[Senate Hearing 114-428]
[From the U.S. Government Publishing Office]
S. Hrg. 114-428
THE IRS DATA BREACH: STEPS TO PROTECT AMERICANS' PERSONAL INFORMATION
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JUNE 2, 2015
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
95-655 PDF WASHINGTON : 2016
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-001
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MICHAEL B. ENZI, Wyoming
KELLY AYOTTE, New Hampshire
JONI ERNST, Iowa
BEN SASSE, Nebraska
THOMAS R. CARPER, Delaware
CLAIRE McCASKILL, Missouri
JON TESTER, Montana
TAMMY BALDWIN, Wisconsin
HEIDI HEITKAMP, North Dakota
CORY A. BOOKER, New Jersey
GARY C. PETERS, Michigan
Keith B. Ashdown, Staff Director
Gabe Sudduth, Senior Professional Staff Member
Gabrielle A. Batkin, Minority Staff Director
John P. Kilvington, Minority Deputy Staff Director
Stephen R. Vina, Minority Chief Counsel for Homeland Security
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk
CONTENTS
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator Carper............................................... 2
Senator Ernst................................................ 14
Senator Ayotte............................................... 16
Prepared statements:
Senator Johnson.............................................. 47
Senator Carper............................................... 49
WITNESSES
Tuesday, June 2, 2015
Michael Kasper, Poughkeepsie, New York........................... 4
Kevin Fu, Ph.D., Associate Professor, Department of Electrical
Engineering and Computer Science, University of Michigan....... 6
Jeffrey E. Greene, Director, Government Affairs, North America,
and Senior Policy Counsel, Symantec Corporation................ 8
Hon. John A. Koskinen, Commissioner, Internal Revenue Service, U.S.
Department of the Treasury; accompanied by Terence V.
Milholland, Chief Technology Officer, Internal Revenue
Service, U.S. Department of the Treasury...................... 22
Alphabetical List of Witnesses
Fu, Kevin, Ph.D.:
Testimony.................................................... 6
Prepared statement with attachment........................... 53
Greene, Jeffrey E.:
Testimony.................................................... 8
Prepared statement with attachment........................... 66
Kasper, Michael:
Testimony.................................................... 4
Prepared statement........................................... 51
Koskinen, Hon. John A.:
Testimony.................................................... 22
Prepared statement........................................... 79
APPENDIX
Chart referenced by Senator Johnson.............................. 85
Krebs Article.................................................... 86
Nextgov Article.................................................. 89
Response to post-hearing questions submitted by Hon. Koskinen.... 92
THE IRS DATA BREACH: STEPS TO PROTECT AMERICANS' PERSONAL INFORMATION
----------
TUESDAY, JUNE 2, 2015
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 2:03 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, Ayotte, Ernst, Carper, Baldwin,
Booker, and Peters.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. This hearing is called to order.
I want to thank the witnesses for appearing here today and
for your thoughtful testimony. I am looking forward to it as
well as your answers to our questions.
We are going to have a little bit of a scheduling struggle
here. We have some votes at 2:30, and I think we will try and
keep the hearing going as best as possible, depending on what
Members we have that can maybe fill the chair. But, again, this
hearing is all brought about by the revelations last week. I
got a call from the Commissioner of the IRS informing me of
the--it is not necessarily a breach. I guess you could call it
a breach, but it is not your standard cyber attack that we have
been talking about. This is just simply a breach of
confidentiality in a system that is meant to assist taxpayers,
and it brought all kinds of questions to mind: What type of
authentication system, what kind of security system is being
utilized here, not only within the Internal Revenue Service
(IRS) but also other agencies in the government? And what we
are starting to find out is, well, different agencies--the
Social Security Administration (SSA), we have the Centers for
Medicare and Medicaid Services (CMS) with Healthcare.gov,
similar types of systems. I know the IRS now has shutdown the
Get Transcript program. These are some serious issues that we
need to address.
Because we are short on time, I will have my opening
statement entered into the record,\1\ without objection.
---------------------------------------------------------------------------
\1\The prepared statement of Senator Johnson appears in the
Appendix on page 47.
---------------------------------------------------------------------------
Senator Carper. Without objection.
Chairman Johnson. Senator Carper is generally pretty good
about that. But, again, these are serious issues. Because we
had the compromise of about 100,000 taxpayer Get Transcript
accounts, the IRS has already tracked that we have had about
13,000 questionable tax returns filed, and that is, of course,
why the hackers are doing this, is to get the information to
quickly file a tax return with good information so it is not
flagged by the IRS so they can claim tax refunds and obtain
those before the taxpayer whose identity has been stolen even
knows about it.
According to my briefing here, about $39 million has
already been transferred from the IRS to those criminals. We do
not know how much more widespread this will be, not only in the
IRS but also Social Security, CMS, the Consumer Financial
Protection Board (CFPB). We have a lot of questions that will--
this is just the beginning hearing to get to the bottom of it.
With that, I will turn it over to our Ranking Member,
Senator Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thanks, Mr. Chairman. Thanks for holding
the hearing, and to each of our witnesses, thanks so much for
joining us.
I had a Finance Committee hearing earlier today, and John
Koskinen, who is the Commissioner of the IRS, was one of our
two witnesses, joined by the Inspector General (IG) for the IRS
as well, General George, so I am getting a full dose of this
today. In fact, we are getting a full dose of this across
America. And it is a timely hearing. Sorry we have to have this
kind of hearing, but it is important that we do have a number
of them.
Nearly every day, we learn of another major cyber attack or
data breach on an American company or organization. In many
ways, we are dealing with what is really an epidemic of online
theft and fraud. That epidemic is growing at an alarming rate
and continues to victimize and frustrate more and more of us,
including my own family.
Over the past several months, for example, we witnessed
several major companies in the health care sector suffer major
data breaches. And, of course, we know that our government
networks are under constant attack in cyberspace. These attacks
are growing ever more sophisticated, too. That is happening at
least in part because our defenses are getting better. Still,
we must do more to stay ahead of those that would do us harm.
And we must learn from those instances when criminals have been
successful in getting past the protections we have put into
place and can create havoc for us.
Today we are going to take a closer look at the recent
cyber attack on the IRS. We will examine what went wrong, how
the IRS is trying to repair the damage, and what we can do to
reduce the likelihood that something like this happens again,
either at the IRS or some other place.
From what we know so far, though, the attack on the IRS
appears to have been an especially sophisticated one. We also
know that the IRS had defenses and fraud prevention measures in
place at the time of the attack. Yet despite the precautions
that were taken, skilled criminals were able to use innovative
tactics to trick the IRS system into releasing past tax
returns. Given the vast amounts of sensitive information the
IRS possesses, it is critical that the agency continues to do
more to protect the American taxpayer. In fact, all agencies
need to step up their efforts and improve their cybersecurity
posture. The wake-up call has been ringing for years now, and
we need an all-hands-on-deck effort to respond to it.
As we know, cybersecurity is a shared responsibility. Those
of us here in Congress have an obligation to ensure that
agencies have the funding, the tools, and the authority that
they need to adequately protect their systems from attack.
Unfortunately, Congress has significantly reduced IRS funding
in recent years, and we have done so while also tasking the
agency with far greater responsibilities. In fact, the IRS is
operating at its lowest level of funding since fiscal year (FY)
2008. These cuts have had real consequences for the agency and
for American taxpayers. I look forward to hearing from the
Commissioner today about what he needs to better protect his
agency from fraud and cyber attacks.
Here in the Committee, we have been working hard to address
our country's cybersecurity challenges, I think to good effect.
Last year, our efforts led to the enactment of four key pieces
of cybersecurity legislation. One of these bills updated the
Federal Information Security Management Act (FISMA), to better
protect Federal agencies from cyber attacks. Another codified
the DHS cyber operations center. And two others strengthened
the cyber workforce at the Department of Homeland Security
(DHS).
This year, I introduced an information-sharing bill and
have been working closely on this issue with our colleagues on
the Senate Intelligence Committee. I have also been working
closely with Senator Blunt on data breach legislation that will
create a national standard for how we protect data and
consumers.
We must move these important pieces of legislation and
provide our agencies with the resources they need to tackle the
growing cyber threats.
With that, let me thank you again for joining us here
today. We all look forward to your testimony.
Thank you, Mr. Chairman.
Chairman Johnson. Thank you, Senator Carper.
It is the tradition of this Committee to swear in
witnesses, so if you will all stand and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
Mr. Kasper. I do.
Dr. Fu. I do.
Mr. Greene. I do.
Chairman Johnson. Please be seated.
Our first witness is Michael Kasper. Mr. Kasper is a
software engineer from Poughkeepsie, New York--love that name--
testifying as a victim of identity theft in the IRS data breach
that is the subject of this hearing. Mr. Kasper.
TESTIMONY OF MICHAEL KASPER,\1\ POUGHKEEPSIE, NEW YORK
Mr. Kasper. Yes, I should clarify. I am one of those 13,000
who had their transcript and their refund stolen. But before I
launch into my story, I want to share a few of the things I
learned along the way, specifically that the Get Identity
personal identification number (PIN) function on the IRS
website uses the same authentication as the Get Transcript, so
I think that that should also be investigated before any of the
victims are hit 2 years in a row. E-file PINs are even easier
to get. In my opinion, PIN numbers should probably only be sent
by mail, like banks and credit cards do at this point.
---------------------------------------------------------------------------
\1\The prepared statement of Mr. Kasper appears in the Appendix on
page 51.
---------------------------------------------------------------------------
I do not believe that punishing the IRS by cutting funds is
the answer. Indiana is an example where they spent $8 million
on ID theft and saved $88 million as a result, preventing that.
So I think you could see a large return because there is so
much of this going on. Over a million people were victims of
stolen identity refund fraud last year, $5.8 billion lost. I
was trying to look for analogies for that. There are usually
around 5,000 bank robberies a year averaging a similar amount,
$6,000 each. So this is equivalent to 1 million bank robberies
every year. In other words, those 5,000 banks are each getting
robbed again 200 times. It is a massive problem. If the IRS
cannot handle investigating these cases, maybe they should be
given to the Federal Bureau of Investigation (FBI). I mean,
single-digit audit rates for taxpayers make sense, but I do not
think single-digit criminal investigation rates for these cases
do make sense. I have heard that that is around what they do. I
have a source I can give you offline.
The other thing they could do, which the Senator from New
Hampshire brought up, about sharing information with the
taxpayers so that they can pursue it themselves, like I did,
giving you a copy of the tax return so you can call the bank,
call the local police. It is important when they share those
that they do not redact the payment address or bank account
information, because that is how I was able to get a result in
my case.
On February 6, I tried to file my taxes. Later that night,
Friday evening, I got a rejection. Someone had already filed.
So on Monday morning, I called the IRS, and they confirmed
my identity by asking tax history-related questions and showed
me that a deposit was being made the same day that I was
calling into somebody's account, but that it was too late to
stop it at that point. And because I had not called a day
earlier, now they had to wait until all my paperwork was
processed by mail, which could take up to 6 months.
They said they would not contact the bank to tell them
about it, and they would not tell me what the bank account
information was so I could do that myself. So I was frustrated
by that. That is when I tried the Get Transcript function on
the IRS website to see if I could get a transcript and found
out someone else had already registered their e-mail address
with my Social Security number (SSN). IRS e-Services was able
to disable online access to my account, but they would not tell
me what the e-mail address was, but they did think it was
suspicious for some reason. So that was February 9 when I
called and talked to them about that.
I was able to get a transcript by mail, though, which is
when I found out that whoever had filed had seen my 2013 return
because the information was almost identical. It was kind of
scary.
So then I found out I could get a photocopy for $50. They
had been telling me I could not get the information, but if I
paid $50, I could get it. So March 17, I got a photocopy of the
return and saw the bank account number. I also saw they filed a
corrected W-2 to get $6,000 more, almost $9,000 total.
But I contacted the bank in Pennsylvania. They confirmed a
deposit was made in--I guess the meta data in the deposit
actually showed my name and my Social Security going into
someone else's checking account. So they told me the location,
Williamsport, Pennsylvania, where all the money was withdrawn,
and I contacted the local police there. The bank fraud
department also investigated and asked them to return it. But
the local police called me back right away, actually, and went
and interviewed the person, and it was ironic because the same
day that they interviewed the suspect, I got a letter in the
mail from the IRS that they had 6 weeks later received my
documentation and that they would get back to me in 6 months.
So it was a pretty stark contrast.
I also got a letter that week from Anthem Health Care
offering me free credit monitoring. I do not really know if
that is related to how my information was obtained. But at this
point, it seemed like the case was solved, but it turned out to
be more complicated because the account holder claimed she had
responded to a Craigslist ad offering a job opportunity. Money
was deposited into her account, and then she wired large
amounts of it to Nigeria through Western Union, apparently not
really suspecting there was anything wrong, or at least not at
first. But she also got someone's deposit from South Dakota.
I finally got my refund check on May 12. I really think
contacting the bank myself helped make a difference. The woman
who got my refund has been arrested by the Williamsport police,
so that is some progress on my case. But I have heard from the
IRS my case is confirmed, but I do not know if they
investigated it criminally.
Chairman Johnson. Thank you, Mr. Kasper.
Our next witness is Dr. Kevin Fu. He is an associate
professor of electrical engineering and computer science at the
University of Michigan where he specializes in cybersecurity
and trustworthy computing. Dr. Fu.
TESTIMONY OF KEVIN FU, PH.D.,\1\ ASSOCIATE PROFESSOR,
DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE,
UNIVERSITY OF MICHIGAN
Dr. Fu. Good afternoon, Chairman Johnson, Ranking Member
Carper, and distinguished Members of the Committee. I am
testifying before you today on the use of what is known as
``secret questions'' and instant knowledge-based authentication
(KBA), related to the recent IRS breach. I will explain the key
properties of instant KBA and try to give you a better
understanding of the current challenges and vulnerabilities,
and I will close with some recommendations on what can be done
in the future to avoid similar large-scale breaches.
