GAO finds growing cyber weaknesses at IRS


The Government Accountability Office said the IRS has more than 100 significant cybersecurity weaknesses that leave it vulnerable to attacks and data theft. The problems are popping up faster than the IRS is nailing them down. GAO’s Director of Information Technology and Cybersecurity Issues Vijay D’Souza joined Federal Drive with Tom Temin for the latest details.

Interview transcript:

Tom Temin: Mr. D’Souza, good to have you back.

Vijay D’Souza: Thanks, it’s great to be here.

Tom Temin: So this was kind of a tough report, you know, even from the GAO, because you just have this litany of things that are not fixed. So give us the overview here. What did you find here in the latest with the IRS?

Vijay D’Souza: Well, each year we audit the IRS’s financial statements. So one of the few perks of working at GAO is we’re able to say that we are one of the few organizations that can audit the IRS. But that work is important because it helps ensure that the IRS’s information systems and financial controls are secure, to process the over $3 trillion they handle each year. So as part of these audits, we do an accounting audit and as a subset of that, we look at IT security. And every year we look for weaknesses. We do find some, but we also look at the IRS’s ability to address the weaknesses we found in prior years. So the bottom line is for this year, we identified 11 issues and made 18 recommendations, but IRS was able to close 13 recommendations from prior years.

Tom Temin: But the list I’m looking at says that all together, there’s 132 remaining open recommendations, so they’re accumulating faster than you are able to get rid of them.

Vijay D’Souza: Well, you know, there are weaknesses year to year, but I think it is important to acknowledge that IRS is trying to address these issues. One of the things we’ve recognized is IRS has a lot of complexities it’s dealing with from an IT perspective. And yes, you’re right, we continue to find weaknesses, but one of the points we’ve made to IRS is we want them to try to focus on systemic issues — the idea is to catch weaknesses before we catch them, when they’re setting up systems or doing upgrades, to catch them at that time.

Tom Temin: It looks like the bulk of the issues have to do with access controls, there’s 92 open recommendations. What do you mean by access controls and what’s the implication of it?

Vijay D’Souza: So access control is one category of information security. And it’s basically things that, as it says, limit access to sensitive information. So this can be issues related to, for example, passwords, or how you make sure that sensitive data is appropriately restricted.

Tom Temin: Okay, and I guess the next largest category underneath that…

Vijay D’Souza: …is configuration management. And so configuration management is a tricky one. So that’s basically making sure that all the various settings on particular hardware and software are set in the most secure way possible. One of the challenges with that is if you’re a large organization like IRS, how do you make sure that everything is configured securely, but not so securely that it breaks things? You know, that’s always an issue. The other thing that can be challenging is when systems are upgraded or replaced, how do you ensure that they’re configured securely, because the default configuration that comes is often not the most secure configuration.

Tom Temin: And looking at the bigger picture here with all of these recommendations for access controls configuration, is this in any way related to the large number of applications that are still legacy and running on legacy code for the IRS?

Vijay D’Souza: For sure. You know, one of the challenges IRS faces is applying modern security standards to older software. Now, they have ways to do this, but it’s not as easy as if they were starting from scratch with a completely modern platform. IRS spends hundreds of millions of dollars a year modernizing its IT systems, but it’s always in sort of a catch up, and it’s always trying to triage and prioritize the most critical systems for updates and upgrades.

Tom Temin: So tell us, their cybersecurity and their modernization, which is kind of a classic question — it all comes together in the most dramatic way, really, for the IRS.

Vijay D’Souza: Right. The IRS is one of the largest organizations in the country. And from an IT perspective and a dollar perspective, it’s got quite a lot on its plate right now. The combination of trying to upgrade systems, deal with ongoing changes in tax laws and handle continued threats to its systems and also to taxpayers’ sensitive information, you know, it’s not an easy task for them.

Tom Temin: And what do they say when presented with, here’s the latest report, you’re up to 132?

Vijay D’Souza: IRS is very receptive to our findings. You know, we do see that they’re making a good faith effort to address them from year to year. We continue to meet with them on an ongoing basis to identify ways that they can continue to improve. So they concurred with all of the issues that we identified in our report and have identified ways to improve them. One of the issues though, as you kind of pointed out, is that in some cases the numbers sort of pile up. This year some of these things require fundamental large scale upgrades to infrastructure — and IRS doesn’t understand that we want to make a lot of changes to its IT infrastructure in the midst of filing seasons, or in the midst of a lot of other outside changes. So for example, with what’s happening right now, this is probably not the ideal time to be taking systems down to do patches and upgrades.

Tom Temin: I was gonna say they’ve got these new impositions from Congress under the different acts, that could be another one coming yet with more stimulus payments to individuals. And so all of their issues with database access, and with financial controls, and do they have basically the correct data they need in the first place to be able to do this accurately. That’s all crowding in on the ability to step back and say, where do we need to go next with our modernizing?

Vijay D’Souza: Right. You know, I think the analogy is, you don’t want to try to fix the airplane while you’re flying it. But on some level, that’s what you have to do with systems that are being used 24/7. So you have to schedule: when is the time we’re going to take the system down? When is the time we’re going to do the upgrades? We need to test things before we turn them back on. So all those things aren’t easy.

Tom Temin: And they have made very good progress in eliminating identity theft and wrongful access to people’s individual accounts. I think that’s down pretty much exponentially from what it was a number of years ago. So they have shown they can fix things when they put their mind to it as an agency.

Vijay D’Souza: Yes, I mean IRS has definitely recognized identity theft as an issue, and they’ve taken a lot of steps to address it. Things like that, just like other cyber threats, are always a moving target though, the trick is trying to stay one step ahead. And as new fraud schemes come up, and new information security weaknesses come up, trying to figure out how you’re going to address them.

Tom Temin: Would it be accurate to say that any agency or any organization, if you looked at it annually, there would be new cybersecurity vulnerabilities because that’s the nature of the beast. There’s always something new. The question is, how fast can you close them so that you’re ready to take on the latest?

Vijay D’Souza: Yeah, for sure. And I think it’s important that we keep this in context. IRS definitely has information security weaknesses, but I don’t want people to get the idea that their information is not secure. IRS takes a lot of steps to try to keep things secure. It’s just that it’s a larger organization, and it faces a lot of scrutiny from outside organizations like ourselves — and rightly so because of its importance to the functioning of the American economy. You know, we need to keep trying to make sure they’re secure. And you know, they need to try to keep addressing these recommendations, both as we find them and ideally before we find them, that would be the best case scenario.

Tom Temin: Vijay D’Souza is Director of Information Technology and Cybersecurity Issues at the Government Accountability Office. As always, thanks so much for joining me.

Vijay D’Souza: Thank you. It was great to be here.

Read the full report here.