US Treasury says IRS still hasn't fixed vulnerabilities in tax processing systems

Vulnerabilities in two IRS systems -- including the Customer Account Data Engine (CADE) developed to replace all existing tax processing systems at the agency -- were known and repeatedly raised during the nine-year development process but not addressed, according to an in-house report.

A statement from the Treasury Inspector General for Tax Administration (TIGTA), which released the September report publicly on Thursday, says that "Security weaknesses in controls over sensitive data protection, system access, monitoring of system access, and disaster recovery have continued to exist even though key phases of the CADE and the AMS have been deployed. As a result, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as these systems are put into operation."

The 29-page report (PDF available here) covers problems with the CADE and with the Account Management Systems (AMS), which employees use to work with data in CADE. Both are core technologies in future buildout of the IRS' computer systems.

The TIGTA report said that the vulnerabilities are such that an intruder could gain access to taxpayer data "with little chance of detection." Moreover, the systems aren't built for big trouble: the report says that in case of emergency, they "could not be recovered effectively and efficiently."

CADE has been in development since 1999 -- two years after the IRS designated security to be a "material weakness" of the agency and promised to do better. The system began processing 1040EZ filings in 2004 and so far this year has handled 28.1 million returns, or about 19.8 of all tax returns filed. It's also the machine working through this year's one-time economic-stimulus payouts. Development, operation and maintenance through 2012 is scheduled to cost over $1 billion.

The three-page, 22-item list of vulnerabilities TIGTA found in seven months of testing is, in that light, a little sad. Among the highlights: security events and unauthorized access to CADE accounts by privileged users (eg, a sysadmin with the urge to browse records, as happened with the Presidential candidates at State Department offices this year) aren't logged; contractors can make changes to configuration settings without notice, approval or security checks; the system can't identify and process all its error codes, leaving it vulnerable to crashes; backups and data shared with other agencies weren't encrypted; there were no procedures for disabling inactive accounts, such as those of former employees.

Most surprisingly, the report said that the system had no protection against malicious code -- in other words, $1 billion did not buy the IRS an antivirus package.

These vulnerabilities, the report charges, were known to the agency during the development process and certainly at the time of accreditation -- the moment when the agency says 'close enough for government work,' takes responsibility for whatever comes after, and flips the switch. "The system owners did not consider the security vulnerabilities to be significant enough either to give an interim authority to operate or delay development," the report said. "We disagree..."

A response from the CIO of the Treasury Department is included at the end of the report. Arthur Gonzalez says that the IRS has "already fixed nearly half of the vulnerabilities outlined in the report prior to publication" and states that the service has 'action plans' in place to address the remainder.

Mr. Gonzalez also notes that the agency's request to have the full contents of the report classified Sensitive But Unclassified -- a term of some controversy in the era of the Homeland Security Act -- were not granted, to the agency's strong objection.

The Office of Audit appears to be less than moved by that response, and with the agency emphasis on continuing existing oversight processes. "As stated in the report, we believe that the existing security vulnerabilities were not caused by process deficiencies," the auditors retort. "Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment."