[Senate Hearing 114-428]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 114-428
 
 THE IRS DATA BREACH: STEPS TO PROTECT AMERICANS' PERSONAL INFORMATION

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS


                             FIRST SESSION

                               __________

                              JUNE 2, 2015

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 95-655 PDF                 WASHINGTON : 2016       

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                    Keith B. Ashdown, Staff Director
             Gabe Sudduth, Senior Professional Staff Member
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
     Stephen R. Vina, Minority Chief Counsel for Homeland Security
                     Laura W. Kilbride, Chief Clerk
                   Lauren M. Corcoran, Hearing Clerk
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Carper...............................................     2
    Senator Ernst................................................    14
    Senator Ayotte...............................................    16
Prepared statements:
    Senator Johnson..............................................    47
    Senator Carper...............................................    49

                               WITNESSES
                         Tuesday, June 2, 2015

Michael Kasper, Poughkeepsie, New York...........................     4
Kevin Fu, Ph.D., Associate Professor, Department of Electrical 
  Engineering and Computer Science, University of Michigan.......     6
Jeffrey E. Greene, Director, Government Affairs, North America, 
  and Senior Policy Counsel, Symantec Corporation................     8
Hon. John A. Koskinen, Commissioner, Internal Revenue Service, U.S. 
  Department of the Treasury; accompanied by Terence V. 
  Millholland, Chief Technology Officer, Internal Revenue 
  Service, U.S. Department of the Treasury.......................    22

                     Alphabetical List of Witnesses

Fu, Kevin, Ph.D.:
    Testimony....................................................     6
    Prepared statement with attachment...........................    53
Greene, Jeffrey E.:
    Testimony....................................................     8
    Prepared statement with attachment...........................    66
Kasper, Michael:
    Testimony....................................................     4
    Prepared statement...........................................    51
Koskinen, Hon. John A.:
    Testimony....................................................    22
    Prepared statement...........................................    79

                                APPENDIX

Chart referenced by Senator Johnson..............................    85
Krebs Article....................................................    86
Nextgov Article..................................................    89
Response to post-hearing questions submitted by Hon. Koskinen....    92

 
 THE IRS DATA BREACH: STEPS TO PROTECT AMERICANS' PERSONAL INFORMATION

                              ----------                              


                         TUESDAY, JUNE 2, 2015

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:03 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Ayotte, Ernst, Carper, Baldwin, 
Booker, and Peters.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. This hearing is called to order.
    I want to thank the witnesses for appearing here today and 
for your thoughtful testimony. I am looking forward to it as 
well as your answers to our questions.
    We are going to have a little bit of a scheduling struggle 
here. We have some votes at 2:30, and I think we will try and 
keep the hearing going as best as possible, depending on what 
Members we have that can maybe fill the chair. But, again, this 
hearing is all brought about by the revelations last week. I 
got a call from the Commissioner of the IRS informing me of 
the--it is not necessarily a breach. I guess you could call it 
a breach, but it is not your standard cyber attack that we have 
been talking about. This is just simply a breach of 
confidentiality in a system that is meant to assist taxpayers, 
and it brought all kinds of questions to mind: What type of 
authentication system, what kind of security system is being 
utilized here, not only within the Internal Revenue Service 
(IRS) but also other agencies in the government? And what we 
are starting to find out is, well, different agencies--the 
Social Security Administration (SSA), we have the Centers for 
Medicare and Medicaid Services (CMS) with Healthcare.gov, 
similar types of systems. I know the IRS now has shut down the 
Get Transcript program. These are some serious issues that we 
need to address.
    Because we are short on time, I will have my opening 
statement entered into the record,\1\ without objection.
---------------------------------------------------------------------------
    \1\The prepared statement of Senator Johnson appears in the 
Appendix on page 47.
---------------------------------------------------------------------------
    Senator Carper. Without objection.
    Chairman Johnson. Senator Carper is generally pretty good 
about that. But, again, these are serious issues. Because we 
had the compromise of about 100,000 taxpayer Get Transcript 
accounts, the IRS has already tracked that we have had about 
13,000 questionable tax returns filed, and that is, of course, 
why the hackers are doing this, is to get the information to 
quickly file a tax return with good information so it is not 
flagged by the IRS so they can claim tax refunds and obtain 
those before the taxpayer whose identity has been stolen even 
knows about it.
    According to my briefing here, about $39 million has 
already been transferred from the IRS to those criminals. We do 
not know how much more widespread this will be, not only in the 
IRS but also Social Security, CMS, the Consumer Financial 
Protection Board (CFPB). We have a lot of questions that will--
this is just the beginning hearing to get to the bottom of it.
    With that, I will turn it over to our Ranking Member, 
Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman. Thanks for holding 
the hearing, and to each of our witnesses, thanks so much for 
joining us.
    I had a Finance Committee hearing earlier today, and John 
Koskinen, who is the Commissioner of the IRS, was one of our 
two witnesses, joined by the Inspector General (IG) for the IRS 
as well, General George, so I am getting a full dose of this 
today. In fact, we are getting a full dose of this across 
America. And it is a timely hearing. Sorry we have to have this 
kind of hearing, but it is important that we do have a number 
of them.
    Nearly every day, we learn of another major cyber attack or 
data breach on an American company or organization. In many 
ways, we are dealing with what is really an epidemic of online 
theft and fraud. That epidemic is growing at an alarming rate 
and continues to victimize and frustrate more and more of us, 
including my own family.
    Over the past several months, for example, we witnessed 
several major companies in the health care sector suffer major 
data breaches. And, of course, we know that our government 
networks are under constant attack in cyberspace. These attacks 
are growing ever more sophisticated, too. That is happening at 
least in part because our defenses are getting better. Still, 
we must do more to stay ahead of those that would do us harm. 
And we must learn from those instances when criminals have been 
successful in getting past the protections we have put into 
place and can create havoc for us.
    Today we are going to take a closer look at the recent 
cyber attack on the IRS. We will examine what went wrong, how 
the IRS is trying to repair the damage, and what we can do to 
reduce the likelihood that something like this happens again, 
either at the IRS or some other place.
    From what we know so far, though, the attack on the IRS 
appears to have been an especially sophisticated one. We also 
know that the IRS had defenses and fraud prevention measures in 
place at the time of the attack. Yet despite the precautions 
that were taken, skilled criminals were able to use innovative 
tactics to trick the IRS system into releasing past tax 
returns. Given the vast amounts of sensitive information the 
IRS possesses, it is critical that the agency continues to do 
more to protect the American taxpayer. In fact, all agencies 
need to step up their efforts and improve their cybersecurity 
posture. The wake-up call has been ringing for years now, and 
we need an all-hands-on-deck effort to respond to it.
    As we know, cybersecurity is a shared responsibility. Those 
of us here in Congress have an obligation to ensure that 
agencies have the funding, the tools, and the authority that 
they need to adequately protect their systems from attack. 
Unfortunately, Congress has significantly reduced IRS funding 
in recent years, and we have done so while also tasking the 
agency with far greater responsibilities. In fact, the IRS is 
operating at its lowest level of funding since fiscal year (FY) 
2008. These cuts have had real consequences for the agency and 
for American taxpayers. I look forward to hearing from the 
Commissioner today about what he needs to better protect his 
agency from fraud and cyber attacks.
    Here in the Committee, we have been working hard to address 
our country's cybersecurity challenges, I think to good effect. 
Last year, our efforts led to the enactment of four key pieces 
of cybersecurity legislation. One of these bills updated the 
Federal Information Security Management Act (FISMA), to better 
protect Federal agencies from cyber attacks. Another codified 
the DHS cyber operations center. And two others strengthened 
the cyber workforce at the Department of Homeland Security 
(DHS).
    This year, I introduced an information-sharing bill and 
have been working closely on this issue with our colleagues on 
the Senate Intelligence Committee. I have also been working 
closely with Senator Blunt on data breach legislation that will 
create a national standard for how we protect data and 
consumers.
    We must move these important pieces of legislation and 
provide our agencies with the resources they need to tackle the 
growing cyber threats.
    With that, let me thank you again for joining us here 
today. We all look forward to your testimony.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator Carper.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all stand and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Kasper. I do.
    Dr. Fu. I do.
    Mr. Greene. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Michael Kasper. Mr. Kasper is a 
software engineer from Poughkeepsie, New York--love that name--
testifying as a victim of identity theft in the IRS data breach 
that is the subject of this hearing. Mr. Kasper.

     TESTIMONY OF MICHAEL KASPER,\1\ POUGHKEEPSIE, NEW YORK

    Mr. Kasper. Yes, I should clarify. I am one of those 13,000 
who had their transcript and their refund stolen. But before I 
launch into my story, I want to share a few of the things I 
learned along the way, specifically that the Get Identity 
personal identification number (PIN) function on the IRS 
website uses the same authentication as the Get Transcript, so 
I think that that should also be investigated before any of the 
victims are hit 2 years in a row. E-file PINs are even easier 
to get. In my opinion, PIN numbers should probably only be sent 
by mail, like banks and credit cards do at this point.
---------------------------------------------------------------------------
    \1\The prepared statement of Mr. Kasper appears in the Appendix on 
page 51.
---------------------------------------------------------------------------
    I do not believe that punishing the IRS by cutting funds is 
the answer. Indiana is an example where they spent $8 million 
on ID theft and saved $88 million as a result, preventing that. 
So I think you could see a large return because there is so 
much of this going on. Over a million people were victims of 
stolen identity refund fraud last year, $5.8 billion lost. I 
was trying to look for analogies for that. There are usually 
around 5,000 bank robberies a year averaging a similar amount, 
$6,000 each. So this is equivalent to 1 million bank robberies 
every year. In other words, those 5,000 banks are each getting 
robbed again 200 times. It is a massive problem. If the IRS 
cannot handle investigating these cases, maybe they should be 
given to the Federal Bureau of Investigation (FBI). I mean, 
single-digit audit rates for taxpayers make sense, but I do not 
think single-digit criminal investigation rates for these cases 
do make sense. I have heard that that is around what they do. I 
have a source I can give you offline.
    The other thing they could do, which the Senator from New 
Hampshire brought up, about sharing information with the 
taxpayers so that they can pursue it themselves, like I did, 
giving you a copy of the tax return so you can call the bank, 
call the local police. It is important when they share those 
that they do not redact the payment address or bank account 
information, because that is how I was able to get a result in 
my case.
    On February 6, I tried to file my taxes. Later that night, 
Friday evening, I got a rejection. Someone had already filed.
    So on Monday morning, I called the IRS, and they confirmed 
my identity by asking tax history-related questions and showed 
me that a deposit was being made the same day that I was 
calling into somebody's account, but that it was too late to 
stop it at that point. And because I had not called a day 
earlier, now they had to wait until all my paperwork was 
processed by mail, which could take up to 6 months.
    They said they would not contact the bank to tell them 
about it, and they would not tell me what the bank account 
information was so I could do that myself. So I was frustrated 
by that. That is when I tried the Get Transcript function on 
the IRS website to see if I could get a transcript and found 
out someone else had already registered their e-mail address 
with my Social Security number (SSN). IRS e-Services was able 
to disable online access to my account, but they would not tell 
me what the e-mail address was, but they did think it was 
suspicious for some reason. So that was February 9 when I 
called and talked to them about that.
    I was able to get a transcript by mail, though, which is 
when I found out that whoever had filed had seen my 2013 return 
because the information was almost identical. It was kind of 
scary.
    So then I found out I could get a photocopy for $50. They 
had been telling me I could not get the information, but if I 
paid $50, I could get it. So March 17, I got a photocopy of the 
return and saw the bank account number. I also saw they filed a 
corrected W-2 to get $6,000 more, almost $9,000 total.
    But I contacted the bank in Pennsylvania. They confirmed a 
deposit was made in--I guess the metadata in the deposit 
actually showed my name and my Social Security going into 
someone else's checking account. So they told me the location, 
Williamsport, Pennsylvania, where all the money was withdrawn, 
and I contacted the local police there. The bank fraud 
department also investigated and asked them to return it. But 
the local police called me back right away, actually, and went 
and interviewed the person, and it was ironic because the same 
day that they interviewed the suspect, I got a letter in the 
mail from the IRS that they had 6 weeks later received my 
documentation and that they would get back to me in 6 months. 
So it was a pretty stark contrast.
    I also got a letter that week from Anthem Health Care 
offering me free credit monitoring. I do not really know if 
that is related to how my information was obtained. But at this 
point, it seemed like the case was solved, but it turned out to 
be more complicated because the account holder claimed she had 
responded to a Craigslist ad offering a job opportunity. Money 
was deposited into her account, and then she wired large 
amounts of it to Nigeria through Western Union, apparently not 
really suspecting there was anything wrong, or at least not at 
first. But she also got someone's deposit from South Dakota.
    I finally got my refund check on May 12. I really think 
contacting the bank myself helped make a difference. The woman 
who got my refund has been arrested by the Williamsport police, 
so that is some progress on my case. But I have heard from the 
IRS my case is confirmed, but I do not know if they 
investigated it criminally.
    Chairman Johnson. Thank you, Mr. Kasper.
    Our next witness is Dr. Kevin Fu. He is an associate 
professor of electrical engineering and computer science at the 
University of Michigan where he specializes in cybersecurity 
and trustworthy computing. Dr. Fu.

