Lawmakers on Thursday pressed Internal Revenue Service Commissioner John Koskinen on the agency’s cybersecurity practices in his third straight day of testifying on Capitol Hill.
{mosads}”The IRS has not taken the necessary steps to ensure that individuals are who they claim to be before handing over Americans’s confidential tax information,” Chairman Lamar Smith (R-Texas) said in his opening statement during a House Committee on Science, Space and Technology hearing.
The beleaguered IRS has been under increased pressure from lawmakers — including Speaker Paul Ryan (R-Wis.) — to ensure the security of its systems after a series of embarrassing breaches.
Hinting at seemingly widespread impatience, Smith asked if Koskinen’s staff members could find out before the hearing was over how many reccomendations from the Government Accountability Office (GAO) had been implemented.
Hours before the hearing, Ryan blasted out three pointed questions he wants Koskinen to answer, including a demand that the commissioner provide an update on its implementation of a more recent set of recommendations from the watchdog.
“What is the holdup? Why not pledge to do these things now?” Ryan’s office asked in a blog post.
Koskinen defended the IRS response, insisting that enacting all of the GAO’s recommendations is the agency’s first priority.
“There’s been some question about why we didn’t immediately sign on to the most recent ones, but the process is we are supposed to advise Congress within 60 days of a detailed timeline,” Koskinen said.
Gregory Wilshusen, director of information security at the GAO, said Thursday that the agency has 94 open recommendations going back to fiscal 2010, including 45 new recommendations made in March.
“We’re limited by time and resources, but we are committed in the security area to implement those as quickly as we can,” Koskinen said.
The more recent GAO report, issued last month, stated that unless the IRS takes steps to follow its recommendations, “its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.”
According to the watchdog, while the IRS made progress last year in securing its systems that process taxpayer and financial information, sensitive information is still vulnerable to being accessed by those with malicious intentions. The IRS hasn’t always implemented proper controls for authenticating users, appropriately restricted access to servers and made sure that certain sensitive data was encrypted, the report found.
The IRS has struggled to combat digital intruders over the past year. In August, the agency revealed that hackers had been able to swipe sensitive information about more than 300,000 taxpayers.
The cyber thieves broke in through the IRS system that allows taxpayers to request transcripts of their returns and other sensitive information. The agency shut down the system in May, after the breach was first discovered.
In a Senate hearing on Tuesday, Koskinen rebuffed criticism for these incidents.
He noted the agency is fighting an unprecedented volume of cyber criminals.
The IRS has also implemented 80 of the Government Accountability Office’s cybersecurity recommendations over the past few years, he added.