A series of Treasury Inspector General for Tax Administration (TIGTA) reports show that the Internal Revenue Service (IRS) has critical cybersecurity vulnerabilities in its information technology (IT) systems.  The IRS stores troves of confidential taxpayer data, including personal identifying information, which it is legally required to protect. 

The TIGTA reports make it clear that outdated IT systems, some of which are decades old, are creating too many vulnerabilities and placing too much taxpayer data at risk.  Yet, in the Inflation Reduction Act (Pub. L. No. 117-169), Congress provided the IRS $87 billion over 10 years, much of which will be used to increase the number of IRS auditors, rather than giving the agency sufficient resources to modernize its technology and increase its cybersecurity protocols, along with improving customer service.

A September 27, 2022, TIGTA report, found that the IRS rushed its transition to a cloud computing system without conducting proper due diligence to ensure that security measures were put in place to protect taxpayer information.  Cloud services, when implemented properly, can provide a higher level of security and lower costs, and should be considered as part the IT modernization strategy throughout federal agencies.  The IRS’s transition to cloud services, which began in April 2019, offered the opportunity to move away from outdated IT hardware, increase cybersecurity, and provide potential cost savings.  However, according to the TIGTA report, the IRS failed to implement appropriate security measures as required by FedRAMP for all federal IT programs.  While the IRS and other agencies should pursue more efficient and modern technology, moving data to the cloud should be conducted using FedRAMP guidance, under an authorization to operate, so that confidential information is not put at risk. 

In a September 30, 2022, report on database scanning and controls, the TIGTA reported that the IRS decided in 2018 to reduce vulnerability scanning of databases “without following proper procedure or policy,” leaving the agency without knowledge of the full risks of its mainframe computers despite increasing scanning by March 2022.  Problems also occurred with the outside vendors used by the IRS to conduct database checks and report back the results.  IRS managers did not receive the reports on a regular basis and those that they did receive only include surface level analysis of potential issues.  This lack of regular and detailed reporting prevents the IRS from determining the root causes of database issues that would aid in developing possible solutions or patches.  This leaves IRS management without sufficient foresight to provide the services necessary to fully protect databases and other IT systems from attacks. 

The issues outlined in the TIGTA reports are only two instances in a long history of IRS mismanagement of taxpayer information.  In 2016, the IRS said that more than 700,000 Americans had their Social Security numbers and other information exposed in a data breach.  On June 8, 2021, ProPublica exposed the tax information of America’s billionaires and ultra-wealthy it had obtained from a “vast cache of IRS information showing how billionaires like Jeff Bezos, Elon Musk and Warren Buffet pay little in income tax compared to their massive wealth – sometimes, even nothing.”  Instead of raising alarms about the release of this confidential taxpayer information, this reporting was used by members of Congress like Sen. Elizabeth Warren (D-Mass.) to renew their calls for a wealth tax and increased tax enforcement by the IRS. 

Information in the IRS’s possession was also used for political purposes under President Obama’s administration, when the agency delayed or unfairly investigated applications for tax-exempt status from conservative groups.  And in early September 2022, the IRS revealed that the agency had inadvertently disclosed the private information of over 100,000 taxpayers.  Taxpayer information should not be left vulnerable to hacking by criminals and should not be used to advance political motives.

It is abundantly clear that the IRS is rife with mismanagement, and it should be obvious that the answer to the agency’s problems is not to add more auditors, but instead fix the agency’s ongoing IT and customer service problems.  But like most other agencies and programs, Congress’s answer is to throw more money at the “problem,” which in this case amounts to a massive increase in the agency’s budget.  Congress needs to increase its oversight of the IRS and act on the TIGTA reports and other recommendations that will improve the performance of an agency that is in great need of improvement.