     TESTIMONY OF KEVIN FU, PH.D.,\1\ ASSOCIATE PROFESSOR, 
  DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE, 
                     UNIVERSITY OF MICHIGAN

    Dr. Fu. Good afternoon, Chairman Johnson, Ranking Member 
Carper, and distinguished Members of the Committee. I am 
testifying before you today on the use of what is known as 
``secret questions'' and instant knowledge-based authentication 
(KBA), related to the recent IRS breach. I will explain the key 
properties of instant KBA and try to give you a better 
understanding of the current challenges and vulnerabilities, 
and I will close with some recommendations on what can be done 
in the future to avoid similar large-scale breaches.
---------------------------------------------------------------------------
    \1\The prepared statement of Dr. Fu appears in the Appendix on page 
53.
---------------------------------------------------------------------------
    At Michigan, we teach programming to over 1,300 
undergraduates each year, but we teach a rigorous course in 
computer security to just slightly more than 400 students, and 
I regret that means most of these programmers have no formal 
security training in case you are wondering how the security 
vulnerabilities are born.
    But there are three basic ways to authenticate an identity; 
that is, something you are, such as a fingerprint; something 
you have, such as mobile phone; or something you know, like a 
password or, in this case, a secret question. Or as we like to 
say in the academic circles, it is something you were, 
something you lost, or something you forgot. But today we will 
talk mostly about knowledge-based authentication, and financial 
websites often ask users to opt in to store answers to personal 
questions, such as ``Where did you meet your spouse?'' to serve 
as a backup mechanism to reset lost or stolen passwords. 
However, this is not the kind of instant KBA we are talking 
about today.
    In instant knowledge-based authentication, there is no opt-
in process. Instead, the website--in this case, the IRS Get 
Transcript site--quizzes a user with information gathered from 
credit reports and other sources to gain confidence in a 
claimed identity. For example, a user might be asked to 
identify the bank holding their mortgage from a multiple choice 
list.
    Now, let me highlight some of the strengths and weaknesses 
of instant KBA. The main strength is that it is fairly easy to 
use, relatively easy to use. However, the major limitation is 
that the security rests on the crumbling assumption that 
personal information is secret.
    Now, instant KBA does increase the difficulty of attack, 
but sophisticated adversaries can, nonetheless, circumvent the 
protections at unprecedented scale. A seemingly unrelated 
compromise at one site, such as Target or Anthem, could affect 
the security at a different site, such as IRS.
    Now, only using a stolen wallet, an attacker may struggle 
to answer four instant KBA questions like you will find on the 
IRS website. Unfortunately, this threat model is no longer 
realistic as countless databases of personal information have 
been breached.
    Also, taxpayers get no chance to opt out of the risks of 
instant KBA, and let me point out that the National Institute 
of Standards and Technology (NIST) explains in a technical 
report--I will just cite one phrase--that they write that it is 
``inappropriate to involuntarily expose the privacy of 
unknowing citizens to the risks of an instant KBA 
authentication scheme unless the risks for any individual 
citizen is very close to zero.''
    Now, there are alternatives that might improve the 
effectiveness of the authentication at IRS and other Federal 
agencies serving the citizens of this country. One example is 
what is known as ``second-factor authentication.'' The use of a 
second factor paired with instant KBA can make it more 
difficult for an adversary to impersonate a taxpayer. So a 
popular second factor is possession of a mobile phone, proving 
that you have a mobile phone associated with your account.
    Now, notification is also a challenge. The IRS could 
attempt to use contact information from tax returns to reach 
out to the taxpayer or the accountant to warn of an attempted 
download of a transcript, but such systems are still subject to 
things known as ``phishing attacks'' or ``social engineering'' 
and also would remove the instant gratification of the 
download.
    Now, NIST launched the National Strategy for Trusted 
Identities in Cyberspace (NSTIC) to improve authentication of 
identities, and has a 10-year road map that may help the IRS to 
develop a more cost-effective authentication strategy that 
works well.
    I would like to draw attention to what is used in the 
financial sector, which has been subject to widespread fraud by 
callers on the phone who attempt to engage in identity theft. 
One novel approach already being used today is to identify 
repeat fraudsters by the manner in which they speak and their 
cadence. So it makes it harder for an adversary to impersonate 
100,000 people at once.
    Now, let me summarize and I will leave the rest for my 
written testimony. There will always be fraud, but a reasonable 
goal is to make it difficult for a single adversary to commit 
wide-scale automated fraud. Some recommendations include asking 
NIST to help develop KBA security and performance standards so 
that Federal agencies can more meaningfully debate acceptable 
residual risk to avoid using Social Security numbers or 
financial records as secrets for single-factor authentication 
and consider pairing KBA with a second factor of 
authentication, such as Short Message Service (SMS) messages or 
voice-based fraud detection.
    Finally, encourage research collaboration between 
cybersecurity experts and social and behavioral science to 
carry out human subjects experiments that help to measure the 
risks and benefits of knowledge-based authentication.
    Thank you. I am happy to answer any questions you may have. 
Thank you.
    Chairman Johnson. Thank you, Dr. Fu.
    Our next witness is Jeff Greene. Mr. Greene is the Director 
of government affairs, North America, and senior policy counsel 
at Symantec Corporation where he focuses on cybersecurity, the 
Internet of Things, and privacy issues. Mr. Greene.

    TESTIMONY OF JEFFREY E. GREENE,\1\ DIRECTOR, GOVERNMENT 
  AFFAIRS, NORTH AMERICA, AND SENIOR POLICY COUNSEL, SYMANTEC 
                          CORPORATION

    Mr. Greene. Chairman Johnson, Ranking Member Carper, 
Members of the Committee, thank you for the opportunity to 
testify. I am going to talk a little bit about the broader 
cyber threat environment to put this particular attack into 
context.
---------------------------------------------------------------------------
    \1\The prepared statement of Mr. Greene appears in the Appendix on 
page 66.
---------------------------------------------------------------------------
    As the largest security software company in the world, our 
global intelligence network is made up of millions of sensors, 
so we have a pretty broad perspective on what is going on in 
the Internet today and the Internet threat landscape.
    Recent headlines about cyber attacks have focused a lot on 
data breaches across the spectrum of industries. These 
compromises have deep impacts on individuals who have their 
identities compromised and have to worry about it, companies 
that have their systems penetrated, and also government worried 
about protecting their citizens and also about how to catch the 
criminals.
    The magnitude of the theft of personally identifiable 
information (PII) is really unprecedented. Over the past 3 
years, approximately 1 billion identities have been exposed, 
and those are just from the breaches that we know about today.
    The attackers run the gamut. They can include highly 
sophisticated, highly organized criminal enterprises, 
individual cyber criminals, so-called hacktivists, or State-
sponsored groups. Different attacks range from distributed 
denial of service (DDoS) attacks to highly targeted to widely 
distributed financial fraud schemes.
    Now, a DDoS attack is an attempt to overwhelm a system with 
data. Targeted attacks will typically try to trick someone into 
opening either an infected file, go to a bad link, or something 
similar. And, of course, there are scams and blackmail schemes 
trying to gain money that are still out there.
    Some of these will fill your screen with pop-ups telling 
you that your computer is infected with a fake virus. Other of 
them will lock your computer, purport to be from law 
enforcement, and assert that you have some type of illegal 
content, asking for a fine to be paid in order to regain your 
computer.
    The most recent scheme, though, has gone from trickery to 
straight-up blackmail. Your computer will be locked. You will 
get a screen saying your hard drive is encrypted. Typically it 
will be, and the only way you get access to your data is by 
paying a ransom.
    We are also seeing increasingly complex and sophisticated 
efforts by criminal syndicates to use personal information, 
some stolen, some publicly available, to perpetrate a variety 
of different scams, and that is what happened here with the 
IRS.
    Critical infrastructure like the power grid, the water 
system, and mass transit are also at risk. Last year, we issued 
a report about an attack that we called ``DragonFly'' that was 
focused on the energy sector. It was not the first we have seen 
on the energy sector. In fact, in 2012, cyber attackers mounted 
a campaign against the Saudi Arabian national oil company and 
destroyed 30,000 computers. They essentially wiped them and had 
them display an image of a burning American flag.
    Last year, the German Government disclosed that there was a 
cyber attack on a steel plant that resulted in massive physical 
damage. So we are seeing it across sectors.
    Most of these attacks start with a common factor, a 
compromised computer, and we frequently hear about advanced 
persistent threats (APTs). But the discussion of cyber attacks 
too often ignores the psychology of the exploit. Most rely, as 
Dr. Fu said, on social engineering, essentially trying to trick 
you into doing something that you would never do if you were 
fully aware of the import of your actions. In short, a 
successful attack is usually as much psychology as it is 
technology.
    Good security stops most of these attacks, which often seek 
to exploit older, known vulnerabilities. But many organizations 
and individuals do not have security in place or have not 
patched their systems, and they remain vulnerable to existing 
problems.
    Systems that use these knowledge-based authentication 
systems, or KBA, are increasingly under attack, and we are 
seeing an uptick of these second-generation compromises where 
attackers are using this personal information previously stolen 
or publicly available, harvesting it and using it to either 
access data or establish new accounts for future fraud or 
direct theft.
    To combat these threats, we work with government and 
industry across the world. We have been involved in several 
major botnet takedowns. These are networks of zombie computers 
that have led to some prosecutions. And we also are part of 
what we call the ``Cyber Threat Alliance.'' We joined with 
Palo Alto Networks, McAfee, and Fortinet last year to co-found 
this. This is a group of cybersecurity providers. We share 
advanced cyber threat information, at the same time protecting 
the privacy of our customers.
    So what can all of us do at an individual level? Good 
protection requires a plan. Strong security should include 
intrusion protection, reputation-based security, behavior-
based blocking, data encryption backup, and data loss 
prevention tools. That is organizationally. While the 
criminals' tactics are constantly evolving, basic cyber hygiene 
is still the simplest and the most cost-effective way to stop a 
lot of the attacks out there.
    In fact, early this year, the Online Trust Alliance issued 
a report that showed that 90 percent of the major breaches from 
last year would have been prevented if businesses had 
implemented basic cyber best practices.
    With that, I appreciate the opportunity. I am happy to take 
any questions you may have.
    Chairman Johnson. Thank you, Mr. Greene.
    I will start the questioning with Dr. Fu or Mr. Greene, 
whoever can answer the question. Where does the IRS obtain the 
information they use for the knowledge-based authentication? 
Where is all the data coming from?
    Dr. Fu. So I am not entirely familiar with where IRS 
obtains its data. I am familiar with sister sites where they 
obtain their data.
    Chairman Johnson. OK, go ahead. I just want to know where 
most people obtain this, because this is all commercially 
available, correct?
    Dr. Fu. Correct. The private sector offers services for 
this instant KBA. For instance, one provider, Experian, is used 
by some Federal sites to do exactly the same kind of purpose as 
the Get Transcript, for instance, the Social Security 
Administration.
    Chairman Johnson. And where does Experian get all the data 
from?
    Dr. Fu. I believe they obtain it from credit reports and 
other financial data.
    Chairman Johnson. Does anybody else want to add to that? Go 
ahead, Mr. Greene----
    Mr. Kasper. On the IRS website, if you have an Equifax 
credit freeze, they will not get asked the questions, which 
makes me suspect it might come from Equifax for the IRS.
    Chairman Johnson. OK. What I am trying to get at is where 
do the data mining companies obtain the information from. Every 
time you click on an app, agree to the privacy contracts, 
applications, the cookies? In other words, there is a constant 
flow of information and personally identifiable information 
when we are all using our iPhones and our mobile devices. 
Correct?
    Mr. Greene. Sure. The individual app will depend upon what 
is in the end-user license agreement. There are data 
aggregators whose business it is to aggregate data from 
whatever sources and to sell it. And as Dr. Fu said, a lot of 
it is available from credit reports and elsewhere. So the data 
aggregators put that together, and they use that. And most, 
whether government or private companies, that use KBA use one 
of the credit bureaus or some similar type of data aggregator 
for their KBA services.
    Chairman Johnson. What I would like to do, because I think, 
Dr. Fu, you have been prepped for this, we have a chart\1\ here 
of four questions this was taken from the Healthcare.gov 
website in terms of the authentication we are talking about 
here. Let us just go through and can you describe for the 
audience and for the Members here exactly how easy this is to 
defeat with very limited information or knowledge? The first 
question is, ``Please select the county for the address you 
provided.''
---------------------------------------------------------------------------
    \1\The chart referenced by Senator Johnson appears in the Appendix 
on page 85.
---------------------------------------------------------------------------
    Dr. Fu. Right. So I think some context is important. This 
is the screen presented for the instant KBA. You get four 
questions about your personal finances to answer, but before 
you get to this page, you first have to enter your name, your 
Social Security number, and your address. So the adversary who 
has already reached this stage already has quite a bit of 
personal information.
    So, for instance, if you already know the address of the 
taxpayer, it is very easy to figure out where the taxpayer 
lives, in what county.
    Chairman Johnson. So not a real challenge.
    Second question: ``According to our records, you previously 
lived in Pickwick. Please choose the city from the following 
list where the street is located.''
    Dr. Fu. Yes, so in this particular case, you could rule out 
streets that make no sense in the particular address of the 
taxpayer and basically have a very good chance of getting the 
correct answer.
    Chairman Johnson. No. 3: ``Please select the city you 
previously resided in.''
    Dr. Fu. Right. So because these are culled from financial 
records and if the adversary does have access to breach data, 
this will be readily available.
    Chairman Johnson. And, ``According to our records, you 
graduated from which of the following high schools?''
    Dr. Fu. Right. So with Facebook accounts today, it is 
fairly trivial to figure out a high school somebody goes to. 
Moreover, if one of your friends posts something about you and 
you can figure out their high school, there you have it as 
well.
    Chairman Johnson. Again, when we go back to just these 
highly publicized cyber attacks where all this PII has been 
mined, an earlier witness--I cannot remember which one--said 
about a billion individuals with their PII compromised, within 
the criminal networks, this is the kind of information that a 
criminal would have. They would basically have all this 
information already, correct? Because it is the exact same 
information that these data mining companies are already 
obtaining. So you have a perfect match of the information that 
the data mining companies are using with the information that 
has been criminally obtained through these attacks. Is that 
roughly correct?
    Mr. Greene. Roughly correct, yes. As more PII is stolen, 
the effectiveness of the KBA is going to go down, and you need 
to look at other steps to--you can still use KBA as part of the 
security procedure, but there are new steps, there are 
additional steps you can put in place to try to raise the level 
of security there. And Mr. Kasper mentioned out-of-band of 
communication like mail. So you go through these steps. You get 
to the end of it. Instead of saying, OK, we now know you are 
Jeff Greene, it says we are going to send a piece of mail to 
Jeff Greene's address with a PIN number or some identifying 
number, and that would make it much more difficult for the 
criminals because that relies on the known address.
    Chairman Johnson. So, again, the point of this is if a 
criminal has all that personal information, they have all this 
information already, basically. So this is very easy for them 
to accomplish what they did with the IRS. Correct?
    Mr. Greene. Yes----
    Chairman Johnson. And, obviously, it is pretty simple, 
because they attempted 200,000 accounts, and they got into 
100,000.
    Mr. Greene. Correct, on an individual level, yes.
    Chairman Johnson. Mr. Kasper, I would like to just have you 
describe your frustration in trying to deal with the IRS once 
you understood--which, by the way, your case was first 
published, what, March 15?
    Mr. Kasper. Well, March 30. I think it was March 30.
    Chairman Johnson. OK. But, again, it was somewhat 
publicized. I know we have either from the testimony and 
discussions with the IRS, they were fully aware of this, and 
yet they made a decision to continue with this type of 
authentication.
    Mr. Kasper. I remember Brian Krebs said that the U.S. 
Treasury Inspector General for Tax Administration (TIGTA) 
was a frequent visitor to his site in his referrers when he posted 
the article. So I think TIGTA was aware.
    Chairman Johnson. So, again, just describe to us, kind of 
tell your story in terms of when you found out about this, you 
started contacting the IRS, how they responded.
    Mr. Kasper. Yes, it was frustrating not being able to find 
out who had stolen my information because I did not know how 
they had gotten it. I did not know if there was a virus on my 
computer. I did not know if someone had stolen something from 
my home. I did not know how the information had gotten out 
there. And there was nothing that I could do about it other 
than wait 6 months. I went to my local IRS office. They said, 
``We cannot help you.'' They literally could not give me any 
more information now that I had reported it as fraud.
    Chairman Johnson. Did they give you any reason why they 
could not help you further?
    Mr. Kasper. They said privacy rules. At every step of the 
case, when I tried to get more information, they would say 
privacy rules prevented them from doing that, when the person 
who they were protecting had already taken advantage of my 
privacy.
    Chairman Johnson. OK. Well, we will have the Commissioner 
here in the next panel, so we will ask him exactly what those 
privacy rules are. Senator Carper.
    Senator Carper. Thanks, Mr. Chairman.
    Mr. Kasper, you talked about what might not be helpful in 
deterring similar attacks in the future, and I think you 
mentioned the amount of resources that we, the Congress, 
provide to the IRS to do the job. Would you just go back and 
sort of revisit what you said to us?
    Mr. Kasper. Yes, I was referring to how in Indiana they 
were using analytics-based methods of detecting fraud and 
additional verification, and basically had invested $8 million 
additionally into trying to prevent this thing; whereas, at the 
IRS I understand they have had like a 5-year hiring freeze, 20-
percent budget cuts, so that they are not doing those types of 
things, as far as I understand.
    Senator Carper. Commissioner Koskinen was before us today 
in the Finance Committee this morning, and we talked a little 
bit about this. We talked about cost-benefit payoffs, and he 
was talking about fairly senior-level IRS employees that are 
schooled in the cyber world, cyber warfare, and that they are 
unable to retain a lot of them. These people are highly in 
demand. And for a relatively modest amount of money, we will 
say in the million dollars or two, they were--instead of paying 
that money in order to attract and retain the kind of talent 
that they needed, they incurred losses many times that amount. 
How does that strike you?
    Mr. Kasper. Yes, it seems like there could be a very big 
return on investment for trying to prevent this fraud more, and 
especially in the technology industry, there is a lot of 
competition for talent. And going to work for the IRS is not on 
the top of people's list when they are looking at which high-
tech company they want to go work for, when you have the budget 
restrictions and just other factors with trying to get people 
to go and work there and help them with this problem--although, 
they have a lot of people working on it who are doing a lot of 
good things, but they are not able to keep up with the cyber 
criminals.
    Senator Carper. All right. When we had Commissioner 
Koskinen before us this morning, I asked him, in terms of the 
way the IRS is treating folks who are victimized, if you will, 
because of these attacks, I asked him how the Golden Rule 
played into that in terms of treating people, in this case 
those who were victimized. How do we treat them in a way that 
is consistent with the Golden Rule, treat other people the way 
we want to be treated? Would you just maybe draw on your own 
experience and see if the way you were treated was consistent 
with treating others the way we would want to be treated?
    Mr. Kasper. Well, I made the analogy to my contact with the 
local police department, which was not even in the same State 
where I lived, but the IRS has an identity theft hotline 
dedicated for all the people who call, but all they do is sort 
of like empathize with you, tell you, the different steps you 
can take to put a freeze on your account. They cannot really do 
anything for you. So you really cannot get any help directly 
from the IRS. They go off and they investigate your case, which 
they tell you right off the bat could take 6 months, and you 
really do not get any more information than that once you 
report it. It either gets resolved or it does not. They never 
tell you why. Wanting to know is a big part of the problem. You 
want to know what happened, and you cannot find out.
    Senator Carper. Let me ask Dr. Fu and Jeff Greene, and we 
will come back to you, Mr. Kasper. But if you were in our shoes 
and you were a member of the Homeland Security Committee 
interested and concerned about these issues, maybe you know 
people who have been hacked, maybe you have been hacked 
yourself, give us one or two things that you would do if you 
were in our shoes. I think one of you maybe once worked over in 
the House and had a chance to wrestle with these kinds of 
policy issue. So, Dr. Fu, give us one or two things that we 
ought to be doing in response.
    Dr. Fu. Well, from a policy point, actually I will refer to 
Mr. Greene; he talked about the psychology of the exploit. And 
one of the problems is on the science and engineering side 
there is very little understanding about how to measure these 
kinds of authentication systems, how well they work. There are 
quite a few negative results about how they do not work, but 
there is very little on the instant KBA. So encouraging those 
in academia, for instance, who work in cybersecurity to also 
work with those in the social and behavioral sciences could be 
helpful in discovering what kinds of authentications will work 
well for the entire U.S. population. That is one example.
    Senator Carper. OK. Do you have another one?
    Dr. Fu. Well, on the technological side, there are 
approaches like the two-factor authentication I mentioned. It 
is interesting to note that IRS did use a second factor of e-
mail confirmation and, in fact, Google in a recent report 
published last week has recommended that you do that. And so 
the IRS did follow that recommendation, yet the intruders did 
still circumvent it.
    Senator Carper. How do you suppose they did that?
    Dr. Fu. I would imagine----
    Senator Carper. They work for Google?
    Dr. Fu. No, I do not work for Google.
    Senator Carper. No, I was saying that----
    Dr. Fu. Oh, I am sorry. My understanding when you register 
on the Get Transcript site is that you register an e-mail 
address, and you have to wait to receive a confirmation before 
you can go to the next step of filling out those four personal 
questions. So the adversary had to set up presumably a large 
number of e-mail accounts in order to receive that confirmation 
code to go to the next step. However, had they instead also 
paired it with some kind of phone number, it would increase the 
difficulty of having to compromise multiple systems.
    Senator Carper. All right. Thanks.
    Mr. Greene, let us just say you are back in your old job 
over in the House and giving advice to guys and gals like us. 
What advice would you have for us?
    Mr. Greene. I think on the technical side, Dr. Fu said 
about encouraging two-factor authentication and recognizing 
there is a difference between identity verification when you 
initially set up an account. If you are sending the 
confirmation to the e-mail you asked for when they set up the 
account, it is circular. So you are still dealing with the same 
person, some type of out-of-band communication, whether through 
the phone or through a letter. So that is on the front end.
    On the back end, once you have established the account, 
using some kind of two-factor authentication to make sure that 
no one has the stolen information the Chairman was talking 
about is important on the policy side. Research and development 
(R&D) and technical experts, the Science, Technology, 
Engineering and Math (STEM) training, I am sure you have heard 
that frequently we need more STEM experts. Information-sharing 
legislation will help, it will not be a panacea. We do 
encourage it. We just caution that it is incremental steps to 
fighting this. Those are several of the things that we would 
like to see. The government can set an example. If we can 
improve the use of KBA through two-factor in the government, I 
think the market and the private sector will follow.
    Senator Carper. All right. Thank you so much.
    Chairman Johnson. Senator Ernst.

