The Government Accountability Office (GAO) released a report last week
describing vulnerabilities in the security system used by the IRS to protect
taxpayer data. The report showed the IRS has a number of security issues
in the way that it protects sensitive data.
Some of the major security issues include: the IRS doesn’t encrypt certain
types of sensitive data, user IDs and passwords can be easily obtained by
any user on the network, and the agency doesn’t enforce strong password rules for
authenticating users.
The lack of an agency-wide security program and the absence of an annual review of risk
assessment are at the root of many of these issues. As a result, the IRS is
especially vulnerable to attackers with inside information, which could expose
taxpayer and financial data.
The GAO cited several specific security problems. Among those were the
following: a contractor-maintained website has exposed usernames and passwords;
any authenticated user on the network has access to shared drives containing
sensitive data like taxpayer information and social security numbers;
financial information and account data were transferred from the IRS’s accounting
system without first being encrypted; and various security events at data
centers were inadequately logged.
The IRS is currently trying to improve its security system. It has taken
several steps to do this thus far, including better controls for authenticating
users, patching critical vulnerabilities quickly, and forming a better plan
for logging critical business processes.
IRS Commissioner Douglas Shulman responded to the GAO report, stating that data
security and privacy are of the utmost importance to the IRS, and said that
the agency would release a detailed corrective action plan stating how it would
fix the vulnerabilities discovered.
This report by the GAO followed an October report by the inspector general for tax
administration that also criticised the IRS’s security controls. That report
was mostly critical of the security vulnerabilities found in a new $1 billion
system called CADE that the IRS is rolling out to eventually manage all taxpayer
accounts. It was also critical of the $700 million system called AMS that
is designed to provide faster access to the taxpayer information stored in
the CADE database. The report cited several weaknesses with access control,
system access monitoring, and disaster recovery involving the CADE and AMS
systems, which pose a direct threat to sensitive taxpayer data.
With identity theft rising each year and more and more security breaches
occurring, keeping sensitive data secure is of the utmost importance. The IRS
databases contain sensitive information on almost every American citizen. The
IRS’s lack of security measures to protect the information of taxpayers could
result in a large security breach that could affect millions of Americans.
With such a poor security system in place, it is only a matter of time until
a security breach occurs unless the IRS acts quickly to implement an agency-wide
security plan to keep sensitive information secure.
The fact that these kinds of vulnerabilities exist in a government system
housing a wealth of sensitive data on millions of Americans demonstrates a
much larger issue today. Too few institutions are concerned with protecting the
sensitive data within their databases. Security is still an afterthought:
security patches are issued and holes are fixed, rather than developing a secure
system from the start. The new CADE and AMS systems the IRS is rolling out
are just another demonstration of how systems need to be designed with security
in mind from the start, and that simply is still not happening.
 
			
It is rather unfortunate that a major government organization with this kind of sensitive data is in a reactive mode to security problems. One would hope that eventually companies, and certainly government institutions that protect private data, take a more proactive approach to security, and as you mentioned, design systems with security in mind from the start. I, for one, am seriously concerned that an agency that has financial and personal information of mine seemed not to focus on upgrading security until an outside party (thankfully not a malicious party) wrote a report about potential exploits. Will security ever consistently be a part of the initial software design process, or is human nature too complacent that security will often be a reactive measure?
It’s unfortunately not particularly surprising that an entity like the IRS does have security vulnerabilities–it’s a huge ‘company’ (not really a company in the traditional sense, but it’s relatively insulated from, say, the supreme court even though they’re both part of the government). The fact is that security is simply not the focus of the average person in charge, getting it ‘working’ is. I have no doubt that there are talented individuals working at the IRS who brought these issues up but had their concerns dismissed as too esoteric and expensive to deal with.
I do see some positives to this though: the IRS isn’t simply trying to sweep it under the rug and ignore the issue (at least not yet–it remains to be seen if they actually do fix the issue). More than that, though, is that they say they’ll release the report to the public. Hopefully it’s a sign of great openness of the IRS.
That said, I don’t think developing an enterprise-level application with super strong security is very easy–there are so many levels of people involved, all working on different parts, such that even misunderstandings of how different modules connect to each other lead to security issues. Despite how much many companies get lambasted for their security holes, these companies have many smart programmers and software architects working for them.
I’ve heard about how the federal government has had increasing numbers of contractors in recent years (as in, decade+, I don’t just mean under the Bush administration), such that they have had contractors managing contractors (as opposed to a more traditional FTE managing contractor setup). I think they really need to start contracting out in general to security firms to find security holes and report them preemptively, rather than relying upon 3rd party research and then patching after the fact.
The government has at least been aware of the security risks facing its computer systems. This led to the passing of FISMA, which was meant to be a way to analyze and audit government-run systems. While FISMA didn’t require these networks and systems to actually fix their security flaws, becoming aware of them is a necessary first step.
What I find most concerning is that these new systems that the IRS is planning to roll out already have a number of security weaknesses. I may be a little more forgiving of a system that was designed in the naive days of the internet, when security was an afterthought. But the threat of data theft is well known and a serious problem, so any system (especially ones costing $1 billion and $700 million) being designed today should take these into account.