As the government grapples with its cybersecurity posture and scrambles to protect its networks, the IRS is taking the lead with a series of new authentication measures and information sharing practices.
The IRS — along with 20 industry tax organizations and 34 states — will share 20 new data elements with each other during the 2016 tax filing season to help the agency detect identity theft and fraud.
“Being able to share that information regularly in real time through the filing season, we think is going to increase the ability of all of us to detect situations where there’s been identity theft and it’s being used to try to obtain fraudulent refunds,” IRS Commissioner John Koskinen told summit members and reporters during a press conference Oct. 20 in Washington. “It doesn’t mean we’re going to be perfect. But as a result of this great effort by all of our partners, we’re in a much stronger position this season than we’ve ever been before.”
The agency will serve as the facilitator for participating states and industry groups, who will send the IRS data they collect on identity theft. It’s a concept similar to one in the contentious Cybersecurity Information Sharing Act, which the Senate is considering this week.
“We have never had this level of cooperation and sharing,” Koskinen said. “We’ve never had it a coordinated way, in a shared way, where we will collect all of the information at the same time from all of the participants. We will collect in real time, pull it together and share it back out so everyone has access to that information.”
The public-private partnership is a result of the agency’s Security Summit, which Koskinen organized and convened for the first time in March. Agency leaders, state revenue department officials and industry CEOs met again in June to test the data elements and make changes to the recommendations they discussed during their first meeting.
Koskinen said it’s the first time the agency has collaborated with industry on this scale.
Making it more difficult for criminal hackers
This comes as the agency struggles to get its Get Transcript system back online, after hackers attempted to steal old tax returns and personal information from as many as 334,000 people.
In the wake of the breach, the Treasury Inspector General for Tax Administration told Congress, the IRS didn’t implement a dozen security fixes to its systems.
But the agency said the Get Transcript breach wasn’t a cybersecurity incident. Hackers collected the answers to the security questions taxpayers might use on other online banking systems, for example.
“This is not a security breach in the usual sense,” Koskinen told reporters in May. “This is a modified form of identity theft with criminals who had enough data to impersonate a taxpayer.”
The agency’s new authentication initiatives are an attempt to make incidents such as the one with Get Transcript more difficult for criminal hackers. The IRS and industry software partners agreed to several new identity verification and authentication requirements for taxpayers, which include:
A timed lockout feature and a limit to unsuccessful login attempts.
Three new security questions.
Out-of-band verification for email addresses.
Tax software companies will use out-of-band verification — a technique already common at many private banking and loan companies — and will send taxpayers an email or text with a PIN number. That number will act as another mode of authentication for taxpayers who file their returns electronically.
The summit also created the Strategic Threat Assessment and Response (STAR) working group, which will help industry partners adopt the National Institute of Standards and Technology cybersecurity framework.
The IRS said it already has met with NIST to develop a strategy for the private companies that agreed to participate, and it will continue to meet with them to further craft the framework adoption strategy.
Slashing the budget not a solution
For Koskinen, the agency’s new authentication and information sharing initiatives are a top priority. He said the $481 million President Barack Obama requested in his fiscal 2016 budget would pay for these new programs.
But the agency’s funding dropped by $1.2 billion since 2010, and Congress has threatened similar budget cuts will continue in 2016.
If predicted spending cuts pan out, or if funding remains flat, Koskinen said he will likely have to shift his budget to pay for new identity and authentication initiatives.
“It means something else will have to suffer, he said. “Either enforcement will have to go down. It’s hard to imagine our tax level of service getting worse, but if the funding’s not there, that’s one of the alternatives we’ll have to consider.”
Slashing the agency’s budget won’t fix the agency’s security flaws, particularly in the wake of the Get Transcript breach, Koskinen said.
“These are critical issues, and you can’t solve them without the appropriate funding,” he said. “My hope is that the Congress — whatever else happens in the budget process — will understand that this additional funding will be very targeted to protect our systems, to protect the taxpayers and to protect government revenues.”