Cyberattacks on taxpayers

By Robert Hackett
April 16, 2016

Have you filed yet?

Monday is Tax Day, of course—everyone’s favorite holiday. It’s that time of year when the weather begins to warm up, the sun spends more time in the sky, and the government comes knocking on your coffers. Not far behind: Hackers and fraudsters trying to score some of the levied loot.

This past week John Koskinen, commissioner of the Internal Revenue Service, has been making the rounds on Capitol Hill. He has borne the unenviable task of explaining to various committees how the agency has used its “constrained resources” to secure its computer systems and protect taxpayer information—though neither approach appears to be working. Indeed, thieves have been pummeling the agency with cyberattacks—more than one million per day, by Koskinen’s count. And the attackers have been making out like bandits by impersonating citizens and exploiting website weaknesses. In February the agency said that hackers looking to fraudulently claim tax refunds had stolen 724,000 people’s data—double the number it estimated last summer. It hasn’t helped that the IRS has debuted faulty transcript tools, nor that the agency has had at least one identity thief within its own ranks.

For a worthwhile summary of the agency’s technology troubles, read this overview by my colleague Jen Wieczner, which appeared in the April 1st issue of Fortune magazine. Or you can read this damning report from the Government Accountability Office, which concluded that the IRS has remained “unnecessarily vulnerable” with “significant deficiency in internal control.” The title of the assessment? “IRS Needs to Further Improve Controls over Financial and Taxpayer Data.” Although specifics about the office’s 43 technical recommendations are reserved for a separate, private report—to keep the information from falling into the wrong hands—the imperative is clear: Improve.

To be fair, the IRS is a top target for cybercriminals. The GAO is a known harsh grader. And the agency has faced a multitude of funding challenges over the past few years. The IRS’s $11.2 billion budget for fiscal 2016 is less than its inflation-adjusted budget in 1995, even while attacks have increased, as Wieczner points out. To make matters worse, the government has had an unquestionably tough time luring talent away from the private sector, where technologists are in high demand—and compensated accordingly.

These points are all elements of Koskinen’s plea: Thanks for the $290 million year-end bump in cybersecurity funding—really, thank you—but it’s not quite enough. (Not a surprising position given the raison d’être of the agency he leads: Taxation.) Specifically though, Koskinen has asked for the reauthorization of a provision that has helped the IRS attract IT and business smarts since 1998. The so-called critical pay authority expired in fiscal 2013.

“Out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year,” he told the Senate Finance Committee on Tuesday, per his prepared remarks. Referencing the president’s fiscal 2017 budget, which reinstates the pay measure, he added: “I urge the Congress to approve this proposal.”

Say what you will about the federal government’s ability to spend smartly: Cybersecurity is worth paying for.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, Wickr, Signal, or however you (securely) prefer. Feedback welcome.


THREATS

Microsoft sues U.S. over email privacy. Like Apple, the software giant is taking a hard line against government surveillance. The company has filed a lawsuit against the Department of Justice that aims to notify customers whenever a federal agency has requested access to their email accounts. Microsoft cited a right to privacy that should extend to people’s data, even when stored in the cloud. (Fortune)

IBM discovers banking malware. Researchers at IBM’s X-Force security group identified a new strain of malicious software that stole $4 million from two dozen banks and credit unions in the U.S. and Canada during the first week of April. The operators have primarily targeted business accounts by tricking customers into clicking or downloading booby-trapped links and attachments. (Fortune, IBM Security Intelligence)

Ditch QuickTime, Windows users. Cybersecurity firm Trend Micro spotted critical security flaws in the PC version of Apple’s QuickTime video player. Rather than patching the vulnerabilities, Apple has decided to stop supporting the software. What this means for you: Uninstall. (Fortune, Trend Micro Simply Security)

A deception worth $100 million. Imposters pretending to be a legitimate vendor tricked an unnamed American company into handing over $100 million in one of the largest reported “business email compromise” scams. The company has recovered about $74 million so far, and the U.S. government has stepped in in an attempt to recoup the rest, which was laundered through 20 international banks. (Fortune)

Panama Papers fallout continues. Russian President Vladimir Putin said during a live Q&A session that the people making associations between officials and offshore accounts are “simply trying to muddy the waters.” Meanwhile in China, censorship watchers suspect that the country’s move to block the blogging network Medium is related to posts about the Panama Papers that appeared on the site. Also, Bill Gates said he is “surprised” that so few American names turned up in the leak. (Fortune, Fortune, Fortune)

WordPress adds encryption. The blogging network WordPress has decided to roll out HTTPS encryption for all of its sites. The extra layer of security, which protects Internet traffic to and from computer servers, helps prevent hackers and spies from intercepting, manipulating, or snooping on data. (Fortune)

Apple vs. FBI questions. Did the Israeli computer forensics firm Cellebrite help the FBI break into that terrorist’s iPhone, or did “gray hat” hackers lend the agency their talents? (Conflicting reports have surfaced.) Will the government reveal the method of intrusion, or won’t it? (No one knows.) Will the unlocked handset yield any investigatory leads? (An unnamed source told CBS News that nothing significant has been found on Syed Farook’s device yet.) (Fortune, Fortune, Fortune)



ACCESS GRANTED

Fortune contributor David Meyer explains how a number of groups are trying to put limits on the creation of killer robots.

The Red Cross is obviously not wildly keen on autonomous weapons at all, nor on anything else that kills people. However, seeing as governments and defense contractors seem determined to build them anyway, the organization at least wants to see limits on their autonomy.

In short, they’re worried about killer robots deciding on their own whom to target.

Government experts from around the world are currently meeting in Geneva to discuss autonomous weapons—self-guided drones, killer robots, and so on—and humanitarian and human rights groups are pleading with them to make sure these kinds of weapon systems always keep humans in control. Read the rest on Fortune.com.



ONE MORE THING

A tale of two hackers. Out of the underground teenage hacking community of the 1980s, two men from the group known as the Inner Circle wound up leading wildly different lives. The FBI busted the collective after its members got caught hacking into an early email system that hosted email for companies such as Citibank, Coca-Cola, and Raytheon. One man lives on the streets in Santa Monica, Calif., while the other is apparently a family man who lives in the suburbs of Detroit and works with computers. (Gizmodo/PaleoFuture)