---------------------------------------------------------------------------
\1\The prepared statement of Dr. Fu appears in the Appendix on page
53.
---------------------------------------------------------------------------
At Michigan, we teach programming to over 1,300
undergraduates each year, but we teach a rigorous course in
computer security to just slightly more than 400 students, and
I regret that means most of these programmers have no formal
security training in case you are wondering how the security
vulnerabilities are born.
But there are three basic ways to authenticate an identity;
that is, something you are, such as a fingerprint; something
you have, such as a mobile phone; or something you know, like a
password or, in this case, a secret question. Or as we like to
say in the academic circles, it is something you were,
something you lost, or something you forgot. But today we will
talk mostly about knowledge-based authentication, and financial
websites often ask users to opt in to store answers to personal
questions, such as ``Where did you meet your spouse?'' to serve
as a backup mechanism to reset lost or stolen passwords.
However, this is not the kind of instant KBA we are talking
about today.
In instant knowledge-based authentication, there is no opt-
in process. Instead, the website--in this case, the IRS Get
Transcript site--quizzes a user with information gathered from
credit reports and other sources to gain confidence in a
claimed identity. For example, a user might be asked to
identify the bank holding their mortgage from a multiple choice
list.
Now, let me highlight some of the strengths and weaknesses
of instant KBA. The main strength is that it is fairly easy to
use, relatively easy to use. However, the major limitation is
that the security rests on the crumbling assumption that
personal information is secret.
Now, instant KBA does increase the difficulty of attack,
but sophisticated adversaries can, nonetheless, circumvent the
protections at unprecedented scale. A seemingly unrelated
compromise at one site, such as Target or Anthem, could affect
the security at a different site, such as IRS.
Now, only using a stolen wallet, an attacker may struggle
to answer four instant KBA questions like you will find on the
IRS website. Unfortunately, this threat model is no longer
realistic as countless databases of personal information have
been breached.
Also, taxpayers get no chance to opt out of the risks of
instant KBA, and let me point out that the National Institute
of Standards and Technology (NIST) explains in a technical
report--I will just cite one phrase--that they write that it is
``inappropriate to involuntarily expose the privacy of
unknowing citizens to the risks of an instant KBA
authentication scheme unless the risks for any individual
citizen is very close to zero.''
Now, there are alternatives that might improve the
effectiveness of the authentication at IRS and other Federal
agencies serving the citizens of this country. One example is
what is known as ``second-factor authentication.'' The use of a
second factor paired with instant KBA can make it more
difficult for an adversary to impersonate a taxpayer. So a
popular second factor is possession of a mobile phone, proving
that you have a mobile phone associated with your account.
Now, notification is also a challenge. The IRS could
attempt to use contact information from tax returns to reach
out to the taxpayer or the accountant to warn of an attempted
download of a transcript, but such systems are still subject to
things known as ``phishing attacks'' or ``social engineering''
and also would remove the instant gratification of the
download.
Now, NIST launched the National Strategy for Trusted
Identities in Cyberspace (NSTIC) to improve authentication of
identities, and has a 10-year road map that may help the IRS to
develop a more cost-effective authentication strategy that
works well.
I would like to draw attention to what is used in the
financial sector, which has been subject to widespread fraud by
callers on the phone who attempt to engage in identity theft.
One novel approach already being used today is to identify
repeat fraudsters by the manner in which they speak and their
cadence. So it makes it harder for an adversary to impersonate
100,000 people at once.
Now, let me summarize and I will leave the rest for my
written testimony. There will always be fraud, but a reasonable
goal is to make it difficult for a single adversary to commit
wide-scale automated fraud. Some recommendations include asking
NIST to help develop KBA security and performance standards so
that Federal agencies can more meaningfully debate acceptable
residual risk to avoid using Social Security numbers or
financial records as secrets for single-factor authentication
and consider pairing KBA with a second factor of
authentication, such as Short Message Service (SMS) messages or
voice-based fraud detection.
Finally, encourage research collaboration between
cybersecurity experts and social and behavioral science to
carry out human subjects experiments that help to measure the
risks and benefits of knowledge-based authentication.
Thank you. I am happy to answer any questions you may have.
Thank you.
Chairman Johnson. Thank you, Dr. Fu.
Our next witness is Jeff Greene. Mr. Greene is the Director
of government affairs, North America, and senior policy counsel
at Symantec Corporation where he focuses on cybersecurity, the
Internet of Things, and privacy issues. Mr. Greene.
TESTIMONY OF JEFFREY E. GREENE,\1\ DIRECTOR, GOVERNMENT
AFFAIRS, NORTH AMERICA, AND SENIOR POLICY COUNSEL, SYMANTEC
CORPORATION
Mr. Greene. Chairman Johnson, Ranking Member Carper,
Members of the Committee, thank you for the opportunity to
testify. I am going to talk a little bit about the broader
cyber threat environment to put this particular attack into
context.
---------------------------------------------------------------------------
\1\The prepared statement of Mr. Greene appears in the Appendix on
page 66.
---------------------------------------------------------------------------
As the largest security software company in the world, our
global intelligence network is made up of millions of sensors,
so we have a pretty broad perspective on what is going on in
the Internet today and the Internet threat landscape.
Recent headlines about cyber attacks have focused a lot on
data breaches across the spectrum of industries. These
compromises have deep impacts on individuals who have their
identities compromised and have to worry about it, companies
that have their systems penetrated, and also government worried
about protecting their citizens and also about how to catch the
criminals.
The magnitude of the theft of personally identifiable
information (PII) is really unprecedented. Over the past 3
years, approximately 1 billion identities have been exposed,
and those are just from the breaches that we know about today.
The attackers run the gamut. They can include highly
sophisticated, highly organized criminal enterprises,
individual cyber criminals, so-called hactivists, or State-
sponsored groups. Different attacks range from distributed
denial of service (DDoS) attacks to highly targeted to widely
distributed financial fraud schemes.
Now, a DDoS attack is an attempt to overwhelm a system with
data. Targeted attacks will typically try to trick someone into
opening either an infected file, go to a bad link, or something
similar. And, of course, there are scams and blackmail schemes
trying to gain money that are still out there.
Some of these will fill your screen with pop-ups telling
you that your computer is infected with a fake virus. Other of
them will lock your computer, purport to be from law
enforcement, and assert that you have some type of illegal
content, asking for a fine to be paid in order to regain your
computer.
The most recent scheme, though, has gone from trickery to
straight-up blackmail. Your computer will be locked. You will
get a screen saying your hard drive is encrypted. Typically it
will be, and the only way you get access to your data is by
paying a ransom.
We are also seeing increasingly complex and sophisticated
efforts by criminal syndicates to use personal information,
some stolen, some publicly available, to perpetrate a variety
of different scams, and that is what happened here with the
IRS.
Critical infrastructure like the power grid, the water
system, and mass transit are also at risk. Last year, we issued
a report about an attack that we called ``DragonFly'' that was
focused on the energy sector. It was not the first we have seen
on the energy sector. In fact, in 2012, cyber attackers mounted
a campaign against the Saudi Arabian national oil company and
destroyed 30,000 computers. They essentially wiped them and had
them display an image of a burning American flag.
Last year, the German Government disclosed that there was a
cyber attack on a steel plant that resulted in massive physical
damage. So we are seeing it across sectors.
Most of these attacks start with a common factor, a
compromised computer, and we frequently hear about advanced
persistent threats (APTs). But the discussion of cyber attacks
too often ignores the psychology of the exploit. Most rely, as
Dr. Fu said, on social engineering, essentially trying to trick
you into doing something that you would never do if you were
fully aware of the import of your actions. In short, a
successful attack is usually as much psychology as it is
technology.
Good security stops most of these attacks, which often seek
to exploit older, known vulnerabilities. But many organizations
and individuals do not have security in place or have not
patched their systems, and they remain vulnerable to existing
problems.
Systems that use these knowledge-based authentication
systems, or KBA, are increasingly under attack, and we are
seeing an uptick of these second-generation compromises where
attackers are using this personal information previously stolen
or publicly available, harvesting it and using it to either
access data or establish new accounts for future fraud or
direct theft.
To combat these threats, we work with government and
industry across the world. We have been involved in several
major botnet takedowns. These are networks of zombie computers
that have led to some prosecutions. And we also are part of
what we call the ``Cyber Threat Alliance.'' We joined with the
Palo Alto Networks, McAfee, Fortinet last year to co-found
this. This is a group of cybersecurity providers. We share
advanced cyber threat information, at the same time protecting
the privacy of our customers.
So what can all of us do at an individual level? Good
protection requires a plan. Strong security should include
intrusion protection, reputation-based security, behavioral
based blocking, data encryption backup, and data loss
prevention tools. That is organizationally. While the
criminals' tactics are constantly evolving, basic cyber hygiene
is still the simplest and the most cost-effective way to stop a
lot of the attacks out there.
In fact, early this year, the Online Trust Alliance issued
a report that showed that 90 percent of the major breaches from
last year would have been prevented if businesses had
implemented basic cyber best practices.
With that, I appreciate the opportunity. I am happy to take
any questions you may have.
Chairman Johnson. Thank you, Mr. Greene.
I will start the questioning with Dr. Fu or Mr. Greene,
whoever can answer the question. Where does the IRS obtain the
information they use for the knowledge-based authentication?
Where is all the data coming from?
Dr. Fu. So I am not entirely familiar with where IRS
obtains its data. I am familiar with sister sites where they
obtain their data.
Chairman Johnson. OK, go ahead. I just want to know where
most people obtain this, because this is all commercially
available, correct?
Dr. Fu. Correct. The private sector offers services for
this instant KBA. For instance, one provider, Experian, is used
by some Federal sites to do exactly the same kind of purpose as
the Get Transcript, for instance, the Social Security
Administration.
Chairman Johnson. And where does Experian get all the data
from?
Dr. Fu. I believe they obtain it from credit reports and
other financial data.
Chairman Johnson. Does anybody else want to add to that? Go
ahead, Mr. Greene----
Mr. Kasper. On the IRS website, if you have an Equifax
credit freeze, they will not get asked the questions, which
makes me suspect it might come from Equifax for the IRS.
Chairman Johnson. OK. What I am trying to get at is where
do the data mining companies obtain the information from. Every
time you click on an app, agree to the privacy contracts,
applications, the cookies? In other words, there is a constant
flow of information and personally identifiable information
when we are all using our iPhones and our mobile devices.
Correct?
Mr. Greene. Sure. The individual app will depend upon what
is in the end-user license agreement. There are data
aggregators whose business it is to aggregate data from
whatever sources and to sell it. And as Dr. Fu said, a lot of
it is available from credit reports and elsewhere. So the data
aggregators put that together, and they use that. And most,
whether government or private companies, that use KBA use one
of the credit bureaus or some similar type of data aggregator
for their KBA services.
Chairman Johnson. What I would like to do, because I think,
Dr. Fu, you have been prepped for this, we have a chart\1\ here
of four questions. This was taken from the Healthcare.gov
website in terms of the authentication we are talking about
here. Let us just go through, and can you describe for the
audience and for the Members here exactly how easy this is to
defeat with very limited information or knowledge? The first
question is, ``Please select the county for the address you
provided.''
---------------------------------------------------------------------------
\1\The chart referenced by Senator Johnson appears in the Appendix
on page 85.
---------------------------------------------------------------------------
Dr. Fu. Right. So I think some context is important. This
is the screen presented for the instant KBA. You get four
questions about your personal finances to answer, but before
you get to this page, you first have to enter your name, your
Social Security number, and your address. So the adversary who
has already reached this stage already has quite a bit of
personal information.
So, for instance, if you already know the address of the
taxpayer, it is very easy to figure out where the taxpayer
lives, in what county.
Chairman Johnson. So not a real challenge.
Second question: ``According to our records, you previously
lived in Pickwick. Please choose the city from the following
list where the street is located.''
Dr. Fu. Yes, so in this particular case, you could rule out
streets that make no sense in the particular address of the
taxpayer and basically have a very good chance of getting the
correct answer.
Chairman Johnson. No. 3: ``Please select the city you
previously resided in.''
Dr. Fu. Right. So because these are culled from financial
records and if the adversary does have access to breach data,
this will be readily available.
Chairman Johnson. And, ``According to our records, you
graduated from which of the following high schools?''
Dr. Fu. Right. So with Facebook accounts today, it is
fairly trivial to figure out a high school somebody goes to.
Moreover, if one of your friends posts something about you and
you can figure out their high school, there you have it as
well.
Chairman Johnson. Again, when we go back to just these
highly publicized cyber attacks where all this PII has been
mined, an earlier witness--I cannot remember which one--said
about a billion individuals with their PII compromised, within
the criminal networks, this is the kind of information that a
criminal would have. They would basically have all this
information already, correct? Because it is the exact same
information that these data mining companies are already
obtaining. So you have a perfect match of the information that
the data mining companies are using with the information that
has been criminally obtained through these attacks. Is that
roughly correct?
Mr. Greene. Roughly correct, yes. As more PII is stolen,
the effectiveness of the KBA is going to go down, and you need
to look at other steps to--you can still use KBA as part of the
security procedure, but there are new steps, there are
additional steps you can put in place to try to raise the level
of security there. And Mr. Kasper mentioned out-of-band of
communication like mail. So you go through these steps. You get
to the end of it. Instead of saying, OK, we now know you are
Jeff Greene, it says we are going to send a piece of mail to
Jeff Greene's address with a PIN number or some identifying
number, and that would make it much more difficult for the
criminals because that relies on the known address.
Chairman Johnson. So, again, the point of this is if a
criminal has all that personal information, they have all this
information already, basically. So this is very easy for them
to accomplish what they did with the IRS. Correct?
Mr. Greene. Yes----
Chairman Johnson. And, obviously, it is pretty simple,
because they attempted 200,000 accounts, and they got into
100,000.
Mr. Greene. Correct, on an individual level, yes.
