Chairman Johnson Demands Information from IRS Commissioner Koskinen Over Unwillingness to Implement Cybersecurity Protection

The following press release was published by the U.S. Senate Committee on Homeland Security and Governmental Affairs on Sept. 8, 2016. It is reproduced in full below.

Dear Commissioner Koskinen:

I write concerning cybersecurity at the Internal Revenue Service (IRS) and the IRS’s apparent reluctance to implement EINSTEIN network protection on the IRS’s systems. In the wake of recent, high-profile cyberattacks against the IRS, I ask that you immediately address this serious issue to safeguard the IRS’s systems and all taxpayer information housed on them.

The Department of Homeland Security (DHS) has the mission to provide a common baseline of security across the federal civilian executive branch network and to help agencies manage their cyber risk. The foundation of this common baseline is provided by DHS’s government-wide intrusion detection and prevention system, commonly known as EINSTEIN. EINSTEIN serves two purposes for federal cybersecurity. First, it detects and prevents cyberattacks from compromising federal agencies. Second, it provides DHS with situational awareness to use threat information detected in one agency to protect the other agencies and to assist the private sector in protecting itself from these same risks.

To that end, last July, the Committee marked-up and unanimously approved the Federal Cybersecurity Enhancement Act of 2015, legislation I co-sponsored, authorizing EINSTEIN and requiring agencies to implement important cybersecurity best practices. Specifically, the bill required DHS to implement EINSTEIN at all departments and agencies and for all departments and agencies to have EINSTEIN protecting their networks no later than Dec. 18, 2016. This legislation was later incorporated into the Cybersecurity Information Sharing Act of 2015 (CISA), which the President signed into law as part of the 2016 Omnibus Appropriations bill.

However, DHS recently briefed Committee staff that the IRS is either unable or unwilling to implement the statutorily required mandates of CISA of integrating all levels of the EINSTEIN network protection tools on the IRS systems and for all IRS data. According to DHS, the IRS believes, based on other statutes, that IRS is exempt from these statutory requirements.

The IRS’s refusal to adopt EINSTEIN protections is all the more concerning due to the vast amounts of personally identifiable information that the IRS collects on every American, as well as the IRS’s previous failure to protect this information. As you know, last year the IRS suffered a substantial breach involving its “Get Transcript” application. An analysis by the Treasury Inspector General for Tax Administration (TIGTA) identified 620,931 taxpayer accounts implicated by potentially unauthorized access from Jan. 1, 2014 through May 21, 2015. Further analysis found that the unauthorized users were successful in accessing and obtaining transcripts for 355,262 taxpayers. TIGTA also discovered that the IRS did not identify 2,470 additional taxpayers that were targeted through the Get Transcript application.

In June 2015, the Committee convened a hearing to examine this breach. At the hearing, you committed to the Committee that “protecting taxpayers and their information is a high priority for us, in many ways the highest priority.” You also recognized that “we are actually in the middle of a war with very sophisticated, well-funded, intelligent enemies” and that “we should always assume that we have to get better.” Congress passed the EINSTEIN authorization to do just that: to improve cyber defenses of federal agencies by detecting and preventing future cyberattacks.

To ensure that the data the IRS maintains on American citizens is secure, please provide the Committee with the IRS’s schedule to comply with all mandates of CISA, including implementation of EINSTEIN by Dec. 18, 2016 as specified in the statute. I ask that you provide this information to the Committee as soon as possible, but no later than Sept. 14, 2016.

Thank you for your prompt response.

Sincerely,

Ron Johnson

Chairman

Source: U.S. Senate Committee on Homeland Security and Governmental Affairs
