IRS Hackers stole $39M and affected 2.7 million taxpayers

It’s easy to jump all over the IRS for a seemingly obvious security problem. Congress and reporters are calling for a quick fix.  This isn’t like fixing a broken window.  The complexity is more like an entire city with lead pipes, crumbling infrastructure, financial problems, and organized crime.  Thousands of applications with probably a billion lines of code.

The fact that the GAO reported security problems several years ago should have been a wake-up call.  In a way, the GAO is like an attacker — they are probing the agency for security problems.  But the GAO is the least threatening class of attacker by far.  Next would come casual attackers, then lone-wolf hackers, then organized crime, and then nation-state-sponsored hacking.  But most agencies aren’t even protected against casual attackers.  They only take security far enough to get protection against a GAO-level threat.  Instead, our agencies should be focused on the capabilities of (at least) organized crime in 3-5 years and ensure that their defenses are sufficient for that level of threat.

The fact is that there are almost certainly thousands more security problems in the applications run by the IRS.  IRS Commissioner John Koskinen testified to Congress that they have an antiquated system with applications that are, in some cases, over 50 years old. I’ve worked with large financial organizations for the last 15 years and I can say with assurance that with a dedicated effort and the proper investment the IRS can make headway in the 3-5 year timeframe.  But quick fixes are simply not possible.

The commissioner raised the question of whether it is possible to be secure AND easy to use.  This is a false dichotomy that has been around since the early days of computer security. Security can also be viewed as an enabler – making things easy that would otherwise have been impossible.  The “fetch transcript” function is a good example.  Would this process be easier to do over the Internet with a strong password?  Or easier to do in person at an IRS branch office?  Don’t let the IRS claim that security is preventing people from interacting with them.

Want to know how deep the crazy goes?  Right now, the IRS doesn’t have accounts.  That’s the whole problem here.  Every other institution in the galaxy requires people to set up accounts — from the tiniest startup to Google, Twitter, and Facebook.  This is how organizations establish a verified identity with a taxpayer that you can build on over time.  The IRS has ample opportunity to do this.  They could make this process quite difficult for hackers to spoof.  And once they do it, they’ll always have a secure foundation to build on.  So OF COURSE they should have accounts.

Let’s hope that the flurry of activity here doesn’t just result in a firing.  Let’s hope that the seeds of a real application security program get planted, and that a strong message gets sent to all the other agencies…  because they are all in the same boat.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.