Chairman Johnson. Mr. Kasper, I would like to just have you
describe your frustration in trying to deal with the IRS once
you understood--which, by the way, your case was first
published, what, March 15?
Mr. Kasper. Well, March 30. I think it was March 30.
Chairman Johnson. OK. But, again, it was somewhat
publicized. I know we have either from the testimony and
discussions with the IRS, they were fully aware of this, and
yet they made a decision to continue with this type of
authentication.
Mr. Kasper. I remember Brian Krebs said that the U.S.
Treasury Inspector General for Tax Administration (TIGTA) web
was a frequent visitor to his site in his referrers when he posted
the article. So I think TIGTA was aware.
Chairman Johnson. So, again, just describe to us, kind of
tell your story in terms of when you found out about this, you
started contacting the IRS, how they responded.
Mr. Kasper. Yes, it was frustrating not being able to find
out who had stolen my information because I did not know how
they had gotten it. I did not know if there was a virus on my
computer. I did not know if someone had stolen something from
my home. I did not know how the information had gotten out
there. And there was nothing that I could do about it other
than wait 6 months. I went to my local IRS office. They said,
``We cannot help you.'' They literally, could not give me any
more information now that I had reported it as fraud.
Chairman Johnson. Did they give you any reason why they
could not help you further?
Mr. Kasper. They said privacy rules. At every step of the
case, when I tried to get more information, they would say
privacy rules prevented them from doing that, when the person
who they were protecting had already taken advantage of my
privacy.
Chairman Johnson. OK. Well, we will have the Commissioner
here in the next panel, so we will ask him exactly what those
privacy rules are. Senator Carper.
Senator Carper. Thanks, Mr. Chairman.
Mr. Kasper, you talked about what might not be helpful in
deterring similar attacks in the future, and I think you
mentioned the amount of resources that we, the Congress,
provide to the IRS to do the job. Would you just go back and
sort of revisit what you said to us?
Mr. Kasper. Yes, I was referring to how in Indiana they
were using analytics-based methods of detecting fraud and
additional verification, and basically had invested $8 million
additionally into trying to prevent this thing; whereas, at the
IRS I understand they have had like a 5-year hiring freeze, 20-
percent budget cuts, so that they are not doing those types of
things, as far as I understand.
Senator Carper. Commissioner Koskinen was before us today
in the Finance Committee this morning, and we talked a little
bit about this. We talked about cost-benefit payoffs, and he
was talking about fairly senior-level IRS employees that are
schooled in the cyber world, cyber warfare, and that they are
unable to retain a lot of them. These people are highly in
demand. And for a relatively modest amount of money, we will
say in the million dollars or two, they were--instead of paying
that money in order to attract and retain the kind of talent
that they needed, they incurred losses many times that amount.
How does that strike you?
Mr. Kasper. Yes, it seems like there could be a very big
return on investment for trying to prevent this fraud more, and
especially in the technology industry, there is a lot of
competition for talent. And going to work for the IRS is not on
the top of people's list when they are looking at which high-
tech company they want to go work for, when you have the budget
restrictions and just other factors with trying to get people
to go and work there and help them with this problem--although,
they have a lot of people working on it who are doing a lot of
good things, but they are not able to keep up with the cyber
criminals.
Senator Carper. All right. When we had Commissioner
Koskinen before us this morning, I asked him, in terms of the
way the IRS is treating folks who are victimized, if you will,
because of these attacks, I asked him how the Golden Rule
played into that in terms of treating people, in this case
those who were victimized. How do we treat them in a way that
is consistent with the Golden Rule, treat other people the way
we want to be treated? Would you just maybe draw on your own
experience and see if the way you were treated was consistent
with treating others the way we would want to be treated?
Mr. Kasper. Well, I made the analogy to my contact with the
local police department, which was not even in the same State
where I lived, but the IRS has an identity theft hotline
dedicated for all the people who call, but all they do is sort
of like empathize with you, tell you, the different steps you
can take to put a freeze on your account. They cannot really do
anything for you. So you really cannot get any help directly
from the IRS. They go off and they investigate your case, which
they tell you right off the bat could take 6 months, and you
really do not get any more information than that once you
report it. It either gets resolved or it does not. They never
tell you why. Wanting to know is a big part of the problem. You
want to know what happened, and you cannot find out.
Senator Carper. Let me ask Dr. Fu and Jeff Greene, and we
will come back to you, Mr. Kasper. But if you were in our shoes
and you were a member of the Homeland Security Committee
interested and concerned about these issues, maybe you know
people who have been hacked, maybe you have been hacked
yourself, give us one or two things that you would do if you
were in our shoes. I think one of you maybe once worked over in
the House and had a chance to wrestle with these kinds of
policy issues. So, Dr. Fu, give us one or two things that we
ought to be doing in response.
Dr. Fu. Well, from a policy point, actually I will refer to
Mr. Greene; he talked about the psychology of the exploit. And
one of the problems is on the science and engineering side
there is very little understanding about how to measure these
kinds of authentication systems, how well they work. There are
quite a few negative results about how they do not work, but
there is very little on the instant KBA. So encouraging those
in academia, for instance, who work in cybersecurity to also
work with those in the social and behavioral sciences could be
helpful in discovering what kinds of authentications will work
well for the entire U.S. population. That is one example.
Senator Carper. OK. Do you have another one?
Dr. Fu. Well, on the technological side, there are issue
approaches like the two-factor authentication I mentioned. It
is interesting to note that IRS did use a second factor of e-
mail confirmation and, in fact, Google in a recent report
published last week has recommended that you do that. And so
the IRS did follow that recommendation, yet the intruders did
still circumvent it.
Senator Carper. How do you suppose they did that?
Dr. Fu. I would imagine----
Senator Carper. They work for Google?
Dr. Fu. No, I do not work for Google.
Senator Carper. No, I was saying that----
Dr. Fu. Oh, I am sorry. My understanding when you register
on the Get Transcript site is that you register an e-mail
address, and you have to wait to receive a confirmation before
you can go to the next step of filling out those four personal
questions. So the adversary had to set up presumably a large
number of e-mail accounts in order to receive that confirmation
code to go to the next step. However, had they instead also
paired it with some kind of phone number, it would increase the
difficulty of having to compromise multiple systems.
Senator Carper. All right. Thanks.
Mr. Greene, let us just say you are back in your old job
over in the House and giving advice to guys and gals like us.
What advice would you have for us?
Mr. Greene. I think on the technical side, Dr. Fu said
about encouraging two-factor authentication and recognizing
there is a difference between identity verification when you
initially set up an account. If you are sending the
confirmation to the e-mail you asked for when they set up the
account, it is circular. So you are still dealing with the same
person, some type of out-of-band communication, whether through
the phone or through a letter. So that is on the front end.
On the back end, once you have established the account,
using some kind of two-factor authentication to make sure that
no one has the stolen information the Chairman was talking
about is important on the policy side. Research and development
(R&D) and technical experts, the Science, Technology,
Engineering and Math (STEM) training, I am sure you have heard
that frequently we need more STEM experts. Information-sharing
legislation will help, it will not be a panacea. We do
encourage it. We just caution that it is incremental steps to
fighting this. Those are several of the things that we would
like to see. The government can set an example. If we can
improve the use of KBA through two-factor in the government, I
think the market and the private sector will follow.
Senator Carper. All right. Thank you so much.
Chairman Johnson. Senator Ernst.
OPENING STATEMENT OF SENATOR ERNST
Senator Ernst. Thank you, Mr. Chairman, and thanks to our
panelists for being here today. This is a very timely issue. I
am glad we are able to discuss it right away, so I thank the
Chairman and the Ranking Member for calling this hearing.
I do have, as I am sure most folks do, very serious
concerns about the implications of this type of data getting
out there and how easily it seems to be obtained by these
people hacking into different systems. So I look forward to
learning more about it and hearing your additional thoughts on
it.
But what I would like to find out just from you, either Dr.
Fu or Mr. Greene, is: Are there readily available private
sector solutions for this that could be compared? The website
you talk about the KBA. Are there private sector firms that use
this type of information? And what is the best way to replace
what we are doing now with a better, more secure system?
Mr. Greene. So there are security measures, certainly,
Senator, you can put in place. Many of the KBA back ends are
provided by the private sector and, in fact, are used by the
private sector. The security that worked 3 to 5 years ago is
not working as well today because of the information that was
stolen.
Through the initial log-in process, when you are setting up
the account, there are two ways I look at it. One is: How do
you prevent a fraudulent account from being set up? How do you
stop it before it happens? And that would be through some form
of two-factor authentication, improving KBA, and there are
different ways to do it, one of which we have talked about, the
phone or a letter.
On the back end, to try to see who is doing this activity,
there are ways to basically take the data logs from the servers
that are logged in, perform analytics on them, and see if you
are seeing a pattern of activity that is indicative of some
level of fraud.
Now, to some degree, for a few people, the horse is going
to be out of the barn at that point, because you may already
have some false log-ins. But you need to be looking at it from
both ends, and we are never going to be able to stop 100
percent of it. But as the criminals get more sophisticated, the
tools that worked well become less effective. And I think that
is where we are with KBA, and there are ways to improve it
going forward.
Senator Ernst. Dr. Fu.
Dr. Fu. Well, let us see. I think I have two different
responses. One is NIST, so NIST actually has proposed this 10-
year road map called the National Strategy for Trusted
Identities in Cyberspace, and, in fact, they already have given
advice to IRS, and there is a published report. And I think
that the Federal systems will find better authentication
systems if they do engage with NIST and take the advice of
NIST's independent, non-regulatory experts. They have a wealth
of information on the technologies, the risks, the benefits.
There is also a number of companies working in the two-
factor authentication space. I do not know any that
specifically work on, for instance, protecting taxpayer
information, but one company local in Ann Arbor, Duo Security,
for instance, uses a mobile phone as a second factor. So when
they attempt to have their customers log in to some kind of
service, not only do you need to have a password, but you need
to have a mobile phone present, and the idea is that it is more
difficult for an intruder to physically steal your mobile phone
if they are somewhere in a foreign country.
There is also some interesting innovation by a company that
I believe had come out of Georgia Tech, PinDrop Security. They
actually work for financial services companies. They listen to
the audio of the phone calls as people call in, and they are
able to actually identify the repeat offenders who are calling
in pretending to be other people based on the delay in the
phone line from what country they are coming from, some
interesting characteristics of the copper wires. You could use
some of these advanced technologies not to eliminate but at
least reduce the risk of fraudsters trying to go from one
fraudster doing 100,000 accounts to at least making it more
difficult to scale up to so many different accounts from one
adversary.
Senator Ernst. Thank you. And, Mr. Kasper, I am sorry you
have had to go through this experience, as so many others have.
You had indicated that the IRS thought the e-mail account--and
maybe I read this somewhere, that the e-mail account was
suspicious. Was that from your testimony or was that somewhere
else that I read that?
Mr. Kasper. Yes, I do not remember the exact words that
they used, but when I was on the phone with them, they said,
``Hmm, yes, that does not seem right,'' or something like that.
Senator Ernst. Yes, it makes me wonder, especially if these
are coming from foreign adversaries, that if they have a
different e-mail address that indicates it is coming from,
originating from a foreign nation, that that is something that
could be flagged to require additional information. I do not
know if that is something else that could be considered.
Mr. Kasper. Yes, there are probably some analytics they
could do just on the domain name, because they highlighted that
200,000 had these suspicious domain names. But it is also very
easy to get a Hotmail or Yahoo e-mail account and automate that
and have some type of process for taking advantage of it.
So there are things that it seems like they were not doing
with monitoring those servers and transactions that they could
have been doing.
Senator Ernst. Well, thank you.
Mr. Kasper. Like the Internet Protocol (IP) addresses and
all that.
Senator Ernst. Exactly. And do any of you know, has the IRS
reached out to any private sector providers to try and correct
the system that they have now or done any sort of control
measures? Do any of you know?
[No response.]
OK. That is a question for our next panel. Well, I
appreciate it very much. I thank you for your time, and
hopefully we can get to the bottom of this and find better ways
of utilizing our information systems. Thank you.
OPENING STATEMENT OF SENATOR AYOTTE
Senator Ayotte [Presiding.] While the Chairman is voting, I
am going to sit here, but it is my turn to ask questions, so I
actually wanted to ask you, Mr. Kasper, you referenced the
recent response I got from the Commissioner of the IRS, and
what actually prompted me to write this letter, similar to your
experience, is that I have had a number of constituents come to
me and some really troubling cases where they just were getting
the runaround from the IRS, that they could not actually get
the fraudulent return so that they could then pursue protecting
themselves in the way that you did. And so I was glad,
obviously, to hear that the Commissioner is now--they are going
to change their policy, and I am going to have some followup
questions on how they intend to implement that going forward in
the next panel. But what I wanted to ask you about was a couple
of things.
First of all, you referenced a $50 fee. Who did you have to
pay the $50 to?
Mr. Kasper. Well, the check was to the U.S. Treasury, but
it was IRS Form 4506, and I mailed it to Missouri or somewhere,
or Kansas City, and paid $50. It was an IRS fee to get that
photocopy.
Senator Ayotte. So you had to pay the $50 to get what you
were able to get about your return?
Mr. Kasper. To get a photocopy of the return which showed
the account number, I had to pay the $50.
Senator Ayotte. And then, also, how were you originally
notified that you were a victim of identity theft?
Mr. Kasper. On February 6, I got the e-mail notice that my
attempt to file was rejected. So I got the rejection notice,
and there was a code in there and an explanation that it was a
duplicate tax identifier, which just a little time on Google I
figured out that is identity theft, so I need to call the
identity theft hotline.
Senator Ayotte. And when you called, how many different
people did you deal with?
Mr. Kasper. At least four or five. It was about 1 or 2
hours on hold each time that I called.
Senator Ayotte. So four or five different people and each
time 1 or 2 hours on hold?
Mr. Kasper. That is correct.
Senator Ayotte. And so did you have to retell your story
each time to each new individual?
Mr. Kasper. I believe so. I mean, like I said, they were
very sympathetic, but they really could not do much for me.
