor authentication involves using two or more factors 
to achieve authentication. Factors include something you know (password 
or personal identification number), something you have (cryptographic 
identification device or token), or something you are (biometric).

      Authorization controls limit what actions users are able to 
perform after being allowed into a system and should be based on the 
concept of ``least privilege,'' granting users the least amount of 
rights and privileges necessary to perform their duties. While IRS 
established policies for authorizing access to its systems, it 
continued to permit excessive access in some cases. For example, users 
were granted rights and permissions in excess of what they needed to 
perform their duties, including for an application used to process 
electronic tax payment information and a database on a human resources 
---------------------------------------------------------------------------
system.

      Cryptography controls protect sensitive data and computer 
programs by rendering data unintelligible to unauthorized users and 
protecting the integrity of transmitted or stored data. IRS policies 
require the use of encryption and it continued to expand its use of 
encryption to protect sensitive data. However, key systems we reviewed 
had not been configured to encrypt sensitive user authentication data.

      Audit and monitoring is the regular collection, review, and 
analysis of events on systems and networks in order to detect, respond 
to, and investigate unusual activity. IRS established policies and 
procedures for auditing and monitoring its systems and continued to 
enhance its capability by, for example, implementing an automated 
mechanism to log user activity on its access request and approval 
system. But it had not established logging for two key applications 
used to support the transfer of financial data and access and manage 
taxpayer accounts; nor was the agency consistently maintaining key 
system and application audit plans.

      Physical security controls, such as physical access cards, limit 
access to an organization's overall facility and areas housing 
sensitive IT components. IRS established policies for physically 
protecting its computer resources and physical security controls at its 
enterprise computer centers, such as a dedicated guard force at each of 
its computer centers. However, the agency had yet to address weaknesses 
in its review of access lists for both employees and visitors to 
sensitive areas.

    IRS also had weaknesses in configuration management controls, which 
are intended to prevent unauthorized changes to information system 
resources (e.g., software and hardware) and provide assurance that 
systems are configured and operating securely. Specifically, while IRS 
developed policies for managing the configuration of its information 
technology (IT) systems and improved some configuration management 
controls, it did not, for example, ensure security patch updates were 
applied in a timely manner to databases supporting 2 key systems we 
reviewed, including a patch that had been available since August 2012.

    To its credit, IRS had established contingency plans for the 
systems we reviewed, which help ensure that when unexpected events 
occur, critical operations can continue without interruption or can be 
promptly resumed, and that information resources are protected. 
Specifically, IRS had established policies for developing contingency 
plans for its information systems and for testing those plans, as well 
as for implementing and enforcing backup procedures. Moreover, the 
agency had documented and tested contingency plans for its systems and 
improved continuity of operations controls for several systems.

    Nevertheless, the control weaknesses can be attributed in part to 
IRS's inconsistent implementation of elements of its agency-wide 
information security program. The agency established a comprehensive 
framework for its program, including assessing risk for its systems, 
developing system security plans, and providing employees with security 
awareness and specialized training. However, IRS had not updated key 
mainframe policies and procedures to address issues such as 
comprehensively auditing and monitoring access.

    In addition, the agency had not fully addressed previously 
identified deficiencies or ensured that its corrective actions were 
effective. During our most recent review, IRS told us it had addressed 
28 of our prior recommendations; however, we determined that 9 of these 
had not been effectively implemented.

    The collective effect of the deficiencies in information security 
from prior years that continued to exist in fiscal year 2015, along 
with the new deficiencies we identified, are serious enough to merit 
the attention of those charged with governance of IRS and therefore 
represented a significant deficiency in IRS's internal control over 
financial reporting systems as of September 30, 2015.\12\
---------------------------------------------------------------------------
    \12\ A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit the attention of those charged 
with governance. A material weakness is a deficiency, or combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected, on a 
timely basis. A deficiency in internal control exists when the design 
or operation of a control does not allow management or employees, in 
the normal course of performing their assigned functions, to prevent, 
or detect and correct, misstatements on a timely basis.
---------------------------------------------------------------------------
Implementing GAO Recommendations Can Help IRS Better Protect Sensitive 
        Taxpayer and Financial Data
    To assist IRS in fully implementing its agency-wide information 
security program, we made two new recommendations to more effectively 
implement security-related policies and plans. In addition, to assist 
IRS in strengthening security controls over the financial and tax 
processing systems we reviewed, we made 43 technical recommendations in 
a separate report with limited distribution to address 26 new 
weaknesses in access controls and configuration management.\13\
---------------------------------------------------------------------------
    \13\ GAO, Information Security: IRS Needs to Further Improve 
Controls Over Financial and Taxpayer Data, GAO-16-397SU (Washington, 
DC: Mar. 28, 2016).

    Implementing these recommendations--in addition to the 49 
outstanding recommendations from previous audits--will help IRS improve 
its controls for identifying and authenticating users, limiting users' 
access to the minimum necessary to perform their job-related functions, 
protecting sensitive data when they are stored or in transit, auditing 
and monitoring system activities, and physically securing its IT 
---------------------------------------------------------------------------
facilities and resources.

    Table 1 below provides the number of our prior recommendations to 
IRS that were not implemented at the beginning of our fiscal year 2015 
audit, how many were resolved by the end of the audit, new 
recommendations, and the total number of outstanding recommendations at 
the conclusion of the audit.


   Table 1: Status of GAO's Information Security Recommendations at the PConclusion of Fiscal Year 2015 Audit
----------------------------------------------------------------------------------------------------------------
                                  Prior       Recommendations       Prior                             Total
                             recommendations   implemented or  recommendations        New          outstanding
                             not implemented   considered no      not fully     recommendations  recommendations
        Control area              at the      longer relevant   implemented at    made during         at the
                               beginning of    at the end of      the end of      fiscal year     conclusion of
                               fiscal year      fiscal year      fiscal year       2015 audit      fiscal year
                                2015 audit       2015 audit       2015 audit                        2015 audit
----------------------------------------------------------------------------------------------------------------
Information security                      12                3                9                2               11
 program
----------------------------------------------------------------------------------------------------------------
Access controls
----------------------------------------------------------------------------------------------------------------
    Identification and                     6                1                5                9               14
     authentication
----------------------------------------------------------------------------------------------------------------
    Authorization                         10                4                6               12               18
----------------------------------------------------------------------------------------------------------------
    Cryptography                           8                3                5               14               19
----------------------------------------------------------------------------------------------------------------
    Audit and monitoring                   6                1                5                3                8
----------------------------------------------------------------------------------------------------------------
    Physical Security                      4                2                2                0                2
----------------------------------------------------------------------------------------------------------------
Other security controls
----------------------------------------------------------------------------------------------------------------
    Configuration                         21                5               16                5               21
     management
----------------------------------------------------------------------------------------------------------------
    Segregation of duties                  1                0                1                0                1
----------------------------------------------------------------------------------------------------------------
    Contingency planning                   2                2                0                0                0
----------------------------------------------------------------------------------------------------------------
Total:                                    70               21               49               45               94
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of IRS data. | GAO-16-589T


    In commenting on drafts of our reports presenting the results of 
our fiscal year 2015 audit, the IRS Commissioner stated that while the 
agency agreed with our new recommendations, it will review them to 
ensure that its actions include sustainable fixes that implement 
appropriate security controls balanced against IT and human capital 
resource limitations.

    In addition, IRS can take steps to improve its response to data 
breaches. Specifically, in December 2013 we reported on the extent to 
which data breach policies at eight agencies, including IRS, adhered to 
requirements and guidance set forth by the Office of Management and 
Budget and the National Institute of Standards and Technology.\14\ 
While the agencies in our review generally had policies and procedures 
in place that reflected the major elements of an effective data breach 
response program, implementation of these policies and procedures was 
not consistent. With respect to IRS, we determined that its policies 
and procedures generally reflected key practices, although the agency 
did not require considering the number of affected individuals as a 
factor when determining if affected individuals should be notified of a 
suspected breach. In addition, IRS did not document lessons learned 
from periodic analyses of its breach response efforts. We recommended 
that IRS correct these weaknesses, but the agency has yet to fully 
address them.
---------------------------------------------------------------------------
    \14\ GAO, Information Security: Agency Responses to Breaches of 
Personally Identifiable Information Need to Be More Consistent, GAO-14-
34 (Washington, DC: Dec. 9, 2013).
---------------------------------------------------------------------------
 billions of dollars have been lost to idt refund fraud, and irs faces 
              challenges in combating this evolving threat
    The importance of protecting taxpayer information is further 
highlighted by the billions of dollars that have been lost to IDT 
refund fraud, which continues to be an evolving threat. IRS develops 
estimates of the extent of IDT refund fraud to help direct its efforts 
to identify and prevent the crime. While its estimates have inherent 
uncertainty, IRS estimated that it prevented or recovered $22.5 billion 
in fraudulent IDT refunds in filing season 2014 (see figure 1).\15\ 
However, IRS also estimated, where data were available, that it paid 
$3.1 billion in fraudulent IDT refunds. Because of the difficulties in 
knowing the amount of undetectable fraud, the actual amount could 
differ from these estimates.
---------------------------------------------------------------------------
    \15\ IRS's 2014 estimates cannot be compared to 2013 estimates 
because of substantial methodology changes to better reflect new IDT 
refund fraud schemes and to improve the accuracy of its estimates, 
according to IRS officials. GAO is reviewing IRS's IDT refund fraud 
estimates as part of ongoing work.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    IRS has taken steps to address IDT refund fraud; however, it 
remains a persistent and continually changing threat. IRS recognized 
the challenge of IDT refund fraud in its fiscal year 2014-2017 
strategic plan and increased resources dedicated to combating IDT and 
other types of refund fraud.\16\ In fiscal year 2015, IRS reported that 
it staffed more than 4,000 full-time equivalents and spent about $470 
million on all refund fraud and IDT activities.\17\ As described above, 
IRS received an additional $290 million for fiscal year 2016 to improve 
customer service, IDT identification and prevention, and cybersecurity 
efforts and the agency plans to use $16.1 million of this funding to 
help prevent IDT refund fraud, among other things. The administration 
requested an additional $90 million and an additional 491 full-time 
equivalents for fiscal year 2017 to help prevent IDT refund fraud and 
reduce other improper payments.\18\ IRS estimates that this $90 million 
investment in IDT refund fraud and other improper payment prevention 
would help it protect $612 million in revenue in fiscal year 2017, as 
well as protect revenue in future years.
---------------------------------------------------------------------------
    \16\ IRS, Strategic Plan: FY 2014-2017, (Washington, DC: June 
2014).
    \17\ IRS officials told us they do not track spending for identity 
theft activities separately from other types of refund fraud. A full-
time equivalent reflects the total number of regular straight-time 
hours (i.e., not including overtime or holiday hours) worked by 
employees divided by the number of compensable hours applicable to each 
fiscal year.
    \18\ Improper payments are payments that should not have been made 
or that were made in an incorrect amount (including overpayments and 
underpayments).

    IRS has taken action to improve customer service related to IDT 
refund fraud. For example, between the 2011 and 2015 filing seasons, 
IRS experienced a 430 percent increase in the number of telephone calls 
to its Identity Theft Toll Free Line--as of March 19, 2016, IRS had 
received over 1.1 million calls to this line.\19\ Moreover, 77 percent 
of callers seeking assistance on this telephone line received it 
compared to 54 percent during the same period last year. Average wait 
times during the same period have also decreased--taxpayers are waiting 
an average of 14 minutes to talk to an assistor, a decrease from 27 
minutes last year.
---------------------------------------------------------------------------
    \19\ Total call volume to IRS's identity theft protection toll free 
telephone line includes automated and assistor calls answered, as well 
as those that received a busy signal or were abandoned or disconnected.

