IRS cyber deficiencies leave taxpayer data at risk, IG report says
The IRS has cybersecurity deficiencies leaving taxpayer data open to misuse, tampering or disclosure due, in part, to the agency’s over-reliance on old systems, according to the Treasury Inspector General for Tax Administration.
An annual assessment of the IRS‘s IT program found the agency needed to boost its abilities to detect cyber events through continuous monitoring and keep track of its hardware and software.
The American Rescue Plan (ARP) Act passed in March gave the IRS an additional $1 billion in funding, including provisions to modernize legacy systems. But conservative political groups have opposed further efforts to increase the tax collection agency’s budget, reported The Washington Post.
“The reliance on legacy systems and aged hardware and software, and its use of outdated programming languages, pose significant risks to the IRS’s ability to deliver its mission,” reads the inspector general’s report released Tuesday. “Modernizing the IRS’s computer systems has been a persistent challenge for many years and will likely remain a challenge for the foreseeable future.”
IT weaknesses could limit the IRS’s ability to collect the $4.1 trillion in taxes and process the $1.1 trillion in refunds and outlays it handled in fiscal 2021, as well as fairly enforce tax law, according to TIGTA.
After receiving additional funding, the IRS released an ARP Modernization document in June detailing initiatives for tech innovation and faster rollout of capabilities. The plan would accelerate Phase 2 of the IRS Integrated Modernization Business Plan.
But the agency continues to struggle with maintaining a comprehensive inventory of information systems, TIGTA said, and it hasn’t completed Phase 1 of the federal Continuous Diagnostics and Mitigation program, which involves implementing a scanning tool for identifying unnecessary hardware and software.
TIGTA found most laptops and desktops the IRS provides employees are sanitized prior to disposal, but the process to verify that is ineffective.
The IRS implemented most baseline security controls for its Get My Payment application, but the use of weak cryptographic ciphers could allow an attacker to compromise the system, according to the report. And the agency has the tools needed to detect vulnerabilities in the app but failed to readily remediate 17 critical and 169 high-risk vulnerabilities within the mandated 90 days.
Other IRS success include the agency creating a roadmap for finding encryption solutions for the systems it’s developing, deploying Release 1 of its Enterprise Case Management solution and defining the role and responsibilities of its chief information officer.
“However, the chief information officer is not notified of all significant information technology acquisitions,” reads the report. “Problems were also reported with the IRS’s information technology acquisitions, asset management, human capital, project management, risk management, implementation of corrective actions, modernizing operations, and the coronavirus disease 2019 response.”