Senator Ayotte. You really used your own thought process
and investigating your own case. I mean, you did a really good
job investigating your own case.
Mr. Kasper. So far. It was really bothering me not knowing
who had gotten this information.
Senator Ayotte. Right. But the IRS would not give any
information about what they were actually doing to pursue the
case?
Mr. Kasper. Correct, other than that it seemed very
unlikely they were investigating it.
Senator Ayotte. Did they tell you even that they had
reported it to law enforcement?
Mr. Kasper. No. They never told me they had reported it to
law enforcement or even to the bank. When I contacted the bank,
the bank specifically said 6 weeks later, ``The IRS never
contacted us about this deposit.''
Senator Ayotte. And, obviously, then they said that they
did not give you any followup of whether there was any kind of
investigation conducted or any outcome of it?
Mr. Kasper. No, I got a letter saying they had received my
fraud affidavit, which was the one I got the same day the
police were interviewing the person. And then at the end, after
the bank had reported it to the IRS and then the case was
resolved, the day after I got the check, I got a letter saying,
``Your identity theft case has been confirmed,'' the day after
I got the check.
Senator Ayotte. After you got the check?
Mr. Kasper. Yes.
Senator Ayotte. And one of the things that, as I listen to
what you have to say, this is something I have been hearing
time and time again, and obviously I think why we are having
this hearing and how important it is that we get to the bottom
of not only preventing these types of thefts, but also a better
response to them from the IRS. And what I wanted to followup
with, Dr. Fu and Mr. Greene, is on the issue of--you mentioned,
Dr. Fu, one potential third-party fraud prevention tool based
on voice analysis, as I understand it. What other fraud
prevention tools exist in the private sector that the IRS could
harness potentially to help us address this? And was this
something you think that we should be pursuing as we talk to
the IRS about this issue? Because it seems to me that there is
already a lot being done in the private sector that could be
transported to the government sector as we look at this growing
challenge.
Dr. Fu. Well, I think one of the challenges for the Federal
Government is that--especially the IRS, you cannot deny any
particular customer, so you have a very diverse customer base
compared perhaps to the typical private sector enterprises.
Now, there are a number of fraud detection systems out there,
but it would be difficult to legislate technological solutions.
But I think it would be worth at least conducting studies to
understand if some of these approaches might work at all, a
pilot program, for instance.
NIST in particular has quite a bit of expertise in carrying
out pilot programs and making strategic recommendations on
authentication in particular.
Senator Ayotte. Do you have any thoughts on that?
Mr. Greene. The IRS Commissioner, this morning when he
spoke, recognized that prior security measures become obsolete
pretty quickly, and it is the proverbial race. You are
constantly needing to improve, going beyond. KBA may have
worked well in the past. Going beyond that in the future to
step it up, there are ways. You can add the other factors. You
can add the type of data analytics that Mr. Kasper talked
about. Putting some of that in place can help you detect it a
little sooner. Looking for patterns with certain e-mails, if
they are very similar--if an e-mail has a string of letters or
numbers and you keep seeing incremental increases and you see a
pattern like that, those are the types of tools that you can
put in place monitoring on the back end.
Senator Ayotte. I thank you all. We are at the tail end of
a vote here, so I am going to adjourn this, and I believe
Chairman Johnson will be back. But we will be right back in the
Committee, and we will take a recess, not adjournment. Sorry.
Thank you.
[Recess.]
Chairman Johnson [Presiding.] We would like to call the
hearing back to order.
What we would like to do is just give the witnesses an
opportunity, if there is something that you have not been
asked, if there is another comment or another piece of
information you would like to provide in testimony, why don't
you do that right now? Then we will dismiss you and seat the
next panel.
So we will start with you, Mr. Kasper.
Mr. Kasper. I just wanted to mention that I have been
watching a lot of the hearings on the subject, and John
Valentine from the State of Utah had testified previously that
he had talked to someone at the IRS who told him they were
seeing a pattern of previous years' tax information being used
to submit fraudulent returns as early as last year, which,
coincidentally, is the same time the Get Transcript function
was introduced.
Chairman Johnson. Who is Mr. Valentine?
Mr. Kasper. I do not remember the name of the agency, but
it is the agency that handles the State taxes for Utah. He had
testified in the Senate Finance Committee about that issue and
about their lack of getting information from the IRS at that
time.
Chairman Johnson. OK.
Mr. Kasper. Because they noticed a bunch of these
suspicious returns this year and reported them to the IRS that
they had this pattern. Data from last year was being used this
year, and they reported that to them early in February of this
year that that was going on.
Chairman Johnson. OK. Well, thank you, Mr. Kasper. Dr. Fu.
Dr. Fu. Yes, well, I would like to just comment that with
regards to the sample four questions to authenticate with this
instant KBA, I think it would be rather relatively easy to
actually write a program to rule all this out, and perhaps that
is actually what was done to accomplish this particular breach.
And in computer security, we often refer to these technologies
as sort of ``security theater'' where they can give a sort of
happy, squishy feeling for the consumer because you are doing
some action to make you feel good, but it is always hard to
know whether it is actually improving your security. And, in
particular, with instant KBA there is very little understanding
right now about how to measure the quality of the security of
KBA, and I think we need improvements in that space if we are
going to continue to use it.
Chairman Johnson. Let me quickly ask you, because I
actually had a conversation with another Senator on the walk
down, in terms of what happened here, would there be computer
programs that are programmed to utilize all this personal
information and do this quickly? Or is this going to be a very
manual process in terms of logging on to Get Transcript and
logging in the information? Do you understand the question?
Dr. Fu. Are you asking me----
Chairman Johnson. Can this be----
Dr. Fu. The attacker, how automated it is?
Chairman Johnson. Yes.
Dr. Fu. I believe this can be fairly automated. In fact,
when I used to work in the industry, we would write scripts to
automate filling out web forms. So this is something you would
almost be taught as an undergraduate. So I would expect a
sophisticated adversary to be able to do it quite well.
Chairman Johnson. And then because the IRS was having that
second layer--I forget exactly what you called it, but they
were asking the hacker to enter----
Dr. Fu. An e-mail address.
Chairman Johnson. An e-mail address, and then that was
reauthenticated. Would they have had to have separate e-mail
addresses? Would they have had to have 200,000?
Dr. Fu. I do not know the answer to that. My guess would be
that--you would have to talk to the IRS, but I would imagine
they would be very easily able to audit if somebody reuses an
e-mail address. But as we know, it is fairly easy to create a
new e-mail address, and I have to say so many of them are just
gmail.com that the domain is not always going to be too
telling.
Chairman Johnson. OK. So they would not necessarily have to
be real e-mail accounts--or they would have to be real e-mail
accounts, so you would just be setting these things up by
literally hundreds of thousands if not millions to do this.
Dr. Fu. Correct.
Chairman Johnson. OK. Mr. Greene.
Mr. Greene. Senator, your question about automating, I
asked that precise question of some of our experts who spend
their days analyzing attacks and malware. They did not have any
specific knowledge of this attack, but their response was this
would be very easy to automate soup to nuts.
Now, it still is a complex logistical effort. There was a
big effort involved, but the task of writing the scripts was
not--they expect it was automated and do not believe that it
was not the most highly sophisticated scripting. I guess what I
would add is this is not the first successful compromise of
KBA, but it has certainly received the most publicity, and most
people do not get into crime to work hard. Copycats are pretty
common. So I think we are likely to see more KBA attacks both
on the private sector entities that use it and the government.
Now is the time, I think, to look at your organization, if you
are using it, to make sure that you have some type of second
factor or are dialing up the sensitivity of your monitors, of
your sensing, to look for anomalous activity, because I suspect
that there are criminals out there right now looking at this
successful attack and saying, ``How can I duplicate that
somewhere else?'' They are going to reuse what they can.
Chairman Johnson. This really does answer the question why
are these cyber attackers accessing this PII from all these
different companies, accumulating it. This is the reason why,
so they can utilize it this way. Correct?
Mr. Greene. Well, and the information itself has value.
This is an interesting attack, and this is different in kind
than a lot of the major breaches we have seen in the sense
that--I view this as not a breach, but 100,000 individual
compromises. There are major breaches that have led to the
release of millions of identities. These attackers stole money.
In a lot of the breaches, they are stealing identity
information to sell it. But at the same time they stole the
money, they also acquired a lot of information. Mr. Kasper's
tax records, his tax transcript has information that has--it is
akin to breaking--if I broke into your house to steal $1,000
and I saw a valuable ring, I am going to grab the ring, too,
and then try to sell that. So they stole the money, but they
now have more data that they will sell to others to use. There
are very active black markets trading in this information.
Chairman Johnson. And, again, what is the use for that
personal information then?
Mr. Greene. It can be anything from future tax fraud to
trying to open credit cards. Health care records are now very
valuable. We have seen the value of them jump up dramatically.
Some health care records we have seen are worth 2 to 10 times
as much as a credit card nowadays.
I joke that if I carry a Fitbit that transmits my data of
my steps. That is not the Fitbit specifically, but there is a
lot of data being transmitted that is not particularly secure.
But if there is a way to monetize it, there is a criminal out
there trying to figure out how to do it.
Chairman Johnson. And, again, once you automate an attack
like this or a breach like this, you have already got the
automated program; you have the software. It is very easy to
replicate it or modify it for a new type of criminal scheme.
Correct?
Mr. Greene. Correct, to modify it, and most of the data
that was used for these 100,000 compromises was probably
previously stolen or just sucked off of a public website. It is
a combination. We are all putting information out there that we
do not even know about. Dr. Fu said our friends post stuff.
Chairman Johnson. So, again, with the software program, one
individual could have pulled this thing off.
Mr. Greene. I think it would probably be a more
sophisticated, more organized effort than that, from soup to
nuts, to go through it. It might have been only one----
Chairman Johnson. How many people?
Mr. Greene. I would be happy to get back to you. I can
check with some of our experts to see what they would say.
Chairman Johnson. OK. Again, I am just trying to get the
scope of this, the ease, how to replicate this. Is this a
harbinger of things to come? Is it just the tip of the iceberg?
Again, we have a billion people who have had their PII stolen,
and this is what it is being used for, among many other things.
Mr. Greene. The experts in our response team thought that
this is most likely, again, from reading the outside reports, a
criminal organization. So this is--and they have business
plans. They have organizations set up to do all this, and they
are looking, I am sure, at their next target.
Chairman Johnson. OK. Again, I want to thank all three of
you for your thoughtful testimony, your thoughtful answers to
our questions, and we appreciate it. This will be very helpful
in terms of us building the record of exactly why this Congress
really needs to pass a bill that at least takes the first steps
in providing, for example, the information sharing or the
threat signatures, these types of attacks, so that when other
people experience something similar, we can maybe prevent some
of these things.
So, again, thank you for your testimony, and have a good
day. And we will call the next panel.
[Pause.]
This is perfect. Welcome back.
Senator Carper. Thank you.
Chairman Johnson. I will have to be leaving here pretty
quickly myself.
Again, I would like to thank the Commissioner and Mr.
Millholland for coming to testify. It is the tradition of this
Committee to swear our witnesses in, so if you would rise. I
should be able to have this thing memorized. That is OK. There
we go.
Do you swear the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
Mr. Koskinen. Yes.
Mr. Millholland. I do.
Chairman Johnson. Thank you. Please be seated. I really do
have that memorized, but I like to get it accurate.
Our first witness will be John Koskinen. Mr. Koskinen is
the 48th Commissioner of the Internal Revenue Service, a
position he has held since his confirmation in December 2013.
Previously, Commissioner Koskinen served as the non-executive
chairman of Freddie Mac from 2008 to 2012. Mr. Commissioner.
TESTIMONY OF HON. JOHN A. KOSKINEN,\1\ COMMISSIONER, INTERNAL
REVENUE SERVICE, U.S. DEPARTMENT OF THE TREASURY; ACCOMPANIED
BY TERENCE V. MILLHOLLAND, CHIEF TECHNOLOGY OFFICER, INTERNAL
REVENUE SERVICE, U.S. DEPARTMENT OF THE TREASURY
Mr. Koskinen. Chairman Johnson, Ranking Member Carper, and
Members of the Committee, thank you for the opportunity to
appear before you today to provide information on the recent
unauthorized attempts to obtain taxpayer data through the IRS's
``Get Transcript'' online application.
---------------------------------------------------------------------------
\1\The prepared statement of Mr. Koskinen appears in the Appendix
on page 79.
---------------------------------------------------------------------------
Securing our systems and protecting taxpayers' information
is a top priority of the IRS. Even with our constrained
resources as a result of repeatedly decreased funding over the
past few years, we continue to devote significant time and
attention to the challenge. At the same time, it is clear that
criminals have been able to gather increasing amounts of
personal data as the result of data breaches at sources outside
the IRS, which makes protecting taxpayers increasingly
challenging and difficult.
The unauthorized attempts to access information using the
Get Transcript application were made on approximately 200,000
taxpayer accounts from questionable e-mail domains, and the
attempts were complex and sophisticated in nature. These
attempts were made using taxpayers' personal information
already obtained from sources outside the IRS.
It should be noted that the third parties who made these
unauthorized attempts to obtain tax account information did not
attempt to gain access to the main IRS computer system that
handles tax filing submissions. The main IRS computer system
remains secure, as do other online IRS applications such as
``Where's My Refund?''
To access Get Transcript, taxpayers must go through a
multistep authentication process to prove their identity. They
must first submit personal information, such as their Social
Security number, date of birth, tax filing status, and home
address. The taxpayer then receives an e-mail from the Get
Transcript system containing a confirmation code that they
enter to access the application and request a transcript.
Before the request is processed, the taxpayer must respond
to several out-of-wallet questions designed to elicit
information that only the taxpayer would normally know, such as
the amount of their monthly mortgage or car payment.
During the middle of May, our cybersecurity team noticed
unusual activity on the Get Transcript application. At the time
our team thought this might be a ``denial of service attack,''
where hackers try to disrupt a website's normal functioning.
