A government watchdog says the agency is "unnecessarily vulnerable."
A version of this post titled “Cyberattacks on taxpayers” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
Have you filed yet?
Monday is Tax Day, of course—everyone’s favorite holiday. It’s that time of year when the weather begins to warm up, the sun spends more time in the sky, and the government comes knocking on your coffers. Not far behind: Hackers and fraudsters trying to score some of the levied loot.
This past week John Koskinen, commissioner of the Internal Revenue Service, has been making the rounds on Capitol Hill. He has borne the unenviable task of explaining to various committees how the agency has used its “constrained resources” to secure its computer systems and protect taxpayer information—though neither approach appears to be working. Indeed, thieves have been pummeling the agency with cyberattacks—more than one million per day, by Koskinen’s count. And the attackers have been making out like bandits by impersonating citizens and exploiting website weaknesses. In February the agency said that hackers looking to fraudulently claim tax refunds had stolen 724,000 people’s data—double the number it estimated last summer. It hasn’t helped that the IRS has debuted faulty transcript tools, nor that the agency has had at least one identity thief within its own ranks.
For a worthwhile summary of the agency’s technology troubles, read this overview by my colleague Jen Wieczner, which appeared in the April 1st issue of Fortune magazine. Or you can read this damning report from the Government Accountability Office, which concluded that the IRS has remained “unnecessarily vulnerable” with “significant deficiency in internal control.” The title of the assessment? “IRS Needs to Further Improve Controls over Financial and Taxpayer Data.” Although specifics about the office’s 43 technical recommendations are reserved for a separate, private report—to keep the information from falling into the wrong hands—the imperative is clear: Improve.
To be fair, the IRS is a top target for cybercriminals. The GAO is a known harsh grader. And the agency has faced a multitude of funding challenges over the past few years. The IRS’s $11.2 billion budget for fiscal 2016 is less than its inflation-adjusted budget in 1995, even while attacks have increased, as Wieczner points out. To make matters worse, the government has had an unquestionably tough time luring talent away from the private sector, where technologists are in high demand—and compensated accordingly.
These points are all elements of Koskinen’s plea: Thanks for the $290 million year-end bump in cybersecurity funding—really, thank you—but it’s not quite enough. (Not a surprising position given the raison d’être of the agency he leads: Taxation.) Specifically, though, Koskinen has asked for the reauthorization of a provision that allowed the IRS to attract IT and business smarts since 1998. The so-called streamlined critical pay authority expired in fiscal 2013.
“Out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year,” he told the Senate Finance Committee on Tuesday, per his prepared remarks. Referencing the President’s fiscal 2017 budget, which reinstates the pay measure, he added: “I urge the Congress to approve this proposal.”
Say what you will about the federal government’s ability to spend smartly: Cybersecurity is worth paying for.