It’s a lot of highly personal financial data, so it’s sensitive and important information.
The short answer is “no.” Every year, the GAO — Government Accountability Office — reviews IRS security and issues a report. The title of this year’s report kind of says it all: “IRS Needs to Further Improve Controls over Financial and Taxpayer Data.” The details are ugly: failures in identification and authentication of network users, failures to encrypt data, failures in audit and monitoring and failures to patch vulnerabilities and update software.
To be fair, the GAO can sometimes be pedantic in its evaluations. And the 43 recommendations for the IRS to improve security aren’t being made public, so as not to advertise our vulnerabilities to the bad guys. But this is all pretty basic stuff, and it’s embarrassing.
More importantly, this lack of security is dangerous. We know that cybercriminals are using our financial information to commit fraud. Specifically, they’re using our personal tax information to file for tax refunds in our name to fraudulently collect the refunds.
We know that foreign governments are targeting U.S. government networks for personal information on U.S. citizens: Remember the OPM data theft that was made public last year in which a federal personnel database with records on 21.5 million people was stolen?
There have been some stories of hacks against IRS databases in the past. I think that the IRS has been hacked even more than is publicly reported, either because the government is keeping the attacks secret or because it doesn’t even realize it’s been attacked.
So what happens next?
If the past is any guide, not a lot. The GAO has been warning about problems with IRS security since it started writing these reports in 2007. In each report, the GAO has issued recommendations for the IRS to improve security. After each report, the IRS did a few of those things, but ignored most of the recommendations. In this year’s report, for example, the GAO complained that the IRS ignored 47 of its 70 recommendations from 2015. In its 2015 report, it complained that the IRS only mitigated 14 of the 69 weaknesses it identified in 2013. The 2012 report didn’t paint IRS security in any better light.
If I had to guess, I’d say the IRS’s security is this bad for the exact same reason that so much corporate network-security is so bad: lack of budget. It’s not uncommon for companies to skimp on their security budget. The budget at the IRS has been cut 17% since 2010; I am certain IT security was not exempt from those cuts.
So we’re stuck. We have no choice but to give the IRS our data. The IRS isn’t doing a good job securing our data. Congress isn’t giving the IRS enough budget to do a good job securing our data. Last Tuesday, the Senate Finance Committee urged the IRS to improve its security. We all need to urge Congress to give it the money to do so.
Nothing is absolutely hacker-proof, but there are a lot of security improvements the IRS can make. If we have to give the IRS all our information — and we do — we deserve to have it taken care of properly.