IRS Commissioner John Koskinen cited the end of a high-salary program as one of many reasons for its ongoing lapses in keeping taxpayer data safe from theft, according to testimony before the House on Thursday.
Koskinen spoke before a meeting of the House Subcommittee on Research and Technology
following a year in which hundreds of thousands of pieces of sensitive information were stolen by hackers, and on the heels of a reporter from the non-partisan Government Accountability Office (GAO) documenting an additional 45 problem areas with IRS security.
The IRS suspended an IP PIN security system on March 7, after finding nearly 800 cases of fraudulent access, including one instance where a South Dakota woman used the pin to file her taxes and found someone had already filed under her name, seeking a significant refund. More than 2.7 million such PIN numbers, designed to help prevent identity theft, had been given out.
Leandra Lederman, a law professor with the Indiana University Bloomington, who has written on the IRS and its security, told AMI Newswire that part of the problem stems from the movement by the IRS to implement electronic filing and get refunds out faster, despite budget cuts. This, she said, has led to a rise in refund fraud. Such fraud accounted for more than $3 billion paid out fraudulently in 2014, according to the GAO report.
“This combination then means that it’s easier for a fraudster to file, and it’s a real challenge to then try to catch them,” she said.
In addition, the IRS's “Get Transcript” system, in use since 2011 to help IRS customers request copies of their previous tax returns, was found to have been repeatedly compromised by identity thieves. In all, more than 700,000 records were taken in individual breaches in 2015, according to the IRS.
In his testimony, Koskinen maintained that the IRS core databases remained secure from what he said was over a million digital attacks logged daily on IRS systems.
“I’m not here to beat up the IRS … but we need to know what has gone wrong and get a guarantee that that's not going to happen again,” Rep. Dan Lipinski (D-Illinois), a member of the subcommittee, said during the hearing. “There's no 100-percent guarantee of security: We know that, we have to accept that.”
Critics have attacked the IRS’s defense of the security holes, pointing to reports from the U.S. Treasury Inspector General for Tax Administration (TIGTA) dating back to 2010, in which it warned that the IRS had improper controls in place to protect taxpayer information.
“The agency has failed to implement recommendations from government audits repeatedly over a long period of time,” Alex Hendrie, federal affairs manager for Americans for Tax Reform, told AMI Newswire. “This failure has little to do with lack of funding and more to do with the agency’s refusal to heed [Inspector General] warnings and do its job.”
Following the GAO report's release, the IRS said it would look into those recommendations.
House Speaker Paul Ryan demanded the IRS immediately implement the reforms in a March 30 statement.
As part of the Consolidated Appropriations Act, 2016, Congress provided an additional $290 million earmarked for addressing cybersecurity shortfalls at the IRS.
Koskinen rebuffed statements by the Subcommittee Chairwoman Rep. Barbara Comstock (R-Virginia) that it had cut IT staff in spite of the additional money, noting that the IRS had shed more than 15,000 employees in the last five years.
Cuts to IT, he said, were proportionately smaller than throughout the rest of the organization. In addition, an end to a more than 15-year-old “streamlined critical pay program,” Koskinen argued, further threatened to cost the organization key staff needed to address security issues.
The program was designed to help the IRS compete with the private sector for highly skilled workers, by authorizing up to 40 positions to be hired more quickly than the usual three- to six-month window, with base salaries as high as $227,300.
Congress has not re-authorized the program, which Koskinen said would account for the two high-level departures from the IRS cybersecurity staff, and prevent him from competing for the best candidates. He told the subcommittee that high-level IRS workers were regularly “being recruited by the best companies in the world.”
“The under-funding issue is the most important issue facing the IRS today,” Lederman said. “The cybersecurity problems are just one manifestation.”
When witnesses were asked by Rep. Lamar Smith (R-Texas) whether taxpayer information was safer this year than last, representatives with the TIGTA and the GAO Information Security Issues department were uncertain.
“I can’t comment,” Gregory Wilshusen of the GAO testified. “But I’d probably say that there’s no evidence that [taxpayer information security] is higher or lower.”
Koskinen has faced repeated scrutiny from the Republican-controlled Congress after a 2013 incident in which the IRS was investigated for allegations that it targeted conservative political action committees for audits and denial of tax-exempt status. A Department of Justice investigation into the allegations ended with no criminal charges being filed.
The latest hearing comes as a bill to impeach Koskinen, introduced last fall, sits before the House Judiciary Committee.