They ultimately uncovered questionable attempts to access the
Get Transcript application.
Of the approximately 100,000 successful attempts to access
the application, only 13,000 possibly fraudulent returns were
filed for tax year 2014 for which the IRS issued refunds
totaling about $39 million. We are still determining how many
of these returns were filed by the actual taxpayers and which
were filed using stolen identities.
For now, our biggest concern is for the affected taxpayers
to make sure they are protected against fraud in the future. We
have marked the accounts of the 200,000 taxpayers whose
accounts were attacked by outsiders to prevent someone else
from filing a tax return in their names, both now and in 2016.
Letters have already gone out to the approximately 100,000
taxpayers whose tax information was successfully obtained by
unauthorized third parties. We are offering credit monitoring
at our expense to this group of taxpayers. We are also giving
them the opportunity to obtain an identity protection personal
identification number (IP PIN) as it is known. This will
further safeguard their IRS accounts.
We are also in the process of writing to the 100,000
taxpayers whose accounts were not accessed to let them know
that third parties appear to have gained access from outside
the IRS to personal information such as their Social Security
numbers. We want these taxpayers as well to be able to take
steps to safeguard that data. The Get Transcript application
has been taken down while we review options to make it more
secure without rendering it inaccessible to legitimate
taxpayers.
The problem of criminals using stolen personal information
to impersonate taxpayers is not a new one. The problem of tax
refund fraud exploded from 2010 to 2012. Since then we have
been making steady progress both in terms of protecting against
fraudulent refund claims and prosecuting those who engage in
this crime. Over the past few years, almost 2,000 individuals
were convicted in connection with refund fraud connected with
identity theft.
Additionally, as our processing filters have improved, we
have also been able to stop more suspicious returns at the
door. This past filing season our fraud filters stopped almost
3 million suspicious returns before processing, an increase of
over 700,000 from the year before. But the criminals continue
to become more sophisticated and creative. For that reason, we
recently held a sit-down meeting with the leaders of the tax
software and payroll industries and State tax administrators.
We all agreed to build on our cooperative efforts of the past
and find new ways to leverage this public-private partnership
to help battle identity theft. We expect to announce more
details shortly.
Congress plays an important role as well and can help by
approving the President's fiscal year 2016 budget request,
which provides for $101 million specifically devoted to
identity theft and refund fraud. A key legislative request,
among others in the budget, is a proposal to accelerate
information return filing dates generally to January 31. This
would assist the IRS in identifying fraudulent returns and
reduce refund fraud related to identity theft.
Ranking Member Carper, Members of the Committee, this
concludes my statement, and I would be happy to take your
questions.
Senator Carper [Presiding.] Mr. Commissioner, I do not want
you to assume that because all of my colleagues have left that
we are not interested in what you and Mr. Millholland have to
say. We are very much interested. We have a series of five or
six votes in a row, and we are voting about every 10 minutes,
and we are trying to keep this moving. This bipartisan
cooperation, this is what happens when you can collaborate. We
will see if we can keep it going, but thank you for bearing
with us, and hopefully we will be able to sit back down and ask
some questions when we are all together.
All right. Mr. Millholland, nice to see you. Thanks for
joining us. I have not seen Commissioner Koskinen since this
morning. He testified before the Finance Committee.
Mr. Koskinen. I am fondly referring to this as a ``double
header.''
Senator Carper. There you go. Day-night. What did Ernie
Banks used to say? Remember Ernie Banks, great shortstop for
the Chicago Cubs, on weekends when they played Sunday double
headers, he would say to his teammates before the game would
start, he would say, ``Let us play two.''
Mr. Koskinen. That is exactly where I picked it up.
Senator Carper. Go ahead.
Mr. Millholland. Sir, I do not have an opening statement.
Senator Carper. All right. Mr. Commissioner--are you here
to correct his answers? Is that what your role is? OK. He is
actually pretty good, so you may not have much to do.
As we have discussed a time or two before, Congress has not
given the IRS the funding that you need to fulfill your
missions, have not done it for a while, and I think that is
unfortunate because every additional dollar spent by the IRS,
as we know, to ensure tax accuracy and improve program
integrity brings in at least $6, and I have heard even greater
amounts than that. We had some conversation today about what
investments in compensation, ways to attract and retain some of
the senior-level, most difficult to hire and find skill sets in
cybersecurity, how those investments pay way more than $6 for
every dollar we invest.
But what has been the practical impact of the budget cuts
on your operations, such as staffing levels, investments in
technology, and your ability to engage in program oversight and
integrity activities, please?
Mr. Koskinen. Well, I would stress that the particular
challenge we are faced with the Get Transcript application was
not a result of a budget issue.
Senator Carper. I understand.
Mr. Koskinen. It is an authentication question that we need
to continue to deal with. Authentication is a challenge for us
across the entire spectrum.
The budget challenge is that this is really a shot across
the bow. As noted, this attack was sophisticated, complicated,
run by apparently organized crime syndicates who operate here
and around the world. And the challenge for us is not just the
authentication for this application, which has now been taken
down and which we will improve. The challenge is the continual
attempts and attacks the agency is under with regard to its
basic database. As noted, our basic filing system was not
affected by this attack, and it is secure. But we run an
antiquated system, and over the last several years, the
underfunding of the information technology (IT) investment has
meant that we have been able to replace a lot of antiquated
systems less quickly, less rapidly than we would like. It leaves
us more vulnerable. We are running some applications that have
been running for 50 years. We are running other applications
that are no longer supported by the software developers and
manufacturers.
So we have a difficult challenge competing with organized
criminals who have resources and have turned this into a
business. They have collected almost unbelievable amounts of
personal information from people here and around the world in
massive databases, and they have one commitment, which is to
attack not just the IRS but attack across the board other
financial institutions and individuals.
I referred to a website yesterday that has indications,
reports of 25 data breaches and identity theft activities that
took place in May. We are one of the 25. There are 24 others
that took place around the world. So it gives you an idea of
the magnitude of the challenge we are facing. It continues to
be one of our highest priorities to make sure we do everything
we can to protect taxpayers, but that means we are going to
have to continue to invest in the system and in the people who
run those systems to make sure they are as secure as possible.
Senator Carper. OK. Thank you. You spoke to us earlier
before the Finance Committee today about the streamlined
critical pay program. You may have alluded to that in your
comments here before this Committee. But could you talk a
little bit about why that program is worthwhile and why
investing in it can pay way more dividends in terms of reducing
the impact on the Treasury, adverse impact on the Treasury?
Mr. Koskinen. When the restructuring act for the IRS was
passed in 1998, the agency was given the ability to hire up to
40 executives with streamlined critical pay.
Senator Carper. Tell us what that means. I think I know.
Mr. Koskinen. Streamlined critical pay means much as if you
were in the private sector, you can find someone, as we did
with the head of our Information Technology, Mr. Millholland,
you can find them in the private sector, you can recruit them,
select them, offer them a job. They can take it immediately and
begin to work immediately. That is the streamlined part.
The critical pay part allows you to pay, if necessary,
above the Senior Executive Service (SES) level, although a
number of people that participated in that program did not get
additional pay, but that is the critical pay aspect of it. It
has been used primarily for information technology and other
critical technological and intellectual capacity. The Inspector
General issued a report last December in which he noted the
program had been run appropriately over the period of time.
Mr. Millholland was telling me recently that we had two
senior IT executives we wanted to hire, who were willing to
come work for us, but were not willing to participate and wait
for the several months it takes to be approved for government
employment as a career employee, and also were not satisfied
with the maximum compensation we could offer absent the
critical pay aspect.
So presently we have people across the IT spectrum who are
on critical pay. We have lost almost half of the people on
critical pay when I began a year and a half ago because their
term ran out. The three critical data, compliance data
analytics people, including our expert in authentication, left
the agency at the end of last year because his term ran out. We
have not been able to replace him appropriately.
We hope that we will be able to get the authorization to
resume the program which would allow us to recruit the kinds of
people, a handful of them, that we need at the top of IT, that
we need at the top of international tax administration.
Senator Carper. Good. Thank you. I said this morning, Mr.
Millholland--I do not know if you were in the audience when the
Commissioner spoke before the Finance Committee, but I said in
my life sometimes people ask me why I have had some success,
modest as it is. And I always say because I picked the right
parents, and the other thing is because I have always
surrounded myself with people smarter than me. And if you look
at some of the people that we are trying to attract and retain
at IRS to help us deal with these cyber issues, they could make
a whole lot more money in the private sector, as you know, and
are, but the reason why they are serving where they are is
because they are doing something for their country, and they
feel a need to do that.
Mr. Millholland, just very briefly, there was some
discussion earlier, I think in the first panel, about two-
factor methods, and I think with respect to using stronger
authentication technologies, and they talked about, for
example, two-factor methods like sending a letter with a
password or calling an individual's phone with a password.
Facebook, Google, and Bank of America are just a few of the
major names.
How are you moving forward in using the so-called two-
factor authentication technology? And when will you have it
fully implemented, please? Just very briefly. Thank you.
Mr. Millholland. Sure. I want to distinguish between inside
use and use of somebody connecting to the website. Inside use,
we already use two-factor authentication, with variations of
those, including personal identity verification (PIV) cards, for
example--that is, the Homeland Security Presidential Directive
12 (HSPD-12) cards. And there are a number of ways to implement
two-factor authentication.
For the external, we fundamentally have to decide are we
going to set up accounts for taxpayers so that they can file
directly. If we were to do that, and discussions have started
with the Commissioner and others about should the IRS deal
directly with taxpayers in the filing of their returns, we
would want to set up accounts like you would have with a
financial institution. If we were to do that, we would go with
multifactor authentication; that is, certainly an ID, a
verification that the person is who they say they are, with far
more confidence than what we did with this particular Get
Transcript application, perhaps use of biometrics, perhaps use
of something like Connect.gov, something else that gives us
that additional proof that the person is who they say they are.
Senator Carper. OK. Thanks so much. My time has expired.
Senator Ayotte.
Senator Ayotte. Thank you so much.
Senator Carper. Thank you.
Senator Ayotte. I want to thank both of you for being here.
Commissioner Koskinen, let me just thank you up front for your
response to my letter of May 28, and I think this is really
important that you are going to change the policy that you have
in terms of providing tax returns to those who find themselves
to be victims of identity theft. And what prompted me to write
you that letter is I am sure many of my colleagues could share
similar stories, but one was a woman, the Weeks family, and
they learned last year, when they went to file their tax
return, a month after their 7-year-old daughter had been killed
in a car crash that, in fact, someone had claimed their
deceased child as a dependent. In fact, what the IRS told Mrs.
Weeks was that their deceased child's Social Security number
had been used three times, and then she had a really hard time
getting any more information. She could not get any information
from the IRS, and, similarly, in terms of who used it, what
happened, even getting copies of the returns and trying to
understand what happened.
Another family I had, after having surgery and
complications that prevented one of the members of the family
from returning to work for 3 months, she filed their tax
returns, this family did as soon as they could, and they really
needed the return because they were in jeopardy of losing their
home. And what they found out when they filed their return, the
wife discovered that someone had already filed a tax return
using her Social Security number, and she was told that it
would take her 4 to 6 months to process any kind of refund
because of this identity theft. And they became delinquent on
their home and faced foreclosure, and this was one where my
staff was able to intervene and help them in time to save their
home.
And I wanted to use these real stories because your
response to me is very important. What we heard earlier today
from Mr. Michael Kasper--and perhaps you had a chance to hear
what he had to say as a victim of identity theft--who testified
before this Committee is that the process of not being able to
get a return or information, it makes these victims--obviously
puts them in a worse position, because Mr. Kasper went through
a long process, finally had to pay $50 and got information that
allowed him to go to the bank and to try to protect himself and
actually resulted in finding out who did this.
So what I wanted to understand is with this new procedure,
how long do you think it will take to put this in place? And
will all victims of tax-related identity fraud be able to
request copies of their fraudulent returns? And can you give me
a sense--I have constituents coming to my office. Do you have a
sense of how big this problem would be in New Hampshire and
across the country? And those are some of the first questions I
have.
Mr. Koskinen. First of all, I appreciated your letter, and
I was delighted that we were able to review the situation and
remedy it. We hope to in a very short period of time have the
new process up where we can redact any information that might
look like it would be a violation of the so-called 6103 and
give taxpayers access to the false return so they can get an
idea of exactly what it looked like and what they have to deal
with, and we should be able, as I say, to have that system up
and running within a matter of no more than 3 weeks, to be able
to do that.
As I have said in other contexts, the access to Get
Transcript is really just another form manifestation of
identity theft. These are criminals who already knew and had
enough information to file a false return. What they were
trying to do was get more information so they could file a
better false return. As noted, the reason we have stopped 3
million returns, suspicious returns at the door is because we
keep improving the sophistication of our filters which detect
anomalies. So if you can eliminate the anomalies, you are
better off.
But we continue to try to do whatever we can to help
taxpayers. For instance, as I said, the notification to the
104,000 who had data access, those letters are out. They should
have those already in the next few days. But we need to, as
quickly as we can, provide support to taxpayers. When the
problem exploded 4 or 5 years ago, it would take us up to a
year to be able to straighten out a taxpayer's account. We now
have it down to an average of 120 days. Our goal really is to
get it even shorter than that as we go.
It is a problem. We have IP PINs in the hands of about a
million and a half taxpayers who have had fraudulent, false
returns filed. They are spread across the country, and, again,
it is an ongoing challenge for us. One of the issues we need to
continue to do as much as we can is develop filters at the back
end to stop returns, but increasingly do authentication of the
front end, and that is why we have this partnership with the
private sector and the States. When I pulled them together 3
months ago, H&R Block into it and others, I said, ``The purpose
of this meeting is not for me to tell you what to do. The
purpose of this meeting is start a discussion where we can work
together, the private sector, the States, and the IRS, to
figure out how jointly we can do a better job of protecting
taxpayers.'' Because as you know with your cases, there is
nothing more traumatic to an individual than to feel that their
data has been violated, has been stolen. And it is not only the
difficulty of getting a refund--70 percent of people who file
with us get refunds--that you may need immediately, but it is
that lack of certainty of where else is this information
available.
