I’m glad all those problems at the IRS are behind us. With their various scandals in the rearview mirror, taxpayers may rest comfortably in the knowledge that their returns will be handled in a proper, confidential fashion with speedy, efficient service. Oh, who am I kidding? There are still a number of problems plaguing the agency and one of the latest showed up at NextGov this week.
Turns out that a recent audit of the agency uncovered serious problems in their data management and administrative routines. For one thing, the IRS was asked to provide a list of all the people who have access to confidential taxpayer data. Long after the due date, they finally delivered an answer, but admitted that it probably covered only about one-third of the people who actually had access, and the list didn’t even cover all of their databases.
The Internal Revenue Service hasn’t accurately cataloged all the components of its highest value hardware and software systems and doesn’t have a clear count of who has privileged access to those systems, according to an audit released Monday.
The IRS also likely isn’t patching software vulnerabilities on its highest value assets within the 30-day timeframe required for federal agencies, according to the audit from the Treasury Inspector General for Tax Administration.
Because the agency doesn’t maintain historical data about patching, however, it’s difficult to say for certain how long vulnerabilities are going unpatched, the audit states.
The term “high-value assets,” as used by federal cybersecurity professionals, essentially refers to software and hardware systems that contain the most sensitive information, including personally identifiable information about taxpayers or employees.
As mentioned above, it wasn’t just a question of who has access to what. The agency is also required to keep up to date with all the security patches which come out, installing the upgrades within 30 days and keeping records of security maintenance. Have they been doing it? Nobody seems to know because they don’t have records of that, either.
But there’s probably no reason to be concerned, right? I mean, who would bother hacking the Internal Revenue Service? We actually know the answer to that one. In 2015 and again in February of 2016, hackers were able to crack into the IRS databases and steal the personal information of more than a quarter million taxpayers.
The conclusion drawn from the audit doesn’t do much to inspire confidence.
“Given that the IRS has not been able to provide this basic but critical information, we question whether the IRS has sufficiently inventoried, validated, and minimized the number of privileged users and accounts as required,” the audit states.
How is the agency supposed to know if somebody else was accessing the system when they aren’t even sure which of their own people are supposed to be poking around in there? The IRS was under the leadership of Obama appointee John Koskinen until November 12th of last year. David Kautter has been the interim chief since then, but that was always going to be temporary. President Trump has nominated Charles Rettig as the next person to take charge, assuming he makes it through Senate confirmation. (A big assumption, given that Democrats fight every nominee tooth and claw these days.) The man has a big job ahead of him because the IRS is far from being the smooth-running machine everyone was hoping for.