If the IRS is to protect taxpayer information, Congress needs to restore a special budgetary authority to quickly hire IT specialists, a panel of top agency officials and government watchdogs told a Senate committee Tuesday.
The agency’s cybersecurity woes were again a topic for lawmakers as the Senate Finance Committee pressed officials for answers about recent incidents, including one announced in February in which an automated software bot attempted to generate PINs for stolen Social Security numbers via the agency’s E-File online tax portal.
The U.S. Treasury inspector general for tax administration and the head of the Government Accountability Office told the committee their offices have been weighing on the agency to make necessary security upgrades, with the latter issuing two reports in the past two weeks calling on the IRS to upgrade controls that guard taxpayer data.
[Read more: GAO hits IRS (again) over bad IT security]
Gene Dodaro, who runs the GAO, said his office’s investigations have sniffed out sloppy practices like easily guessed passwords for servers that hosted key systems, bad privilege management, systems hosting data that was not encrypted and failures to log activities tied to systems handling taxpayer data.
IRS Commissioner John Koskinen did not shy away from the incidents, pointing out the agency’s systems withstand 1 million malicious attempts every day. He did, however, call for Congress to reinstate streamlined critical pay, a provision that authorizes the IRS to hire up to 40 individuals at any one time into positions it deems vital to the agency in an administrative, technical or professional field.
The provision expired in 2013, with Congress needing to reauthorize the process if the agency is to quickly hire top-notch cybersecurity professionals, Koskinen explained. The IRS hired 10 senior IT officials under the provisions who will be leaving next year, as the hires are limited to four-year appointments.
When asked about the critical pay program by Sen. Ron Wyden, D-Ore., J. Russell George, the Treasury inspector general for tax administration, told the committee the IRS kept it under budget, never using the full 40 position allotment.
“Here we have something that has been an essential tool, and they are not going to have it any longer absent Congress getting serious on a bipartisan basis to renew it, and TIGTA said the program came in under budget,” said Wyden. “If that isn’t a wake up call to Congress I don’t know what is. If we are going to beat the crooks, we need to have it.”
The panel also suggested that the IRS be given the authority to set security standards for private tax preparers, as some have fallen victim to the same scam associated with agency’s Get Transcript hack. A February report from the Online Trust Alliance found 46 percent of free E-File services fail to adequately protect consumers.
Wyden said the report showed that even as the IRS has had its problems, the blame does not solely lie with the agency in failing to protect taxpayers.
“In my view, taxpayers have been failed by the agencies, the companies and the policymakers here in Congress that they are counting on to protect them,” he said. “There is simply no excuse for this. This is not just a problem at the IRS, there is plenty of blame to go around.”