    IRS also works with third parties, such as tax preparation industry 
participants, States, and financial institutions to try to detect and 
prevent IDT refund fraud. In March 2015, the IRS Commissioner convened 
a Security Summit with industry and States to improve information 
sharing and authentication. IRS officials said that 40 State 
departments of revenue and 20 tax industry participants have officially 
signed a partnership agreement to enact recommendations developed and 
agreed to by summit participants. IRS plans to invest a portion of the 
$16.1 million it received in fiscal year 2016 into identity theft 
prevention and refund fraud mitigation actions from the Security 
Summit. These efforts include developing an Information Sharing and 
Analysis Center where IRS, States, and industry can share information 
---------------------------------------------------------------------------
to combat IDT refund fraud.

    Even though IRS has prioritized combating IDT refund fraud, 
fraudsters adapt their schemes to identify weaknesses in IDT defenses, 
such as gaining access to taxpayers' tax return transcripts through 
IRS's online Get Transcript service.\20\ According to IRS officials, 
with access to tax transcripts, fraudsters can create historically 
consistent returns that are hard to distinguish from a return filed by 
a legitimate taxpayer, potentially making it more difficult for IRS to 
identify and detect IDT refund fraud.
---------------------------------------------------------------------------
    \20\ As mentioned above, the online Get Transcript service has been 
unavailable since May 2015.

Implementing Past GAO Recommendations Could Help IRS Combat IDT Refund 
        Fraud
    Without additional action by IRS and Congress, the risk of issuing 
fraudulent IDT refunds could grow. We previously made recommendations 
to IRS to help it better combat IDT refund fraud:

      Authentication. In January 2015, we reported that IRS's 
authentication tools have limitations and recommended that IRS assess 
the costs, benefits and risks of its authentication tools.\21\ For 
example, individuals can obtain an e-file PIN by providing their name, 
Social Security number, date of birth, address, and filing status for 
IRS's e-file PIN application. Identity thieves can easily find this 
information, allowing them to bypass some, if not all, of IRS's 
automatic checks, according to our analysis and interviews with tax 
software and return preparer associations and companies. After filing 
an IDT return using an e-file PIN, the fraudulent return would proceed 
through IRS's normal return processing.
---------------------------------------------------------------------------
    \21\ GAO, Identity Theft and Tax Fraud: Enhanced Authentication 
Could Combat Refund Fraud but IRS Lacks an Estimate of Costs, Benefits 
and Risks, GAO-15-119, (Washington, DC: Jan. 20, 2015).

       In November 2015, IRS officials told us that the agency had 
developed guidance for its Identity Assurance Office to assess costs, 
benefits, and risk, and that its analysis will inform decision-making 
on authentication-related issues. IRS also noted that the methods of 
analysis for the authentication tools will vary depending on the 
different costs and other factors for authenticating taxpayers in 
different channels, such as online, phone, or in-person. In February 
2016, IRS officials told us that the Identity Assurance Office plans to 
complete a strategic plan for taxpayer authentication across the agency 
in September 2016. While IRS is taking steps, it will still be 
vulnerable until it completes and uses the results of its analysis of 
---------------------------------------------------------------------------
costs, benefits, and risk to inform decision-making.

      Form W-2, Wage and Tax Statement (W-2) Pre-refund Matching. In 
August 2014 we reported that the wage information that employers report 
on Form W-2 is not available to IRS until after it issues most refunds, 
and that if IRS had access to W-2 data earlier, it could match such 
information to taxpayers' returns and identify discrepancies before 
issuing billions of dollars of fraudulent IDT refunds.\22\ We 
recommended that IRS assess the costs and benefits of accelerating W-2 
deadlines.
---------------------------------------------------------------------------
    \22\ GAO, Identity Theft: Additional Actions Could Help IRS Combat 
the Large, Evolving Threat of Refund Fraud, GAO-14-633 (Washington, DC: 
Aug. 20, 2014).

    In response to our recommendation, IRS provided us with a report in 
September 2015 discussing (1) adjustments to IRS systems and work 
processes needed to use accelerated W-2 information, (2) the potential 
impacts on internal and external stakeholders, and (3) other changes 
needed to match W-2 data to tax returns prior to issuing refunds, such 
as delaying refunds until W-2 data are available. In December 2015, the 
Consolidated Appropriations Act of 2016 amended the tax code to 
accelerate W-2 filing deadlines to January 31.\23\ IRS's report will 
help IRS determine how to best implement pre-refund W-2 matching, given 
the new January 31st deadline for filing W-2s. Additionally, we 
suggested that Congress should consider providing the Secretary of the 
Treasury with the regulatory authority to lower the threshold for 
electronic filing of W-2s, which could make more W-2 information 
available to IRS earlier.
---------------------------------------------------------------------------
    \23\ Pub. L. No. 114-113, div. Q, Sec. 201, 129 Stat. 2242 (Dec. 
18, 2015). This change goes into effect for W-2s reporting payments 
made in 2016 and filed in 2017.

      External Leads. IRS partners with financial institutions and 
other external parties to obtain information about emerging IDT refund 
trends and fraudulent returns that have passed through IRS detection 
systems. In August 2014, we reported that IRS provides limited feedback 
to external parties on IDT external leads they submit and offers 
external parties limited general information on IDT refund fraud trends 
and recommended that IRS provide actionable feedback to all lead 
generating third parties.\24\
---------------------------------------------------------------------------
    \24\ GAO-14-633.

       In November 2015, IRS reported that it had developed a database 
to track leads submitted by financial institutions and the results of 
those leads. IRS also stated that it had held two sessions with 
financial institutions to provide feedback on external leads provided 
to IRS. In December 2015, IRS officials stated that the agency sent a 
customer satisfaction survey asking financial institutions for feedback 
on the external leads process and was considering other ways to provide 
feedback to financial institutions. In April 2016, IRS officials stated 
they plan to analyze preliminary survey results by mid-April 2016. 
Additionally, IRS officials reported that the agency shared information 
with financial institutions in March 2016 and plans to do so on a 
quarterly basis, with the next information sharing session scheduled in 
June 2016.
           the 2016 filing season has generally been smooth, 
                   and telephone service has improved
    IRS and industry partners have characterized that returns 
processing and refund issuance during this filing season has been 
generally smooth. Through April 1, 2016, IRS had processed about 95 
million returns and issued 76 million refunds totaling about $215 
billion. While IRS experienced a major system failure in February that 
halted returns processing for about a day, the agency reported that it 
had minimal effect on overall processing of returns and refunds.

    In addition to filing returns, many taxpayers often call IRS for 
assistance. IRS's telephone service has generally improved in 2016 over 
last year. From January 1 through March 19, 2016 IRS received about 
35.4 million calls to its automated and live assistor telephone lines, 
about a 2 percent decrease compared to the same period last year.\25\ 
Of the 13.4 million calls seeking live assistance, IRS had answered 9.1 
million calls--a 75 percent increase over the 5.2 million calls 
answered during the same period last year.
---------------------------------------------------------------------------
    \25\ Total call volume to IRS's toll free telephone lines include 
automated and assistor calls answered, as well as those that received a 
busy signal or were abandoned or disconnected.

    IRS anticipated that 65 percent of callers seeking live assistance 
would receive it this filing season, which runs through April 18, and 
47 percent of callers would receive live assistance through the entire 
2016 fiscal year.\26\ As of March 19, 2016, 75 percent of callers had 
received live assistance, an increase from 38 percent during the same 
period last year. Further, the average wait time to speak to an 
assistor also decreased from 24 to 9 minutes. As we reported in March 
2016, however, IRS's telephone level of service for the full fiscal 
year has yet to reach the levels it had achieved in earlier years.\27\
---------------------------------------------------------------------------
    \26\ This year, most taxpayers have until April 18 to file a tax 
return with IRS. IRS's projected telephone level of service for the 
filing season covers the period between January 1, 2016 and April 23, 
2016.
    \27\ GAO, Internal Revenue Service: Preliminary Observations on the 
Fiscal Year 2017 Budget Request and 2016 Filing Season Performance, 
GAO-16-459R (Washington, DC: Mar. 8, 2016).

    IRS attributed this year's service improvement to a number of 
factors. Of the additional $290 million IRS received in December 2015, 
it allocated $178.4 million (61.5 percent) for taxpayer services to 
make measurable improvements in its telephone level of service. With 
the funds, IRS hired 1,000 assistors who began answering taxpayer calls 
in March, in addition to the approximately 2,000 seasonal assistors it 
had hired in fall 2015.\28\ To help answer taxpayer calls before March, 
IRS officials told us that they detailed 275 staff from one of its 
compliance functions to answer telephone calls.\29\ IRS officials said 
they believe this step was necessary because the additional funding 
came too late in the year to hire and train assistors to fully cover 
the filing season. IRS also plans to use about 600 full-time 
equivalents of overtime for assistors to answer telephone calls and 
respond to correspondence in fiscal year 2016, compared to fewer than 
60 full-time equivalents of overtime used in fiscal year 2015.
---------------------------------------------------------------------------
    \28\ In contrast, IRS reduced the number of assistors answering 
telephone calls between fiscal years 2010 and 2015, which contributed 
to the lowest level of telephone service in fiscal year 2015 compared 
to recent years.
    \29\ IRS has not yet determined the amount of foregone revenue from 
taking this action.

    In December 2014, we recommended that IRS systematically and 
periodically compare its telephone service to the best in business to 
identify gaps between actual and desired performance.\30\ IRS disagreed 
with this recommendation, noting that it is difficult to identify 
comparable organizations. We do not agree with IRS's position; many 
organizations run call centers that would provide ample opportunities 
to benchmark IRS's performance.
---------------------------------------------------------------------------
    \30\ GAO, Tax Filing Season: 2014 Performance Highlights the Need 
to Better Manage Taxpayer Service and Future Risks, GAO-15-163 
(Washington, DC: Dec. 16, 2014).

    In fall 2015, Department of the Treasury (Treasury) and IRS 
officials said they had no plans to develop a comprehensive customer 
service strategy or specific goals for telephone service tied to the 
best in the business and customer expectations. Without such a 
strategy, Treasury and IRS can neither measure nor effectively 
communicate to Congress the types and levels of customer service 
taxpayers should expect and the resources needed to reach those levels. 
Therefore, in December 2015 we suggested that Congress consider 
requiring that Treasury work with IRS to develop a comprehensive 
customer service strategy.\31\ In April 2016, IRS officials told us 
that the agency established a team to consider our prior work in 
developing this strategy or benchmarking its telephone service.
---------------------------------------------------------------------------
    \31\ GAO, 2015 Tax Filing Season: Deteriorating Taxpayer Service 
Underscores Need for a Comprehensive Strategy and Process Efficiencies, 
GAO-16-151 (Washington, DC: Dec. 16, 2015).

    In summary, while IRS has made progress in implementing information 
security controls, it needs to continue to address weaknesses in access 
controls and configuration management and consistently implement all 
elements of its information security program. The risks IRS and the 
public are exposed to have been illustrated by recent incidents 
involving public-facing applications, highlighting the importance of 
securing systems that contain sensitive taxpayer and financial data. In 
addition, fully implementing key elements of a breach response program 
will help ensure that when breaches of sensitive data do occur, their 
---------------------------------------------------------------------------
impact on affected individuals will be minimized.

    Weaknesses in information security can also increase the risk posed 
by identity theft refund fraud. IRS needs to establish an approach for 
addressing identity theft refund fraud that is informed by assessing 
the cost, benefits, and risks of IRS's various authentication options 
and improving the reliability of fraud estimates.

    While this year's tax filing season has generally gone smoothly and 
IRS has improved customer service, it still needs to develop a 
comprehensive approach to customer service that will meet the needs of 
taxpayers while ensuring that their sensitive information is adequately 
protected.

    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
this concludes my statement. I look forward to answering any questions 
that you may have at this time.

                                 ______
                                 
   Prepared Statement of Hon. J. Russell George, Treasury Inspector 
       General for Tax Administration, Department of the Treasury
    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you for the opportunity to testify on the Internal Revenue 
Service's (IRS) controls to protect sensitive taxpayer information.