Senator Ayotte. Right, and that is why I think it is
important that the taxpayer be given as much information as
possible to protect their own financial interests. And one of
the things we heard from Mr. Kasper, who was here, but it is
also a similar experience that I have heard a lot about--in
fact, Nina Olson, the Taxpayer Advocate, noted in her annual
report that victims often must ``navigate a labyrinth of IRS
operations'' and recount their experience time and time again
to different employees. And so Mr. Kasper's experience was four
to five different people, waiting an hour or two on the phone
for each. Has thought been given to assigning one person when
someone becomes an identity theft victim to that individual
rather than calling back up again and being put back sort of
in----
Mr. Koskinen. It is a problem that we have been focused on.
When we started, ID theft was spread around various parts of
the agency. We have now consolidated all ID theft issues,
particularly for taxpayers, into one location so that they will
actually be able to go one place and tell their story once. The
Taxpayer Advocate, whom I work with closely and I have great
admiration for, and I have a disagreement about whether there
should be a single individual, because the problem with a
single individual as opposed to a single entity is that if you
call, they could be on vacation, they could be at lunch, they
could be somewhere else. Most call centers, if you call any
commercial enterprise and then call back, you do not get a name
to talk to. What you do get when you call back is they know
what your call is about. They have a record of what you said.
And that is the system that we are building. So that a taxpayer
can call a special number for ID theft. They do not have to
battle through the lack of service we are able to provide
generally. And when they call the second time, if they have to,
they will not have to repeat the story. The record of what
their situation is will be readily available to the next
available operator for them. And I think our experience is and
the private sector experience is that is a more efficient way
to provide the service to taxpayers rather than for them to
have to depend upon the location of a given individual.
But the point that the Taxpayer Advocate raised initially
was extremely right, that we cannot have taxpayers have to
themselves navigate the various aspects of the IRS operations,
and we are working to, in fact, as I say, consolidate that to
give taxpayers one-stop shopping, as it were.
Senator Ayotte. Thank you. I know my time has expired, and
I will stick around for another round when we get through our
votes. But thank you.
Chairman Johnson [Presiding.] Thank you, Senator Ayotte.
Mr. Commissioner, we had Mr. Michael Kasper, and in his
closing comments, he talked about a gentleman named John
Valentine--I believe he must be working for the Utah Department
of Revenue--that apparently contacted the IRS in February of
this year, talking about seeing returns with prior years'
information, very close, basically looked like fraudulent
returns. Were you aware of that? Or were you, Mr. Millholland?
Mr. Koskinen. We were aware, obviously, of the difficulties
with filings that basically took place in a number of States,
including Utah and Wisconsin and others, in January, had a
symptom identified with them, and that is that they had access
to the prior year's returns, and those returns primarily were
filed only at the State not at the Federal level. But it was
out of that concern that I pulled together what is called the
``Security Summit'' in March to pull everybody together to say,
OK, what is going on and, most importantly, what can we do
together that we cannot do separately.
So we were aware of that situation, and we have been
working with the States and with the private sector since then.
Chairman Johnson. You were aware of Mr. Kasper's situation
then? I guess Krebs on Security had a blog posting on March 30.
Mr. Koskinen. Yes.
Chairman Johnson. You were aware of that personally as well
as the IRS was.
Mr. Koskinen. Yes, we were. And, in fact, as we have been
tracking back through everything, I am not allowed to talk
about particular taxpayers, but as a general matter, let me
just say that we took all of that information into
consideration and were in the process in April of beginning to
take a look at adjustments, made some adjustments already
during the filing season to issues around Get Transcript, and,
in fact, were developing and are developing with the States a
protocol that will, in fact, improve the security significantly
as we go forward. But we will not put the site back up until we
are confident with its security.
Chairman Johnson. But you were aware at the end of March,
but you decided not to make any changes at that point in time.
Mr. Koskinen. I know we made some changes, which I would be
happy to talk to you about more privately, but we did not
change the fundamental security aspect of Get Transcript. Our
plan was to take a look at that and roll it out toward the
middle or the end of June.
Chairman Johnson. You were made aware of the actual breach
of a couple hundred thousand--well, 100,000, but an attempt on
200,000 different accounts on about May 18th. Is that correct?
Mr. Koskinen. Yes, it would have been about May 18, and it
was mid-May when we thought it was a denial of service, and
then on Thursday--someplace around here I know where that date
is. I can tell you for sure.
Chairman Johnson. OK. But then about 2 weeks later, you
decided to shut down----
Mr. Koskinen. Actually, we knew there was a denial of
service attack on May 14th--or we suspected that. We then knew
and I was advised by Thursday, May 21, that, in fact, there had
been--less than a week ago, 10 days ago, I was advised that
there had been a breach. We continued to investigate that. We
had already notified Homeland Security and other security
people, as well as the Inspector General. And then the
following Tuesday, it was the Memorial Day weekend, as we got
more details and knew what we were dealing with, we made an
announcement to the public and started mailing out letters.
Chairman Johnson. OK. And you shut down the site then with
how many----
Mr. Koskinen. We shut down the site probably on Tuesday or
Wednesday----
Mr. Millholland. It was Thursday morning.
Mr. Koskinen. I guess the Thursday morning before the
meeting with me they had shut down the site.
Chairman Johnson. So within a week or so, something like
that. OK.
Mr. Koskinen. From the time there was an indication of a
problem until the time--which was originally thought to be a
security problem, until the site was taken down was a week.
Chairman Johnson. OK. Mr. Kasper was talking about his
frustration that he had contacted the IRS and could not get any
information on this, that it would take about 6 months. And
there are always privacy concerns. That was the reason why the
IRS could not give him more information. Can you talk about,
why would it take 6 months? What are those privacy laws you are
dealing with that you could not communicate with the taxpayer
whose identity had been stolen through an IRS system? Why the
time lag? What are those privacy laws that prevent the IRS
from----
Mr. Koskinen. Privacy laws that we are concerned about--and
as Senator Ayotte raised issues with us, Section 6103 says we
cannot reveal to anyone any taxpayer information. We cannot
share it even with other government agencies unless there is a
statutory exception that allows us to do that.
So the challenge we had when taxpayer information--
fraudulent returns were filed, first you have to determine who
is the fraudster and who is the legitimate taxpayer. Second,
there was a concern that if we issued a copy even of a
fraudulent return, it could have other taxpayer information
that had been stolen in that return, and technically it is a
criminal violation for us to reveal that.
I do not know why it took anybody 6 months. It should never
take you 6 months to get through the system. But basically what
we have set up is a situation where we can simply redact any
third-party information in a return and give the taxpayer a
copy of the fraudulent return so they will know exactly what
was in there.
Chairman Johnson. And how long a time do you think that
process should take then?
Mr. Koskinen. That process, we have a special hotline for
identity theft, and if you get a notice that you have been
returned, there is no reason you should not be able to get a
copy of that return promptly.
Chairman Johnson. Promptly means?
Mr. Koskinen. Promptly within--if you call us, I do not
know why you could not have that return within a week.
Chairman Johnson. OK. In Wisconsin the Guenterbergs had
their identities stolen quite a few years ago. Again, the IRS
could not--even though they knew they were fraudulent returns,
they understood there was identity theft, they were prevented,
again, under apparently the same privacy statute, from
contacting the Guenterbergs, and as a result, they continued to
have their identity being stolen and victims of that.
I have introduced a piece of legislation. It is called
``The Social Security Identity Defense Act of 2015,'' to allow
you to provide that information of identity theft. Is that a
piece of legislation you will support?
Mr. Koskinen. We would be delighted to be able to. Our
biggest problem, for instance, with law enforcement is when
there has been identity theft, we cannot give the law
enforcement authorities that information without the approval
of the taxpayer involved. So to the extent that for law
enforcement purposes, for protection against identity theft, we
are allowed to provide information to either law enforcement
authorities or others who need to know to prevent further
identity theft, that would be helpful.
Chairman Johnson. Mr. Millholland, I am actually surprised
that having noticed, found out about this breach on May 18, you
already know that there have been 13,000 fraudulent returns
filed from those same breached accounts and $39 million of tax
refunds have been sent to those criminals. How did the IRS get
that information so quickly?
Mr. Millholland. Part of our analysis was to go in and look
at every one of these attempts and see what they were doing and
such. And, thus, the mapping process, the data analysis process
of taking each one of these e-mails, tracking down what domains
those e-mails were going to, determining how many Social
Security numbers had different e-mail addresses, all that then
were worked so we could block those particular Social Security
numbers from getting any more information. But it also allowed
us then to go dive into the IRS master file and associated
systems to say, all right, how many of these people actually
filed returns? How many of them did not file returns? The
Commissioner provided some numbers on that. That has led us
down to this approximate 13,000 that may or may not be
fraudulent. We are not sure yet.
Chairman Johnson. As long as we are talking about those e-
mails, so you have that two-step authentication that required
the criminals to get another--a signal from or a text or an e-
mail to that account. Did those have to be separate e-mail
accounts?
Again, the 100,000 accounts that were successfully
breached, that was a two-step process. Did those have to be
separate e-mail accounts? Were they separate e-mail accounts?
Mr. Millholland. They did not have to be. It was one of the
design flaws.
Chairman Johnson. OK. So that is a design flaw.
Mr. Millholland. Absolutely.
Chairman Johnson. OK.
Mr. Koskinen. But part of our problem is because we do not
communicate with taxpayers yet electronically, so we never send
e-mails back or forth because we have no security for them. If
we could as part of our development and refinement of our
systems be able to communicate electronically, it would
accomplish a lot of goals, one of which would be the two-factor
authentication then would be much more significant. Financial
institutions and others, when you want to change your password,
they send you a key to your e-mail address because they know it
is your e-mail address.
Chairman Johnson. That is a relatively significant flaw and
a pretty easy fix that, each e-mail, in terms of this
authentication, has to be a unique e-mail. Correct?
Mr. Millholland. That would be going forward, is absolutely
correct.
Chairman Johnson. OK. So that is a corrective item that
needs to be done almost immediately.
Mr. Millholland, knowing that this authentication process
is being used by Healthcare.gov, the Social Security
Administration, and other agencies in the Federal Government,
have any of those agencies or departments been in contact with
you to discuss what happened at the IRS? And are they
considering shutting down their sites?
Mr. Millholland. I cannot speak to whether they are
shutting down or not, but we have had conversations, just most
recently this last Friday, with the Social Security
Administration on what do they do to authenticate. So that kind
of conversation is going on there.
In addition, we have had, although it has been a bit of
time, with the VA, again, how do they authenticate. So I will
call it ``best practices'' amongst government is much better
known.
Chairman Johnson. So Healthcare.gov, CMS, the U.S.
Department of Health and Human Services (HHS) has not been in
contact with you in terms of their authentication and their
concern about similar type of breach of their system?
Mr. Millholland. Not with me. Perhaps with other parts of
the IRS, but not with me.
Chairman Johnson. OK. I would like to find out whether they
have. I think that is pretty serious.
[Pause.]
I do know that, Mr. Commissioner, you did mention budget
cuts as one of the potential problems, but this really had
nothing to do with budget cuts. Correct?
Mr. Koskinen. In my testimony, as I have said, this issue
was not a budget issue. I have tried to make that clear all
along. I do not want anybody to think--while we have
significant budget challenges, I do not want anybody to think
that every problem we have is a budget problem. There are
issues and challenges we have that are management questions.
There are other issues. Our problem here for the budget is not
fixing the authentication on this side. Our challenge for the
budget is, in fact, upgrading and protecting our entire system,
which is at this point secure, but under continual attack.
Chairman Johnson. Mr. Millholland, this knowledge-based
authentication, you are using an outside vendor to provide you
this type of information. Correct? That was from
Healthcare.gov, but yours is very similar. Correct?
Mr. Millholland. We use a third-party source for
information beyond the type of questions that--if someone
called, they are asked a series of questions. Then we go to
these out-of-wallet questions to a credit scoring agency.
Chairman Johnson. Again, that taxpayer personally
identifiable information, that is not held within the IRS
anywhere. Correct? That is all held by an outside vendor?
Mr. Millholland. That is correct.
Mr. Koskinen. That is correct.
Chairman Johnson. Is there any personal information that
the IRS stores that is not obtained by the IRS directly from
the taxpayer? Do you go to any outside vendor anywhere in the
IRS and then store it within the IRS' system?
Mr. Millholland. I do not believe so, but possibly Criminal
Investigation (CI), maybe.
Mr. Koskinen. That is a good catch. As a general matter, we
have no personal information from people that they have not
provided us. The Criminal Investigation Division does in its
investigations pursuing criminal cases accumulate data and
information that they go after. If we do an audit of someone,
an examination where we are actually examining their records,
we may accumulate information about demonstrating whether they
are following the tax laws. But even that is not in a database
that the IRS is keeping on individuals. The only data we have
in our major database is the information that comes from filing
of taxes. And that is a lot.
Chairman Johnson. Again, that is simply on a case-by-case
basis, that information.
Mr. Koskinen. That is right. Both the investigations and
the examination are just on case-by-case pursuit of particular
issues.
Chairman Johnson. Is the IRS in any kind of analytics
utilizing information from credit card companies, Mr.
Millholland or Mr. Commissioner?
Mr. Koskinen. Yes. Under a statute provided by Congress, as
individuals we all at the end of the year get a credit card
summary of your expenses. We get on what is called the 1099-K,
we get that information for all merchants. So for the first
time in history, we have third-party information about what
small and medium-sized, even larger businesses are doing as far
as credit card receipts. So that comes in. Then we have to
decide what to make of it because all it tells us is what the
credit card receipts are.