               OPENING STATEMENT OF SENATOR ERNST

    Senator Ernst. Thank you, Mr. Chairman, and thanks to our 
panelists for being here today. This is a very timely issue. I 
am glad we are able to discuss it right away, so I thank the 
Chairman and the Ranking Member for calling this hearing.
    I do have, as I am sure most folks do, very serious 
concerns about the implications of this type of data getting 
out there and how easily it seems to be obtained by these 
people hacking into different systems. So I look forward to 
learning more about it and hearing your additional thoughts on 
it.
    But what I would like to find out just from you, either Dr. 
Fu or Mr. Greene, is: Are there readily available private 
sector solutions for this that could be compared? The website 
you talk about the KBA. Are there private sector firms that use 
this type of information? And what is the best way to replace 
what we are doing now with a better, more secure system?
    Mr. Greene. So there are security measures, certainly, 
Senator, you can put in place. Many of the KBA back ends are 
provided by the private sector and, in fact, are used by the 
private sector. The security that worked 3 to 5 years ago is 
not working as well today because of the information that was 
stolen.
    Through the initial log-in process, when you are setting up 
the account, there are two ways I look at it. One is: How do 
you prevent a fraudulent account from being set up? How do you 
stop it before it happens? And that would be through some form 
of two-factor authentication, improving KBA, and there are 
different ways to do it, one of which we have talked about, the 
phone or a letter.
    On the back end, to try to see who is doing this activity, 
there are ways to basically take the data logs from the servers 
that are logged in, perform analytics on them, and see if you 
are seeing a pattern of activity that is indicative of some 
level of fraud.
    Now, to some degree, for a few people, the horse is going 
to be out of the barn at that point, because you may already 
have some false log-ins. But you need to be looking at it from 
both ends, and we are never going to be able to stop 100 
percent of it. But as the criminals get more sophisticated, the 
tools that worked well become less effective. And I think that 
is where we are with KBA, and there are ways to improve it 
going forward.
    Senator Ernst. Dr. Fu.
    Dr. Fu. Well, let us see. I think I have two different 
responses. One is NIST, so NIST actually has proposed this 10-
year road map called the National Strategy for Trusted 
Identities in Cyberspace, and, in fact, they already have given 
advice to IRS, and there is a published report. And I think 
that the Federal systems will find better authentication 
systems if they do engage with NIST and take the advice of 
NIST's independent, non-regulatory experts. They have a wealth 
of information on the technologies, the risks, the benefits.
    There is also a number of companies working in the two-
factor authentication space. I do not know any that 
specifically work on, for instance, protecting taxpayer 
information, but one company local in Ann Arbor, Duo Security, 
for instance, uses a mobile phone as a second factor. So when 
they attempt to have their customers log in to some kind of 
service, not only do you need to have a password, but you need 
to have a mobile phone present, and the idea is that it is more 
difficult for an intruder to physically steal your mobile phone 
if they are somewhere in a foreign country.
    There is also some interesting innovation by a company that 
I believe had come out of Georgia Tech, PinDrop Security. They 
actually work for financial services companies. They listen to 
the audio of the phone calls as people call in, and they are 
able to actually identify the repeat offenders who are calling 
in pretending to be other people based on the delay in the 
phone line from what country they are coming from, some 
interesting characteristics of the copper wires. You could use 
some of these advanced technologies not to eliminate but at 
least reduce the risk of fraudsters trying to go from one 
fraudster doing 100,000 accounts to at least making it more 
difficult to scale up to so many different accounts from one 
adversary.
    Senator Ernst. Thank you. And, Mr. Kasper, I am sorry you 
have had to go through this experience, as so many others have. 
You had indicated that the IRS thought the e-mail account--and 
maybe I read this somewhere, that the e-mail account was 
suspicious. Was that from your testimony or was that somewhere 
else that I read that?
    Mr. Kasper. Yes, I do not remember the exact words that 
they used, but when I was on the phone with them, they said, 
``Hmm, yes, that does not seem right,'' or something like that.
    Senator Ernst. Yes, it makes me wonder, especially if these 
are coming from foreign adversaries, that if they have a 
different e-mail address that indicates it is coming from, 
originating from a foreign nation, that that is something that 
could be flagged to require additional information. I do not 
know if that is something else that could be considered.
    Mr. Kasper. Yes, there are probably some analytics they 
could do just on the domain name, because they highlighted that 
200,000 had these suspicious domain names. But it is also very 
easy to get a Hotmail or Yahoo e-mail account and automate that 
and have some type of process for taking advantage of it.
    So there are things that it seems like they were not doing 
with monitoring those servers and transactions that they could 
have been doing.
    Senator Ernst. Well, thank you.
    Mr. Kasper. Like the Internet Protocol (IP) addresses and 
all that.
    Senator Ernst. Exactly. And do any of you know, has the IRS 
reached out to any private sector providers to try and correct 
the system that they have now or done any sort of control 
measures? Do any of you know?
    [No response.]
    OK. That is a question for our next panel. Well, I 
appreciate it very much. I thank you for your time, and 
hopefully we can get to the bottom of this and find better ways 
of utilizing our information systems. Thank you.