    The Treasury Inspector General for Tax Administration (TIGTA) is 
statutorily mandated to provide independent audit and investigative 
services necessary to improve the economy, efficiency, and 
effectiveness of IRS operations, including the IRS Chief Counsel. 
TIGTA's oversight activities are designed to identify high-risk 
systemic inefficiencies in IRS operations and to investigate exploited 
weaknesses in tax administration. TIGTA's role is critical in that we 
provide the American taxpayer with assurance that the approximately 
86,000 IRS employees \1\ who collected over $3.3 trillion in tax 
revenue, processed over 244 million tax returns, and issued more than 
$400 billion in tax refunds during Fiscal Year (FY) \2\ 2015,\3\ have 
done so in an effective and efficient manner while minimizing the risks 
of waste, fraud, and abuse.
---------------------------------------------------------------------------
    \1\ Total IRS staffing as of October 3, 2015. Included in the total 
are approximately 15,400 seasonal and part-time employees.
    \2\ The Federal Government's fiscal year begins on October 1 and 
ends on September 30.
    \3\ IRS, Management's Discussion and Analysis, Fiscal Year 2015.

    TIGTA's Office of Audit (OA) reviews all aspects of the Federal tax 
administration system and provides recommendations to: improve IRS 
systems and operations; ensure the fair and equitable treatment of 
taxpayers; and detect and prevent waste, fraud, and abuse in tax 
administration. The Office of Audit has examined specific high-risk 
issues such as identity theft, refund fraud, improper payments, 
information technology, security vulnerabilities, complex modernized 
computer systems, tax collections and revenue, and waste and abuse in 
---------------------------------------------------------------------------
IRS operations.

    TIGTA's Office of Investigations (OI) protects the integrity of the 
IRS by investigating allegations of IRS employee misconduct, external 
threats to IRSemployees and facilities, and other attempts to impede or 
otherwise interfere with the IRS's ability to collect taxes. 
Specifically, the Office of Investigations investigates misconduct by 
IRS employees which manifests itself in many ways, including 
unauthorized access to taxpayer information and the use of the 
information for the purposes of identity theft; extortion; theft of 
government property; taxpayer abuses; false statements; and other 
financial fraud. The Office of Investigations is statutorily charged to 
investigate threats made against the IRS's employees, facilities and 
data. We are committed to ensuring the safety of IRS employees and the 
taxpayers who conduct business at more than 670 IRS facilities 
nationwide.

    TIGTA's Office of Inspections and Evaluations performs responsive, 
timely, and cost-effective inspections and evaluations of challenging 
areas within the IRS, providing TIGTA with additional flexibility and 
capability to produce value-added products and services to improve tax 
administration. Inspections are intended to monitor compliance with 
applicable laws, regulations, and/or policies; assess the effectiveness 
and efficiency of programs and operations; and inquire into allegations 
of waste, fraud, abuse, and mismanagement. Evaluations, on the other 
hand, are intended to provide in-depth reviews of specific management 
issues, policies, or programs.

    Cybersecurity threats against the Federal Government continue to 
grow. According to the Department of Homeland Security's U.S. Computer 
Emergency Readiness Team, Federal agencies reported 77,183 cyberattacks 
in FY 2015, an increase of more than 10 percent from FY 2014.\4\ The 
IRS reported that more than 1,000 security incidents occurred to its 
systems during the period August 1, 2014, to July 31, 2015.
---------------------------------------------------------------------------
    \4\ Office of Management and Budget, Annual Report to Congress: 
Federal Information Security Management Act (Mar. 2016).

    The IRS, the largest component of the Department of the Treasury, 
has primary responsibility for administering the Federal tax system. 
The IRS's role is unique within the Federal Government in that it 
administers the Nation's tax laws and collects the revenue that funds 
the Government. It also works to protect Federal revenue by detecting 
and preventing the growing risk of fraudulent tax refunds and other 
improper payments. The IRS relies extensively on its computer systems 
to support both its financial and mission-related operations. These 
computer systems collect and process extensive amounts of taxpayer 
data, including Personally Identifiable Information. For Calendar Year 
2015, the IRS processed more than 150 million individual tax returns 
and more than 55 million business tax returns that contain taxpayers' 
---------------------------------------------------------------------------
sensitive financial data.

    TIGTA has identified a number of areas in which the IRS could 
better protect taxpayer data and improve its overall security position. 
My comments today will focus on our work related to the IRS's ability 
to prevent and detect breaches to its computer systems and the IRS's 
processes to authenticate users accessing its online services.
              data security remains a top concern of tigta
    Since FY 2011, TIGTA has designated the security of taxpayer data 
as the top concern facing the IRS based on the increased number and 
sophistication of threats to taxpayer information and the need for the 
IRS to better protect taxpayer data and improve its enterprise security 
program. To provide oversight of the IRS's Information Security 
program, TIGTA conducts ongoing audit coverage of various security 
programs, systems, and solutions. As of March 2016, 14 TIGTA audits 
still have 23 recommendations that have yet to be implemented. These 
recommendations address weaknesses related to connections with external 
partners, continuous efforts to monitor information security, 
implementation of the Homeland Security Presidential Directive 12 
initiative,\5\ and information technology asset management.
---------------------------------------------------------------------------
    \5\ Homeland Security Presidential Directive 12, Policy for a 
Common Identification Standard for Federal Employees and Contractors, 
requires agencies to follow specific technical standards and business 
processes for the issuance and routine use of Federal identity 
credentials to ensure that only authorized personnel have access to 
Government systems and applications.

    TIGTA continues to identify significant security weaknesses that 
could affect the confidentiality, integrity, and availability of 
financial and sensitive taxpayer data. For example, during our most 
recent Federal Information Security Modernization Act \6\ evaluation of 
the IRS's information security programs and practices,\7\ we found 
three security program areas, i.e., Continuous Monitoring Management, 
Identity and Access Management, and Configuration Management, that did 
not meet the level of performance specified by the Department of 
Homeland Security.\8\
---------------------------------------------------------------------------
    \6\ Pub. L. No. 113-283, 128 Stat. 3073 (2014). This bill amended 
chapter 35 of title 44 of the United States Code to provide for reform 
to Federal information security.
    \7\ TIGTA, Ref. No. 2015-20-092, Treasury Inspector General for Tax 
Administration--Federal Information Security Modernization Act Report 
for Fiscal Year 2015 (Sept. 2015).
    \8\ To assist the Inspectors General in evaluating Federal 
agencies' compliance with the Federal Information Security 
Modernization Act, the Department of Homeland Security issued the 
Fiscal Year 2015 Inspector General Federal Information Security 
Modernization Act Reporting Metrics, which specified 10 information 
security program areas and listed specific attributes within each area 
for evaluation.

    One of the Federal Government's latest security initiatives is the 
implementation of continuous monitoring of information security, which 
is defined as maintaining ongoing, real-time awareness of information 
security, vulnerabilities, and threats to support organizational risk 
decisions. While the IRS has made progress and is in compliance with 
guidelines from the Department of Homeland Security and the Department 
of the Treasury, we found that the IRS is still in the process of 
implementing its Information Security Continuous Monitoring program 
required by the Office of Management and Budget to automate asset 
management and maintain the secure configuration of assets in real 
---------------------------------------------------------------------------
time.

    Specifically, we reported that the IRS Continuous Monitoring 
Management program is at a maturity level of one on a scale of one to 
five, where one is the least mature and five is the most mature. In 
July 2014, the Department of the Treasury decided to adopt a uniform 
approach across the Department and to use the toolset selected by the 
Department of Homeland Security to meet the program requirements. The 
Department of Homeland Security is currently in the process of 
procuring a standard set of cybersecurity tools and services for use by 
Federal agencies. These tools will include sensors that perform 
automated searches for known cyber flaws and send the results to 
dashboards that inform system managers in real time of cyber risks that 
need remediation.

    The Identity and Access Management program ensures that only those 
with a business need are able to obtain access to IRS systems and data. 
However, we found that this program did not meet a majority of the 
attributes specified by the Department of Homeland Security, largely 
due to the IRS's failure to achieve Government-wide goals set for 
implementing logical (system) and physical access to facilities in 
compliance with Homeland Security Presidential Directive 12 
requirements. Homeland Security Presidential Directive 12 requires 
Federal agencies to issue personal identity verification cards to 
employees and contractors for accessing agency systems and facilities.

    Configuration Management ensures that settings on IRS systems are 
maintained in an organized, secure, and approved manner that includes 
the timely installation of patches to resolve known security 
vulnerabilities. We found that the IRS has not fully implemented 
enterprise-wide automated processes to identify computer assets, 
evaluate compliance with configuration policies, and deploy security 
patches. Specifically, these processes have not been fully implemented 
enterprise-wide and still rely on many tedious manual procedures. 
Eventually, the IRS's Configuration Management program will benefit 
from the implementation of the Information Security Continuous 
Monitoring program, which is intended to automate configuration 
management in real time for the universe of IRS assets.

    Patch \9\ management is an important element in mitigating the 
security risks associated with known vulnerabilities to computer 
systems. This is critical to prevent intrusions by unauthorized 
individuals or entities. TIGTA evaluated the effectiveness of the IRS 
security patch management process, which has been an ongoing challenge 
for the IRS.\10\ In 2012, we found that the IRS had made progress in 
automating installation and monitoring in a large segment of its 
computers, but it had not yet implemented key patch management policies 
and procedures needed to ensure that all IRS systems are patched timely 
and operating securely. Any significant delays in patching software 
with critical vulnerabilities provides ample opportunity for persistent 
attackers to gain control of vulnerable computers and get access to the 
sensitive data the computer systems may contain, including taxpayer 
data. The Government Accountability Office reported in March 2015 that 
the IRS was still not effectively applying security patches in a timely 
manner.\11\ We also reported in September 2015 that the IRS is still 
working to expand a standard automated process to deploy operating 
system patches enterprise-wide.\12\
---------------------------------------------------------------------------
    \9\ A patch fixes a design flaw in a computer program. Patches must 
be installed or applied to the appropriate computer for the flaw to be 
corrected.
    \10\ TIGTA, Ref. No. 2012-20-112, An Enterprise Approach Is Needed 
to Address the Security Risk of Unpatched Computers (Sept. 2012).
    \11\ GAO-15-337, IRS Needs to Continue Improving Controls over 
Financial and Taxpayer Data (Mar. 2016).
    \12\ TIGTA, Ref. No. 2015-20-092, Treasury Inspector General for 
Tax Administration--Federal Information Security Modernization Act 
Report for Fiscal Year 2015 (Sept. 2015).

    We have also identified other areas that would improve the IRS's 
ability to defend its systems against cyberattacks. Monitoring IRS 
networks 24 hours a day, year-round, for cyberattacks and responding to 
various computer security incidents is the responsibility of the IRS's 
Computer Security Incident Response Center (CSIRC). TIGTA evaluated the 
effectiveness of the CSIRC at preventing, detecting, reporting, and 
responding to computer security incidents targeting IRS computers and 
data, and identified areas for improvement.\13\ At the time of our 
review, the CSIRC's host-based intrusion detection system was not 
monitoring a significant percentage of IRS servers, which leaves that 
portion of the IRS network and data at risk. In addition, the CSIRC was 
not reporting all computer security incidents to the Department of the 
Treasury, as required. Finally, incident response policies, plans, and 
procedures were nonexistent, inaccurate, or incomplete. We are 
currently evaluating the effectiveness of the CSIRC at preventing, 
detecting, reporting, and responding to computer security incidents 
targeting IRS computers and data, and plan to issue our report later 
this year.\14\
---------------------------------------------------------------------------
    \13\ TIGTA, Ref. No. 2012-20-019, The Computer Security Incident 
Response Center Is Effectively Performing Most of Its Responsibilities, 
but Further Improvements Are Needed (Mar. 2012).
    \14\ TIGTA, Audit No. 201620003, Effectiveness of the Computer 
Security Incident Response Center, report planned for September 2016.