Now, the really out of it small businesses are filing
returns with less revenues than their credit card receipts, so
those are sort of low-hanging fruit. But beyond that, we do not
know what their expenses are. More importantly, we do not know
what their cash receipts are. So that data needs to be
analyzed. We need to try to figure out what do we know as a
result of that data. How can we begin to model what an average
business in a certain industry in a certain area ought to look
like based on the data we are getting out of those credit
cards? And we think the biggest part of the tax gap is an
estimated $135 billion of underreporting by small and medium-
sized, some large businesses, and this is the first time we
have ever had third-party information. So there is a
significant amount of data analytics around that information.
Chairman Johnson. Are you getting individual transaction
information? Or are you just getting a summary of----
Mr. Koskinen. We are getting summary data. It is obviously
voluminous. It is as a result of a year's transactions. We do
not know what an individual bought, whether they bought, had
their car washed or had it serviced or whatever else. What we
are getting is, in fact, the receipts, this many credit cards,
this many dollars in funding provided to that organization.
Chairman Johnson. So is this kind of akin to a 1099 then?
You are using this--so you can trace the fact that if it is a
small business who is obviously receiving revenue through
credit cards, you are matching what that business has reported
for income versus the----
Mr. Koskinen. The summary amount--exactly.
Chairman Johnson. So that is what this is being used for.
Mr. Koskinen. Yes, exactly.
Chairman Johnson. OK. Mr. Millholland, I see that you used
to be chief technology officer at Visa International. Is there
any government agency taking a look at individual transactions
from the credit card companies that you are aware of?
Mr. Millholland. Not that I am aware of, no.
Chairman Johnson. Because we do hear that the CFPB is
looking at individual transactions and trying to come up with,
for some purpose.
Mr. Millholland. Again, not to my knowledge, sir.
Chairman Johnson. OK. Senator Carper, do you have further
questions? Thank you.
Senator Carper. Mr. Millholland, do you feel up to one
more? All right. We want to get our money's worth out of you
today. Here is the chance to do it.
Again, thank you both for being here and for your hard
work. We are lucky to have you serve our country. We are
grateful.
It seems that there are some valuable lessons to be learned
from this incident. We have talked about some of them this
afternoon, and we certainly talked about them this morning
before the Finance Committee with the Commissioner. But I would
just ask you, Mr. Millholland, what are your plans for ensuring
that breaches like this do not happen again or at least we
reduce significantly the likelihood that they will happen
again? And have you updated your security procedures in fraud
prevention methods to account for this particular attack?
Mr. Millholland. I call it a work in progress at the
current point in time. As I say, the Commissioner pointed out
the timeframes. It has only been a week since we shut the site
down. We are completing our data analysis of what happened and
when did it happen. Did the problem extend beyond this group of
200,000? So we can get basically all the facts and data in one
place.
In addition, there are investigations outside of the IRS
going on that we have to, let us just say, maintain the
environment for.
But beyond that is then what could we have done
differently? This particular application was designed the way
that the phone system was designed; that is, we make a phone
call. We designed it very much that same way in the sense of
provide an easy way for the taxpayer to get a copy of their
information. We extended it because it was electronic to these
out-of-wallet questions as such. The debate inside was how many
of those should we have. What degree of confidence would we
have if, instead of asking 4 or 5, we asked 15 or 16? Each one
of those questions that you ask can increase the confidence
level that it really is the person who you think it is. I think
if you ask 16, you are in the 99-percent range of confidence.
But that is then a burden on the taxpayer and such. So the
decision point inside is how easy do you make it versus the
risk that you are wrong kind of thing.
The one aspect I would say that in hindsight I think we
should have looked at a little bit better was the method of
this particular attack. We sort of, as I say, built it the way
the phone system was built, whereas if you want to get
someone's tax return, you would call up and fake it and
hopefully you would get through. An individual would do it.
That is the mind-set we had with the electronic version. It
would only be one person attempting to get it instead of what
happened was, appears to be an organized criminal activity.
That in hindsight one we had to--we should have thought better
about. But, again, it is a hindsight question.
In addition, one could argue should we have put other
authentication factors in like some other method that would
provide the way we set up an e-mail account, for example, is to
write a letter to the taxpayer instead to say, ``This is your
code for your e-mail address.'' That, of course, adds time and
burden to people who want their transcripts very fast.
But it is those kind of debates that we had inside. A risk
decision was made back in 2013 about the level of risk we were
willing to take, and as I say, for a lot of people it has been
very successful. I believe the Commissioner remarked it was
some 23 million people who got their transcripts successfully.
But then, again, we had this incident, and that is the dilemma.
Senator Carper [Presiding.] All right. Thanks.
And the question I asked of the Commissioner this morning,
he used the term ``IP PIN,'' and I asked him just to drill down
and explain to our Committee this morning what was the
relevance of that and why was that important. Would you just
tell us what you think? And we will compare answers. Go ahead,
Mr. Millholland.
Mr. Koskinen. No pressure. [Laughter.]
Mr. Millholland. The use of an IP PIN is an additional flag
that we can provide to those who have demonstrated an ID theft
issue. In that case, then, within the--I will just say the
master file of the IRS, their account, their return, all the
information about them has that flag on it to say this person
had a theft and, therefore, needs to be treated differently. We
would then look for returns that come in allegedly from that
person that do not have that IP PIN with them.
This, of course, necessitates a lot more work from the
point of view of, well, what do you do when the person loses
the PIN? And then you have to have another validation procedure
on top of the one you had to give them still another PIN. Thus,
again, it complicates life, so to speak, but this is all part
of the Digital Age where one has to think through all of those
use cases. What will you do about it if something goes wrong?
And then how do you provision it in a way that for the taxpayer
is relatively easy but yet still maintains the security that
you want to have around such a request?
Senator Carper. OK. Good. Let me ask, Commissioner one last
question, and it is kind of a wrap-up question for me, and you
answered this this morning and this afternoon as well. I am
going to ask you to do it again, and just tell us what can
Congress, particularly this Committee, do to help prevent
future breaches like the one we are talking about, both at the
IRS but also at other organizations.
Repetition is good.
Mr. Koskinen. We need third-party information, particularly
W-2s, earlier. We need to get them when the employees get them
in January so we can match the taxpayer's return with third-
party information.
We need legislation that allows us to mask or put hashtags,
as they are called, on those W-2s and then limit the number of
people who can prepare those by an appropriate competitive
process, because criminals now are so creative, they are
creating false corporations, false W-2s, and then filing
false----
Senator Carper. These guys are not stupid.
Mr. Koskinen. No. They have made enough money and have
enough money that they are a multi-billion-dollar operation out
there with an unbelievable amount of information on individuals
across the world. So if we could get the W-2s earlier, if we
could make sure the W-2s were accurate, if we could increase
the penalties for identity theft and refund fraud----
Senator Carper. By what magnitude? Any idea?
Mr. Koskinen. We have proposals in there to, not make it
unreasonable, but make it unreasonable enough that it increases
the penalties significantly. Those are in our proposals for
this year for legislation that would be very helpful. And then
ultimately, as we talked about earlier, reauthorizing
streamlined critical pay. We always had it for 40. We never
used it for more than 34. It would allow us to continue to
recruit and retain directly the smartest, best people we can
like Mr. Millholland.
Senator Carper. So that you can continue to surround
yourself, as I do, with people smarter than you?
Mr. Koskinen. Smarter than you are, yes.
Senator Carper. There we go. All right. That is good.
Senator Ayotte.
Senator Ayotte. Thank you very much, Senator Carper.
I just wanted to followup, actually. I know that you were
just discussing the IP PIN program, and I believe you also
testified that over a million taxpayers already, as I
understand it, are in this program. But I also, in looking at
the TIGTA report, said that there is still a big gap in terms
of at least for 2013 what we could see that when TIGTA had
looked at it, there were still over a half million eligible
taxpayers, looking at processing year 2013, that the IRS did
not give the IP PIN to.
So can you help me understand, are you sort of overwhelmed
at this point that everyone who wants one cannot have one? Or
is there a reason for that?
Mr. Koskinen. No; there was a reason. At that point, those
were returns a little like the 200,000 we have today--the
100,000 that did not have any access to their accounts, so they
have not been victims of identity theft from the standpoint of
the IRS. So we have indicators on a number of accounts where
there is an indication that there may be an issue, and the IG
raised in that report that we should for those--actually a
total of about 1,700,000 people had some, sometimes minor,
sometimes more significant, indications.
We have historically been careful about the IP PINs. As Mr.
Millholland said earlier, when we issue them, if you lose it,
then we have to go through validating you again, and it is a
burden on the taxpayers. But we took the IG's recommendation to
heart, as we often do, generally do with the IG
recommendations, and this before this filing season we offered,
besides mailing out a million and a half PINs to people who had
them before and got them again, we offered the 1.7 million the
opportunity to get a PIN.
We also have a pilot program that ran this year for the
second year, in Florida, Georgia, and the District, which are
the three major kind of hotbeds historically of ID theft, and
offered taxpayers there, even if they did not have an indicator
of tax identity theft, to apply for an IP PIN if they would
like. And it is a pilot to see what the burden is on the
taxpayers, what the burden is on the IRS, and how effective
that can be.
Senator Ayotte. Well, that was going to be my follow-up
question. Is this something that we can offer opt-in for
everyone?
Because I think there are definitely some of my
constituents that would choose to opt in on this.
Mr. Koskinen. The reason we ran this pilot was to see how
it would work if we offered people the PINs. One of the things
we are looking at right now--if you get an IP PIN, the
requirement is you have to get a new one every year, and you
have to file forever with your IP PIN. One of the things we are
looking at now as a result of evaluating the process is could
we allow people after 3 or 4 years, if they wanted to, to drop
their IP PIN and go back to their Social Security number if
they feel that by this time it is all right?
The other thing is, can we give the IP PIN and have it last
for more than a year? In other words, could we give it to you
for 3 years so that we and the taxpayer do not have the burden
of sending them back and forth? We started initially that way
just to try to get control of them.
So as we get that refined, then we will take a look at is
there a way we could offer more people IP PINs. As you can
imagine, though, if we had 100 million people with IP PINs out
there and they start losing them, which people inevitably do,
we then suddenly have a major influx of calls and revalidations
that go on that would be almost impossible for us in our
present resource-constrained situation to handle.
But we are kind of gradually working into it because, for
someone who has an IP PIN, it is added security. That is why
the 104,000 who had data illegally obtained are being offered
the opportunity to get an IP PIN if they would like.
Senator Ayotte. And as I understand it, you cannot e-file
with an IP PIN, too, so----
Mr. Koskinen. Pardon?
Senator Ayotte. You cannot e-file when you have an IP PIN.
Is that true?
Mr. Koskinen. No; you can. I e-filed this year. I actually
live in the District of Columbia and thought, well, as the
Commissioner, I ought to try the pilot program.
Senator Ayotte. So you can do it with----
Mr. Koskinen. Yes. You can file. Our joint return with IP
PINs for the two of us went through.
Senator Ayotte. So one of the things I wanted to
understand, too, is do you feel you have the legal authority
today to contract with any fraud prevention tools that you
might think are effective for the agency? Or is that authority
that you need from us? Obviously, I know the resources need to
be there, but----
Mr. Koskinen. Right. I have not been made aware of any
legal restrictions on our ability to actually take advantage of
external things. In fact, already, as Mr. Millholland said, for
the out-of-wallet authentication, those questions come from a
third party that we selected by route of a competitive
contract. So at this point, nobody has told me that we are
hamstrung in any way that way, and, in fact, we have spent a
lot of time over the last 4 or 5 years in consultation with
financial institutions and others about what their
authentication is. And as I say, we just spent the last 3
months with States and with the private sector tax preparers
and software developers sharing information about existing
authentication regimes and what we can do among the three of us
to deal with it better.
One of the things we can do, we are thinking about--that I
have always been intrigued by is we could charge you $1 for
your transcript, and then you would pay for it with a credit
card, and that would be a multifactor verification because you
would have to have the credit card handy. Now, of course, there
is enough data out there, some criminals have your credit cards
as well, but they would not necessarily know which one to use
and which one was available. So there are different elements of
that that we are looking into.
Senator Ayotte. You think about the challenges that people
are facing. Right now, on the refund issue, do you screen
refunds for last known bank accounts or mailing addresses which
are consistent with past returns before checks are mailed out?
Mr. Koskinen. We have a whole series of filters in our
system that we generally do not talk a lot about for obvious
reasons.
Senator Ayotte. Sure.
Mr. Koskinen. One thing we have looked at, you have to
understand with addresses, is we are a little less mobile than we
used to be. It used to be 20 percent of people moved every
year. And, in fact, therefore, if we never got anybody moving
with new addresses, we would be suspicious.
Senator Ayotte. Well, and also if you have a multiple
refund situation, it strikes me as being able to look at, where
has there been some consistency on mailing address or bank
accounts, because the multiple refund issue has to obviously
raise a big flag.
Mr. Koskinen. And we cut that. It took us a little while to
catch up with that, but this year, for instance, we would only
send three refunds to a bank account. Beyond that, if whoever
was collecting them, preparers or otherwise, we mailed the
checks.
Senator Ayotte. So one other thing that I wanted to ask
about was what you tell victims, because it strikes me what we
heard from Mr. Kasper who was here, but also have heard this
from other of my constituents, that the IRS did not tell Mr.
Kasper whether his case would be investigated, whether law
enforcement would be notified, or whether there was any action
taken on his case. So if I am a victim and I am trying to
contact the IRS, what is the IRS taking in terms of telling me?
And then for this category of people that you have some
kind of red flag, where there may be an indicator, are you
affirmatively notifying anyone that we are seeing something on
our end that should cause you to examine your financial
records?
Mr. Koskinen. We are. That is one of the reasons we are
writing letters to the 100,000 that did not lose any
information, because we know that there are indications that
criminals have at least some of their personal----
Senator Ayotte. And if they do not use it now, they could
use it in the future.
Mr. Koskinen. They could use it in the future. So we think
it is important for that second group of 100,000 to get a
notice from us to give them an opportunity to protect their
data and their identity to the extent they can. And we have
marked their accounts so that someone cannot file a fraudulent
return on their behalf as we go forward.
