Audit Finds More Security Vulnerabilities at IRSGAO Makes More Security Recommendations; IRS Now Has 127 Issues to Resolve
The Internal Revenue Services’ internal financial reporting systems and IT infrastructure have 14 new security vulnerabilities, along with a long list of previously unresolved deficiencies, according to the U.S. Government Accountability Office.
The findings were part of an annual audit of the IRS's financial security control systems, the government watchdog noted in a report released Thursday.
The GAO report also includes 20 recommendations for improving security and mitigating flaws and misconfigurations within IRS IT systems.
Room for Improvement
The security recommendations are aimed at safeguarding the IRS' infrastructure and databases, which contains financial data and other personal information on millions of U.S. taxpayers. By extensively using technologies such as encryption and identity and access management tools, the IRS would make it systems less susceptible to cybercrimes, such as identity theft and other financial frauds, the report states.
In 2018, the IRS, which is part of the U.S. Department of Treasury, collected nearly $3.5 trillion in federal tax payments and processed about 225 million tax returns, according to the report.
"We identified 14 new information system security control deficiencies, such as weaknesses in access controls and in procedures to help ensure information systems are operating securely. Weaknesses like these place IRS's systems and data at risk," GAO investigators write in the online report.
In a letter to IRS Commissioner Charles Rettig, the GAO points out eight security deficiencies or potential vulnerabilities related to the IRS's access control devices and four related to configuration management control deficiencies. One was related to segregation of duties and another concerned contingency planning.
The GAO report urges the IRS to increase transparency about how it plans to secure its systems against attack and to create a better contingency plan to make its infrastructure less susceptible to cybercrime and other types of security breaches.
History of Breaches
The audit released this week comes after the continuing fallout from a 2015 data breach at the IRS that exposed data on more than 100,000 taxpayers and triggered a series of Congressional hearings and investigations into how the service manages its security.
Four years ago, hackers gained account information from U.S. citizens who used the agency's Get Transcript app. The hackers were known to use sophisticated methods that managed to bypass multistep authentication tools in order to breach the data, according to news accounts (see: IRS: 100,000 Taxpayer Accounts Breached ).
Second Set of Recommendations
This is the second set of recommendations that the GAO has made concerning the information and security systems of the IRS. In a July 2018 report, GAO investigators identified 87 deficiencies and made over 150 security recommendations, but the agency addressed only 49 percent of these issues by the September 2018 deadline, this week's report notes.
With the new set of 20 security recommendations, the IRS now has a total of 127 issues to resolve, according to the GAO. The latest report notes, however, that the IRS has taken considerable steps to address its prior recommendations and has agreed to fix mistakes and flaws within its internal systems.
"IRS agreed with our recommendations and stated that it will ensure that its corrective actions include root because analysis for sustainable fixes that implement appropriate security controls," according to this week's report.
Some of the cybersecurity issues at the IRS included in the latest GAO audit include:
Access Control Loopholes: According to the GAO's findings, the majority of the vulnerabilities are in access point controls; these could permit a high degree of intrusion into IRS programs, data and other computing resources. To address this issue, the GAO recommends the increased use of encryption, the additional protection of system boundaries and the development of better ways to authorize permissions to access systems.
Lack of Encryption: The GAO found that the IRS failed to comply with federal mandates that it encrypt its servers, emails and database. In addition to expanding use of encryption, the GAO recommends increased use of electronic signatures to assess changes made by groups or individuals within the agency.
Identification and Authorization: The GAO says the IRS needs to ramp up its user identification efforts and better determine access privileges. The auditors recommend the IRS issue certificates to electronically sign tax documents and require the use of multifactor authentication to access certain applications.