    TIGTA also found that many interconnections \15\ in use at the IRS 
do not have proper authorization or are not covered by security 
agreements. Although the IRS has established an office to provide 
oversight and guidance for the development of security agreements, that 
office is not responsible for managing or monitoring agreements for all 
external interconnections in use in the IRS environment. TIGTA believes 
the lack of a centralized inventory and of an enterprise-level approach 
to ensure that all external interconnections are monitored have 
contributed to interconnections that are active but lack proper 
approvals and assurances necessary to meet current security 
requirements.\16\
---------------------------------------------------------------------------
    \15\ The National Institute of Standards and Technology defines a 
system interconnection as the direct connection of two or more 
information technology systems for the purpose of sharing data and 
other information resources.
    \16\ TIGTA, Ref. No. 2015-20-087, Improvements Are Needed to Ensure 
That External Interconnections Are Identified, Authorized, and Secured 
(Sept. 2015).

    In addition, TIGTA reported \17\ that the IRS was unable to upgrade 
all of its workstations with the most current Windows' 
operating system.\18\ Because of their importance, operating systems 
must be updated on a regular basis to patch security vulnerabilities 
and, if necessary, upgraded completely in order to fix crucial 
weaknesses or to address new threats to their functionality. TIGTA 
found that the IRS did not follow established policies with respect to 
project management and provided inadequate oversight and monitoring of 
the Windows upgrade early in its effort. As a result, the IRS had not 
accounted for the location or migration status of approximately 1,300 
workstations and had upgraded only about one-half of its applicable 
servers at the conclusion of our audit.
---------------------------------------------------------------------------
    \17\ TIGTA, Ref. No. 2015-20-073, Inadequate Early Oversight Led to 
Windows Upgrade Project Delays (Sept. 2015).
    \18\ The software that communicates with computer hardware to 
allocate memory, process tasks, access disks and peripherals, and 
serves as the user interface.

             irs authentication processes need improvement
    The increasing number of data breaches in the private and public 
sectors means more personal information than ever before is available 
to unscrupulous individuals. Much of these data are detailed enough to 
enable circumvention of most authentication processes. Therefore, it is 
critical that the methods the IRS uses to authenticate individuals' 
identities provide a high level of confidence that tax information and 
services are provided only to individuals who are entitled to receive 
them.

    The risk of unauthorized access to tax accounts will continue to 
grow as the IRS focuses its efforts on delivering online tools to 
taxpayers. The IRS plans to increase the availability and quality of 
self-service interactions, allowing it to free up in-
person resources for taxpayers who truly need them. The IRS's goal is 
to eventually provide taxpayers with dynamic online account access that 
includes viewing their recent payments, making minor changes and 
adjustments to their accounts, and corresponding digitally with the 
IRS. As tax administration evolves, the challenge of providing adequate 
data security will continue.

    The IRS recognized that there was a lack of consistency in the 
techniques it had employed for authentication; therefore, in June 2014, 
it established the Authentication Group. In a report issued in November 
2015, TIGTA found that although the IRS recognizes the growing 
challenge it faces in establishing effective authentication processes 
and procedures, the IRS has not established a Service-wide approach to 
managing its authentication needs.\19\ As a result, the level of 
authentication the IRS uses for its various services is not consistent. 
TIGTA found that while the Authentication Group is evaluating potential 
improvements to existing authentication methods for the purpose of 
preventing identity theft, it is not developing overall strategies to 
enhance authentication methods across IRS functions and programs. TIGTA 
recommended that the IRS develop a Service-wide strategy that 
establishes consistent oversight of all authentication needs across IRS 
functions and programs. In addition, the IRS should ensure that 
responsibility for implementing the strategy is optimally aligned to 
provide centralized oversight and facilitate decision making for the 
development and integration of all forms of authentication, including 
frameworks, policies, and processes across the IRS.
---------------------------------------------------------------------------
    \19\ TIGTA, Ref. No. 2016-40-007, Improved Tax Return Filing and 
Tax Account Access Authentication Processes and Procedures Are Needed 
(Nov. 2015).

    Office of Management and Budget (OMB) Memorandum M-04-04, E-
Authentication for Federal Agencies,\20\ establishes criteria for 
determining the risk-based level of authentication assurance required 
for specific electronic applications and transactions. E-Authentication 
is the process of establishing confidence in user identities 
electronically presented to an information system. The OMB guidance 
requires agencies to review new and existing electronic transactions to 
ensure that authentication processes provide the appropriate level of 
assurance. This guidance is intended to help agencies identify and 
analyze the risks associated with each step of the authentication 
process. As the outcome of an authentication error becomes more 
serious, the required level of assurance increases.
---------------------------------------------------------------------------
    \20\ OMB, M-04-04, E-Authentication for Federal Agencies (Dec. 
2003).

    In addition, the U.S. Department of Commerce National Institute of 
Standards and Technology (NIST) Special Publication 800-63-2, 
Electronic Authentication Guideline \21\ provides the technical 
requirements for the four levels of assurance defined in OMB guidance 
as shown in the following table.
---------------------------------------------------------------------------
    \21\ NIST, NIST SP-800-63-2, Electronic Authentication Guideline 
(Aug. 2013).


                 Table 1--Levels of Electronic Assurance
------------------------------------------------------------------------
 Level of  Assurance          Requirements          Level of Confidence
------------------------------------------------------------------------
Level 1               No identity proofing is      Provides little or no
                       required.                    confidence.
------------------------------------------------------------------------
Level 2               Requires basic identity      Provides some
                       proofing data, a valid       confidence in the
                       current Government           validity of an
                       identification number, and   individual's
                       a valid financial or         identity.
                       utility account number.
                       Access occurs only after
                       identity proofing data and
                       either the Government
                       identification number or
                       financial/utility account
                       number are verified by the
                       agency.
------------------------------------------------------------------------
Level 3               Requires basic identity      Provides high
                       proofing data, a valid       confidence in the
                       current Government           validity of an
                       identification number, and   individual's
                       a valid financial or         identity.
                       utility account number as
                       well as the use of a
                       second authentication
                       factor such as a one-time
                       supplemental code issued
                       via text message or e-mail
                       to the telephone number or
                       e-mail address associated
                       with the individual.
------------------------------------------------------------------------
Level 4               Requires in-person identity  Provides very high
                       proofing and verification.   confidence in the
                                                    validity of an
                                                    individual's
                                                    identity.
------------------------------------------------------------------------


    OMB standards require Federal agencies to conduct an assessment of 
the risk of authentication error for each online service or application 
they provide. An authentication error occurs when an agency confirms 
the identity provided by an individual when in fact the individual is 
not who he or she claims to be. In addition, NIST Special Publication 
800-63 establishes specific requirements that agencies' authentication 
processes must meet to provide a specific level of authentication 
assurance. However, we found that, although the IRS has established 
processes and procedures to authenticate individuals requesting online 
access to IRS services, these processes and procedures do not comply 
with Government standards for assessing authentication risk and 
establishing adequate authentication processes.

    Our analysis of the e-Authentication processes used to authenticate 
users of the IRS's online Get Transcript and Identity Protection 
Personal Identification Number (IP PIN) \22\ applications found that 
these authentication methods provide only 
single-factor authentication despite NIST standards requiring 
multifactor authentication for such high-risk applications.
---------------------------------------------------------------------------
    \22\ To provide relief to tax-related identity theft victims, the 
IRS issues IP PINs to taxpayers who are confirmed by the IRS as victims 
of identity theft, taxpayers who are at a high risk of becoming a 
victim such as taxpayers who call reporting a lost or stolen wallet or 
purse, as well as taxpayers who live in three locations that the IRS 
has identified as having a high rate of identity theft (Florida, 
Georgia and the District of Columbia).

    The IRS assessed the risk of the Get Transcript application as 
required. However, the IRS determined that the authentication risk 
associated with Get Transcript was low to both the IRS and taxpayers. 
The IRS defines a low risk rating as one in which the likelihood of an 
imposter obtaining and using the information available on an 
application is low. In addition, a low risk rating indicates that 
controls are in place to prevent, or at least significantly impede, an 
imposter from accessing the information. As a result, the IRS 
implemented single-factor authentication to access the Get Transcript 
---------------------------------------------------------------------------
application.

    The IRS's current e-Authentication framework also does not comply 
with NIST standards for single-factor authentication. Specifically, the 
e-Authentication framework does not require individuals to provide 
Government identification or a financial or utility account number, as 
required by NIST standards. According to IRS management, the IRS 
decided to not request financial or utility account information because 
the information cannot currently be verified. IRS management informed 
us that the IRS obtained and verified the taxpayer filing status to 
mitigate the risk of its being unable to use financial information to 
authenticate individuals.

    Although the IRS required taxpayers to provide a filing status, 
this requirement does not bring it into compliance with NIST standards, 
and the IRS remains noncompliant with single-factor authentication 
requirements. The IRS received guidance from the NIST at the time the 
e-Authentication framework was being developed indicating that a 
Taxpayer Identification Number (TIN) was an acceptable form of 
identification. However, in August 2015, the NIST informed us that a 
TIN is not currently an acceptable Government identification number for 
the purpose of authentication. We brought this discrepancy to the IRS's 
attention and IRS management agreed that a TIN is no longer an 
acceptable form of identification. Management also indicated that the 
IRS would take steps to conform to NIST standards for verifying an 
individual's identity.

    In August 2015, the IRS indicated that unauthorized users had been 
successful \23\ in obtaining tax information \24\ on the Get Transcript 
application for an estimated 334,000 taxpayer accounts. According to 
the IRS, one or more individuals succeeded in clearing the IRS's 
authentication process that required knowledge of information about the 
taxpayer, including Social Security information, date of birth, tax 
filing status, and street address. To prevent further unauthorized 
accesses, the IRS removed the application from its website.
---------------------------------------------------------------------------
    \23\ A successful access is one in which the unauthorized users 
successfully answered identity proofing and knowledge-based 
authentication questions required to gain access to taxpayer account 
information.
    \24\ The tax information that can be accessed on the Get Transcript 
application can include the current and 3 prior years of tax returns, 9 
years of tax account information, and wage and income information.

    TIGTA's current review \25\ of the Get Transcript breach identified 
additional suspicious accesses to taxpayers' accounts that the IRS had 
not identified. Based on TIGTA's analysis of Get Transcript access 
logs, the IRS reported on February 26, 2016 that potentially 
unauthorized users had been successful in obtaining access to an 
additional 390,000 taxpayer accounts. The IRS also reported that an 
additional 295,000 taxpayer transcripts had been targeted but the 
access attempts had not been successful. TIGTA was able to identify the 
additional unauthorized accesses due to our use of advanced analytics 
and cross-discipline approaches. The IRS had not previously identified 
these accesses because of limitations in the scope of its analysis, 
including its method of identifying suspicious e-mail accounts and the 
time frame it analyzed.
---------------------------------------------------------------------------
    \25\ TIGTA, Audit No. 201540027, Evaluation of Assistance Provided 
to Victims of the Get Transcript Data Breach, report planned for May 
2016.

    In response to TIGTA's identification of the additional accesses, 
the IRS started on February 29, 2016 mailing notification letters to 
the affected taxpayers and placing identity theft markers on their tax 
accounts. It should be noted that the actual number of individuals 
whose personal information was available to the potentially 
unauthorized individuals accessing these tax accounts is significantly 
greater than the number of taxpayers whose accounts were accessed 
because the tax accounts accessed include certain information on other 
---------------------------------------------------------------------------
individuals listed on a tax return (e.g., spouses and dependents).

    We are currently evaluating the appropriateness of the IRS's 
response to the Get Transcript incident and the IRS's proposed 
solutions to address the authentication weakness that allowed the 
incident to occur.\26\ To date, we have learned that the IRS is working 
with the U.S. Digital Service \27\ on its new e-authentication and 
authorization policies and procedures. In addition, TIGTA is 
participating in a multi-agency investigation into this matter, and we 
have provided the IRS with some of our investigative observations to 
date in order to help them secure the e-authentication environment in 
the future.
---------------------------------------------------------------------------
    \26\ TIGTA, Audit No. 201520006, Review of Progress to Improve 
Electronic Authentication, report planned for July 2016.
    \27\ The U.S. Digital Service is part of the Executive Office of 
the President. Its goal is to improve and simplify the digital services 
that people and businesses have with the Government.

