IRS head calls for Congress to renew streamlined hiring authority

Internal Revenue Service Commissioner John Koskinen on Tuesday called for Congress to renew “streamlined critical pay authority” that makes it easier for the agency to recruit and retain top information technology employees.

Without a renewal, key employees will leave the IRS, and “our ability to replace them is very questionable,” Koskinen said at a Senate Finance Committee hearing.

The authority was initially established in 1998 and allows the IRS to hire top employees without the candidates having to go through the typical government hiring process, which can take three to six months. However, the authority expired at the end of fiscal 2013, and the terms of any remaining employees working under the authority will expire by 2017.

Senate Finance Committee ranking member Ron Wyden (D-Ore.) and other Democrats also stressed the importance of renewing the authority.

“It seems to me you do not fight the cheats and the ripoff artists by osmosis,” he said. “You do it by having the right kind of experts.”

Senate Finance Committee Chairman Orrin Hatch (R-Utah) said that the committee would move on bipartisan legislation that would renew the streamlined pay authority in the near future.

During the hearing, Treasury Inspector General for Tax Administration Russell George and U.S. Comptroller General Gene Dodaro described areas where the IRS could improve its security. These finding have been detailed in past inspector general and Government Accountability Office reports.

“Cybersecurity threats against the federal government continue to grow, and the IRS is a prime target for attacks because of the extensive amount of taxpayer data it stores,” George said.

The inspector general has found that the IRS is still in the process of implementing a program that will allow it to perform real-time assessments of information security. The watchdog also found that the the IRS’ authentication processes need to be improved to comply with government standards, George said.

The GAO came out with a report recently that identified numerous weaknesses in the IRS’s security controls “due to the inconsistent application of their information security program.” The weaknesses included easily guessed passwords to gain access to important servers, IRS employees who were given more access to electronic taxpayers systems than they needed and key systems that were not encrypted but should have been, Dodaro said.

The GAO made more than 45 new recommendations and re-emphasized the importance of implementing 49 previously made recommendations, he said.  

Sen. Chuck Grassley (R-Iowa) asked Koskinen why certain cybersecurity recommendations that would not cost much haven’t been implemented yet.

Koskinen said that the IRS has already implemented about 80 percent of the GAO’s recommendations issued over the past couple of years. When it comes to internal security issues, the IRS is moving away from passwords and toward employees only being able to access servers if they have specific cards, he added.

Koskinen said the type of criminals the agency is dealing with has changed over the years.

“This problem used to be random individuals filing a few dozen or a few hundred false tax returns at a time,” he said. “Now, we’re dealing more and more with organized crime syndicates here and in other countries.”

In the past year, there have been three big cases of identity thieves targeting online services on the IRS website by pretending to be legitimate taxpayers. In the case of the targeting of the agency’s “Get Transcript” application, the information of hundreds of thousands of taxpayers’ informations was lost before the web feature was disabled.

“We need to be able to anticipate the criminals’ next moves and attempt to stay ahead of them,” he said.