
NEW YORK (TheStreet) -- Internal Revenue Service Commissioner John Koskinen appeared before the Senate Finance Committee Tuesday morning to answer questions about last month's data breach in the IRS "Get Transcript" program, as well as overall data security at the IRS.

The "Get Transcript" breach occurred last month when identity thieves stole the personal information of more than 100,000 taxpayers. Unlike other recent attacks, in this breach hackers did not actually break into the government computers.

Instead, they logged in legitimately using personal information and Social Security numbers acquired illegally, then downloaded the users' tax forms and personal data.

"This past filing season, our fraud filters stopped almost three million fraudulent returns before processing them, an increase of over 700,000 from the year before," Koskinen said. "But, even though we have been effective at stopping individuals perpetrating these crimes, we find that we are dealing with more and more organized crime syndicates here and around the world."

Although the breach began in February, according to Koskinen's testimony before Congress, the agency hadn't noticed until after filing season ended.

"During the middle of May, our cybersecurity team noticed unusual activity on the 'Get Transcript' application," Koskinen said. "At the time, our team thought this might be a 'denial of service' attack, where hackers try to disrupt a Web site's normal functioning."

The attackers' traffic was masked by the elevated traffic from taxpayers, leading IRS officials to dismiss the increased attempts to access agency Web sites as part of the flood of traffic normally experienced during the months of April and March. When filing season ended and the traffic continued, they knew something was wrong.

In response, the IRS has shut down the "Get Transcript" application, which allows users to gain access to their old tax records, for the time being.

Tuesday's hearing focused on next steps forward. Amid a session that often seemed as much about political posturing as security, one theme emerged from the embattled IRS commissioner: resources.

Frequently during the proceedings, Koskinen reminded the panel of the agency's requests and limitations in the face of punishing budget cuts which have hampered its ability to prepare for and respond to cyberattacks.

When asked what the IRS was doing to help taxpayers whose data was stolen, Koskinen reminded the Senators that "there are numbers that they can call, but as you know our ability to get people on the phone is not as much as we would like it to be."

"We've lost the three people who were our data analytics people," he said at a later point. In response to a question about fraud from illegal tax preparers, Koskinen replied that his agency isn't just worried about the crooks but also incompetence.

"We are concerned about not just criminal tax preparers but also unqualified tax preparers," he reminded the legislators. "As you know, we've requested legislation requiring a minimum qualification."

Koskinen wasted no opportunities to remind the assembled Senators of the IRS' financial limitations, and the question of data security comes at a time when the IRS increasingly is trying to shift more of its operations online to save manpower and increase user convenience.

During his remarks, Koskinen promised increased security for the coming year but failed to provide concrete details beyond increased "cooperative efforts" with states and private companies.

According to Tom Kellermann, chief cybersecurity officer of Trend Micro (TMICY), vague promises like this simply aren't up to the scope of the challenge. Calling for a "strategic and tactical shift in the landscape," Kellermann said that "we have to change the architecture of how we secure these very sensitive financial and government networks."

"The current game plan that's being utilized to protect government agencies is flawed as it relates to the sensibilities of the elite hackers of the world," he said. "They have been successfully targeting and breaching the financial sector [including the IRS] for over 15 years now, and have been quite successful in that they have been able to deactivate the traditional methods used in cybersecurity."

In the case of data breaches at the IRS, the agency has been vulnerable to two different types of attacks: direct hacks and identity theft, which involves logging on using stolen but valid information.

At Tuesday's hearing Koskinen argued that the IRS' ability to respond to identity-based hacks is limited, as the system already has a multistep authentication process. Using such a process to establish a user's identity is consistent with many organizations in the financial services industry, he said. The process includes "out-of-wallet questions ... designed to elicit information that only the taxpayer would know, such as the amount of their monthly mortgage or car payment," he added.

According to Kellermann, the idea that these systems cannot be further secured is simply not true, nor is it the case that personal information is anything close to secure.

"You can literally buy people's personas, and what I mean by that is their financial information and their Facebook profile and their LinkedIn account," he said. "You can buy all of that using economies of scale from the eastern European dark web."

Together these troves of information generally contain the common, personal knowledge used to establish easy-to-remember security questions for users.

Instead, Kellermann suggests verification based on "location and real time." Users should be able to register their computer as an allowed device, or tell the IRS system specifically where they log in from, so that an unrecognized machine in Russia would get rejected.

Even more effectively, he said, the system should work in concert with users' mobile phones and generate dynamic passwords that get texted to the taxpayer when they log on.

The bigger concern, however, is that the IRS may not actually know how many accounts have been accessed. Kellermann said virtually every hacker, when he or she breaks into a system, tries to do two things right away: set up a back door, or "secondary infection," in the system and steal password information.

"Maybe we're going to find out five months from now that there was more of a breach here because they're saying that during that heavy traffic period, they were not cognizant of what was going out of their network," he said. "The biggest problem that I see there is the No. 1 thing that a hacker does when he gets into a network -- he steals your credentials."

In other words, it may be months before the IRS can determine the true scope of the hack. Or maybe not. The problem is that it simply can't know right now.

Ultimately all of these problems are fixable, but Kellermann's analysis echoed Koskinen's frustration during the hearing. The problem needs more money. Asking for "adequate funding" to help secure Americans' tax records, Koskinen said to the Senate Finance Committee that "Congress has an important role to play here."

"Congress can help by approving the President's [2016 fiscal year] Budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure," he urged the assembled senators.

"People need to start to appreciate the hostility of the Internet," agreed Kellermann. "This is a direct manifestation of the lack of budget, and this is a direct manifestation of a greater investment, and greater budget needs to be allocated to cybersecurity and these critical infrastructures."