    We also reported in November 2015 that the IRS did not complete the 
required authentication risk assessment for its IP PIN application. In 
addition, on January 8, 2016, we recommended that the IRS not 
reactivate its online IP PIN application for the 2016 Filing Season, 
due to concerns that the IP PIN authentication process requires 
knowledge of the same taxpayer information that was used by 
unscrupulous individuals to breach the Get Transcript application. 
However, the IRS reactivated the application on January 19, 2016. We 
issued a second recommendation to the IRS on February 24, 2016, 
---------------------------------------------------------------------------
advising it to remove the IP PIN application from its public website.

    On March 7, 2016, the IRS reported that it was temporarily 
suspending use of the IP PIN application as part of an ongoing security 
review. The IRS reported that it is conducting a further review of the 
application that allows taxpayers to retrieve their IP PINs online and 
is looking at further strengthening its security features. The IRS does 
not anticipate having the technology in place for either the Get 
Transcript or IP PIN application to provide multifactor authentication 
capability before the summer of 2016.

    On February 9, 2016, the IRS announced that it had identified and 
halted an automated botnet \28\ attack on its Electronic Filing (e-
file) PIN application on IRS.gov. Using personal data stolen elsewhere 
outside the IRS, identity thieves used malware in an attempt to 
generate e-file PINs for stolen Social Security Numbers (SSN). An e-
file PIN is used in some instances to electronically file a tax return. 
While no personal taxpayer data was compromised or disclosed by IRS 
systems in the attack, the IRS did identify unauthorized attempts 
involving approximately 464,000 unique SSNs, of which 101,000 were used 
to successfully access an e-file PIN.
---------------------------------------------------------------------------
    \28\ A botnet is a number of Internet computers that, although 
their owners are unaware of it, have been set up to forward 
transmissions (including spam or malware) to other computers on the 
Internet, usually for the purpose of a cyberattack or denial of service 
attack.

    No single authentication method or process will prevent 
unscrupulous individuals from filing identity theft tax returns or 
attempting to inappropriately access IRS services. However, strong 
authentication processes can reduce the risk of such activity by making 
it harder and more costly for such individuals to gain access to 
resources and information. Therefore, it is important that the IRS 
ensure that its authentication processes are in compliance with NIST 
standards in order to provide the highest degree of assurance required 
and to ensure that authentication processes used to verify individuals' 
identities are consistent among all methods used to access tax account 
---------------------------------------------------------------------------
information.

    In response to concerns expressed by the IRS Commissioner during 
2015, the IRS received an additional $290 million in appropriated funds 
for FY 2016. The IRS plans to use $111.5 million of the additional 
funding to enhance cybersecurity to safeguard taxpayer data. 
Specifically, the IRS plans to increase staffing, replace outdated 
equipment, and make network improvements for monitoring and analyzing 
data traffic. In addition, the IRS plans to implement actions from the 
Security Summit \29\ and to relaunch the Get Transcript application. We 
are planning a review to assess IRS's use of these funds to improve 
cybersecurity.
---------------------------------------------------------------------------
    \29\ On March 19, 2015, the IRS Commissioner convened a meeting 
with IRS officials, the chief executive officers of the leading tax 
preparation firms, software developers, payroll and tax financial 
product processors, and representatives from 22 States to discuss 
common challenges and ways to leverage their collective resources and 
efforts for identity theft detection and prevention.

    We at TIGTA take seriously our mandate to provide independent 
oversight of the IRS in its administration of our Nation's tax system 
and will continue to expand our oversight related to cybersecurity. 
Based on the increased number and sophistication of threats to taxpayer 
information and the need for the IRS to better protect taxpayer data 
and improve its enterprise security program, we plan to provide 
continuing audit and investigative coverage of the IRS's efforts to 
---------------------------------------------------------------------------
protect the confidentiality of taxpayer information.

    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you for the opportunity to share my views.

                                 ______
                                 
              Prepared Statement of Hon. Orrin G. Hatch, 
                        a U.S. Senator From Utah
WASHINGTON--Senate Finance Committee Chairman Orrin Hatch (R-Utah) 
today delivered the following opening statement at a hearing examining 
how the Internal Revenue Service (IRS) is safeguarding private taxpayer 
information this filing season and to determine what improvements may 
be necessary for the agency to fully protect taxpayers from 
cybercriminals:

    Good morning. It's a pleasure to welcome everyone to today's 
hearing, which we've titled ``Cybersecurity and Protecting Taxpayer 
Information.''

    These are important issues that the Finance Committee has been 
working on for some time. In June of last year, for example, we held a 
hearing on the theft of Internal Revenue Service data affecting 
taxpayer information. Much has happened since that time.

    At the urging of the Finance Committee, the IRS, State revenue 
commissioners, and leaders in the tax return preparation industry came 
together last year to convene a Security Summit, which resulted in new 
information-sharing agreements to help identify suspicious activity in 
the tax filing and refund process. We look forward to hearing more 
about that effort today.

    But in the face of this progress, we have also seen unprecedented 
growth in the scope and scale of cyber-attacks aimed at stealing 
personal information and billions of dollars from taxpayers.

    Last year alone, cyber-criminals obtained access to sensitive 
personal information from several large health insurers, exposing tens 
of millions of Americans to potential identity theft. Foreign 
governments gained access to poorly protected Federal Government 
databases, including a treasure trove of information at the Office of 
Personnel Management.

    Today we will focus on three separate aspects of this problem.

    First, we will consider the ways the IRS authenticates taxpayer 
identities to prevent data thieves from using authentication 
information to gain access to even more information about taxpayers or 
to file false returns and obtain refunds under stolen identities.

    Second, we will examine how the IRS uses its resources to improve 
cybersecurity. This will include some discussion about the IRS Future 
State plan, which the agency has developed in order to adapt to the 
realities of the 21st century.

    Third and finally, we will consider the ongoing joint efforts of 
the IRS, State revenue collectors, and private tax preparers to see 
what can be accomplished to better secure taxpayer information and 
protect taxpayers from fraud.

    Taking a look at our witness table, it is clear that this is not a 
typical lineup of witnesses. Challenges to cyber-security require not 
only smart and persistent leadership up at the top, but also 
technological expertise and up-to-date skills down on the ground. So 
today, we not only have with us the heads of the IRS, the Government 
Accountability Office, and the Treasury Inspector General for Tax 
Administration, we've invited subject matter experts on the relevant 
issues from each of those agencies to testify as well.

    That's a total of six witnesses. And, I suspect each of them will 
bring unique and important insights to this discussion.

    In closing, I'll just say that, while we are clearly making real 
progress in this area, the challenges are continuing to grow and 
criminals behind this kind of data theft are getting more sophisticated 
and aggressive, seemingly by the day. And, American taxpayers--and 
their livelihoods--are their targets.

    In other words, we have a lot of work to do. My hope is that we'll 
continue to be able to work on these issues on a bipartisan basis in 
order to do right by the American people.

                                 ______
                                 
        Prepared Statement of Hon. John Koskinen, Commissioner, 
                        Internal Revenue Service
                              introduction
    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you for the opportunity to discuss the IRS's ongoing efforts to 
safeguard our systems and protect taxpayer information from 
cybersecurity threats, as well as our work to combat stolen identity 
refund fraud.

    Securing our systems and taxpayer data continues to be a top 
priority for the IRS. Even with our constrained resources as a result 
of repeatedly decreased funding over the past few years, we continue to 
devote significant time and attention to this challenge, which is 
twofold.

    First, the IRS works continuously to protect our main computer 
systems from cyber incidents, intrusions and attacks, but our primary 
focus is to prevent criminals from accessing taxpayer information 
stored in our databases. These core tax processing systems remain 
secure, through a combination of cyber defenses, which currently 
withstand more than 1 million attempts to maliciously access our 
systems each day. Second, the IRS is waging an ongoing battle to 
protect taxpayers and their information as we confront the growing 
problem of stolen identity refund fraud. Our multipronged approach to 
this problem is discussed in more detail below.

    As we confront these challenges, the IRS has also been working to 
expand and improve our ability to interact with taxpayers online. While 
we already engage taxpayers across numerous communications channels, we 
realize the need to meet taxpayers' increasing demand for digital 
services.

    We are aware, however, that in building toward this enhanced online 
experience, we must continuously upgrade and improve our authentication 
protocols. The reality is criminals are becoming increasingly 
sophisticated and are gathering vast amounts of personal information as 
the result of data breaches at sources outside the IRS. We must balance 
the strongest possible authentication processes with the ability of 
taxpayers to legitimately access their data and use IRS services 
online. It is important to note that cybercrime (theft by unauthorized 
access) and privacy breaches are increasing across the country in all 
areas ofgovernment and industry. Cyber criminals and their methods 
continue to grow in sophistication, frequency, brazenness, volume and 
impact. IRS will continue to be challenged in our ability to maintain 
currency with latest technologies, processes and counter-measures.
                 making progress against identity theft
    Discovering that your identity has been stolen by having your tax 
return rejected because someone else has already filed a return using 
your name and Social Security Number (SSN) can be a personal and 
traumatic experience. We are constantly working to improve our 
processes and methods to protect taxpayers from this situation. The 
problem of personal data being used to file fraudulent tax returns and 
illegally obtain refunds exploded from 2010 to 2012, and for a time 
overwhelmed private industry, law enforcement, and government agencies 
such as the IRS. Since then, we have been making steady progress within 
our reduced resources, both in terms of protecting against fraudulent 
refund claims and criminally prosecuting those who engage in this 
crime.

    Thanks to the work of our Criminal Investigation Division, about 
2,000 individuals have been convicted on Federal charges related to 
refund fraud involving identity theft over the past few years. We 
currently have about 1,700 open investigations being worked by more 
than 400 IRS criminal investigators.

    Meanwhile, we continue to improve our efforts at stopping 
fraudulent refunds from going out the door. For example, we have 
improved the filters that help us spot suspicious returns before they 
can be processed. Using those filters, we stopped 1.4 million returns 
last year that were confirmed to have been filed by identity thieves. 
By stopping those returns, we kept criminals from collecting about $8.7 
billion in fraudulent refunds.

    Importantly, the IRS also continues to help taxpayers who have been 
victims of identity theft. Last year, the IRS worked with victims to 
close more than 700,000 such cases.

    But while we have stopped many crimes, we find that the type of 
criminal we are dealing with constantly evolves. Previously we were 
dealing with individuals stealing personal information and filing a few 
dozen or maybe a few hundred false tax returns, and while we still see 
this, the threat has grown to include organized crime syndicates here 
and in other countries.
Security Summit Group
    To improve our efforts against this complex and evolving threat, 
the IRS held a sit-down meeting in March 2015 with leaders of the 
electronic tax industry, software industry and State tax officials. We 
agreed to build on our past cooperative efforts and find new ways to 
leverage our public-private partnership to help battle stolen identity 
refund fraud. Motivating us was the understanding that no single 
organization can fight this type of fraud alone.

    This meeting led to the development of the Security Summit group, 
an unprecedented partnership that has focused our joint efforts on 
making sure the tax filing experience would be safer and more secure 
for taxpayers in 2016 and beyond. This is an important step for 
taxpayers and for tax administration, because the critical work being 
done by this group is giving everyone involved a better defense against 
stolen identity refund fraud.

    Over the past year, the Security Summit group has made progress on 
a number of initiatives including:

      Summit group members identified and agreed to share 20 data 
components from Federal and State tax returns to improve fraud 
detection and prevention this filing season. For example, group members 
are sharing computer device identification data tied to the return's 
origin, as well as the improper or repetitive use of the numbers that 
identify the Internet ``address'' from where the return originates.

