Who should get the blame in IRS breach?
- 02 June, 2015 20:45
If cybercrime is visualized as a river, its headwaters may be in a doctor's office in places such as South Florida. It's here where a cellphone photograph of a medical form filled out by a patient can be sold for a minimum of $10.
With that information, fraudsters add other data streams from publicly accessible databases, social media sites and other sources, such as stolen credit records. It's this now-river of data that was used to attack an Internal Revenue Service application called Get Transcripts and access the records of more than 100,000 taxpayers.
The U.S. Senate Finance Committee will hold a hearing today on this breach. The IRS will put some of the blame on lawmakers, at least indirectly. The agency has suffered big budget cuts, including to its cybersecurity program, and has lost some key IT personnel.
But does IRS budget-cutting, from $12.15 billion in 2010 to $10.9 billion this year, fully explain the breach?
If the IRS is asked to explain the security processes it will describe "a multi-step process to check identities" for its Get Transcript program. The first part involves submitting personal information about the taxpayer, including Social Security number, date of birth, tax filing status and street address. There are also "out-of-wallet" questions, questions "based on information that only the taxpayer should know, such as the amount of their car payment or other personal information," said the IRS.
But one former IRS IT manager, who didn't want his name used, said that IRS cybersecurity officials "would have preferred to implement a more dynamic and aggressive security framework that would have stopped the fraudsters from being able to get in using the information they stole from the third party." IRS senior leadership favored, instead, an approach to keep the process simpler to encourage use, this manager claimed.
A more complex authentication system would have involved a multi-factor authentication approach - "biometrics, dynamic questions using non-public information rather than static or simple out-of-wallet questioning," said this former IRS manager.
But there's no easy approach here. Even if the government were to implement some form of biometrics, it faced potential problems.
The estimated pay rates for cellphone photographs of medical records comes from Yair Levy, a professor of information systems and cybersecurity at Nova Southeastern University in Fort Lauderdale, Fla. The theft of medical records is major contributor to breaches, and he believes that a multi-authentication process will be needed that includes biometrics.
But Levy says it will be difficult for the government to win acceptance of biometrics. In his research he sees that people, especially in the U.S., "have this mental resistance to biometrics - they see it as giving a copy of themselves to the government." About 75% will refuse to give the government biometric data "no matter what," he said.
One system that the IRS did put in that can be effective is making six-digit PIN available to taxpayers, but Levy said a lot of people are not aware of it.
Nevertheless, attackers have been able to get data to answer out-of-wallet question from publicly accessible records, as well as through the theft of credit records.
"Out-of-wallet challenge response questions, or KBA (knowledge based authentication) would not have offered much of a defense for those who were exploiting the IRS Get Transcript functionality," says John Zurawski, vice president at Authentify, a supplier of authentication services.
Zurawski believes that authentication processes that link phone numbers to people, similar to what online services such as Google now offer, could thwart many attempts to breach records.
IRS funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015 -- a drop of more than 20% , said Matthew Leas, an IRS spokesman, in a response to a query from Computerworld.
This biggest cut happened 2011. Funding fell off a cliff in 2011 and declined to $129 million in 2012, and then rose. (This 2011 budget data was not immediately available when Computerworldfirst reportedon the staffing decline and budget. The available data shows an increase from 2012 to 2014.)
"Complicating this situation even further are staffing issues, both in cybersecurity as well as leadership and executive positions across the agency," said Leas, in a statement.
In addition to a smaller workforce, the IRS "lost several key leaders in the information technology and analytics areas due to the loss of streamlined critical pay authority late last year," said Leas, in a statement.
The critical pay authority allowed the IRS to appoint or retain people with a high level of expertise for up to four years at salary rates above normal government levels. But no one could be paid higher than the vice president, who earns $233,000.
IT appointments accounted for most of the positions filled under this program. The "private-sector expertise had been crucial to introducing new leadership to supplement in-house expertise," according to report late last year by the Treasury Dept.'s Inspector General.