The head of the Treasury Inspector General for Tax Administration (TIGTA), J. Russell George, testified before Congress today concerning the latest data breach at the IRS involving the “Get Transcript” application. At this point we have some preliminary estimates on the damage done by this cyberattack: $39 million in fraudulent refunds. And while George stopped short of saying that it all could have been prevented, he clearly did place some blame on the IRS. Every year for the past several years, TIGTA has identified weaknesses in IRS security systems and makes “recommendations” for improving them. As of March 2015, there were around 50 problem areas that still required attention.
The problem is that most of the time these “recommendations” are simply acknowledged by the IRS and taken into consideration, and nothing further. In other words, the IRS will agree with the recommendation but not take the additional steps necessary to correct the problems. I have been frustrated by this pattern for years and wished TIGTA somehow had the authority to require action, rather than kindly make recommendations.
IRS Commissioner, John Koskinen, was also present during George’s Congressional testimony and you can probably guess his response: budget cuts have hampered the IRS’ ability to combat cyber criminals and has kept the IRS from upgrading their computers and cybersecurity technology. But after realizing that he had painted himself into a corner, he quickly tempered his remarks:
Not every problem is a budget problem, so I don’t want to wander around town every time we have a challenge saying, “Ah, if we had more money, we’d fix it,” … [t]his is a technology issue, not a budget [issue]…
The other part of his response was that implementing TIGTA’s recommendations would not have prevented this particular cyberattack. It’s apples and oranges. There was apparently something different about this data breach; it was very sophisticated and was orchestrated by multiple groups located in foreign countries. According to Koskinen, it was a “sophisticated international syndicate” that was responsible for this latest data breach. In other words, this was a tricky group of criminals and nothing could have stopped them.
Don’t believe it. We know the IRS’ track record and they make a lot of mistakes. There is a reason why they immediately took that part of their website down following last week’s announcement. I am also very skeptical of the statement I keep seeing that the main IRS computer systems were not compromised in this cyberattack. Remember when top IRS officials were certain that Lois Lerner’s emails were not recoverable? There are times (and I see this on a daily basis in my communications with IRS rank & file) when the IRS does not appear to be all that familiar with its own systems. We’ll have to keep a close eye on this story. I would not be surprised if more information is discovered in the coming weeks that calls into question this statement about IRS’s main computer system. I hope I am wrong.