      Tax software providers agreed to enhance identity requirements 
and strengthen validation procedures for new and returning customers to 
protect their accounts from being taken over by criminals. This change 
is one of the most visible to taxpayers during the 2016 filing season, 
because it includes new verification procedures they need to follow to 
log in to their accounts. These actions will serve as the baseline for 
ongoing discussions and additional enhancements for the 2017 filing 
season.

      The Summit group created a new memorandum of understanding (MOU) 
regarding roles, responsibilities and information sharing pathways 
currently in circulation with States and industry. So far, 40 State 
departments of revenue and 21 tax industry members have signed the MOU, 
along with the IRS and endorsing organizations.

      Tax industry participants have aligned with the IRS and the 
States under the National Institute of Standards and Technology (NIST) 
cybersecurity framework to promote the protection of information 
technology infrastructure. The IRS and States currently operate 
consistently with this framework, as do many in the tax industry. Next 
steps in this area include follow-up sessions to develop strategy for 
how the NIST cybersecurity framework will be employed by all 
organizations within the tax industry.

      Summit group members agreed on the need to create a tax 
administration Information Sharing and Analysis Center (ISAC) to 
centralize, standardize, and enhance data compilation and analysis to 
facilitate sharing actionable data and information.

      Recognizing the critical role that the Nation's tax 
professionals play within the tax industry in both the Federal and 
State arenas, the Summit group created a team that will examine issues 
related to return preparers, such as how the preparer community can 
help prevent identity theft and refund fraud.

    Our collaborative efforts are already showing concrete results this 
filing season. For example, Security Summit partners have helped the 
IRS improve its ability to spot potentially false returns before they 
are processed and thus before a possibly fraudulent refund is issued. 
Under our industry leads program, Security Summit partners and other 
external stakeholders such as banks provide information that allows us 
to improve our fraud filters, which in turn leads to more suspicious 
returns being identified for further review. In Calendar Year (CY) 2016 
through mid-March, leads from industry partners directly resulted in 
the suspension of 27,000 returns on which a total of $119 million in 
refunds was claimed, up from 8,000 returns claiming $57 million during 
the same period last year.
Identity Theft Public Awareness Campaign
    Despite the progress being made against stolen identity refund 
fraud, we recognized that we were missing an important partner in this 
effort--the taxpaying public. So in November 2015, with the strong 
support of all the Security Summit partners, we launched the ``Taxes, 
Security, Together'' campaign to raise awareness about actions people 
can take to protect themselves and avoid becoming victims of identity 
theft.

    Many of the steps are basic common sense, but given that 150 
million households file tax returns every year, we believe these steps 
cannot be stressed enough. People continue to fall prey to clever 
cybercriminals who trick them into giving up SSNs, bank account 
numbers, password information or other sensitive personal data. So 
having the public's help will greatly strengthen and improve our new 
tools we have to stop the crime of identity theft.

    As part of this public awareness campaign, the IRS, in the weeks 
leading up to the 2016 filing season, issued weekly tax tips describing 
the actions people could take to protect their data. We have updated 
several publications for taxpayers and tax professionals. We have 
posted YouTube videos on this subject, and public-
awareness information is being shared online across IRS.gov, State 
websites and platforms used by the tax software industry and many 
others in the private-sector tax community. I would note our public 
awareness campaign is not confined to the tax filing season, but is an 
ongoing effort.

    Our efforts to educate and inform members of the public about the 
need to protect themselves against identity thieves extend to 
businesses as well. Information returns, especially Form W-2, are 
becoming a major target of these criminals, as they seek new sources of 
information that will help them file false returns that have a better 
chance of going undetected by our fraud filters. In this effort, they 
attempt to trick companies into providing the information returns.

    One scheme uncovered recently involved identity thieves posing as a 
company's chief executive and sending a legitimate-looking e-mail to 
the payroll department requesting a list of all company employees and 
their Forms W-2. In March, the IRS issued an alert to payroll and human 
resources professionals warning them about this scam.

    Identity thieves' efforts to obtain Forms W-2 have not stopped 
there. We are increasingly concerned about efforts to create 
counterfeit Forms W-2 that are filed along with the false returns to 
make the return appear legitimate. That concern led the IRS to launch a 
pilot program earlier this year testing the idea of adding a 
verification code to Form W-2 that would verify the integrity of Form 
W-2 data being submitted to the IRS.

    For this pilot, the IRS partnered with four major payroll service 
providers. These providers added a special coded number on 
approximately 2 million individual Forms W-2 in a new box on the Form 
W-2 labeled ``Verification Code.'' Each coded number is calculated 
based on a formula and key provided by the IRS, using data from the 
Form W-2 itself, so that each number generated was known only to the 
IRS, the payroll service provider, and the individual who received the 
Form W-2. The verification code cannot be reverse engineered. Since 
this identifier is unique, any changes to the Form W-2 information 
provided when filed are detected by the IRS. Individuals whose Forms W-
2 were affected by the pilot and who used tax software to prepare their 
return entered the code when prompted to by the software program. The 
IRS plans to increase the scope of this pilot for the 2017 filing 
season by expanding the number and types of Form W-2 issuers involved 
in the test.
      verifying identities and stopping suspicious online activity
Following the OMB Guidance and NIST Standards
    The IRS continues to make every effort to ensure that we provide 
tax account-related services only after verifying the identity of 
individuals seeking those services. This is true for all of our 
communications channels, some of which allow for extremely strong 
assurance processes that are not possible in other channels.

    For example, IRS employees at our Taxpayer Assistance Centers 
provide face-to-face help to taxpayers, and thus can easily verify 
identity through photo identification. This method provides the 
strongest possible level of assurance, but is obviously not feasible 
with phone or online interactions. Additionally, in-person assistance 
is more time-consuming for the taxpayer and costly for the IRS than the 
help we provide through other communications channels.

    Given the ability of cybercriminals and identity thieves to evolve 
and improve their methods of stealing personal data, the need to 
properly verify the identity of taxpayers using online services is 
particularly great. In developing authentication procedures for online 
interactions with taxpayers, the IRS continues to follow the Office of 
Management and Budget (OMB) memorandum issued in 2003, E-Authentication 
for Federal Agencies.

    This memorandum establishes criteria for determining the risk-based 
level of authentication assurance required for specific electronic 
applications and transactions. It requires agencies to review new and 
existing electronic transactions, to ensure authentication processes 
provide the appropriate level of assurance from among four levels, 
which are as follows:

    Level 1: Little or no confidence in the asserted identity's 
validity;
    Level 2: Some confidence in the asserted identity's validity;
    Level 3: High confidence in the asserted identity's validity; and
    Level 4: Very high confidence in the asserted identity's validity.

    Each increase in level requires users to take additional steps to 
validate their identity and gain access to a given online transaction.

    In addition to the OMB memorandum, we also follow the technical 
requirements set by NIST for the four levels of assurance defined in 
the OMB guidance. It is important to note that the NIST standards 
anticipate and require varying levels of assurance depending on the 
nature of a given online transaction and the information being 
exchanged.

    In following the NIST standards, the IRS employs differing levels 
of authentication assurance among the various digital services used by 
taxpayers. For example, the level of authentication required for an 
online tool that only accepts payments from a taxpayer can reasonably 
be set lower than an application that provides the taxpayer with their 
personal tax information.

    Thus, in establishing a risk assurance level to a particular online 
digital service, the IRS, in addition to assigning one of the four 
numerical levels of risk assurance, also assigns a letter representing 
the amount and types of validation that a taxpayer would have to 
provide, in order to gain access to the digital service in question:

    A: No credential required (OMB Level 1);
    B: User ID and password required, but no identity proofing (OMB 
Level 1);
    C: User ID and password, plus basic identity proofing--providing 
information such as name, address, date of birth, SSN (OMB Level 2);
    D: Everything included in C above, plus knowledge-based 
authentication--answers to so-called ``out of wallet'' questions that 
only the legitimate taxpayer should know (OMB Level 2);
    E: Everything included in D above, plus financial validation, such 
as providing the taxpayer's prior-year adjusted gross income (OMB Level 
2);
    F: Everything included in C above, plus financial validation and an 
additional authentication factor, such an authentication code texted or 
mailed to the user--so-called multifactor identification (OMB Level 3); 
and
    G: In-person authentication.
Recent Unauthorized Attempts to Access IRS Online Services
    Over the past year, unauthorized attempts were made to access 
online services on our website, IRS.gov. These attempts were not on our 
main computer system, which remains secure. Instead, in each situation 
criminals were attempting to use taxpayer information they had stolen 
from other sources to access IRS services by impersonating legitimate 
taxpayers, in order to file false tax returns and claim fraudulent 
refunds.

    Each of the situations, which are described in more detail below--
involving the Get Transcript online application, the Identity 
Protection Personal Identification Number (IP PIN) retrieval tool and 
the Get Your Electronic Filing PIN tool--illustrate both the progress 
we have made and the challenges we continue to face in detecting 
suspicious activity and ensuring the digital services we provide are 
used only by taxpayers who legitimately seek them.

    For all three services, the improvements made to our system-
monitoring capabilities allowed the IRS to uncover the suspicious 
activity. We continue to improve these monitoring capabilities and 
enhance our return processing filters so that we can thwart criminal 
activity as quickly as possible.

    But improving our ability to react to these threats is not enough. 
The three situations are examples of how nimble criminals have become 
in attempting to access our systems by masquerading as legitimate 
taxpayers. In each case, those who were making the unauthorized 
attempts to gain access had already obtained vast amounts of stolen 
individual taxpayer data and were using it to help them get into our 
systems, with the ultimate goal of claiming a fraudulent refund. We are 
finding that, as the IRS improves monitoring capabilities and shuts off 
certain avenues of entry, identity thieves find new ways to file false 
returns. As the IRS enhances return processing filters and catches more 
fraudulent returns at the time of filing, criminals have become more 
sophisticated at faking taxpayers' identities so they can evade those 
filters and successfully obtain fraudulent refunds.

    Therefore, the IRS is working not just to react better and faster, 
but to anticipate the criminals' next moves and stay ahead of them. To 
fully protect taxpayers and the tax system, the IRS must not only keep 
pace with, but also get ahead of, criminals and criminal organizations, 
as they improve their efforts to obtain personal taxpayer information. 
The ongoing collaborative work of the Security Summit group along with 
additional funding received in FY 2016 as part of the Section 113 
Administrative Provision have been crucial. The FY 2017 budget requests 
additional funding including a Departmentally-managed Cybersecurity 
Enhancement account which allows the IRS and the Department to leverage 
enterprise-wise services and capabilities.

    Following are descriptions of the three situations referenced above 
involving suspicious online activity:

    Get Transcript Application. The Get Transcript online application 
allows taxpayers to view and print a copy of their prior-year tax 
information, also known as a transcript, in a matter of minutes. 
Taxpayers use tax transcript information for a variety of non-tax 
administration, financial activities, such as verifying income when 
applying for a mortgage or financial aid.

    Prior to the introduction of this online tool in January 2014, 
taxpayers needing a transcript had to order a transcript by mail, by 
phone, or in person at one of our Taxpayer Assistance Centers, and then 
have it mailed to them.

    The development of the Get Transcript online application began in 
2011. The IRS conducted a risk assessment and determined that the e-
authentication risk assurance level appropriate for this application 
was 2D, which required the taxpayer to provide basic items of personal 
information and also answer out-of-wallet questions. At that time, this 
type of authentication process was the industry standard, routinely 
used by financial institutions to verify the identity of their 
customers conducting transactions online.

    During the 2015 filing season, taxpayers used the Get Transcript 
online application to successfully obtain approximately 23 million 
transcripts. If this application had not existed and these taxpayers 
had to call or write us to order a transcript, it would have stretched 
the IRS's limited resources even further.

