GAO: Taxpayer Data at Increased RiskIRS Commissioner Ignores GAO's Info Security Criticisms in His Response to Audit
A government audit of Internal Revenue Service financial statements reveals deficiencies in internal information security controls, including missing security updates, insufficient audit trails and monitoring for certain key systems, and the use of weak passwords.
"Until IRS takes the necessary steps to address these control deficiencies, its financial and taxpayer data will remain at increased risk of inappropriate and undetected use, modification or disclosure," Cheryl Clark, GAO director of financial management and assurance, says in the audit report.
IRS Chief Accentuates the Positive
IRS Commissioner John Koskinen, in his response to the audit on the financial systems for fiscal years 2014 and 2015 , ignored Clark's criticisms regarding deficiencies in security controls while accentuating the positive aspects of the audit report. "We are pleased the GAO recognized our continued focus on securing information systems and protecting sensitive taxpayer and financial information, including our efforts to further restrict access privileges on key financial applications and our continued migration to multifactor authentication across the agency," Koskinen says.
The GAO's financial statements audit isn't the first time auditors have taken the IRS to task for failing to properly implement information security controls. The latest critique occurred in the wake of the breach of the IRS's Get Transcript system in May (see IRS: Hack Much Wider Than First Thought). Treasury Inspector General for Tax Administration Russell George told the Senate Finance Committee in June that since 2011, the IRS had failed to implement 44 security recommendations, including 10 recommendations that came from audits conducted more than three years ago (see Controls Might Have Averted IRS Breach).
In the new GAO audit, Clark points out that "the collective effect of the deficiencies in information security from prior years that continued to exist in fiscal year 2015, along with new deficiencies, are important enough to merit the attention of those charged with governance of IRS and therefore represent a significant deficiency in IRS's internal control over financial reporting systems."
Clark cites the IRS's failure to install appropriate security updates on certain databases and servers that support financial systems, which increased the risk that known information security vulnerabilities could be exploited. In addition, she says, communications between key financial applications were still at risk of compromise because the applications failed to employ sufficiently strong encryption, limiting the agency's ability to ensure data integrity and confidentiality.
The audit also uncovered deficiencies in the way the IRS uses passwords. For example, one key system used a password that also was the account name. The audit also uncovered systems administrators using desktop files, shared files and instant messaging to store and transmit passwords used to access systems and servers, making the systems and databases more susceptible to compromise.
Although the IRS has a comprehensive framework for its information security program, some parts of it are not being implemented effectively, according to the GAO audit. The IRS's information security testing approach, for instance, didn't consistently determine if required controls operated effectively, the audit notes. "Consequently, we continued to identify control deficiencies in key financial systems that IRS had not detected," Clark says.
A Matter of Resources
IT security practitioners often contend that critical observations from auditors about a lack of security controls don't necessarily mean systems are unprotected.
"Understand that the auditors' priorities are almost never the same as the CISOs' priorities and that is as it should be," says IT security adviser Robert Bigman, the former CISO at the Central Intelligence Agency. "The auditors show up with their checklist of items, which are driven by regulations like FISMA. My checklist was driven first and foremost by mission requirements, second by my program plan and third - and if there was money left over - by the auditors' interests. It is not that the auditors are not important; it is simply a matter of juggling priorities and, always limited, resources."
In fact, the IRS is one of many federal agencies that have failed to get a clean bill of health from auditors sizing up their security efforts.
"Government agencies are tasked with many things under the law, and some of them are underfunded or unfunded," says Gene Spafford, an information assurance professor at Purdue University. "IT functions, and security specifically, are also usually understaffed by people with appropriate skills. So, when many updates or changes are required, the core function of the agency gets first priority and that may mean the changes don't get made."
Spafford notes that Congress cut the IRS's budget as "symbolic punishment" after the agency investigated efforts by conservative organizations that applied for tax-exempt status. "We're seeing the strain of those cuts," he says.
"At the top levels of any government agency, if the leadership is tasked with making a choice - don't carry out all of the mission but get all the controls in place and up-to-date, or carry out the mission and put off some updates that may not make an immediate difference - the choice is obvious," Spafford says. "People lose jobs over a failure to execute the basic mission; people seldom lose jobs over not keeping up with updates, even if those result in terrible breaches."