Security Short Take: Blame for IRS data breach laid on cybersecurity cuts

Funding for cybersecurity is down 20% since 2011, but that's not the whole story

irs stoplight
Credit: Thinkstock
list making rounded

The IRS breach revealed last week will be Topic No. 1 at a hearing today before the U.S. Senate Finance Committee, and agency officials are expected to place the blame for the data leak on lawmaker-driven cutbacks in funding.

Criminals stole sensitive information affecting roughly 100,000 taxpayers through the agency's "Get Transcript" app. The IRS disclosed the breach on May 26.

IRS spending on cybersecurity is down by 20% since 2011, from $187 million four years ago to $149 million in the current fiscal year. (That's actually less bad than it sounds. Funding plummeted to $129 million in 2012 before rebounding a bit in recent years.) The agency also lost key IT personnel when it was stripped of its ability to pay cybersecurity experts at higher-than-normal levels.

To try and head off future breaches, the IRS has options, according to a former IRS IT manager. Those options include:

  1. A more dynamic and aggressive security framework that would make it harder for fraudsters to impersonate legitimate taxpayers using information scarfed up from around the Web. Instead of taking that tack, top-level execs at the IRS opted for a simpler process aimed at encouraging more people to use the Get Transcript app.
  2. A more complex system that includes multi-factor authentication using biometrics and dynamic questions based on non-public information. The hurdle there is that many people in the U.S. are leery of government use of biometrics and see it as a potential privacy invasion.
  3. Better use of a system the IRS already has in place: A six-digit PIN that is  available to taxpayers. Many people are not aware of that option.
  4. Or an authentication process that links phone numbers to taxpayers, similar to what online services such as Google now offer.

At today's hearing, IRS officials are expected to explain the multi-step security processes they now use to double-check taxpayer identities. In addition to personal information about a taxpayer, like Social Security number, date of birth, tax filing status and street address, the agency also poses "out-of-wallet" questions based on information only the taxpayer would know.

With reports by Patrick Thibodeau at Computerworld.

This story, "Security Short Take: Blame for IRS data breach laid on cybersecurity cuts" was originally published by CSO.