GAO Sees Good News, Bad News in IRS Security Efforts
The Internal Revenue Service has done a lot over the last few years to bring its systems up to speed with the latest online security measures. As the threat from cybercriminals has increased, the IRS—aided by its Security Summit partners—has added new and more effective measures to help counter the threat.
However, more work remains to be done.
The Government Accountability Office (GAO) studied the process the IRS uses to adopt new security measures. Keeping current, after all, makes all the difference in the world of cybersecurity. Its findings reveal a mixed bag: some solutions are working, and there is room for improvement in how the agency identifies the next tool for its arsenal.
In a recent appearance before a House subcommittee, James McTigue, the Director of Strategic Issues for the GAO, told the panel that the IRS has indeed taken steps to improve taxpayer authentication. These steps, McTigue said, include working with the industry partners to identify solutions in the fight against identity theft refund fraud and developing an authentication strategy for its most pressing challenges.
“However, we also found that IRS has not prioritized the initiatives supporting its authentication strategy nor identified the resources required to complete them,” McTigue said. “Further, we found that IRS does not have clear plans and timelines to fully implement (the National Institute of Standards and Technology’s) NIST’s new guidance for secure online authentication and also lacks a comprehensive process to evaluate potential new authentication technologies, which could provide taxpayers additional options to actively protect their identity.”
The GAO’s report to the subcommittee contained a number of recommendations, all of which the IRS agreed to. The GAO recommended that IRS management:
- Direct the Identity Assurance Office, in collaboration with other IRS business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap.
- Direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap.
- Establish a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication. This policy should include, for example, the frequency of assessments to be performed and timeframes for addressing deficiencies.
- Direct the Identity Assurance Office and IRS business owners to develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication.
- Establish a mechanism to collect data on outcomes for telephone, in-person, and correspondence authentication, consistent with federal standards for internal control.
- Revise or establish, as appropriate, procedures to ensure data quality in the Account Management Services (AMS) consistent with federal standards for internal control.
- Ensure that IRS business units have access to complete AMS data to monitor authentication performance and identify potential issues.
- Direct the Identity Assurance Office and other appropriate business partners to develop a plan—including a timeline, milestone dates, and resources needed—for implementing changes to its online authentication programs consistent with new guidance from the National Institute of Standards and Technology (NIST).
- Implement improvements to IRS’s systems to fully implement NIST’s new guidance.
- Develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners. Include and prioritize these options, as appropriate, in IRS’s Identity Assurance Strategy and Roadmap.
McTigue gave three examples of technologies that could be explored for a role in the security mix but are currently not on the IRS radar.
First is a new technology called possession-based authentication, which uses a piece of computer hardware—a trusted device or “security key”—that identifies the user as a trusted source to the IRS. The device would comply with the NIST standards and the IRS could enable its systems to accept these trusted devices as authenticators for the taxpayers who elect to use them.
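To make the mechanism concrete, here is an added illustration of how a possession-based factor works; it is not code from the GAO report, the IRS, or any NIST publication. The security key holds a private key that never leaves the device; the service stores only the matching public key and accepts a login when the device signs a fresh, single-use challenge that is bound to the service’s own web origin. The origin, account names, and the challenge lifetime below are constructed placeholders. The example uses Go’s standard-library Ed25519 signatures in place of the specific algorithms a production security key would implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// relyingParty is a constructed placeholder origin, not a real IRS address.
const relyingParty = "https://tax-portal.example.test"

// SecurityKey models the device side of possession-based authentication.
// The private key is generated on the device and never exported.
type SecurityKey struct {
	priv ed25519.PrivateKey
}

// NewSecurityKey generates a key pair and returns the device plus the public
// key that the user registers with the service.
func NewSecurityKey() (*SecurityKey, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SecurityKey{priv: priv}, pub, nil
}

// Sign answers a challenge. The device signs a digest of origin||challenge, so a
// signature produced for one site cannot be replayed against a different one.
func (k *SecurityKey) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(k.priv, signedPayload(origin, challenge))
}

// signedPayload binds the challenge to the origin with an unambiguous separator.
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

type pendingChallenge struct {
	account string
	issued  time.Time
}

// Server models the relying party: it stores public keys only, issues random
// challenges, and enforces single use and a short lifetime on each one.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey // account -> registered public key
	pending map[string]pendingChallenge  // hex(challenge) -> issuance record
	ttl     time.Duration
	Now     func() time.Time // injectable clock so expiry can be exercised
}

func NewServer(origin string) *Server {
	return &Server{
		origin:  origin,
		keys:    make(map[string]ed25519.PublicKey),
		pending: make(map[string]pendingChallenge),
		ttl:     2 * time.Minute, // constructed lifetime for the illustration
		Now:     time.Now,
	}
}

// Register records the public key presented during enrolment.
func (s *Server) Register(account string, pub ed25519.PublicKey) {
	s.keys[account] = pub
}

// IssueChallenge hands out 32 random bytes and remembers who they were issued to.
func (s *Server) IssueChallenge(account string) ([]byte, error) {
	if _, ok := s.keys[account]; !ok {
		return nil, errors.New("no security key registered for account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = pendingChallenge{account: account, issued: s.Now()}
	return c, nil
}

// Verify accepts a login only if the challenge is outstanding, unexpired,
// issued to this account, and signed by the registered key for this origin.
func (s *Server) Verify(account string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	p, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key) // consume it whether or not the signature checks out
	if p.account != account {
		return errors.New("challenge was issued to a different account")
	}
	if s.Now().Sub(p.issued) > s.ttl {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.keys[account], signedPayload(s.origin, challenge), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

func main() {
	dev, pub, err := NewSecurityKey()
	if err != nil {
		panic(err)
	}
	srv := NewServer(relyingParty)
	srv.Register("taxpayer-1", pub) // constructed account identifier
	ch, _ := srv.IssueChallenge("taxpayer-1")
	fmt.Println("first use:", srv.Verify("taxpayer-1", ch, dev.Sign(relyingParty, ch)))
	fmt.Println("replay:   ", srv.Verify("taxpayer-1", ch, dev.Sign(relyingParty, ch)))
}
```

Two properties carry the security argument: the service never holds anything a database breach could turn into a login, because it stores only public keys, and a signature is tied to one origin and one fresh challenge, so it cannot be captured and reused elsewhere or later.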
Another strategy is to enlist third parties who are trusted partners of the IRS. These partners could identity-proof and authenticate taxpayers and could include tax preparers, financial institutions, or other federal or state agencies.
McTigue said the IRS had indeed been exploring such options with the Social Security Administration and the U.S. Postal Service, although the next step had not been determined.
Lastly, the IRS could expand its online services to further protect taxpayers. For example, the GAO report suggests, the IRS could develop functions that allow taxpayers to designate a bank account or specify a preference for a paper check through settings in their online IRS tax account. If a fraudster filed a return with different information, it would be automatically rejected.
In short, McTigue concluded, the IRS needs to cast a wider net to get the best and most up-to-date authentication methods to protect the nation’s taxpayers.
“Taxpayer authentication has become more difficult with the wide availability of personally identifiable information and fraudsters’ ability to develop more complex and sophisticated methods to commit fraud undetected,” McTigue said. “Addressing the issues we describe could better position IRS to identify and mitigate vulnerabilities in its authentication efforts and better protect taxpayers and the Treasury.”