The IRS is employing a “white hat” approach to improve its cybersecurity.
The IRS awarded Synack Government a $2 million contract to provide penetration testing by ethical hackers or researchers with no knowledge of IRS systems.
“Synack will be helping with this initiative through our crowdsourced security testing solution,” said a company spokeswoman in an email to Federal News Radio. “Synack’s Red Team, a network of white hat security researchers located around the world, work from an adversarial perspective to uncover hidden vulnerabilities in our customers’ systems, like websites, applications, networks and more. For the IRS, Synack’s vetted Synack Red Team (SRT) will be doing more of the same.”
The tax agency awarded the one-year contract on Sept. 15, but the company wasn’t allowed to discuss the deal until recently.
The company spokeswoman said the IRS began a pilot with Synack last spring.
Synack is one of two companies that won follow-on contracts from the “Hack the Pentagon” contest. Under the deal, Synack and HackerOne will help run as many as 14 other “white hat” hacker events where participants will earn payments for discovering security flaws. The Pentagon is inviting individual military services and agencies to submit their own systems to crowdsourced vulnerability testing; individual projects will be awarded as task orders under the contracts.
The Army recently launched its first hackathon, opening its contest up to 500 ethical hackers.
DoD also expanded its “Hack the Pentagon” program to anyone who wants to submit potential vulnerabilities of publicly-accessible Defense networks through a centralized portal. It also set out a new policy under which hackers can feel free to prod live systems for bugs without fear of prosecution.
The IRS is not following exactly in DoD’s footsteps with hackathons.
Rather, Synack said it will offer the IRS a vetted, diverse and scalable set of researchers through a private, managed approach.
“After our rigorous five-step vetting process, Synack accepts less than 10 percent of SRT applicants and proudly leads the industry with the highest signal-to-noise ratio and average bounty reward sizes. We guarantee our clients full visibility and auditability of researcher activities, tracked through our proprietary secure gateway, LaunchPoint, and our Mission Operations Team, at all times,” the spokeswoman said. “The Synack Government solution is tailored to serve government agencies’ sensitive IT requirements and mission-critical assets.”
The IRS’ decision to use this ethical hacker approach comes after it has faced a host of cyber challenges.
The agency had to shut down its “Get Transcript” application in 2015 for a year after cybersecurity holes left personal information accessible. The IRS relaunched the program in June with better cyber protections.
The Treasury Inspector General for Tax Administration found in its annual report on the IRS’ IT programs that the security for taxpayer data and IRS employees is again the number one management and performance challenge facing the IRS for the sixth consecutive year.
“TIGTA identified weaknesses within the IRS’s cybersecurity program in which three domains need significant improvement (information security continuous monitoring, configuration management and identity and access management),” auditors said in the report released Oct. 27. “TIGTA also identified weaknesses in the electronic authentication process controls. Additional areas that need improvement include physical security controls, backing up and restoring data, and SharePoint controls.”
At the same time, the IRS reported few successful malicious attacks, only 17 of 376 incidents reported to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT). The agency also has improved its fraud detection and prevention capabilities.
The IRS spent more than $197 million on cybersecurity services and tools in 2015, TIGTA reported.