    In May 2015, the IRS announced that criminals, using taxpayer 
information stolen elsewhere, had been able to access the Get 
Transcript online application. Shortly thereafter, we disabled the 
application. We are now strengthening the authentication process and 
expect to bring the Get Transcript application back on-line, in the 
near future. In reevaluating the application, we have changed the risk 
assurance level for this application to 3F, which will require 
taxpayers toundergo a multifactor authentication process in order to 
gain access. In the meantime, taxpayers can still place an order for a 
transcript online, and have it mailed to their address of record.

    The IRS, immediately focusing on last year's filing season, 
initially identified approximately 114,000 taxpayers whose transcripts 
had been accessed and approximately 111,000 additional taxpayers whose 
transcripts were targeted but not accessed. We offered credit 
monitoring, at our expense, to the group of 114,000 for which the 
unauthorized attempts at access were successful. We also promptly sent 
letters to all of these taxpayers to let them know that third parties 
may have obtained their personal information from sources outside the 
IRS in an attempt to obtain their tax return data using the Get 
Transcript online application.

    Our review of the situation continued and, in August 2015, we 
identified another 220,000 taxpayers whose transcripts may have been 
accessed and approximately 170,000 taxpayers whose transcripts were 
targeted but not accessed. We again notified all of these taxpayers 
about the unauthorized attempts, and offered credit monitoring to the 
220,000.

    In addition, the Treasury Inspector General for Tax Administration 
(TIGTA) conducted a 9-month investigation looking back to the launch of 
the application in January 2014 for additional suspicious activity. 
This expanded review identified additional unauthorized attempts to 
access taxpayer information using the Get Transcript online 
application. This review found potential access of approximately 
390,000 additional taxpayer accounts during the period from January 
2014 through May 2015. An additional 295,000 taxpayer transcripts were 
targeted but access was not successful. Again, the IRS sent letters to 
these taxpayers alerting them to the unauthorized attempts, offering 
credit monitoring to those whose accounts were accessed.

    The additional attempts uncovered by TIGTA brought the total number 
of potential unauthorized accesses to the Get Transcript online 
application to 724,000. So far, we have identified approximately 
250,000 potentially fraudulent returns that were filed on behalf of 
these taxpayers, and we have stopped the majority of the known 
fraudulent refunds from going out.

    I would note that our analysis of the attempts to access the Get 
Transcript online application is ongoing, and we may yet discover that 
some accesses classified as unauthorized were, in fact, legitimate. For 
example, family members, tax return preparers or financial institutions 
could have been using a single e-mail address to attempt to access more 
than one account. However, in an abundance of caution, IRS notified any 
and all taxpayers whose accounts met these criteria.

    Additionally, as a result of the Get Transcript online application 
problem, we added an extra layer of protection for taxpayers who use 
our online services. We started sending a letter, known as a CP301 
notice, to taxpayers when they first create a login and password for 
any web application on IRS.gov. This notice tells the taxpayer that 
someone registered for an IRS online service using their information. 
If the taxpayer was not the one who registered, the notice instructs 
the taxpayer to contact the IRS. Mailing this notice conforms to NIST 
guidance, and is a best practice similar to that used by the Social 
Security Administration and other financial institutions.

    Since we began sending these notices, we have disabled 
approximately 5,100 online accounts at the request of taxpayers who 
received a CP301. The majority of these accounts were disabled between 
January and March of this year, and we estimate that approximately 80 
percent of these requests were related to the unauthorized attempts to 
access the IP PIN retrieval tool described below.

    IP PIN Retrieval Tool. One aspect of the IRS's efforts to help 
taxpayers affected by identity theft involves the IP PIN, a unique 
identifier that authenticates a return filer as the legitimate 
taxpayer. If the IRS identifies a return as fraudulently filed, the IRS 
offers the legitimate taxpayer the ability to apply for an IP PIN for 
use when filing their next return. The IRS mails the IP PIN to the 
taxpayer's address of record, and the IP PIN is valid for only one 
filing season.

    The IP PIN program began as a pilot in 2011, and since then has 
grown significantly. For the 2016 filing season, the IRS issued IP PINs 
to 2.7 million taxpayers previously identified by the IRS as victims of 
identity theft or participants in a pilot program. This pilot is for 
taxpayers living in Florida, Georgia and Washington, DC--three areas 
where there have been particularly high concentrations of stolen 
identity refund fraud--who can request an IP PIN regardless of whether 
the IRS has identified them as a victim of identity theft.

    In 2015, the IRS developed an online tool that allowed taxpayers 
who had received an IP PIN to retrieve it if they lost or misplaced the 
number before filing their return. Taxpayers accessed this tool on 
IRS.gov by entering personal information to authenticate their 
identity. The retrieval tool has been used by only a small subset of 
all taxpayers receiving an IP PIN: this filing season, out of the 2.7 
million who received an IP PIN, just 130,000, or about 5 percent, used 
the retrieval tool.

    After discovering the problems with the Get Transcript online 
application, we began in July 2015 to monitor every request to recover 
a forgotten or lost IP PIN. In February 2016, as part of this 
proactive, ongoing security review, the IRS temporarily suspended this 
retrieval tool after detecting potentially unauthorized attempts to 
obtain IP PINs using the tool. Thus far, the IRS has confirmed and 
stopped about 5,000 false returns using a fraudulently obtained IP PIN. 
While our analysis is ongoing, at this time we do not believe any 
fraudulent refunds were issued as a result of successful unauthorized 
attempts to retrieve an IP PIN.

    We are conducting a further review of this online tool and will 
strengthen its security features before bringing it back online. The 
IRS conducted an e-authentication risk assessment, following OMB 
guidelines, for the IP PIN retrieval tool, and has assigned an 
assurance level of 3F to this tool, so that taxpayers will have to 
undergo a multifactor authentication process to gain access once we 
bring the tool back online. Taxpayers who still need to retrieve a lost 
IP PIN in order to file their 2015 tax return can call the IRS, and we 
will mail the replacement IP PIN to the taxpayer's address of record.

    Get Your Electronic Filing PIN Online Tool. Another way in which 
the IRS employs personal identification numbers involves the electronic 
signature on a tax return. When taxpayers electronically file a return, 
they sign their return by obtaining one of several types of PINs 
available through IRS.gov.

    For example, the self-select PIN (SSP) method requires the taxpayer 
to use their prior-year adjusted gross income (AGI) or their prior-year 
SSP to authenticate their identity. They then select a five-digit PIN 
that can be any five numbers to enter as their electronic signature.

    The IRS also provides an alternative to taxpayers unable to access 
their prior-year tax year return information for electronic signature 
authentication purposes. Using the Get Your Electronic Filing PIN 
application, taxpayers can enter identifying information and receive a 
temporary electronic filing PIN that can be used only for the current 
tax filing season. During FY 2015, taxpayers obtained approximately 25 
million e-File PINs. On average, e-File PINs are used to sign about 12 
million returns a year.

    In January of this year, the IRS identified and halted an automated 
``bot'' intrusion upon the Get Your Electronic Filing PIN application. 
In this intrusion, identity thieves employed malicious software, 
commonly known as ``malware,'' to gain access to the application and 
generate e-File PINs for SSNs they had stolen from sources outside the 
IRS. Based on our review, we identified unauthorized attempts involving 
approximately 464,000 unique SSNs, of which 101,000 SSNs were used to 
successfully access an e-File PIN.

    Nonetheless, our analysis of the situation found that no personal 
taxpayer data was compromised or disclosed by IRS systems, and no 
fraudulent refunds were issued. The IRS has taken steps to notify 
affected taxpayers by mail that their personal information was used in 
an attempt to access this IRS application. The IRS has also put returns 
filed under these SSNs through additional scrutiny to protect against 
future tax-related identity theft.
                         looking to the future
Building an Authentication Framework
    These incidents illustrate the challenges we face in developing 
appropriate authentication procedures for online transactions. The IRS 
takes protection of taxpayer data very seriously, and with that in 
mind, we must constantly strike a balance between citizen convenience 
and strong authentication and security protocols in an ever-changing 
cybercrime environment. The incidents also illustrate a wider truth 
about identity theft in general, which is that there are no perfect 
systems. No one, either in the public or private sector, can give an 
absolute guarantee that a system will never be compromised. For that 
reason, we continue our comprehensive efforts to update the security of 
our systems, protect taxpayers and their data, and investigate crimes 
related to stolen identity refund fraud.

    We are reviewing our current e-authentication risk assessment 
process to ensure that the level of authentication risk for all current 
and future IRS online services accurately reflects the risk to the IRS 
and taxpayers should an authentication vulnerability occur.

    We also realize that more needs to be done. A key element in our 
efforts to improve protections for existing online tools and new ones 
contemplated for the future is the development of a strong, coordinated 
and evolving authentication framework. This framework, once fully 
developed, will enable us to require multifactor authentication for all 
online tools and applications that warrant a high level of assurance.

    To ensure proper development of our authentication framework, the 
IRS recently created a new position, the IRS Identity Assurance 
Executive. This executive will develop our Service-wide approach to 
authentication. In addition, we have engaged with the U.S. Digital 
Service (USDS), which uses the best of product design, engineering 
practices and technology professionals to build effective, efficient, 
and secure digital channels to transform the way government works for 
taxpayers.

    We are joining forces with a team from USDS as we develop the 
future taxpayer digital experience and the foundational authentication 
standards that will enable secure digital exchanges between the IRS and 
taxpayers. In addition, we will leverage NIST standards to ensure that 
authentication processes used for all current and future online 
applications provide the required level of assurance for the determined 
level of authentication risk.

    Going forward, we will continue to review and adjust our 
authentication protocols accordingly. The sophistication of today's 
cybercriminals and identity thieves requires us to continually reassess 
and modify these protocols.
Enhancing the Taxpayer Experience

    Our efforts to detect and stop suspicious online activity and to 
develop a strong authentication framework are especially critical now, 
as the IRS builds toward the future and works to improve the online 
taxpayer experience for those taxpayers who prefer to communicate with 
us this way.

    Within our tight budget constraints, the IRS has continued to 
analyze and develop plans for improving how the agency can fulfill its 
mission in the future, especially in delivering service to taxpayers.

    We are looking forward to a new and improved way of doing business 
that involves a more robust online taxpayer experience. This is driven, 
in part, by business imperatives, since it costs between $40 and $60 to 
interact with a taxpayer in person, and less than $1 to interact 
online. But we also need to provide the best possible taxpayer 
experience, in response to taxpayer expectations and demands.

    While we have spent the last several years developing new tools and 
applications to meet these taxpayer expectations and demands, we are 
now at the point where we believe the taxpayer experience needs to be 
taken to a new level. Our goal is to increase the availability and 
quality of self-service interactions, which will give taxpayers the 
ability to take care of their tax obligations online in a fast, secure 
and convenient manner.

    The idea is that taxpayers would have an account with the IRS where 
they, or their preparers, could log in securely, get all the 
information about their account, and interact with the IRS as needed. 
Most things that taxpayers need to do to fulfill their Federal tax 
obligations could be done virtually, and there would be much less need 
for in-person help, either by waiting in line at an IRS assistance 
center or calling the IRS.

    As we improve the online experience, we understand the 
responsibility we have to serve the needs of all taxpayers, whatever 
their age, income, or location. We recognize there will always be 
taxpayers who do not have access to the Internet, or who simply prefer 
not to conduct their transactions with the IRS online. The IRS remains 
committed to providing the services these taxpayers need. We do not 
intend to curtail the ability of taxpayers to deal with us by phone or 
in person.

    In building toward the future of taxpayer service, we will need to 
strike a delicate balance with our efforts to improve our 
authentication protocols described above. Authentication protocols will 
need to be high, but not so high as to preclude taxpayers from 
legitimately using the online services we provide. As criminals become 
increasingly sophisticated, we will need to continue recalibrating our 
approach to authentication to continue maintaining this balance.

