UPDATED: 04:42 p.m., on June 8, 2015, to include a written statement from the IRS provided to Federal News Radio.
The Internal Revenue Service has notified a relative handful of contractors that it plans to spend nearly $130 million to build its own new suite of identity verification services, an approach that appears to significantly diverge from an established governmentwide program to verify users’ identities.
The agency issued a request for quotations on April 30, just weeks before officials announced that their existing identity safeguards had been breached by a criminal syndicate that stole detailed tax transcripts on 104,000 taxpayers. The IRS published details of the procurement via the General Services Administration’s eBuy platform, which is only visible to existing GSA schedule contractors and lets the government choose which vendors to notify about a particular solicitation.
IRS officials made no mention of the large investment when they were grilled on Capitol Hill last week about their plans to head off another exposure.
But in contracting documents, obtained by Federal News Radio, the agency said it intended to award three blanket purchase agreements with an expected value of $129 million. Once it makes the BPA awards in July, the IRS intends to issue task orders to supply a variety of security and identity management services.
The services would build on the IRS’ existing “knowledge-based authentication” (KBA) mechanism, the credit history-based technology hackers exploited to gain access to the Get Transcript system over several months and that the agency currently procures under a contract with Equifax. The BPAs would require vendors to continue to provide KBA services, even though IRS Commissioner John Koskinen acknowledged last week that particular identity verification method had “been surpassed by events.”
In addition, the BPAs would provide for two-factor authentication by users of IRS electronic services through one-time passwords sent by email, text or phone calls. They would also ask vendors to validate taxpayer identities against financial data, state and local government records and implement their own proprietary fraud detection technology.
Pursuant to an executive order President Barack Obama signed last year, all agencies are required to implement “multifactor” authentication on websites that make personal data available to citizens by early 2016.
The broader government’s approach to that challenge is through the Connect.gov service, which lets citizens use a single, verified identity credential to access a variety of websites, and is the federal government’s implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
While other agencies including the departments of Agriculture, Veterans Affairs, Health and Human Services and the Postal Service have already begun to migrate their secure online services to Connect.gov, it remained unclear why the IRS was contemplating such a substantial investment in developing new services of its own.
“The IRS is reviewing a range of authentication issues to strengthen protections for taxpayers,” the agency said in a statement to Federal News Radio Monday afternoon. “We realized long ago that our future efforts require an expanded focus on authentication, and we anticipate having a variety of needs for tax administration purposes. After doing some initial market review more than a year ago, we decided in April to put out this request. The IRS emphasizes this request is very early in the process and any final decisions will depend upon available funding. We are looking at all of our options, and we are not ruling anything out.”
But agency spokespeople did not immediately respond to specific questions about whether the IRS had any plans to leverage the Connect.gov infrastructure in any way.
“In my estimation, what the IRS is asking for in this RFQ is about an 80 to 90 percent match in terms of requirements,” said one senior industry executive who works in the identity management space. “And the important thing is that Connect.gov is here and available to stop fraud today as opposed to starting from a clean sheet of paper and investing more taxpayer dollars to create a duplicate infrastructure. There’s no defensible argument for why they can’t integrate with Connect.gov or why they need something different. These are Web services. These are not some wildly-unique or exotic systems.”
The executive, who spoke on condition of anonymity because he did not have permission to speak on his firm’s behalf and because companies like his could actually benefit from the IRS approach he was criticizing, said it would allow contractors like his to sell the same services to the government twice — once through the NSTIC process, and again to the IRS as it procures identity management services on its own.
A 2013 cost-benefit analysis prepared for the IRS and the National Institute of Standards and Technology (NIST) found that the IRS could vastly improve the existing security posture of its public-facing websites by using either a new proprietary system or by leveraging the NSTIC project, and also pointed to cost savings.
A “proprietary” IRS-only approach, the study found, would save the IRS up to $286 million per year. But an “NSTIC-aligned” system would save up to $305 million. The analysis also projected major differences in up-front costs: An NSTIC solution like Connect.gov was estimated to be anywhere between $40 million and $111 million less expensive to implement.
“What I’ve found maddening in the wake of this breach has been the IRS’ assumption, in every statement, that the only way to solve this problem is to create their own in-house identity system,” said Jeremy Grant, who until April led the NSTIC program at NIST and now is an independent technology consultant. “IRS already did this once, using KBA in a way that directly conflicted with best practices for electronic authentication and with solutions that had not been certified for government use. The results of that experiment have been on display in the news. IRS may have some unique requirements, but they’d get much further working to get them addressed through a shared platform like Connect.gov, rather than spending $129 million to build their own ‘new and improved’ mousetrap. Most Americans are already dealing with 30-40 passwords, along with gobs of applications that ask them for the same answers to supposedly secret questions. It’s a broken model.”
The IRS contracting documents suggest the agency wants to use the BPAs to provide tailored authentication services to individual business units, so it’s not yet clear whether the agency has a fully-formed enterprise strategy to implement the procurement tool. But the documents also suggest an overall approach that differs from NSTIC in several important ways.
For example, they specify that IRS will use seven separate “levels of assurance” — different standards of trustworthiness for how strong a particular login mechanism is, based on the steps a user had to go through to verify their true identity. The Office of Management and Budget made clear in 2013 authentication guidance that agencies should consolidate around four risk levels.
Also, the solicitation indicated a major ongoing reliance on the KBA-based authentication schemes hackers already have defeated, but some industry experts said there might be perfectly legitimate reasons for that.
“The problem with KBA is that it uses information that’s essentially public in this day and age. Ultimately none of that data is really secret anymore,” said Jeff Williams, the chief technology officer for Contrast Security. “But some places still use it as a secondary factor. The primary authentication method should be something like a token or a password, but they could just demote the knowledge-based system they’re using for all of their security right now and make that their secondary factor. That would probably put them pretty far down the road to better security.”
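The two-factor arrangement described above (the one-time passwords sent by email, text or phone call that the BPAs would provide, and Williams’ point that a password should be the primary factor with the weaker method demoted behind it) looks like this in code. This is an added illustration, not the IRS’ system or any vendor’s product; the user table, salt, code length, five-minute lifetime and five-attempt limit are all constructed assumptions, and the delivery channel is left out because the point is how the server treats the code once it has been sent.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300   # a delivered code is only good for five minutes (assumed policy)
MAX_ATTEMPTS = 5         # a pending code is discarded after a few wrong guesses (assumed policy)

# Constructed sample user store: one fake account, password stored as a salted PBKDF2 hash.
_SALT = b"constructed-salt-not-for-real-use"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"taxpayer1": _pbkdf2("correct horse battery staple", _SALT)}


def check_password(user: str, password: str) -> bool:
    """Primary factor: something the user knows that is not public record."""
    stored = USERS.get(user)
    if stored is None:
        _pbkdf2(password, _SALT)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(stored, _pbkdf2(password, _SALT))


class OtpStore:
    """Pending one-time codes. Codes are kept only as keyed hashes so a leaked
    table cannot be replayed, and every code is single-use, time-limited and
    attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = os.urandom(32)          # per-process secret for hashing codes at rest
        self._pending = {}                  # user -> {"digest", "expires", "attempts"}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh six-digit code; returning it stands in for handing it
        to the email/SMS/voice sender. Issuing again replaces any older code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {
            "digest": self._digest(code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, code: str) -> bool:
        rec = self._pending.get(user)
        if rec is None:
            return False                    # nothing pending, or already consumed
        if self._clock() > rec["expires"]:
            del self._pending[user]         # expired codes are dropped, not retried
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]         # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(code))
        if ok:
            del self._pending[user]         # single use
        return ok


def begin_login(store: OtpStore, user: str, password: str):
    """Step 1: the second factor is only issued after the primary factor passes,
    so the code channel is never exercised for a guessed username alone."""
    if not check_password(user, password):
        return None
    return store.issue(user)


def finish_login(store: OtpStore, user: str, code: str) -> bool:
    """Step 2: both factors have now been checked."""
    return store.verify(user, code)
```

The KBA questions the article discusses could sit where `check_password` is only as an enrolment-time check, as Parris describes; once an account has a password and a delivery channel, nothing in the login path above consults credit-history data.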
Richard Parris, the CEO of Intercede, an identity management firm, said KBA is generally viewed in the industry as a “poor man’s authentication mechanism,” which organizations only use when they are unwilling or unable to invest in more modern systems. But he said KBA still had its place in an up-to-date identity verification system as long as it was employed as just one factor in a suite of technologies.
“Where it has some real value is when you’re initially bootstrapping a system. Whenever a customer joins for the first time, you need to establish their initial trustworthiness,” he said. “So on a one-time basis, when a customer has time to sit down with his tax returns and answer a lot of difficult questions to establish his identity, it makes sense. But thereafter, it really is an arcane way of doing authentication in a digital world.”
But Parris also said he found it understandable that the IRS would seek its own authentication tools to counter identity theft, at least as a stop-gap measure. He said NSTIC has been slower to gain a footing than government-centric single sign-on initiatives in other countries, partially because the strategy attempts to build an identity infrastructure that also encompasses private-sector websites.
“I think NSTIC is highly commendable in its objectives, but it’s trying to pull together private and public sector interests in the same direction, and that’s always going to be a major challenge,” he said. “The IRS, to an extent, needs to be looking at interim solutions. But they need to be interim solutions that are built on a stronger foundation than knowledge-based authentication. Two-factor authentication really is where they need to be.”