Feel-Good Story of the Year: The IRS Gets Audited (and Fails!)

Don Miller

More Government Dysfunction When it Comes to Cybersecurity

In connection with the US federal government’s National Critical Infrastructure Security and Resilience Month (CISR Month), MFT Nation offered a “case study in what-not-to-do” concerning the cybersecurity misadventures of a key department of the White House.  While writing this case study, we discovered that an additional US government agency—the Internal Revenue Service (IRS)—had some pretty bad cybersecurity practices as well.  We want to share what we learned from a report recently released by the IRS auditor showing how lax the IRS is when it comes to protecting taxpayers’ personally identifiable information (PII).

Unencrypted Email Use Puts Taxpayer Information at Risk

The auditor’s report, entitled “Employees Sometimes Did Not Adhere to E-mail Policies Which Increased the Risk of Improper Disclosure of Taxpayer Information,” is based on a random sample of e-mails sent by 80 IRS employees in one division during a four week period in 2015.  The IRS auditor found the following significant cybersecurity violations:

  • Even though IRS policy requires employees to encrypt emails containing PII, about half of the 80 employees sent a total of 326 unencrypted e-mails that contained information about 8,031 different taxpayers internally to other IRS employees or externally to non-IRS email accounts.
  • 14 of the offending e-mails were sent with taxpayer PII in the e-mail subject line (probably a taxpayer name and social security number), which cannot be encrypted and is expressly prohibited by IRS cybersecurity policies.
  • Six employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts.

IRS Management Promises to Take Corrective Steps. But Will Management Stand By Its Promises?

IRS management promised to take corrective steps recommended by the auditor to establish a “systemic solution.”  But soon after making such promises, IRS management also issued statements which attempted to downplay the significance of the cybersecurity violations.  For example, one IRS manager claimed that most of the offending emails posed “minimal risk” because they were sent internally and therefore protected by the agency’s firewall.  This type of response demonstrates an utter lack of understanding of cybersecurity best practices.

Most, if not all cybersecurity professionals/experts would tell the IRS that the best data security strategy involves several different security methods deployed in a layered manner.  A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.  In fact, government regulators have sanctioned private sector companies for failing to deploy and/or properly use a layered approach, reasoning that such tools could have eliminated or reduced the risk of a data compromise.

In addition, the attitude of the IRS manager is downright disturbing.  When data is transmitted unencrypted, the risk is never “minimal.”  Remember, not all the unencrypted emails were sent behind the firewall.  Also remember that six IRS employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts.  Remember as well that widespread violations were discovered based on a spot check of a very small sample size—only 80 employees in one division during a four week period in 2015.  One can only imagine how many similar incidents the auditor would have discovered had he reviewed emails sent/received over the last couple years by all 80,000 IRS employees.

protecting access to your data

As for the unencrypted emails sent behind the firewall, government regulators have sanctioned private sector companies under similar circumstances reasoning that the “potential” for harm still exists.  For example, take a look at all the documents filed in an administrative proceeding brought by the US Federal Trade Commission (FTC) against a company named LabMD.  According to this document filed by LabMD, the FTC spent “millions of taxpayer dollars to destroy a small, innovative cancer detection laboratory” even though no evidence existed that any consumer was harmed by the alleged cybersecurity violations.  One blog described the LabMD saga as “the story of how one simple breach of a single rule by a single employee sank a $4 million per year company.”

The same should apply for government agencies like the IRS and its employees; there must be consequences for bad cybersecurity practices.  While the IRS has penalties—ranging from a warning to removal—for employees that put taxpayer information in unencrypted e-mails, there “was no evidence provided” to the auditor that any penalties were enforced.  In other words, no employee will be disciplined for violating crucial cybersecurity policies.  Nor was any IRS manager disciplined; although IRS management did promise to send a meaningless e-mail to all managers stressing the “importance of managerial awareness.”  Yeah, like that’s really going to trigger any real change in behavior.  To effect real change in the IRS cybersecurity culture, there must be consequences for such blatant disregard for vital cybersecurity policies.

The Awkward Truth About US Federal Government Cybersecurity Practices

“Unprotected e-mails put taxpayers at risk of identity theft, or inappropriate disclosure of information about their identity and tax returns,” according to the auditor’s report.  This incident reveals an awkward truth for an agency that is required to protect taxpayer information.  Yet to our surprise and dismay, very few people or media sources are reporting about this very serious problem.  Why is that?  I think we all know the answer.

Stay tuned for further developments regarding the IRS cybersecurity audit (we understand other cybersecurity audit reports exist).  In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.