    The Get Transcript online application is a good example of these 
tradeoffs. Under the original authentication method we required for the 
Get Transcriptonline application, we estimate that about 22 percent of 
legitimate taxpayers trying to access the application were unable to 
get through. We anticipate that under the multifactor authentication 
protocol to be implemented, an even higher percentage of taxpayers will 
be unable to use the tool. We will explain to taxpayers why these 
strong protections are necessary. All taxpayers will be able to order a 
transcript, online or by phone, and have it mailed to their address of 
record, if the online tool does not work for them, or if they prefer 
not to interact with us online.
Need for Adequate Resources and Legislative Solutions
    An important consideration as we move into the future is the need 
for adequate resources to continue improving our efforts against 
identity theft and protecting our systems against cybercrime involving 
incidents, intrusions, and attacks. The IRS has been operating in an 
extremely difficult budget environment for several years, as our 
funding has been substantially reduced. In FY 2016, our funding level 
is more than $900 million lower than it had been in FY 2010.

    Despite those reductions, the IRS still devotes significant 
resources to cybersecurity and identity theft, even though our total 
needs still exceeded our available funds.

    Congress provided $290 million in additional funding for FY 2016, 
to improve service to taxpayers, strengthen cybersecurity and expand 
our ability to address identity theft. This action by lawmakers was a 
helpful development for the IRS and for taxpayers, and we appreciate 
it. Sustaining and increasing funds available for cybersecurity efforts 
at the IRS is critical this year and in the future. The IRS is using 
the new resources wisely and efficiently. This includes:

      Cybersecurity. We are using approximately $95.4 million to 
invest in a number of critical security improvements, including more 
effective monitoring of data traffic and replacement of technology that 
supports the development, maintenance and operation of IRS applications 
to make processes more secure, reliable and efficient. The funding will 
help us to improve systems and defenses across the entire IRS, thereby 
helping to protect taxpayer data. We are also investing in systems to 
allow for enhanced network segmentation, which involves further 
subdividing our network, so that if any vulnerabilities occur, they 
would be contained to just one portion of the network.

      Identity Theft. We are using approximately $16.1 million to 
develop advanced secure access capabilities for applications such as 
Get Transcript, IP PIN and others. This will also fund advanced 
analytics and detection of anomalies in returns filed. In addition, 
this investment will allow the IRS to partner with private industry and 
State tax agencies through the Security Summit to, for the first time, 
share information systemically about suspicious activity in the tax 
system.

      Taxpayer Service. We are using approximately $178.4 million 
provided in the additional $290 million to add about 1,000 extra 
temporary employees to help improve our service on our toll-free phone 
lines. As a result, we are already seeing service improvements. So far 
this filing season, the telephone level of service (LOS) is nearly 75 
percent, and the average for the entire filing season will probably be 
above 70 percent, which is a vast improvement over last year. The IRS 
has prioritized LOS during filing season, and was operating at 
historically low levels up until the new appropriations were provided 
in December. In fact, we expect LOS for the full year to be about 47 
percent. The 2017 Budget provides LOS above 70 percent for the full 
year with an investment of $150 million above current levels, and by 
supplementing with user fees.

    The FY 2017 President's Budget sustains and bolsters funding for 
these important programs. This includes $90 million in additional 
funding to help prevent identity theft and refund fraud and to reduce 
improper payments. This funding will increase the capacity of our most 
important programs discussed above, including external leads and 
criminal investigations. New funds will allow the IRS to close almost 
100,000 additional identity theft cases per year by helping victimized 
taxpayers who have engaged the IRS for assistance. The number of 
identity theft cases has grown from 188,000 in FY 2010 to 730,000 in FY 
2014, and current resources can only close about 409,000 per year.

    The FY 2017 President's Budget also requests cybersecurity funds 
provided through a Department wide Cybersecurity Enhancement account, 
which will bolster Treasury's overall cybersecurity posture. Of the 
nearly $110 million requested in the account, $54.7 million will 
directly support IRS cybersecurity efforts by securing data, improving 
continuous monitoring, and other initiatives. An additional $7.4 
million will be used to continue development and implementation of 
electronic authentication systems currently being developed for the Get 
Transcript online application for our expanding set of digital 
services.

    While adequate funding is critical to improving our cybersecurity 
efforts, Congress also provides important support to the IRS by passing 
legislative proposals that improve tax administration. An excellent 
example is the enactment last December of the requirement for companies 
to file Form W-2s and certain other information returns earlier in the 
year than now. Having W-2s earlier will make it easier for the IRS to 
verify the legitimacy of tax returns at the point of filing and to spot 
fraudulent returns.

    Although the new law is not effective until the 2017 filing season, 
some employers that issue large volumes of W-2s agreed this year to 
voluntarily file them earlier in the year, so the benefit of the change 
is already beginning to be felt. This year we received early 
submissions of about 26 million W-2s, most of which came in by the end 
of January. The IRS is using this data in our program to verify claims 
of wages and withholding on individual income tax returns. We expect 
this to assist in the quicker release of refunds for those returns we 
are able to verify.

    We have asked Congress for other changes to enhance tax 
administration and help us in our efforts to improve cybersecurity. An 
important proposal is the reauthorization of so-called streamlined 
critical pay authority, originally enacted in 1998, to assist the IRS 
in bringing in individuals from the private sector with the skills and 
expertise needed in certain highly specialized areas, including IT, 
international tax and analytics support. This authority, which ran 
effectively for many years, expired at the end of FY 2013 and was not 
renewed.

    The loss of streamlined critical pay authority has created major 
challenges to our ability to retain employees with the necessary high-
caliber expertise in the areas mentioned above. In fact, out of the 
many expert leaders and IT executives hired under critical pay 
authority, there are only 10 IT experts remaining at the IRS, and we 
anticipate there will be no staff left under critical pay authority by 
this time next year. The President's FY 2017 Budget proposes 
reinstating this authority, and I urge the Congress to approve this 
proposal.

    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
this concludes my statement. I would be happy to take your questions.

                                 ______
                                 
                 Prepared Statement of Hon. Ron Wyden, 
                       a U.S. Senator From Oregon
    Hackers and crooks, including many working for foreign crime 
syndicates, are jumping at every opportunity they have to steal hard-
earned money and sensitive personal data from U.S. taxpayers. It 
happens online and in the real world. And in my view, taxpayers have 
been failed by the agencies, the companies, and the policymakers here 
in Congress they rely on to protect them.

    It was unacceptable for the IRS to leave the front door open to 
hackers by using a weak authentication process for its Get Transcript 
system. It meant thieves could walk through the door and steal the tax 
information of three quarters of a million taxpayers.

    And to make matters worse, after the IRS mailed special Identity 
Protection PIN numbers to the hacking victims, it repeated its mistake 
and used lax security online. For the tax scammers, once again it was 
as easy as going online, plugging in the personal data you've already 
stolen, and pretending to be somebody who's lost their IP PIN. So after 
leaving the front door open, the IRS left the back door open, too. 
There is no excuse for this.

    But poor protection of taxpayer information is not just a problem 
at the IRS--there's a lot of blame to go around. Already this tax 
season, hackers have gotten into the inadequately guarded systems of 
private software firms and stolen personal information from thousands 
of people. And it's my judgement that you can't have an honest 
discussion about protecting taxpayer information without including the 
vulnerabilities from e-file providers, as well as crooked return 
preparers who operate in the shadows and steal from customers.

    For years Republicans and Democrats agreed on the need for minimum 
standards for return preparers, but Congress has sat back and watched 
while criminals have come in and preyed on taxpayers. When it comes to 
blocking hackers, Congress has done next to nothing while the IRS loses 
its ability to hire the experts who can keep taxpayer information safe.

    If you're a top-notch tech expert, you're already taking a pay cut 
to work in public service compared to what you'd earn at firms in 
Oregon or California. Now, without what's called ``streamlined critical 
pay authority,'' it can take 4 to 6 months to bring a new hire on board 
at the IRS. So let's be clear: taxpayer information is under assault 
every day, but the IRS does not have the legal authority it needs from 
Congress to build a cybersecurity team that can beat back the crooks.

    Already there's been an exodus of high-ranking IRS tech staff. The 
Director of Cybersecurity Operations left a month ago. The terms for 
the remaining employees working under this authority continue to 
expire, including for one of our witnesses, Chief Technology Officer 
Terence Milholland. Come 2017, there will not be any left.

    So today, instead of rehashing the past and beating up on one 
agency or one firm, this committee ought to focus on how to step up the 
fight against hackers and crooks across the board. It's my view that 
streamlined critical pay authority is a key part of the solution. There 
was a bipartisan bill ready to go last fall, and this committee ought 
to move forward on it as soon as possible. Furthermore, Congress needs 
to make more than token investments in IT at the IRS. Congress has held 
the IRS' tech budget below where it was 6 years ago, but you can bet 
that the hackers haven't backed down since then.

    Next, the IRS and private firms need to do much more to keep 
taxpayer information safe in their systems. The Get Transcript hack I 
mentioned earlier has been well documented. And a recent audit by the 
Online Trust Alliance found that the security maintained by private 
free-file services did not meet expectations. It is unacceptable for 
troves of taxpayer data to be more vulnerable to hacking than many 
social media or e-mail accounts. And the committee ought to consider 
whether the IRS has the authority it needs to guarantee that the 
security used by private software firms is up to snuff.

    While many tax preparers are honest practitioners, there are always 
some bad apples in the barrel. Last year Senator Cardin and I 
introduced a bill giving IRS the authority to regulate tax return 
preparers. Senator Hatch and I have worked to create a bipartisan 
identity theft bill for markup in the Finance Committee, which I had 
hoped would include the regulation of return preparers. It is still my 
view that people handling sensitive taxpayer information should meet 
minimum standards and that the committee should vote to require that.

    It's already open season for hackers to steal money and data from 
hard-working Americans, so congressional inaction should not make the 
situation worse. With tax day approaching, millions of Americans are 
filing their returns online, through the mail, or with a private return 
preparer. This committee has a responsibility to protect taxpayers no 
matter what filing method they choose. So I see this hearing as an 
opportunity to find bipartisan solutions on all fronts.

                                 ______
                                 

                             Communication

                              ----------                              


                Statement for the Record by Kwame Gyamfi

         ``Cybersecurity and Protecting Taxpayer Information''

                             April 12, 2016

Senate Committee on Finance
Dirksen Senate Office Building
Washington, DC 20510-6200

I had the opportunity to attend the ``Cybersecurity and Protecting 
Taxpayer Information'' panel discussion on April 12, 2016. The purpose 
of this statement is to bring to this committee's attention the 
importance of developing safeguards to protect the public after a data 
breach has been uncovered. As a matter of public record, the OPM data 
breach of former and present federal employees and contractors 
indicated that the personal and private information had been breached 
from the eQip system. The OPM then instituted an identity theft 
monitoring system designed to safeguard the victims of this data breach 
in the event their private information was used against them. 
Unfortunately, these traditional safeguards are antiquated and 
outdated.

Hence, cyber-criminals are far more sophisticated and have developed 
tools and applications to subvert the traditional methods of targeting 
fraud victims. Therefore, this honorable committee must consider 
encouraging the executive branch to consider monitoring sophisticated 
``shadow'' and ``ghost'' applications that act as front-end 
applications that mimic official government systems. Unfortunately, 
during the hearing the focus was primarily a discussion about hiring 
industry leaders in cybersecurity to assist the agency (IRS) in 
protecting the taxpayer information. However, this discussion did not 
take into consideration the ``real-world'' applications of how cyber-
criminals manage and process breached taxpayer data.

In closing, ``shadow''' and ``ghost'' applications are systems that 
simulate official government systems, but are instead fraudulent 
applications. These systems are able to process millions of taxpayer 
dollars via bogus government letterhead ``.us'' domains and skewed 
legal jargon designed to confuse the targeted victims in banking and 
private industries. Hence federal government agencies must be vigilant 
in leading the charge against cybersecurity fraud and not just focus on 
the breach within the agency, but consider the sophistication of cyber-
criminals that lay within and outside the federal government.

                                   [all]