The Internal Revenue Service deployed two systems with known vulnerabilities, leaving consumer data and sensitive account information vulnerable to thieves, according to a government review of the security controls.
The IRS deployed a new Customer Account Data Engine (CADE) and an Account Management Services (AMS) system to better manage and control access to customer data. The audit, conducted by the Treasury Inspector General for Tax Administration (TIGTA), was part of an annual review to assess the agency's IT security.
"Security weaknesses in controls over sensitive data protection, system access, monitoring of system access, and disaster recovery have continued to exist even though key phases of the CADE and the AMS have been deployed," wrote Michael R. Phillips, the Tax Administration's deputy inspector general for audit. "As a result, the IRS is jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as application releases are put into operation."
Phillips said the IRS moved forward with the project despite finding security vulnerabilities in the software as part of its testing process prior to deploying the system in full production. The system has no user provisioning features and does not monitor transactions. The vulnerabilities could allow an attacker to gain access to taxpayer information without detection. The flaws could also hamper recovery of sensitive data in an emergency, Phillips said.
The audit also finds fault with the project steering committee, saying it failed to provide sufficient oversight and signed off on deploying parts of the project despite the existing weaknesses. The IT security pros who recommended the system owners accept the risks associated with the vulnerabilities are also criticized.
"We disagree with the system owners' acceptance of what we consider excessive risks for these security vulnerabilities, particularly the inabilities to successfully recover the systems and their data in the event of a disaster and to detect malicious security events and unauthorized accesses to taxpayer data," Phillips said.
Auditors warned the IRS of its security deficiencies on at least two other occasions. The CADE system was deployed in January 2007. The AMS system went partially live in October 2007. The audit report noted that development staff did not test security features prior to releasing the application code. Also, an application-specific vulnerability scanning tool was not used during the development process.
Encryption is missing for backup tapes and other devices used to share data with external sources. The AMS system also lacked the ability to suspend sessions after 15 minutes of inactivity. Error logs from both systems contained taxpayer identification numbers, putting consumer data at risk, Phillips said.
The Treasury Department objected to publicly disseminating the audit report, but its request to have the contents of the report classified as "sensitive" was rejected. Arthur S. Gonzales, chief information officer of the Treasury Department, noted that half of the vulnerabilities addressed in the audit report were corrected. The IRS is working to improve processes and procedures to ensure security controls are in place before systems are deployed, he said.
"We strongly object to the public dissemination of IRS security vulnerabilities, as we believe that it poses unnecessary and unacceptable risks to our national tax system and our economic infrastructure," Gonzales said.
Software security experts said the lapses encountered by the IRS are not very different from those faced by firms in the private sector.
"I'm personally more concerned if my income tax return gets out than does my credit card data; it's much more damaging to me in terms of identity theft," said Jack Danahy, chief technology officer and co-founder of source code vulnerability analysis firm Ounce Labs Inc.
Danahy said it appears as though the funding mechanism was one of the main drivers for the IRS to get the systems online, despite the security deficiencies. The IRS had a number of milestones it needed to reach with the project in order to receive additional funding.
"It appears from the commentary that exists within the report that there was a series of prevailing pressures upon these major programs where funding events are tied to milestones," Danahy said. "Clearing those stages ends up forcing the acceptance of a series of risks in order to get to the next chunk of funding."