              OPENING STATEMENT OF SENATOR AYOTTE

    Senator Ayotte [Presiding.] While the Chairman is voting, I 
am going to sit here, but it is my turn to ask questions, so I 
actually wanted to ask you, Mr. Kasper, you referenced the 
recent response I got from the Commissioner of the IRS, and 
what actually prompted me to write this letter, similar to your 
experience, is that I have had a number of constituents come to 
me and some really troubling cases where they just were getting 
the runaround from the IRS, that they could not actually get 
the fraudulent return so that they could then pursue protecting 
themselves in the way that you did. And so I was glad, 
obviously, to hear that the Commissioner is now--they are going 
to change their policy, and I am going to have some followup 
questions on how they intend to implement that going forward in 
the next panel. But what I wanted to ask you about was a couple 
of things.
    First of all, you referenced a $50 fee. Who did you have to 
pay the $50 to?
    Mr. Kasper. Well, the check was to the U.S. Treasury, but 
it was IRS Form 4506, and I mailed it to Missouri or somewhere, 
or Kansas City, and paid $50. It was an IRS fee to get that 
photocopy.
    Senator Ayotte. So you had to pay the $50 to get what you 
were able to get about your return?
    Mr. Kasper. To get a photocopy of the return which showed 
the account number, I had to pay the $50.
    Senator Ayotte. And then, also, how were you originally 
notified that you were a victim of identity theft?
    Mr. Kasper. On February 6, I got the e-mail notice that my 
attempt to file was rejected. So I got the rejection notice, 
and there was a code in there and an explanation that it was a 
duplicate tax identifier, which just a little time on Google I 
figured out that is identity theft, so I need to call the 
identity theft hotline.
    Senator Ayotte. And when you called, how many different 
people did you deal with?
    Mr. Kasper. At least four or five. It was about 1 or 2 
hours on hold each time that I called.
    Senator Ayotte. So four or five different people and each 
time 1 or 2 hours on hold?
    Mr. Kasper. That is correct.
    Senator Ayotte. And so did you have to retell your story 
each time to each new individual?
    Mr. Kasper. I believe so. I mean, like I said, they were 
very sympathetic, but they really could not do much for me.
    Senator Ayotte. You really used your own thought process 
and investigating your own case. I mean, you did a really good 
job investigating your own case.
    Mr. Kasper. So far. It was really bothering me not knowing 
who had gotten this information.
    Senator Ayotte. Right. But the IRS would not give any 
information about what they were actually doing to pursue the 
case?
    Mr. Kasper. Correct, other than that it seemed very 
unlikely they were investigating it.
    Senator Ayotte. Did they tell you even that they had 
reported it to law enforcement?
    Mr. Kasper. No. They never told me they had reported it to 
law enforcement or even to the bank. When I contacted the bank, 
the bank specifically said 6 weeks later, ``The IRS never 
contacted us about this deposit.''
    Senator Ayotte. And, obviously, then they said that they 
did not give you any followup of whether there was any kind of 
investigation conducted or any outcome of it?
    Mr. Kasper. No, I got a letter saying they had received my 
fraud affidavit, which was the one I got the same day the 
police were interviewing the person. And then at the end, after 
the bank had reported it to the IRS and then the case was 
resolved, the day after I got the check, I got a letter saying, 
``Your identity theft case has been confirmed,'' the day after 
I got the check.
    Senator Ayotte. After you got the check?
    Mr. Kasper. Yes.
    Senator Ayotte. And one of the things that, as I listen to 
what you have to say, this is something I have been hearing 
time and time again, and obviously I think why we are having 
this hearing and how important it is that we get to the bottom 
of not only preventing these types of thefts, but also a better 
response to them from the IRS. And what I wanted to followup 
with, Dr. Fu and Mr. Greene, is on the issue of--you mentioned, 
Dr. Fu, one potential third-party fraud prevention tool based 
on voice analysis, as I understand it. What other fraud 
prevention tools exist in the private sector could the IRS 
harness potentially to help us address this? And was this 
something you think that we should be pursuing as we talk to 
the IRS about this issue? Because it seems to me that there is 
already a lot being done in the private sector that could be 
transported to the government sector as we look at this growing 
challenge.
    Dr. Fu. Well, I think one of the challenges for the Federal 
Government is that--especially the IRS, you cannot deny any 
particular customer, so you have a very diverse customer base 
compared perhaps to the typical private sector enterprises. 
Now, there are a number of fraud detection systems out there, 
but it would be difficult to legislate technological solutions. 
But I think it would be worth at least conducting studies to 
understand if some of these approaches might work at all, a 
pilot program, for instance.
    NIST in particular has quite a bit of expertise in carrying 
out pilot programs and making strategic recommendations on 
authentication in particular.
    Senator Ayotte. Do you have any thoughts on that?
    Mr. Greene. The IRS Commissioner, this morning when he 
spoke, recognized that prior security measures become obsolete 
pretty quickly, and it is the proverbial race. You are 
constantly needing to improve, going beyond. KBA may have 
worked well in the past. Going beyond that in the future to 
step it up, there are ways. You can add the other factors. You 
can add the type of data analytics that Mr. Kasper talked 
about. Putting some of that in place can help you detect it a 
little sooner. Looking for patterns with certain e-mails, if 
they are very similar--if an e-mail has a string of letters or 
numbers and you keep seeing incremental increases and you see a 
pattern like that, those are the types of tools that you can 
put in place monitoring on the back end.
    Senator Ayotte. I thank you all. We are at the tail end of 
a vote here, so I am going to adjourn this, and I believe 
Chairman Johnson will be back. But we will be right back in the 
Committee, and we will take a recess, not adjournment. Sorry. 
Thank you.
    [Recess.]
    Chairman Johnson [Presiding.] We would like to call the 
hearing back to order.
    What we would like to do is just give the witnesses an 
opportunity, if there is something that you have not been 
asked, if there is another comment or another piece of 
information you would like to provide in testimony, why don't 
you do that right now? Then we will dismiss you and seat the 
next panel.
    So we will start with you, Mr. Kasper.
    Mr. Kasper. I just wanted to mention that I have been 
watching a lot of the hearings on the subject, and John 
Valentine from the State of Utah had testified previously that 
he had talked to someone at the IRS who told him they were 
seeing a pattern of previous years' tax information being used 
to submit fraudulent returns as early as last year, which, 
coincidentally, is the same time the Get Transcript function 
was introduced.
    Chairman Johnson. Who is Mr. Valentine?
    Mr. Kasper. I do not remember the name of the agency, but 
it is the agency that handles the State taxes for Utah. He had 
testified in the Senate Finance Committee about that issue and 
about their lack of getting information from the IRS at that 
time.
    Chairman Johnson. OK.
    Mr. Kasper. Because they noticed a bunch of these 
suspicious returns this year and reported them to the IRS that 
they had this pattern. Data from last year was being used this 
year, and they reported that to them early in February of this 
year that that was going on.
    Chairman Johnson. OK. Well, thank you, Mr. Kasper. Dr. Fu.
    Dr. Fu. Yes, well, I would like to just comment that with 
regards to the sample four questions to authenticate with this 
instant KBA, I think it would be rather relatively easy to 
actually write a program to rule all this out, and perhaps that 
is actually what was done to accomplish this particular breach. 
And in computer security, we often refer to these technologies 
as sort of ``security theater'' where they can give a sort of 
happy, squishy feeling for the consumer because you are doing 
some action to make you feel good, but it is always hard to 
know whether it is actually improving your security. And, in 
particular, with instant KBA there is very little understanding 
right now about how to measure the quality of the security of 
KBA, and I think we need improvements in that space if we are 
going to continue to use it.
    Chairman Johnson. Let me quickly ask you, because I 
actually had a conversation with another Senator on the walk 
down, in terms of what happened here, would there be computer 
programs that are programmed to utilize all this personal 
information and do this quickly? Or is this going to be a very 
manual process in terms of logging on to Get Transcript and 
logging in the information? Do you understand the question?
    Dr. Fu. Are you asking me----
    Chairman Johnson. Can this be----
    Dr. Fu. The attacker, how automated it is?
    Chairman Johnson. Yes.
    Dr. Fu. I believe this can be fairly automated. In fact, 
when I used to work in the industry, we would write scripts to 
automate filling out web forms. So this is something you would 
almost be taught as an undergraduate. So I would expect a 
sophisticated adversary to be able to do it quite well.
    Chairman Johnson. And then because the IRS was having that 
second layer--I forget exactly what you called it, but they 
were asking the hacker to enter----
    Dr. Fu. An e-mail address.
    Chairman Johnson. An e-mail address, and then that was 
reauthenticated. Would they have had to have separate e-mail 
addresses? Would they have had to have 200,000?
    Dr. Fu. I do not know the answer to that. My guess would be 
that--you would have to talk to the IRS, but I would imagine 
they would be very easily able to audit if somebody reuses an 
e-mail address. But as we know, it is fairly easy to create a 
new e-mail address, and I have to say so many of them are just 
gmail.com that the domain is not always going to be too 
telling.
    Chairman Johnson. OK. So they would not necessarily have to 
be real e-mail accounts--or they would have to be real e-mail 
accounts, so you would just be setting these things up by 
literally hundreds of thousands if not millions to do this.
    Dr. Fu. Correct.
    Chairman Johnson. OK. Mr. Greene.
    Mr. Greene. Senator, your question about automating, I 
asked that precise question of some of our experts who spend 
their days analyzing attacks and malware. They did not have any 
specific knowledge of this attack, but their response was this 
would be very easy to automate soup to nuts.
    Now, it still is a complex logistical effort. There was a 
big effort involved, but the task of writing the scripts was 
not--they expect it was automated and do not believe that it 
was not the most highly sophisticated scripting. I guess what I 
would add is this is not the first successful compromise of 
KBA, but it has certainly received the most publicity, and most 
people do not get into crime to work hard. Copycats are pretty 
common. So I think we are likely to see more KBA attacks both 
on the private sector entities that use it and the government. 
Now is the time, I think, to look at your organization, if you 
are using it, to make sure that you have some type of second 
factor or are dialing up the sensitivity of your monitors, of 
your sensing, to look for anomalous activity, because I suspect 
that there are criminals out there right now looking at this 
successful attack and saying, ``How can I duplicate that 
somewhere else?'' They are going to reuse what they can.
    Chairman Johnson. This really does answer the question why 
are these cyber attackers accessing this PII from all these 
different companies, accumulating it. This is the reason why, 
so they can utilize it this way. Correct?
    Mr. Greene. Well, and the information itself has value. 
This is an interesting attack, and this is different in kind 
than a lot of the major breaches we have seen in the sense 
that--I view this as not a breach, but 100,000 individual 
compromises. There are major breaches that have led to the 
release of millions of identities. These attackers stole money. 
In a lot of the breaches, they are stealing identity 
information to sell it. But at the same time they stole the 
money, they also acquired a lot of information. Mr. Kasper's 
tax records, his tax transcript has information that has--it is 
akin to breaking--if I broke into your house to steal $1,000 
and I saw a valuable ring, I am going to grab the ring, too, 
and then try to sell that. So they stole the money, but they 
now have more data that they will sell to others to use. There 
are very active black markets trading in this information.
    Chairman Johnson. And, again, what is the use for that 
personal information then?
    Mr. Greene. It can be anything from future tax fraud to 
trying to open credit cards. Health care records are now very 
valuable. We have seen the value of them jump up dramatically. 
Some health care records we have seen are worth 2 to 10 times 
as much as a credit card nowadays.
    I joke that I carry a Fitbit that transmits my data of 
my steps. That is not the Fitbit specifically, but there is a 
lot of data being transmitted that is not particularly secure. 
But if there is a way to monetize it, there is a criminal out 
there trying to figure out how to do it.
    Chairman Johnson. And, again, once you automate an attack 
like this or a breach like this, you have already got the 
automated program; you have the software. It is very easy to 
replicate it or modify it for a new type of criminal scheme. 
Correct?
    Mr. Greene. Correct, to modify it, and most of the data 
that was used for these 100,000 compromises was probably 
previously stolen or just sucked off of a public website. It is 
a combination. We are all putting information out there that we 
do not even know about. Dr. Fu said our friends post stuff.
    Chairman Johnson. So, again, with the software program, one 
individual could have pulled this thing off.
    Mr. Greene. I think it would probably be a more 
sophisticated, more organized effort than that, from soup to 
nuts, to go through it. It might have been only one----
    Chairman Johnson. How many people?
    Mr. Greene. I would be happy to get back to you. I can 
check with some of our experts to see what they would say.
    Chairman Johnson. OK. Again, I am just trying to get the 
scope of this, the ease, how to replicate this. Is this a 
harbinger of things to come? Is it just the tip of the iceberg? 
Again, we have a billion people who have had their PII stolen, 
and this is what it is being used for, among many other things.
    Mr. Greene. The experts in our response team thought that 
this is most likely, again, from reading the outside reports, a 
criminal organization. So this is--and they have business 
plans. They have organizations set up to do all this, and they 
are looking, I am sure, at their next target.
    Chairman Johnson. OK. Again, I want to thank all three of 
you for your thoughtful testimony, your thoughtful answers to 
our questions, and we appreciate it. This will be very helpful 
in terms of us building the record of exactly why this Congress 
really needs to pass a bill that at least takes the first steps 
in providing, for example, the information sharing or the 
threat signatures, these types of attacks, so that when other 
people experience something similar, we can maybe prevent some 
of these things.
    So, again, thank you for your testimony, and have a good 
day. And we will call the next panel.
    [Pause.]
    This is perfect. Welcome back.
    Senator Carper. Thank you.
    Chairman Johnson. I will have to be leaving here pretty 
quickly myself.
    Again, I would like to thank the Commissioner and Mr. 
Millholland for coming to testify. It is the tradition of this 
Committee to swear our witnesses in, so if you would rise. I 
should be able to have this thing memorized. That is OK. There 
we go.
    Do you swear the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Koskinen. Yes.
    Mr. Millholland. I do.
    Chairman Johnson. Thank you. Please be seated. I really do 
have that memorized, but I like to get it accurate.
    Our first witness will be John Koskinen. Mr. Koskinen is 
the 48th Commissioner of the Internal Revenue Service, a 
position he has held since his confirmation in December 2013. 
Previously, Commissioner Koskinen served as the non-executive 
chairman of Freddie Mac from 2008 to 2012. Mr. Commissioner.

 TESTIMONY OF HON. JOHN A. KOSKINEN,\1\ COMMISSIONER, INTERNAL 
 REVENUE SERVICE, U.S. DEPARTMENT OF THE TREASURY; ACCOMPANIED 
 BY TERENCE V. MILLHOLLAND, CHIEF TECHNOLOGY OFFICER, INTERNAL 
        REVENUE SERVICE, U.S. DEPARTMENT OF THE TREASURY