But it is important for us--we have a whole series of
people who have been delighted with their care. The people who
handle dealing with ID theft victims, our call center people,
are dedicated to helping them. They go out of their way to try
to be as helpful as they can. There have been, and particularly
early on when we were overwhelmed, 4 or 5 years ago, even up to
maybe 3 years ago, people just did not have a lot of time. But
we have tried to refine both single point of contact internally
but try to make sure that we respond quickly, that refunds are
issued, and that cases are resolved inside of 120 days, because
while people sometimes have a hard time understanding it, we
spend a lot of time trying to help taxpayers across the board
figure out what they owe, how to pay it. And so anything we can
do, particularly for taxpayers in this situation, to help them,
we are going to.
We cannot tell them, because we do not know, whether anyone
is going to actually be charged for that case. It is turned
over to our criminal investigators. They do not prosecute. They
then turn cases over----
Senator Ayotte. Well, and I know my time is up, but one
thing I wanted to understand fully is if you turn it over to
your criminal--I was a prosecutor before this, so if someone
came in to report a crime--and this is a crime, clearly.
Mr. Koskinen. Yes.
Senator Ayotte. We could not tell them all the information
on the ongoing investigation, but we could tell them that, yes,
this is going to be referred to law enforcement, and here is
the law enforcement agency that is going to be handling that. I
have not gotten that sense that that is happening with the IRS,
and is it or isn't it being--I know you have your own
investigators, but does it end there, or does it get referred
to--for example, Mr. Kasper was able to go to a local police
agency.
Mr. Koskinen. Well, one of the things that we advise
people, both on the website and when they call, is they should
actually go immediately and report the case to their local law
enforcement authorities, and they should report it to the
Federal Trade Commission as well, as well as to us, and we
report it--and TIGTA keeps track of all this. So we are
delighted to have as many law enforcement or other people
involved as possible.
So the taxpayers who are victims of identity theft, one of
the pieces of information they should be getting is that they
should themselves feel comfortable directly going and, in fact,
should go--and, in fact, for authentication sometimes we need
an affidavit that they have gone--to local law enforcement.
Senator Ayotte. Well, this is obviously a really important
issue. I want to thank the Chairman and Ranking Member for
holding this hearing. I have a number of questions I am going
to submit for the record, because this issue is one I hope
obviously the Committee works on with you to get this right for
taxpayers. So thank you both for being here.
Chairman Johnson [Presiding.] Thank you, Senator Ayotte.
I just have a couple closing questions, and then we will
give you an opportunity to make some final comments.
Mr. Millholland, when you were setting this thing up,
considering it in 2013 before you set it up in 2014, did you
ever review and take a look at utilizing for that second step
using a phone number or some identifier from an actual tax
return?
Mr. Millholland. There were a number of options we
considered as we were looking at how do you know this is the
person, if you like. Some of that information was considered. I
cannot remember all the factors, so to speak, but we really
came down to say let us use this out-of-wallet approach with a
third party. That seemed to be where the energy was, and it was
like more believable and such that these credit scoring
agencies would have a lot more information about the individual
than we would. And, thus, that is what we basically focused on.
Chairman Johnson. We did have Dr. Fu go through that list
of questions and just pretty well show how incredibly easy it
is to have that information, particularly in light of the fact
that we know we have a billion people whose identities have
been compromised and all that information with Social Security
numbers is readily available. I mean, did you factor that in?
Mr. Millholland. It was factored in in the following way:
Yes, the ease of use of the system for the taxpayer versus our
confidence level at least equivalent to the phone, if somebody
had called in, that this is the person who they say it would
be. I previously remarked that, of course, in hindsight we had
not thought about the mass attack like this. We thought of
individuals coming in to try to fake it, but not the mass. And,
frankly speaking, that is one of the mistakes we made in this.
Chairman Johnson. I appreciate the fact that the IRS has
taken the decision to shut this site down because of the
danger, the risk to taxpayers of losing even more information.
Are you surprised that none of the other government agencies
that are using this have not made that same decision?
Mr. Millholland. I really cannot comment on how they
balance their risks. The whole cyberspace, so to speak, with
these kinds of applications, you always are making tradeoffs of
risks, how risky is it versus the benefit you are getting from
it. As I say, 23 million taxpayers got their transcripts
successfully. That is a tremendous saving in productivity for
them and, of course, a cost savings for the IRS.
Chairman Johnson. Yes, but the IRS has made a decision
because of the risk to taxpayers. What about the Social
Security Administration? What about CMS with Healthcare.gov?
OK, I can understand decisions being made and thinking this
will be secure enough. Now we know it is not secure enough. It
is highly vulnerable. And I guess I will ask you, Mr.
Commissioner, are you surprised that--have you been contacted
by any of these other Secretaries or department heads or agency
heads in terms of the decision you made? And are they mulling
the same decision?
Mr. Koskinen. We have had enough visibility with this issue
that I would assume that everybody is, but I have not been
contacted. And as Mr. Millholland said, they are all dealing
with a whole set of unique circumstances and challenges in
their agencies, and I am confident they will continue to make
the right decisions. And if they need information from us, we
obviously communicate and provide security information across
the government. So at this point, I do not know what they are
doing, and there is no way I can second-guess what they should
be doing or what they have been doing.
Chairman Johnson. So you have not been contacted by Sylvia
Burwell or none of the other agencies that are using this have
contacted you directly to just talk about your experience,
asking you the questions I am asking, and talk about the
decision you made?
Mr. Koskinen. None of them have, and none of them at the
technical level either.
Chairman Johnson. OK. Well, if they are watching here, I
would highly recommend that they get in touch with both of you
gentlemen and start thinking long and hard about whether or not
they ought to be taking their websites down or changing this
very quickly.
Mr. Millholland, how quickly would you be able to set up a
new authentication system with multiple steps that would be
more secure?
Mr. Millholland. The question literally comes down to how
should we extend the multifactor approach into this application
and what level of confidence do we want to have that the person
is who they say they are. This will range from work that we
already have initiated. As I say, we are still doing the
analysis of what happened and such. We have to settle these
13,000 taxpayers right now, but then present the options and
debate it inside.
But I suspect that we will be bringing the decision to the
Commissioner before the end of June of here are the investments
we think we now want to make in hardening this, and then that
will go through a process of decisionmaking. It probably will
involve externals.
Chairman Johnson. How many months do you think it will take
you to actually implement increased security and be up and
running again? Do you have any kind of outside estimate? I am
not going to hold you to it. I mean, is this months or is this
going to be dragging to 2016?
Mr. Millholland. The way I would answer it is to provide a
reasonable level that the people are who they say they are.
Reasonable is in the eye of the beholder, actually, in this
beholder, that we think this person is who they say they are
with this level of confidence. Here is what it will take to do
that. It may involve things like, hey, if you are asking for a
transcript, maybe we ought to have you use your credit card,
another form of authentication, charge you $1 or whatever, so
that at least we now have that additional piece of information
about you. All those things can be done, I will say, in a
straightforward way. Certainly we will do this before the next
filing season.
Chairman Johnson. Through a third-party vendor, will you be
able to access a beefed-up security system other than this? Or
is this going to be something that you are going to have to use
a third-party vendor and implement something within your own
software system?
Mr. Millholland. My leaning right now today is beef up the
use of the tools that are already available from the out-of-
wallet provider. There are a number of technology things we can
do, like, for example, the IP address of the person that made
the request. Are they now switching devices when they make a
second request--that kind of information is known--and a number
of other, I will just say, technology approaches that are
available from that third party.
In addition, there are the other choices we have from a
technology view. What kind of blocks do we want to put on this?
As I said earlier, you only get one e-mail address with one
Social Security number, if you like. That has consequences. As
I say, well, suppose a person wants to change the address, how
easy do we make that? And all those what-ifs unfortunately, Mr.
Chairman, increase costs and the complexity of the solution we
want to put out.
In any case, I think we will be able to make significant
hardening of this particular application certainly before the
next filing season.
Chairman Johnson. So were those capabilities to harden this
security available from the third-party vendor when you were
going through this in 2013? Are these new capabilities? Or was
it primarily just a cost decision that it will harden our
capability but it is going to cost too much?
Mr. Millholland. I frankly do not remember all the
technology capabilities that this particular third party had at
the time. I do know that when we made considerations of the
tradeoffs, the tradeoffs were keeping it easy like it was on
the telephone versus adding this additional layer of questions
and complexity. And that was a frank and vigorous exchange of
views inside the agency about how we ought to do that.
Chairman Johnson. What is the cost of this outside vendor
for this application?
Mr. Millholland. I think it was around 10 cents per
transaction to get per question. I am not 100 percent positive
about that.
Chairman Johnson. It is a per question cost.
Mr. Millholland. Right.
Chairman Johnson. So that thing right there costs 40 cents,
and if you have 23 million accessing this----
Mr. Millholland. It is clearly one of these things that is
negotiable with the particular suppliers. You could say a
bundle of questions could be X amount. All those go into the
contract negotiations and such.
First is the cost of, well, suppose you just kept it the
normal way and let us say we mailed you your tax return. That
is 40 or 50 cents to do that. So all those go into those
tradeoff decisions of benefit versus the risks, and that is
going to be one of the things we have to weigh as we decide how
hardened do we want this.
Chairman Johnson. Mr. Kasper in his testimony said that
when he contacted the IRS and talked about the fact that
somebody had already filed a tax return on that, the IRS did
react by saying that there was something suspicious about the
address being used by the criminal. Do you know what that was?
Mr. Millholland. In Mr. Kasper's case, no, I do not.
Chairman Johnson. Those addresses used, were those easily
identifiable as Russian, or were they addresses in the United
States but somehow you were able----
Mr. Millholland. They were--go ahead.
Mr. Koskinen. I am going to say the IG has asked us not to
speculate in public about where the domains were set up. There
were domains that were set up for this purpose relatively
recently, and we would be delighted to give you that
information off the record.
Chairman Johnson. OK. That is really all the questions I
have. I am happy to give you gentlemen the opportunity to make
a final comment before we close the hearing.
Mr. Koskinen. I appreciate that, Mr. Chairman. First, as I
said to start my testimony, this is a serious issue. We take it
seriously. Protecting taxpayers and their information is a high
priority for us, in many ways the highest priority.
This is, as I said, in many ways a shot across the bow. The
issue we are dealing with here, critical to the taxpayers whose
accounts were accessed, is about a Web access, a Web program we
have that does not have anything to do with our system. But as
I say, we increasingly over the last 3 or 4 years have seen
that more and more of the identity theft we are seeing, more
and more of the attacks we are seeing are coming from organized
crime and syndicates around the world. So it is, as I fondly
say, no longer bean bag. We are actually in the middle of a war
with very sophisticated, well-funded, intelligent enemies.
And so the challenge for us all--and it is not just a
problem for the IRS, not just a problem for government
agencies. It is obviously a problem for everyone in the
financial services industry, everyone who has data, financial
or otherwise, on people, to try to figure out how to battle
this most effectively.
So to some extent, it is a question of funding for how do
we make sure our system is secure across the board as we go.
But it is not just a question of money. It is also a question
of just a continual attempt to assess where you are and where
you are going. So we should always assume that we have to get
better, which means as we get better over time, we will always
be better than we were in the past.
The system of out-of-wallet authentication, already 22
percent of taxpayers cannot answer their own questions. In some
cases it means that the criminals are better able at answering
the questions in some cases than the taxpayers. So to Mr.
Millholland's point, you are always doing that balancing act:
Do you make it inaccessible to taxpayers and increase the
burden, and at what cost? Clearly, I think that with all of the
breaches that have gone on, as I noted, I think--it is hard to
remember what I have noted here and earlier today. The IRS was
one breach out of 25 in the month of May across the world. So,
clearly, we are dealing with unknown volumes of information out
there that dwarf anything we could imagine.
So we are going to continue now, I think, to have to assume
that we are at risk. It is what we assume in our normal day
with our security for the overall cybersecurity issue of our
system, is to assume that we are at risk. So even as we harden
this program and put it back up--and we will not put it back up
until we feel comfortable with it, even then we will run on the
assumption that we are at risk. And we need to do that, and I
think that is the only way we are going to be able to continue
to make progress.
But it is not a simple problem. It is a complex one that is
going to take the best efforts of everyone, and that is why we
are delighted to have what I think is going to turn out to be a
very successful partnership as a result of the Security Summit
we put together with the private sector, because we all agreed
we can do a lot more together working with various levels and
layers of authentication and protection than any group, whether
it is the private sector or the States or the IRS, by
themselves can do, and that is what we are committed to doing
going forward.
Chairman Johnson. Thank you, Mr. Commissioner. Mr.
Millholland.
Mr. Millholland. I have no closing remarks.
Chairman Johnson. OK.
Mr. Millholland. Thank you, though.
Chairman Johnson. I would like to ask consent to enter into
the record two articles,\1\ Krebs on Security and Nextgov,
``Other Agencies Use Same Log-on Procedures As Exploited IRS
Site.'' Without objection, so ordered.
---------------------------------------------------------------------------
\1\The articles referenced by Senator Johnson appear in the
Appendix on page 86.
---------------------------------------------------------------------------
I want to thank both of you for your thoughtful testimony
and your answers to our questions.
Mr. Commissioner, I would ask that you take a serious look
at the Social Security Identity Defense Act of 2015. I think it
really would be a very helpful piece of legislation to allow,
actually require the IRS, when you are made aware of the fact
that identity theft has occurred, to notify the taxpayer as
well as Federal authorities so they can track down the
criminal, and we can end those types of activities. So if you
could look at that, I would appreciate you working with our
staff, and hopefully you can be supportive of that.
With that, the hearing record will remain open for 15 days
until June 17 at 5 p.m. for the submission of statements and
questions for the record.
This hearing is adjourned.
[Whereupon, at 4:28 p.m., the Committee was adjourned.]
A P P E N D I X
----------