GAO knocks IRS for gaps in computer security

Federal employee union cites report as evidence that the agency should not outsource collection of tax debt.

The Internal Revenue Service, despite its involvement in citizens' finances, wasn't singled out earlier this month when a House committee graded two dozen government agencies on their information security.

But the Government Accountability Office recently slammed the tax agency for a dismal cybersecurity record in an audit that found more than 40 previously reported weaknesses had not been addressed and that cited new problems threatening the integrity and security of the agency's financial information systems.

Rep. Tom Davis, R-Va., chairman of the House Government Reform Committee, the panel that issues the cybersecurity grades, said the IRS did not receive its own rating because it is part of the Treasury Department, but noted that the agency's systems played a large part in the Treasury grade.

"We do not break out the separate offices or bureaus within a department," Davis said in a statement. "Instead, we hold the secretary of that agency accountable for all systems in all offices within the agency, just as we would for any other function."

Treasury received a D- in 2005, or 60.5 percent, which is an eight-point drop from 2004, but a significant improvement from the 48 percent the committee gave the department in 2002.

The GAO report (GAO-06-328), addressed to IRS Commissioner Mark Everson, said the computerized systems the agency relies on to collect taxes, process returns and enforce tax law are inadequately protected against "disclosure, modification or loss [of information], possibly without detection."

Some progress has been made since GAO reviewed the agency's information technology security last April (GAO-05-482), including the correction of 41 of the 81 technical weaknesses, the report said. But until the IRS fully implements an agencywide information security program, the problems will not go away, the auditors stated.

In a response to the report, Everson agreed the agency needs to continue working to implement the recommended IT security program and said the weaknesses identified by GAO are being rectified.

Following the publication of the April 2005 GAO report on the agency's information security, all senior officials were notified that the issue is important. An "extremely aggressive" initiative is underway to improve security at the IRS' offices around the country, Everson said.

The National Treasury Employees Union, which represents 90,000 IRS employees, said the report shows a continuing risk to taxpayer information that is unacceptable and said a move to outsource some debt collection work adds to the risk.

"Rather than seek to move personal and sensitive taxpayer information into private hands, the IRS needs to devote time, attention and resources to ensuring it can protect these vital data when the information is in its own hands," said Colleen Kelley, president of NTEU. "I don't think anyone can realistically be satisfied right now that the agency has accomplished that."

In a separate matter, the IRS has established a way for taxpayers to report phony e-mails that purport to be official agency communications.

An electronic mailbox (phishing@irs.gov) will accept information about suspicious IRS-related e-mails as part of an effort to combat a growing method of electronic fraud known as phishing. Thrift Savings Plan participants were recently targeted in such a scheme.

"The IRS does not send out unsolicited e-mails asking for personal information," Everson said in a statement. "Don't be taken in by these criminals."

Current scams include e-mails informing recipients that they are due a tax refund. Links direct them to a Web site posing quite realistically as an IRS site, which is used to fraudulently collect information.