    Mr. Koskinen. Chairman Johnson, Ranking Member Carper, and 
Members of the Committee, thank you for the opportunity to 
appear before you today to provide information on the recent 
unauthorized attempts to obtain taxpayer data through the IRS's 
``Get Transcript'' online application.
---------------------------------------------------------------------------
    \1\The prepared statement of Mr. Koskinen appears in the Appendix 
on page 79.
---------------------------------------------------------------------------
    Securing our systems and protecting taxpayers' information 
is a top priority of the IRS. Even with our constrained 
resources as a result of repeatedly decreased funding over the 
past few years, we continue to devote significant time and 
attention to the challenge. At the same time, it is clear that 
criminals have been able to gather increasing amounts of 
personal data as the result of data breaches at sources outside 
the IRS, which makes protecting taxpayers increasingly 
challenging and difficult.
    The unauthorized attempts to access information using the 
Get Transcript application were made on approximately 200,000 
taxpayer accounts from questionable e-mail domains, and the 
attempts were complex and sophisticated in nature. These 
attempts were made using taxpayers' personal information 
already obtained from sources outside the IRS.
    It should be noted that the third parties who made these 
unauthorized attempts to obtain tax account information did not 
attempt to gain access to the main IRS computer system that 
handles tax filing submissions. The main IRS computer system 
remains secure, as do other online IRS applications such as 
``Where's My Refund?''
    To access Get Transcript, taxpayers must go through a 
multistep authentication process to prove their identity. They 
must first submit personal information, such as their Social 
Security number, date of birth, tax filing status, and home 
address. The taxpayer then receives an e-mail from the Get 
Transcript system containing a confirmation code that they 
enter to access the application and request a transcript.
    Before the request is processed, the taxpayer must respond 
to several out-of-wallet questions designed to elicit 
information that only the taxpayer would normally know, such as 
the amount of their monthly mortgage or car payment.
    During the middle of May, our cybersecurity team noticed 
unusual activity on the Get Transcript application. At the time 
our team thought this might be a ``denial of service attack,'' 
where hackers try to disrupt a website's normal functioning. 
They ultimately uncovered questionable attempts to access the 
Get Transcript application.
    Of the approximately 100,000 successful attempts to access 
the application, only 13,000 possibly fraudulent returns were 
filed for tax year 2014 for which the IRS issued refunds 
totaling about $39 million. We are still determining how many 
of these returns were filed by the actual taxpayers and which 
were filed using stolen identities.
    For now, our biggest concern is for the affected taxpayers 
to make sure they are protected against fraud in the future. We 
have marked the accounts of the 200,000 taxpayers whose 
accounts were attacked by outsiders to prevent someone else 
from filing a tax return in their names, both now and in 2016. 
Letters have already gone out to the approximately 100,000 
taxpayers whose tax information was successfully obtained by 
unauthorized third parties. We are offering credit monitoring 
at our expense to this group of taxpayers. We are also giving 
them the opportunity to obtain an identity protection personal 
identification number (IP PIN) as it is known. This will 
further safeguard their IRS accounts.
    We are also in the process of writing to the 100,000 
taxpayers whose accounts were not accessed to let them know 
that third parties appear to have gained access from outside 
the IRS to personal information such as their Social Security 
numbers. We want these taxpayers as well to be able to take 
steps to safeguard that data. The Get Transcript application 
has been taken down while we review options to make it more 
secure without rendering it inaccessible to legitimate 
taxpayers.
    The problem of criminals using stolen personal information 
to impersonate taxpayers is not a new one. The problem of tax 
refund fraud exploded from 2010 to 2012. Since then we have 
been making steady progress both in terms of protecting against 
fraudulent refund claims and prosecuting those who engage in 
this crime. Over the past few years, almost 2,000 individuals 
were convicted in connection with refund fraud connected with 
identity theft.
    Additionally, as our processing filters have improved, we 
have also been able to stop more suspicious returns at the 
door. This past filing season our fraud filters stopped almost 
3 million suspicious returns before processing, an increase of 
over 700,000 from the year before. But the criminals continue 
to become more sophisticated and creative. For that reason, we 
recently held a sit-down meeting with the leaders of the tax 
software and payroll industries and State tax administrators. 
We all agreed to build on our cooperative efforts of the past 
and find new ways to leverage this public-private partnership 
to help battle identity theft. We expect to announce more 
details shortly.
    Congress plays an important role as well and can help by 
approving the President's fiscal year 2016 budget request, 
which provides for $101 million specifically devoted to 
identity theft and refund fraud. A key legislative request, 
among others in the budget, is a proposal to accelerate 
information return filing dates generally to January 31. This 
would assist the IRS in identifying fraudulent returns and 
reduce refund fraud related to identity theft.
    Ranking Member Carper, Members of the Committee, this 
concludes my statement, and I would be happy to take your 
questions.
    Senator Carper [Presiding.] Mr. Commissioner, I do not want 
you to assume that because all of my colleagues have left that 
we are not interested in what you and Mr. Millholland have to 
say. We are very much interested. We have a series of five or 
six votes in a row, and we are voting about every 10 minutes, 
and we are trying to keep this moving. This bipartisan 
cooperation, this is what happens when you can collaborate. We 
will see if we can keep it going, but thank you for bearing 
with us, and hopefully we will be able to sit back down and ask 
some questions when we are all together.
    All right. Mr. Millholland, nice to see you. Thanks for 
joining us. I have not seen Commissioner Koskinen since this 
morning. He testified before the Finance Committee.
    Mr. Koskinen. I am fondly referring to this as a ``double 
header.''
    Senator Carper. There you go. Day-night. What did Ernie 
Banks used to say? Remember Ernie Banks, great shortstop for 
the Chicago Cubs, on weekends when they played Sunday double 
headers, he would say to his teammates before the game would 
start, he would say, ``Let us play two.''
    Mr. Koskinen. That is exactly where I picked it up.
    Senator Carper. Go ahead.
    Mr. Millholland. Sir, I do not have an opening statement.
    Senator Carper. All right. Mr. Commissioner--are you here 
to correct his answers? Is that what your role is? OK. He is 
actually pretty good, so you may not have much to do.
    As we have discussed a time or two before, Congress has not 
given the IRS the funding that you need to fulfill your 
missions, have not done it for a while, and I think that is 
unfortunate because every additional dollar spent by the IRS, 
as we know, to ensure tax accuracy and improve program 
integrity brings in at least $6, and I have heard even greater 
amounts than that. We had some conversation today about what 
investments in compensation, ways to attract and retain some of 
the senior-level, most difficult to hire and find skill sets in 
cybersecurity, how those investments pay way more than $6 for 
every dollar we invest.
    But what has been the practical impact of the budget cuts 
on your operations, such as staffing levels, investments in 
technology, and your ability to engage in program oversight and 
integrity activities, please?
    Mr. Koskinen. Well, I would stress that the particular 
challenge we are faced with the Get Transcript application was 
not a result of a budget issue.
    Senator Carper. I understand.
    Mr. Koskinen. It is an authentication question that we need 
to continue to deal with. Authentication is a challenge for us 
across the entire spectrum.
    The budget challenge is that this is really a shot across 
the bow. As noted, this attack was sophisticated, complicated, 
run by apparently organized crime syndicates who operate here 
and around the world. And the challenge for us is not just the 
authentication for this application, which has now been taken 
down and which we will improve. The challenge is the continual 
attempts and attacks the agency is under with regard to its 
basic database. As noted, our basic filing system was not 
affected by this attack, and it is secure. But we run an 
antiquated system, and over the last several years, the 
underfunding of the information technology (IT) investment has 
meant that we have been able to replace a lot of antiquated 
systems less quickly, less rapidly as we would like. It leaves 
us more vulnerable. We are running some applications that have 
been running for 50 years. We are running other applications 
that are no longer supported by the software developers and 
manufacturers.
    So we have a difficult challenge competing with organized 
criminals who have resources and have turned this into a 
business. They have collected almost unbelievable amounts of 
personal information from people here and around the world in 
massive databases, and they have one commitment, which is to 
attack not just the IRS but attack across the board other 
financial institutions and individuals.
    I referred to a website yesterday that has indications, 
reports of 25 data breaches and identity theft activities that 
took place in May. We are one of the 25. There are 24 others 
that took place around the world. So it gives you an idea of 
the magnitude of the challenge we are facing. It continues to 
be one of our highest priorities to make sure we do everything 
we can to protect taxpayers, but that means we are going to 
have to continue to invest in the system and in the people who 
run those systems to make sure they are as secure as possible.
    Senator Carper. OK. Thank you. You spoke to us earlier 
before the Finance Committee today about the streamlined 
critical pay program. You may have alluded to that in your 
comments here before this Committee. But could you talk a 
little bit about why that program is worthwhile and why 
investing in it can pay way more dividends in terms of reducing 
the impact on the Treasury, adverse impact on the Treasury?
    Mr. Koskinen. When the restructuring act for the IRS was 
passed in 1998, the agency was given the ability to hire up to 
40 executives with streamlined critical pay.
    Senator Carper. Tell us what that means. I think I know.
    Mr. Koskinen. Streamlined critical pay means much as if you 
were in the private sector, you can find someone, as we did 
with the head of our Information Technology, Mr. Millholland, 
you can find them in the private sector, you can recruit them, 
select them, offer them a job. They can take it immediately and 
begin to work immediately. That is the streamlined part.
    The critical pay part allows you to pay, if necessary, 
above the Senior Executive Service (SES) level, although a 
number of people that participated in that program did not get 
additional pay, but that is the critical pay aspect of it. It 
has been used primarily for information technology and other 
critical technological and intellectual capacity. The Inspector 
General issued a report last December in which he noted the 
program had been run appropriately over the period of time.
    Mr. Millholland was telling me recently that we had two 
senior IT executives we wanted to hire, who were willing to 
come work for us, but were not willing to participate and wait 
for the several months it takes to be approved for government 
employment as a career employee, and also were not satisfied 
with the maximum compensation we could offer absent the 
critical pay aspect.
    So presently we have people across the IT spectrum who are 
on critical pay. We have lost almost half of the people on 
critical pay when I began a year and a half ago because their 
term ran out. The three critical data, compliance data 
analytics people, including our expert in authentication, left 
the agency at the end of last year because his term ran out. We 
have not been able to replace him appropriately.
    We hope that we will be able to get the authorization to 
resume the program which would allow us to recruit the kinds of 
people, a handful of them, that we need at the top of IT, that 
we need at the top of international tax administration.
    Senator Carper. Good. Thank you. I said this morning, Mr. 
Millholland--I do not know if you were in the audience when the 
Commissioner spoke before the Finance Committee, but I said in 
my life sometimes people ask me why I have had some success, 
modest as it is. And I always say because I picked the right 
parents, and the other thing is because I have always 
surrounded myself with people smarter than me. And if you look 
at some of the people that we are trying to attract and retain 
at IRS to help us deal with these cyber issues, they could make 
a whole lot more money in the private sector, as you know, and 
are, but the reason why they are serving where they are is 
because they are doing something for their country, and they 
feel a need to do that.
    Mr. Millholland, just very briefly, there was some 
discussion earlier, I think in the first panel, about two-
factor methods, and I think with respect to using stronger 
authentication technologies, and they talked about, for 
example, two-factor methods like sending a letter with a 
password or calling an individual's phone with a password. 
Facebook, Google, and Bank of America are just a few of the 
major names.
    How are you moving forward in using the so-called two-
factor authentication technology? And when will you have it 
fully implemented, please? Just very briefly. Thank you.
    Mr. Millholland. Sure. I want to distinguish between inside 
use and use of somebody connecting to the website. Inside use, 
we already use two-factor authentication, with variations of 
those, including personal identity verification (PIV) cards, for 
example--that is, the Homeland Security Presidential Directive 
12 (HSPD-12) cards. And there are a number of ways to implement 
two-factor authentication.
    For the external, we fundamentally have to decide are we 
going to set up accounts for taxpayers so that they can file 
directly. If we were to do that, and discussions have started 
with the Commissioner and others about should the IRS deal 
directly with taxpayers in the filing of their returns, we 
would want to set up accounts like you would have with a 
financial institution. If we were to do that, we would go with 
multifactor authentication; that is, certainly an ID, a 
verification that the person is who they say they are, with far 
more confidence than what we did with this particular Get 
Transcript application, perhaps use of biometrics, perhaps use 
of something like Connect.gov, something else that gives us 
that additional proof that the person is who they say they are.
    Senator Carper. OK. Thanks so much. My time has expired. 
Senator Ayotte.
    Senator Ayotte. Thank you so much.
    Senator Carper. Thank you.
    Senator Ayotte. I want to thank both of you for being here. 
Commissioner Koskinen, let me just thank you up front for your 
response to my letter of May 28, and I think this is really 
important that you are going to change the policy that you have 
in terms of providing tax returns to those who find themselves 
to be victims of identity theft. And what prompted me to write 
you that letter is I am sure many of my colleagues could share 
similar stories, but one was a woman, the Weeks family, and 
they learned last year, when they went to file their tax 
return, a month after their 7-year-old daughter had been killed 
in a car crash that, in fact, someone had claimed their 
deceased child as a dependent. In fact, what the IRS told Mrs. 
Weeks was that their deceased child's Social Security number 
had been used three times, and then she had a really hard time 
getting any more information. She could not get any information 
from the IRS, and, similarly, in terms of who used it, what 
happened, even getting copies of the returns and trying to 
understand what happened.
    Another family I had, after having surgery and 
complications that prevented one of the members of the family 
from returning to work for 3 months, she filed their tax 
returns, this family did as soon as they could, and they really 
needed the return because they were in jeopardy of losing their 
home. And what they found out when they filed their return, the 
wife discovered that someone had already filed a tax return 
with using her Social Security number, and she was told that it 
would take her 4 to 6 months to process any kind of refund 
because of this identity theft. And they became delinquent on 
their home and faced foreclosure, and this was one where my 
staff was able to intervene and help them in time to save their 
home.
    And I wanted to use these real stories because your 
response to me is very important. What we heard earlier today 
from Mr. Michael Kasper--and perhaps you had a chance to hear 
what he had to say as a victim of identity theft--who testified 
before this Committee is that the process of not being able to 
get a return or information, it makes these victims--obviously 
puts them in a worse position, because Mr. Kasper went through 
a long process, finally had to pay $50 and got information that 
allowed him to go to the bank and to try to protect himself and 
actually resulted in finding out who did this.
    So what I wanted to understand is with this new procedure, 
how long do you think it will take to put this in place? And 
will all victims of tax-related identity fraud be able to 
request copies of their fraudulent returns? And can you give me 
a sense--I have constituents coming to my office. Do you have a 
sense of how big this problem would be in New Hampshire and 
across the country? And those are some of the first questions I 
have.
    Mr. Koskinen. First of all, I appreciated your letter, and 
I was delighted that we were able to review the situation and 
remedy it. We hope to in a very short period of time have the 
new process up where we can redact any information that might 
look like it would be a violation of the so-called 6103 and 
give taxpayers access to the false return so they can get an 
idea of exactly what it looked like and what they have to deal 
with, and we should be able, as I say, to have that system up 
and running within a matter of no more than 3 weeks, to be able 
to do that.
    As I have said in other contexts, the access to Get 
Transcript is really just another form manifestation of 
identity theft. These are criminals who already knew and had 
enough information to file a false return. What they were 
trying to do was get more information so they could file a 
better false return. As noted, the reason we have stopped 3 
million returns, suspicious returns at the door is because we 
keep improving the sophistication of our filters which detect 
anomalies. So if you can eliminate the anomalies, you are 
better off.
    But we continue to try to do whatever we can to help 
taxpayers. For instance, as I said, the notification to the 
104,000 who had data access, those letters are out. They should 
have those already in the next few days. But we need to, as 
quickly as we can, provide support to taxpayers. When the 
problem exploded 4 or 5 years ago, it would take us up to a 
year to be able to straighten out a taxpayer's account. We now 
have it down to an average of 120 days. Our goal really is to 
get it even shorter than that as we go.
    It is a problem. We have IP PINs in the hands of about a 
million and a half taxpayers who have had fraudulent, false 
returns filed. They are spread across the country, and, again, 
it is an ongoing challenge for us. One of the issues we need to 
continue to do as much as we can is develop filters at the back 
end to stop returns, but increasingly do authentication of the 
front end, and that is why we have this partnership with the 
private sector and the States. When I pulled them together 3 
months ago, H&R Block into it and others, I said, ``The purpose 
of this meeting is not for me to tell you what to do. The 
purpose of this meeting is start a discussion where we can work 
together, the private sector, the States, and the IRS, to 
figure out how jointly we can do a better job of protecting 
taxpayers.'' Because as you know with your cases, there is 
nothing more traumatic to an individual than to feel that their 
data has been violated, has been stolen. And it is not only the 
difficulty of getting a refund--70 percent of people who file 
with us get refunds--that you may need immediately, but it is 
that lack of certainty of where else is this information 
available.
    Senator Ayotte. Right, and that is why I think it is 
important that the taxpayer be given as much information as 
possible to protect their own financial interests. And one of 
the things we heard from Mr. Kasper, who was here, but it is 
also a similar experience that I have heard a lot about--in 
fact, Nina Olson, the Taxpayer Advocate, noted in her annual 
report that victims often must ``navigate a labyrinth of IRS 
operations'' and recount their experience time and time again 
to different employees. And so Mr. Kasper's experience was four 
to five different people, waiting an hour or two on the phone 
for each. Has thought been given to assigning one person when 
someone becomes an identity theft victim to that individual 
rather than calling back up again and being put back sort of 
in----
    Mr. Koskinen. It is a problem that we have been focused on. 
When we started, ID theft was spread around various parts of 
the agency. We have now consolidated all ID theft issues, 
particularly for taxpayers, into one location so that they will 
actually be able to go one place and tell their story once. The 
Taxpayer Advocate, whom I work with closely and I have great 
admiration for, and I have a disagreement about whether there 
should be a single individual, because the problem with a 
single individual as opposed to a single entity is that if you 
call, they could be on vacation, they could be at lunch, they 
could be somewhere else. Most call centers, if you call any 
commercial enterprise and then call back, you do not get a name 
to talk to. What you do get when you call back is they know 
what your call is about. They have a record of what you said. 
And that is the system that we are building. So that a taxpayer 
can call a special number for ID theft. They do not have to 
battle through the lack of service we are able to provide 
generally. And when they call the second time, if they have to, 
they will not have to repeat the story. The record of what 
their situation is will be readily available to the next 
available operator for them. And I think our experience is and 
the private sector experience is that is a more efficient way 
to provide the service to taxpayers rather than for them to 
have to depend upon the location of a given individual.
    But the point that the Taxpayer Advocate raised initially 
was extremely right, that we cannot have taxpayers have to 
themselves navigate the various aspects of the IRS operations, 
and we are working to, in fact, as I say, consolidate that to 
give taxpayers one-stop shopping, as it were.
    Senator Ayotte. Thank you. I know my time has expired, and 
I will stick around for another round when we get through our 
votes. But thank you.
    Chairman Johnson [Presiding.] Thank you, Senator Ayotte.
    Mr. Commissioner, we had Mr. Michael Kasper, and in his 
closing comments, he talked about a gentleman named John 
Valentine--I believe he must be working for the Utah Department 
of Revenue--that apparently contacted the IRS in February of 
this year, talking about seeing returns with prior years' 
information, very close, basically looked like fraudulent 
returns. Were you aware of that? Or were you, Mr. Millholland?
    Mr. Koskinen. We were aware, obviously, of the difficulties 
with filings that basically took place in a number of States, 
including Utah and Wisconsin and others, in January, had a 
symptom identified with them, and that is that they had access 
to the prior year's returns, and those returns primarily were 
filed only at the State not at the Federal level. But it was 
out of that concern that I pulled together what is called the 
``Security Summit'' in March to pull everybody together to say, 
OK, what is going on and, most importantly, what can we do 
together that we cannot do separately.
    So we were aware of that situation, and we have been 
working with the States and with the private sector since then.
    Chairman Johnson. You were aware of Mr. Kasper's situation 
then? I guess Krebs on Security had a blog posting on March 30.
    Mr. Koskinen. Yes.
    Chairman Johnson. You were aware of that personally as well 
as the IRS was.
    Mr. Koskinen. Yes, we were. And, in fact, as we have been 
tracking back through everything, I am not allowed to talk 
about particular taxpayers, but as a general matter, let me 
just say that we took all of that information into 
consideration and were in the process in April of beginning to 
take a look at adjustments, made some adjustments already 
during the filing season to issues around Get Transcript, and, 
in fact, were developing and are developing with the States a 
protocol that will, in fact, improve the security significantly 
as we go forward. But we will not put the site back up until we 
are confident with its security.
    Chairman Johnson. But you were aware at the end of March, 
but you decided not to make any changes at that point in time.
    Mr. Koskinen. I know we made some changes, which I would be 
happy to talk to you about more privately, but we did not 
change the fundamental security aspect of Get Transcript. Our 
plan was to take a look at that and roll it out toward the 
middle or the end of June.
    Chairman Johnson. You were made aware of the actual breach 
of a couple hundred thousand--well, 100,000, but an attempt on 
200,000 different accounts on about May 18th. Is that correct?
    Mr. Koskinen. Yes, it would have been about May 18, and it 
was mid-May when we thought it was a denial of service, and 
then on Thursday--someplace around here I know where that date 
is. I can tell you for sure.
    Chairman Johnson. OK. But then about 2 weeks later, you 
decided to shut down----
    Mr. Koskinen. Actually, we knew there was a denial of 
service attack on May 14th--or we suspected that. We then knew 
and I was advised by Thursday, May 21, that, in fact, there had 
been--less than a week ago, 10 days ago, I was advised that 
there had been a breach. We continued to investigate that. We 
had already notified Homeland Security and other security 
people, as well as the Inspector General. And then the 
following Tuesday, it was the Memorial Day weekend, as we got 
more details and knew what we were dealing with, we made an 
announcement to the public and started mailing out letters.
    Chairman Johnson. OK. And you shut down the site then with 
how many----
    Mr. Koskinen. We shut down the site probably on Tuesday or 
Wednesday----
    Mr. Millholland. It was Thursday morning.
    Mr. Koskinen. I guess the Thursday morning before the 
meeting with me they had shut down the site.
    Chairman Johnson. So within a week or so, something like 
that. OK.
    Mr. Koskinen. From the time there was an indication of a 
problem until the time--which was originally thought to be a 
security problem, until the site was taken down was a week.
    Chairman Johnson. OK. Mr. Kasper was talking about his 
frustration that he had contacted the IRS and could not get any 
information on this, that it would take about 6 months. And 
there are always privacy concerns. That was the reason why the 
IRS could not give him more information. Can you talk about, 
why would it take 6 months? What are those privacy laws you are 
dealing with that you could not communicate with the taxpayer 
whose identity had been stolen through an IRS system? Why the 
time lag? What are those privacy laws that prevent the IRS 
from----
    Mr. Koskinen. Privacy laws that we are concerned about--and 
as Senator Ayotte raised issues with us, Section 6103 says we 
cannot reveal to anyone any taxpayer information. We cannot 
share it even with other government agencies unless there is a 
statutory exception that allows us to do that.
    So the challenge we had when taxpayer information--
fraudulent returns were filed, first you have to determine who 
is the fraudster and who is the legitimate taxpayer. Second, 
there was a concern that if we issued a copy even of a 
fraudulent return, it could have other taxpayer information 
that had been stolen in that return, and technically it is a 
criminal violation for us to reveal that.
    I do not know why it took anybody 6 months. It should never 
take you 6 months to get through the system. But basically what 
we have set up is a situation where we can simply redact any 
third-party information in a return and give the taxpayer a 
copy of the fraudulent return so they will know exactly what 
was in there.
    Chairman Johnson. And how long a time do you think that 
process should take then?
    Mr. Koskinen. That process, we have a special hotline for 
identity theft, and if you get a notice that you have been 
returned, there is no reason you should not be able to get a 
copy of that return promptly.
    Chairman Johnson. Promptly means?
    Mr. Koskinen. Promptly within--if you call us, I do not 
know why you could not have that return within a week.
    Chairman Johnson. OK. In Wisconsin the Guenterbergs had 
their identities stolen quite a few years ago. Again, the IRS 
could not--even though they knew they were fraudulent returns, 
they understood there was identity theft, they were prevented, 
again, under apparently the same privacy statute, from 
contacting the Guenterbergs, and as a result, they continued to 
have their identity being stolen and victims of that.
    I have introduced a piece of legislation. It is called 
``The Social Security Identity Defense Act of 2015,'' to allow 
you to provide that information of identity theft. Is that a 
piece of legislation you will support?
    Mr. Koskinen. We would be delighted to be able to. Our 
biggest problem, for instance, with law enforcement is when 
there has been identity theft, we cannot give the law 
enforcement authorities that information without the approval 
of the taxpayer involved. So to the extent that for law 
enforcement purposes, for protection against identity theft, we 
are allowed to provide information to either law enforcement 
authorities or others who need to know to prevent further 
identity theft, that would be helpful.
    Chairman Johnson. Mr. Millholland, I am actually surprised 
that having noticed, found out about this breach on May 18, you 
already know that there have been 13,000 fraudulent returns 
filed from those same breached accounts and $39 million of tax 
refunds have been sent to those criminals. How did the IRS get 
that information so quickly?
    Mr. Millholland. Part of our analysis was to go in and look 
at every one of these attempts and see what they were doing and 
such. And, thus, the mapping process, the data analysis process 
of taking each one of these e-mails, tracking down what domains 
those e-mails were going to, determining how many Social 
Security numbers had different e-mail addresses, all that then 
were worked so we could block those particular Social Security 
numbers from getting any more information. But it also allowed 
us then to go dive into the IRS master file and associated 
systems to say, all right, how many of these people actually 
filed returns? How many of them did not file returns? The 
Commissioner provided some numbers on that. That has led us 
down to this approximate 13,000 that may or may not be 
fraudulent. We are not sure yet.
    Chairman Johnson. As long as we are talking about those e-
mails, so you have that two-step authentication that required 
the criminals to get another--a signal from or a text or an e-
mail to that account. Did those have to be separate e-mail 
accounts?
    Again, the 100,000 accounts that were successfully 
breached, that was a two-step process. Did those have to be 
separate e-mail accounts? Were they separate e-mail accounts?
    Mr. Millholland. They did not have to be. It was one of the 
design flaws.
    Chairman Johnson. OK. So that is a design flaw.
    Mr. Millholland. Absolutely.
    Chairman Johnson. OK.
    Mr. Koskinen. But part of our problem is because we do not 
communicate with taxpayers yet electronically, so we never send 
e-mails back or forth because we have no security for them. If 
we could as part of our development and refinement of our 
systems be able to communicate electronically, it would 
accomplish a lot of goals, one of which would be the two-factor 
authentication then would be much more significant. Financial 
institutions and others, when you want to change your password, 
they send you a key to your e-mail address because they know it 
is your e-mail address.
    Chairman Johnson. That is a relatively significant flaw and 
a pretty easy fix that, each e-mail, in terms of this 
authentication, has to be a unique e-mail. Correct?
    Mr. Millholland. That would be going forward, is absolutely 
correct.
    Chairman Johnson. OK. So that is a corrective item that 
needs to be done almost immediately.
    Mr. Millholland, knowing that this authentication process 
is being used by Healthcare.gov, the Social Security 
Administration, and other agencies in the Federal Government, 
have any of those agencies or departments been in contact with 
you to discuss what happened at the IRS? And are they 
considering shutting down their sites?
    Mr. Millholland. I cannot speak to whether they are 
shutting down or not, but we have had conversations, just most 
recently this last Friday, with the Social Security 
Administration on what do they do to authenticate. So that kind 
of conversation is going on there.
    In addition, we have had, although it has been a bit of 
time, with the VA, again, how do they authenticate. So I will 
call it ``best practices'' amongst government is much better 
known.
    Chairman Johnson. So Healthcare.gov, CMS, the U.S. 
Department of Health and Human Services (HHS) has not been in 
contact with you in terms of their authentication and their 
concern about similar type of breach of their system?
    Mr. Millholland. Not with me. Perhaps with other parts of 
the IRS, but not with me.
    Chairman Johnson. OK. I would like to find out whether they 
have. I think that is pretty serious.
    [Pause.]
    I do know that, Mr. Commissioner, you did mention budget 
cuts as one of the potential problems, but this really had 
nothing to do with budget cuts. Correct?
    Mr. Koskinen. In my testimony, as I have said, this issue 
was not a budget issue. I have tried to make that clear all 
along. I do not want anybody to think--while we have 
significant budget challenges, I do not want anybody to think 
that every problem we have is a budget problem. There are 
issues and challenges we have that are management questions. 
There are other issues. Our problem here for the budget is not 
fixing the authentication on this side. Our challenge for the 
budget is, in fact, upgrading and protecting our entire system, 
which is at this point secure, but under continual attack.
    Chairman Johnson. Mr. Millholland, this knowledge-based 
authentication, you are using an outside vendor to provide you 
this type of information. Correct? That was from 
Healthcare.gov, but yours is very similar. Correct?
    Mr. Millholland. We use a third-party source for 
information beyond the type of questions that--if someone 
called, they are asked a series of questions. Then we go to 
these out-of-wallet questions to a credit scoring agency.
    Chairman Johnson. Again, that taxpayer personally 
identifiable information, that is not held within the IRS 
anywhere. Correct? That is all held by an outside vendor?
    Mr. Millholland. That is correct.
    Mr. Koskinen. That is correct.
    Chairman Johnson. Is there any personal information that 
the IRS stores that is not obtained by the IRS directly from 
the taxpayer? Do you go to any outside vendor anywhere in the 
IRS and then store it within the IRS' system?
    Mr. Millholland. I do not believe so, but possibly Criminal 
Investigation (CI), maybe.
    Mr. Koskinen. That is a good catch. As a general matter, we 
have no personal information from people that they have not 
provided us. The Criminal Investigation Division does in its 
investigations pursuing criminal cases accumulate data and 
information that they go after. If we do an audit of someone, 
an examination where we are actually examining their records, 
we may accumulate information about demonstrating whether they 
are following the tax laws. But even that is not in a database 
that the IRS is keeping on individuals. The only data we have 
in our major database is the information that comes from filing 
of taxes. And that is a lot.
    Chairman Johnson. Again, that is simply on a case-by-case 
basis, that information.
    Mr. Koskinen. That is right. Both the investigations and 
the examination are just on case-by-case pursuit of particular 
issues.
    Chairman Johnson. Is the IRS in any kind of analytics 
utilizing information from credit card companies, Mr. 
Millholland or Mr. Commissioner?
    Mr. Koskinen. Yes. Under a statute provided by Congress, as 
individuals we all at the end of the year get a credit card 
summary of your expenses. We get on what is called the 1099-K, 
we get that information for all merchants. So for the first 
time in history, we have third-party information about what 
small and medium-sized, even larger businesses are doing as far 
as credit card receipts. So that comes in. Then we have to 
decide what to make of it because all it tells us is what the 
credit card receipts are.
    Now, the really out of it small businesses are filing 
returns with less revenues than their credit card receipts, so 
those are sort of low-hanging fruit. But beyond that, we do not 
know what their expenses are. More importantly, we do not know 
what their cash receipts are. So that data needs to be 
analyzed. We need to try to figure out what do we know as a 
result of that data. How can we begin to model what an average 
business in a certain industry in a certain area ought to look 
like based on the data we are getting out of those credit 
cards? And we think the biggest part of the tax gap is an 
estimated $135 billion of underreporting by small and medium-
sized, some large businesses, and this is the first time we 
have ever had third-party information. So there is a 
significant amount of data analytics around that information.
    Chairman Johnson. Are you getting individual transaction 
information? Or are you just getting a summary of----
    Mr. Koskinen. We are getting summary data. It is obviously 
voluminous. It is as a result of a year's transactions. We do 
not know what an individual bought, whether they bought, had 
their car washed or had it serviced or whatever else. What we 
are getting is, in fact, the receipts, this many credit cards, 
this many dollars in funding provided to that organization.
    Chairman Johnson. So is this kind of akin to a 1099 then? 
You are using this--so you can trace the fact that if it is a 
small business who is obviously receiving revenue through 
credit cards, you are matching what that business has reported 
for income versus the----
    Mr. Koskinen. The summary amount--exactly.
    Chairman Johnson. So that is what this is being used for.
    Mr. Koskinen. Yes, exactly.
    Chairman Johnson. OK. Mr. Millholland, I see that you used 
to be chief technology officer at Visa International. Is there 
any government agency taking a look at individual transactions 
from the credit card companies that you are aware of?
    Mr. Millholland. Not that I am aware of, no.
    Chairman Johnson. Because we do hear that the CFPB is 
looking at individual transactions and trying to come up with, 
for some purpose.
    Mr. Millholland. Again, not to my knowledge, sir.
    Chairman Johnson. OK. Senator Carper, do you have further 
questions? Thank you.
    Senator Carper. Mr. Millholland, do you feel up to one 
more? All right. We want to get our money's worth out of you 
today. Here is the chance to do it.
    Again, thank you both for being here and for your hard 
work. We are lucky to have you serve our country. We are 
grateful.
    It seems that there are some valuable lessons to be learned 
from this incident. We have talked about some of them this 
afternoon, and we certainly talked about them this morning 
before the Finance Committee with the Commissioner. But I would 
just ask you, Mr. Millholland, what are your plans for ensuring 
that breaches like this do not happen again or at least we 
reduce significantly the likelihood that they will happen 
again? And have you updated your security procedures in fraud 
prevention methods to account for this particular attack?
    Mr. Millholland. I call it a work in progress at the 
current point in time. As I say, the Commissioner pointed out 
the timeframes. It has only been a week since we shut the site 
down. We are completing our data analysis of what happened and 
when did it happen. Did the problem extend beyond this group of 
200,000? So we can get basically all the facts and data in one 
place.
    In addition, there are investigations outside of the IRS 
going on that we have to, let us just say, maintain the 
environment for.
    But beyond that is then what could we have done 
differently? This particular application was designed the way 
that the phone system was designed; that is, we make a phone 
call. We designed it very much that same way in the sense of 
provide an easy way for the taxpayer to get a copy of their 
information. We extended it because it was electronic to these 
out-of-wallet questions as such. The debate inside was how many 
of those should we have. What degree of confidence would we 
have if, instead of asking 4 or 5, we asked 15 or 16? Each one 
of those questions that you ask can increase the confidence 
level that it really is the person who you think it is. I think 
if you ask 16, you are in the 99-percent range of confidence. 
But that is then a burden on the taxpayer and such. So the 
decision point inside is how easy do you make it versus the 
risk that you are wrong kind of thing.
    The one aspect I would say that in hindsight I think we 
should have looked at a little bit better was the method of 
this particular attack. We sort of, as I say, built it the way 
the phone system was built, whereas if you want to get 
someone's tax return, you would call up and fake it and 
hopefully you would get through. An individual would do it. 
That is the mind-set we had with the electronic version. It 
would only be one person attempting to get it instead of what 
happened was, appears to be an organized criminal activity. 
That in hindsight one we had to--we should have thought better 
about. But, again, it is a hindsight question.
    In addition, one could argue should we have put other 
authentication factors in like some other method that would 
provide the way we set up an e-mail account, for example, is to 
write a letter to the taxpayer instead to say, ``This is your 
code for your e-mail address.'' That, of course, adds time and 
burden to people who want their transcripts very fast.
    But it is those kind of debates that we had inside. A risk 
decision was made back in 2013 about the level of risk we were 
willing to take, and as I say, for a lot of people it has been 
very successful. I believe the Commissioner remarked it was 
some 23 million people who got their transcripts successfully. 
But then, again, we had this incident, and that is the dilemma.
    Senator Carper [Presiding.] All right. Thanks.
    And the question I asked of the Commissioner this morning, 
he used the term ``IP PIN,'' and I asked him just to drill down 
and explain to our Committee this morning what was the 
relevance of that and why was that important. Would you just 
tell us what you think? And we will compare answers. Go ahead, 
Mr. Millholland.
    Mr. Koskinen. No pressure. [Laughter.]
    Mr. Millholland. The use of an IP PIN is an additional flag 
that we can provide to those who have demonstrated an ID theft 
issue. In that case, then, within the--I will just say the 
master file of the IRS, their account, their return, all the 
information about them has that flag on it to say this person 
had a theft and, therefore, needs to be treated differently. We 
would then look for returns that come in allegedly from that 
person that do not have that IP PIN with them.
    This, of course, necessitates a lot more work from the 
point of view of, well, what do you do when the person loses 
the PIN? And then you have to have another validation procedure 
on top of the one you had to give them still another PIN. Thus, 
again, it complicates life, so to speak, but this is all part 
of the Digital Age where one has to think through all of those 
use cases. What will you do about it if something goes wrong? 
And then how do you provision it in a way that for the taxpayer 
is relatively easy but yet still maintains the security that 
you want to have around such a request?
    Senator Carper. OK. Good. Let me ask, Commissioner one last 
question, and it is kind of a wrap-up question for me, and you 
answered this this morning and this afternoon as well. I am 
going to ask you to do it again, and just tell us what can 
Congress, particularly this Committee, do to help prevent 
future breaches like the one we are talking about, both at the 
IRS but also at other organizations.
    Repetition is good.
    Mr. Koskinen. We need third-party information, particularly 
W-2s, earlier. We need to get them when the employees get them 
in January so we can match the taxpayer's return with third-
party information.
    We need legislation that allows us to mask or put hashtags, 
as they are called, on those W-2s and then limit the number of 
people who can prepare those by an appropriate competitive 
process, because criminals now are so creative, they are 
creating false corporations, false W-2s, and then filing 
false----
    Senator Carper. These guys are not stupid.
    Mr. Koskinen. No. They have made enough money and have 
enough money that they are a multi-billion-dollar operation out 
there with an unbelievable amount of information on individuals 
across the world. So if we could get the W-2s earlier, if we 
could make sure the W-2s were accurate, if we could increase 
the penalties for identity theft and refund fraud----
    Senator Carper. By what magnitude? Any idea?
    Mr. Koskinen. We have proposals in there to, not make it 
unreasonable, but make it unreasonable enough that it increases 
the penalties significantly. Those are in our proposals for 
this year for legislation that would be very helpful. And then 
ultimately, as we talked about earlier, reauthorizing 
streamlined critical pay. We always had it for 40. We never 
used it for more than 34. It would allow us to continue to 
recruit and retain directly the smartest, best people we can 
like Mr. Millholland.
    Senator Carper. So that you can continue to surround 
yourself, as I do, with people smarter than you?
    Mr. Koskinen. Smarter than you are, yes.
    Senator Carper. There we go. All right. That is good. 
Senator Ayotte.
    Senator Ayotte. Thank you very much, Senator Carper.
    I just wanted to follow up, actually. I know that you were 
just discussing the IP PIN program, and I believe you also 
testified that over a million taxpayers already, as I 
understand it, are in this program. But I also, in looking at 
the TIGTA report, said that there is still a big gap in terms 
of at least for 2013 what we could see that when TIGTA had 
looked at it, there were still over a half million eligible 
taxpayers, looking at processing year 2013, that the IRS did 
not give the IP PIN to.
    So can you help me understand, are you sort of overwhelmed 
at this point that everyone who wants one cannot have one? Or 
is there a reason for that?
    Mr. Koskinen. No; there was a reason. At that point, those 
were returns a little like the 200,000 we have today--the 
100,000 that did not have any access to their accounts, so they 
have not been victims of identity theft from the standpoint of 
the IRS. So we have indicators on a number of accounts where 
there is an indication that there may be an issue, and the IG 
raised in that report that we should for those--actually a 
total of about 1,700,000 people had some, sometimes minor, 
sometimes more significant, indications.
    We have historically been careful about the IP PINs. As Mr. 
Millholland said earlier, when we issue them, if you lose it, 
then we have to go through validating you again, and it is a 
burden on the taxpayers. But we took the IG's recommendation to 
heart, as we often do, generally do with the IG 
recommendations, and this before this filing season we offered, 
besides mailing out a million and a half PINs to people who had 
them before and got them again, we offered the 1.7 million the 
opportunity to get a PIN.
    We also have a pilot program that ran this year for the 
second year, in Florida, Georgia, and the District, which are 
the three major kind of hotbeds historically of ID theft, and 
offered taxpayers there, even if they did not have an indicator 
of tax identity theft, to apply for an IP PIN if they would 
like. And it is a pilot to see what the burden is on the 
taxpayers, what the burden is on the IRS, and how effective 
that can be.
    Senator Ayotte. Well, that was going to be my follow-up 
question. Is this something that we can offer opt-in for 
everyone?
    Because I think there are definitely some of my 
constituents that would choose to opt in on this.
    Mr. Koskinen. The reason we ran this pilot was to see how 
it would work if we offered people the PINs. One of the things 
we are looking at right now--if you get an IP PIN, the 
requirement is you have to get a new one every year, and you 
have to file forever with your IP PIN. One of the things we are 
looking at now as a result of evaluating the process is could 
we allow people after 3 or 4 years, if they wanted to, to drop 
their IP PIN and go back to their Social Security number if 
they feel that by this time it is all right?
    The other thing is, can we give the IP PIN and have it last 
for more than a year? In other words, could we give it to you 
for 3 years so that we and the taxpayer do not have the burden 
of sending them back and forth? We started initially that way 
just to try to get control of them.
    So as we get that refined, then we will take a look at is 
there a way we could offer more people IP PINs. As you can 
imagine, though, if we had 100 million people with IP PINs out 
there and they start losing them, which people inevitably do, 
we then suddenly have a major influx of calls and revalidations 
that go on that would be almost impossible for us in our 
present resource-constrained situation to handle.
    But we are kind of gradually working into it because, for 
someone who has an IP PIN, it is added security. That is why 
the 104,000 who had data illegally obtained are being offered 
the opportunity to get an IP PIN if they would like.
    Senator Ayotte. And as I understand it, you cannot e-file 
with an IP PIN, too, so----
    Mr. Koskinen. Pardon?
    Senator Ayotte. You cannot e-file when you have an IP PIN. 
Is that true?
    Mr. Koskinen. No; you can. I e-filed this year. I actually 
live in the District of Columbia and thought, well, as the 
Commissioner, I ought to try the pilot program.
    Senator Ayotte. So you can do it with----
    Mr. Koskinen. Yes. You can file. Our joint return with IP 
PINs for the two of us went through.
    Senator Ayotte. So one of the things I wanted to 
understand, too, is do you feel you have the legal authority 
today to contract with any fraud prevention tools that you 
might think are effective for the agency? Or is that authority 
that you need from us? Obviously, I know the resources need to 
be there, but----
    Mr. Koskinen. Right. I have not been made aware of any 
legal restrictions on our ability to actually take advantage of 
external things. In fact, already, as Mr. Millholland said, for 
the out-of-wallet authentication, those questions come from a 
third party that we selected by route of a competitive 
contract. So at this point, nobody has told me that we are 
hamstrung in any way that way, and, in fact, we have spent a 
lot of time over the last 4 or 5 years in consultation with 
financial institutions and others about what their 
authentication is. And as I say, we just spent the last 3 
months with States and with the private sector tax preparers 
and software developers sharing information about existing 
authentication regimes and what we can do among the three of us 
to deal with it better.
    One of the things we can do, we are thinking about--that I 
have always been intrigued by is we could charge you $1 for 
your transcript, and then you would pay for it with a credit 
card, and that would be a multifactor verification because you 
would have to have the credit card handy. Now, of course, there 
is enough data out there, some criminals have your credit cards 
as well, but they would not necessarily know which one to use 
and which one was available. So there are different elements of 
that that we are looking into.
    Senator Ayotte. You think about the challenges that people 
are facing. Right now, on the refund issue, do you screen 
refunds for last known bank accounts or mailing addresses which 
are consistent with past returns before checks are mailed out?
    Mr. Koskinen. We have a whole series of filters in our 
system that we generally do not talk a lot about for obvious 
reasons.
    Senator Ayotte. Sure.
    Mr. Koskinen. One thing we have looked at, you have to 
understand with addresses, is we are a little less mobile than we 
used to be. It used to be 20 percent of people moved every 
year. And, in fact, therefore, if we never got anybody moving 
with new addresses, we would be suspicious.
    Senator Ayotte. Well, and also if you have a multiple 
refund situation, it strikes me as being able to look at, where 
has there been some consistency on mailing address or bank 
accounts, because the multiple refund issue has to obviously 
raise a big flag.
    Mr. Koskinen. And we cut that. It took us a little while to 
catch up with that, but this year, for instance, we would only 
send three refunds to a bank account. Beyond that, if whoever 
was collecting them, preparers or otherwise, we mailed the 
checks.
    Senator Ayotte. So one other thing that I wanted to ask 
about was what you tell victims, because it strikes me what we 
heard from Mr. Kasper who was here, but also have heard this 
from other of my constituents, that the IRS did not tell Mr. 
Kasper whether his case would be investigated, whether law 
enforcement would be notified, or whether there was any action 
taken on his case. So if I am a victim and I am trying to 
contact the IRS, what is the IRS taking in terms of telling me?
    And then for this category of people that you have some 
kind of red flag, where there may be an indicator, are you 
affirmatively notifying anyone that we are seeing something on 
our end that should cause you to examine your financial 
records?
    Mr. Koskinen. We are. That is one of the reasons we are 
writing letters to the 100,000 that did not lose any 
information, because we know that there are indications that 
criminals have at least some of their personal----
    Senator Ayotte. And if they do not use it now, they could 
use it in the future.
    Mr. Koskinen. They could use it in the future. So we think 
it is important for that second group of 100,000 to get a 
notice from us to give them an opportunity to protect their 
data and their identity to the extent they can. And we have 
marked their accounts so that someone cannot file a fraudulent 
return on their behalf as we go forward.
    But it is important for us--we have a whole series of 
people who have been delighted with their care. The people who 
handle dealing with ID theft victims, our call center people, 
are dedicated to helping them. They go out of their way to try 
to be as helpful as they can. There have been, and particularly 
early on when we were overwhelmed, 4 or 5 years ago, even up to 
maybe 3 years ago, people just did not have a lot of time. But 
we have tried to refine both single point of contact internally 
but try to make sure that we respond quickly, that refunds are 
issued, and that cases are resolved inside of 120 days, because 
while people sometimes have a hard time understanding it, we 
spend a lot of time trying to help taxpayers across the board 
figure out what they owe, how to pay it. And so anything we can 
do, particularly for taxpayers in this situation, to help them, 
we are going to.
    We cannot tell them, because we do not know, whether anyone 
is going to actually be charged for that case. It is turned 
over to our criminal investigators. They do not prosecute. They 
then turn cases over----
    Senator Ayotte. Well, and I know my time is up, but one 
thing I wanted to understand fully is if you turn it over to 
your criminal--I was a prosecutor before this, so if someone 
came in to report a crime--and this is a crime, clearly.
    Mr. Koskinen. Yes.
    Senator Ayotte. We could not tell them all the information 
on the ongoing investigation, but we could tell them that, yes, 
this is going to be referred to law enforcement, and here is 
the law enforcement agency that is going to be handling that. I 
have not gotten that sense that that is happening with the IRS, 
and is it or isn't it being--I know you have your own 
investigators, but does it end there, or does it get referred 
to--for example, Mr. Kasper was able to go to a local police 
agency.
    Mr. Koskinen. Well, one of the things that we advise 
people, both on the website and when they call, is they should 
actually go immediately and report the case to their local law 
enforcement authorities, and they should report it to the 
Federal Trade Commission as well, as well as to us, and we 
report it--and TIGTA keeps track of all this. So we are 
delighted to have as many law enforcement or other people 
involved as possible.
    So the taxpayers who are victims of identity theft, one of 
the pieces of information they should be getting is that they 
should themselves feel comfortable directly going and, in fact, 
should go--and, in fact, for authentication sometimes we need 
an affidavit that they have gone--to local law enforcement.
    Senator Ayotte. Well, this is obviously a really important 
issue. I want to thank the Chairman and Ranking Member for 
holding this hearing. I have a number of questions I am going 
to submit for the record, because this issue is one I hope 
obviously the Committee works on with you to get this right for 
taxpayers. So thank you both for being here.
    Chairman Johnson [Presiding.] Thank you, Senator Ayotte.
    I just have a couple closing questions, and then we will 
give you an opportunity to make some final comments.
    Mr. Millholland, when you were setting this thing up, 
considering it in 2013 before you set it up in 2014, did you 
ever review and take a look at utilizing for that second step 
using a phone number or some identifier from an actual tax 
return?
    Mr. Millholland. There were a number of options we 
considered as we were looking at how do you know this is the 
person, if you like. Some of that information was considered. I 
cannot remember all the factors, so to speak, but we really 
came down to say let us use this out-of-wallet approach with a 
third party. That seemed to be where the energy was, and it was 
like more believable and such that these credit scoring 
agencies would have a lot more information about the individual 
than we would. And, thus, that is what we basically focused on.
    Chairman Johnson. We did have Dr. Fu go through that list 
of questions and just pretty well show how incredibly easy it 
is to have that information, particularly in light of the fact 
that we know we have a billion people whose identities have 
been compromised and all that information with Social Security 
numbers is readily available. I mean, did you factor that in?
    Mr. Millholland. It was factored in in the following way: 
Yes, the ease of use of the system for the taxpayer versus our 
confidence level at least equivalent to the phone, if somebody 
had called in, that this is the person who they say it would 
be. I previously remarked that, of course, in hindsight we had 
not thought about the mass attack like this. We thought of 
individuals coming in to try to fake it, but not the mass. And, 
frankly speaking, that is one of the mistakes we made in this.
    Chairman Johnson. I appreciate the fact that the IRS has 
taken the decision to shut this site down because of the 
danger, the risk to taxpayers of losing even more information. 
Are you surprised that none of the other government agencies 
that are using this have not made that same decision?
    Mr. Millholland. I really cannot comment on how they 
balance their risks. The whole cyberspace, so to speak, with 
these kind of applications, you always are making tradeoffs of 
risks, how risky is it versus the benefit you are getting from 
it. As I say, 23 million taxpayers got their transcripts 
successfully. That is a tremendous saving in productivity for 
them and, of course, a cost savings for the IRS.
    Chairman Johnson. Yes, but the IRS has made a decision 
because of the risk to taxpayers. What about the Social 
Security Administration? What about CMS with Healthcare.gov? 
OK, I can understand decisions being made and thinking this 
will be secure enough. Now we know it is not secure enough. It 
is highly vulnerable. And I guess I will ask you, Mr. 
Commissioner, are you surprised that--have you been contacted 
by any of these other Secretaries or department heads or agency 
heads in terms of the decision you made? And are they mulling 
the same decision?
    Mr. Koskinen. We have had enough visibility with this issue 
that I would assume that everybody is, but I have not been 
contacted. And as Mr. Millholland said, they are all dealing 
with a whole set of unique circumstances and challenges in 
their agencies, and I am confident they will continue to make 
the right decisions. And if they need information from us, we 
obviously communicate and provide security information across 
the government. So at this point, I do not know what they are 
doing, and there is no way I can second-guess what they should 
be doing or what they have been doing.
    Chairman Johnson. So you have not been contacted by Sylvia 
Burwell or none of the other agencies that are using this have 
contacted you directly to just talk about your experience, 
asking you the questions I am asking, and talk about the 
decision you made?
    Mr. Koskinen. None of them have, and none of them at the 
technical level either.
    Chairman Johnson. OK. Well, if they are watching here, I 
would highly recommend that they get in touch with both of you 
gentlemen and start thinking long and hard about whether or not 
they ought to be taking their websites down or changing this 
very quickly.
    Mr. Millholland, how quickly would you be able to set up a 
new authentication system with multiple steps that would be 
more secure?
    Mr. Millholland. The question literally comes down to how 
should we extend the multifactor approach into this application 
and what level of confidence do we want to have that the person 
is who they say they are. This will range from work that we 
already have initiated. As I say, we are still doing the 
analysis of what happened and such. We have to settle these 
13,000 taxpayers right now, but then present the options and 
debate it inside.
    But I suspect that we will be bringing the decision to the 
Commissioner before the end of June of here are the investments 
we think we now want to make in hardening this, and then that 
will go through a process of decisionmaking. It probably will 
involve externals.
    Chairman Johnson. How many months do you think it will take 
you to actually implement increased security and be up and 
running again? Do you have any kind of outside estimate? I am 
not going to hold you to it. I mean, is this months or is this 
going to be dragging to 2016?
    Mr. Millholland. The way I would answer it is to provide a 
reasonable level that the people are who they say they are. 
Reasonable is in the eye of the beholder, actually, in this 
beholder, that we think this person is who they say they are 
with this level of confidence. Here is what it will take to do 
that. It may involve things like, hey, if you are asking for a 
transcript, maybe we ought to have you use your credit card, 
another form of authentication, charge you $1 or whatever, so 
that at least we now have that additional piece of information 
about you. All those things can be done, I will say, in a 
straightforward way. Certainly we will do this before the next 
filing season.
    Chairman Johnson. Through a third-party vendor, will you be 
able to access a beefed-up security system other than this? Or 
is this going to be something that you are going to have to use 
a third-party vendor and implement something within your own 
software system?
    Mr. Millholland. My leaning right now today is beef up the 
use of the tools that are already available from the out-of-
wallet provider. There are a number of technology things we can 
do, like, for example, the IP address of the person that made 
the request. Are they now switching devices when they make a 
second request--that kind of information is known--and a number 
of other, I will just say, technology approaches that are 
available from that third party.
    In addition, there are the other choices we have from a 
technology view. What kind of blocks do we want to put on this? 
As I said earlier, you only get one e-mail address with one 
Social Security number, if you like. That has consequences. As 
I say, well, suppose a person wants to change the address, how 
easy do we make that? And all those what-ifs unfortunately, Mr. 
Chairman, increase costs and the complexity of the solution we 
want to put out.
    In any case, I think we will be able to make significant 
hardening of this particular application certainly before the 
next filing season.
    Chairman Johnson. So were those capabilities to harden this 
security available from the third-party vendor when you were 
going through this in 2013? Are these new capabilities? Or was 
it primarily just a cost decision that it will harden our 
capability but it is going to cost too much?
    Mr. Millholland. I frankly do not remember all the 
technology capabilities that this particular third party had at 
the time. I do know that when we made considerations of the 
tradeoffs, the tradeoffs were keeping it easy like it was on 
the telephone versus adding this additional layer of questions 
and complexity. And that was a frank and vigorous exchange of 
views inside the agency about how we ought to do that.
    Chairman Johnson. What is the cost of this outside vendor 
for this application?
    Mr. Millholland. I think it was around 10 cents per 
transaction to get per question. I am not 100 percent positive 
about that.
    Chairman Johnson. It is a per question cost.
    Mr. Millholland. Right.
    Chairman Johnson. So that thing right there costs 40 cents, 
and if you have 23 million accessing this----
    Mr. Millholland. It is clearly one of these things that is 
negotiable with the particular suppliers. You could say a 
bundle of questions could be X amount. All those go into the 
contract negotiations and such.
    First is the cost of, well, suppose you just kept it the 
normal way and let us say we mailed you your tax return. That 
is 40 or 50 cents to do that. So all those go into those 
tradeoff decisions of benefit versus the risks, and that is 
going to be one of the things we have to weigh as we decide how 
hardened do we want this.
    Chairman Johnson. Mr. Kasper in his testimony said that 
when he contacted the IRS and talked about the fact that 
somebody had already filed a tax return on that, the IRS did 
react by saying that there was something suspicious about the 
address being used by the criminal. Do you know what that was?
    Mr. Millholland. In Mr. Kasper's case, no, I do not.
    Chairman Johnson. Those addresses used, were those easily 
identifiable as Russian, or were they addresses in the United 
States but somehow you were able----
    Mr. Millholland. They were--go ahead.
    Mr. Koskinen. I am going to say the IG has asked us not to 
speculate in public about where the domains were set up. There 
were domains that were set up for this purpose relatively 
recently, and we would be delighted to give you that 
information off the record.
    Chairman Johnson. OK. That is really all the questions I 
have. I am happy to give you gentlemen the opportunity to make 
a final comment before we close the hearing.
    Mr. Koskinen. I appreciate that, Mr. Chairman. First, as I 
said to start my testimony, this is a serious issue. We take it 
seriously. Protecting taxpayers and their information is a high 
priority for us, in many ways the highest priority.
    This is, as I said, in many ways a shot across the bow. The 
issue we are dealing with here, critical to the taxpayers whose 
accounts were accessed, is about a Web access, a Web program we 
have that does not have anything to do with our system. But as 
I say, we increasingly over the last 3 or 4 years have seen 
that more and more of the identity theft we are seeing, more 
and more of the attacks we are seeing are coming from organized 
crime and syndicates around the world. So it is, as I fondly 
say, no longer bean bag. We are actually in the middle of a war 
with very sophisticated, well-funded, intelligent enemies.
    And so the challenge for us all--and it is not just a 
problem for the IRS, not just a problem for government 
agencies. It is obviously a problem for everyone in the 
financial services industry, everyone who has data, financial 
or otherwise, on people, to try to figure out how to battle 
this most effectively.
    So to some extent, it is a question of funding for how do 
we make sure our system is secure across the board as we go. 
But it is not just a question of money. It is also a question 
of just a continual attempt to assess where you are and where 
you are going. So we should always assume that we have to get 
better, which means as we get better over time, we will always 
be better than we were in the past.
    The system of out-of-wallet authentication, already 22 
percent of taxpayers cannot answer their own questions. In some 
cases it means that the criminals are better able at answering 
the questions in some cases than the taxpayers. So to Mr. 
Millholland's point, you are always doing that balancing act: 
Do you make it inaccessible to taxpayers and increase the 
burden, and at what cost? Clearly, I think that with all of the 
breaches that have gone on, as I noted, I think--it is hard to 
remember what I have noted here and earlier today. The IRS was 
one breach out of 25 in the month of May across the world. So, 
clearly, we are dealing with unknown volumes of information out 
there that dwarf anything we could imagine.
    So we are going to continue now, I think, to have to assume 
that we are at risk. It is what we assume in our normal day 
with our security for the overall cybersecurity issue of our 
system, is to assume that we are at risk. So even as we harden 
this program and put it back up--and we will not put it back up 
until we feel comfortable with it, even then we will run on the 
assumption that we are at risk. And we need to do that, and I 
think that is the only way we are going to be able to continue 
to make progress.
    But it is not a simple problem. It is a complex one that is 
going to take the best efforts of everyone, and that is why we 
are delighted to have what I think is going to turn out to be a 
very successful partnership as a result of the Security Summit 
we put together with the private sector, because we all agreed 
we can do a lot more together working with various levels and 
layers of authentication and protection than any group, whether 
it is the private sector or the States or the IRS, by 
themselves can do, and that is what we are committed to doing 
going forward.
    Chairman Johnson. Thank you, Mr. Commissioner. Mr. 
Millholland.
    Mr. Millholland. I have no closing remarks.
    Chairman Johnson. OK.
    Mr. Millholland. Thank you, though.
    Chairman Johnson. I would like to ask consent to enter into 
the record two articles,\1\ Krebs on Security and Nextgov, 
``Other Agencies Use Same Log-on Procedures As Exploited IRS 
Site.'' Without objection, so ordered.
---------------------------------------------------------------------------
    \1\The articles referenced by Senator Johnson appear in the 
Appendix on page 86.
---------------------------------------------------------------------------
    I want to thank both of you for your thoughtful testimony 
and your answers to our questions.
    Mr. Commissioner, I would ask that you take a serious look 
at the Social Security Identity Defense Act of 2015. I think it 
really would be a very helpful piece of legislation to allow, 
actually require the IRS, when you are made aware of the fact 
that identity theft has occurred, to notify the taxpayer as 
well as Federal authorities so they can track down the 
criminal, and we can end those types of activities. So if you 
could look at that, I would appreciate you working with our 
staff, and hopefully you can be supportive of that.
    With that, the hearing record will remain open for 15 days 
until June 17 at 5 p.m. for the submission of statements and 
questions for the record.
    This hearing is adjourned.
    [Whereupon, at 4:28 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]