WASHINGTON — Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, wrote to John Koskinen, commissioner of the Internal Revenue Service, on Thursday regarding the IRS’s unwillingness to implement a Department of Homeland Security-provided network protection system to keep Americans’ personal information protected.
“The IRS’s refusal to adopt the EINSTEIN system is very concerning due to the vast amounts of personal data stored by the agency, as well as its recent security breaches,” said Johnson. “As you know, last year the IRS suffered a substantial breach. However, the DHS recently told my committee staff that the IRS is either unable or unwilling to implement the statutorily required mandates of integrating all levels of the EINSTEIN network protection tools on the IRS systems and for all IRS data.”
The DHS has a government-wide intrusion detection system, commonly referred to as EINSTEIN, that detects and prevents cyberattacks and provides the DHS with situational awareness information to protect other agencies that may be at risk. EINSTEIN is required by law to be implemented by all departments and agencies by Dec. 18, 2016.
The letter is available here and below:
September 8, 2016
The Honorable John Koskinen
Internal Revenue Service
Washington, DC 20224
Dear Commissioner Koskinen:
I write concerning cybersecurity at the Internal Revenue Service (IRS) and the IRS’s apparent reluctance to implement EINSTEIN network protection on the IRS’s systems. In the wake of recent, high-profile cyberattacks against the IRS, I ask that you immediately address this serious issue to safeguard the IRS’s systems and all taxpayer information housed on them.
The Department of Homeland Security (DHS) has the mission to provide a common baseline of security across the federal civilian executive branch network and to help agencies manage their cyber risk. The foundation of this common baseline is provided by DHS’s government-wide intrusion detection and prevention system, commonly known as EINSTEIN. EINSTEIN serves two purposes for federal cybersecurity. First, it detects and prevents cyberattacks from compromising federal agencies. Second, it provides DHS with situational awareness to use threat information detected in one agency to protect the other agencies and to assist the private sector in protecting itself from these same risks.
To that end, last July, the Committee marked up and unanimously approved the Federal Cybersecurity Enhancement Act of 2015, legislation I co-sponsored, authorizing EINSTEIN and requiring agencies to implement important cybersecurity best practices. Specifically, the bill required DHS to implement EINSTEIN at all departments and agencies and for all departments and agencies to have EINSTEIN protecting their networks no later than December 18, 2016. This legislation was later incorporated into the Cybersecurity Information Sharing Act of 2015 (CISA), which the President signed into law as part of the 2016 Omnibus Appropriations bill.
However, DHS recently briefed Committee staff that the IRS is either unable or unwilling to implement the statutorily required mandates of CISA of integrating all levels of the EINSTEIN network protection tools on the IRS systems and for all IRS data. According to DHS, the IRS believes, based on other statutes, that IRS is exempt from these statutory requirements.
The IRS’s refusal to adopt EINSTEIN protections is all the more concerning due to the vast amounts of personally identifiable information that the IRS collects on every American, as well as the IRS’s previous failure to protect this information. As you know, last year the IRS suffered a substantial breach involving its “Get Transcript” application. An analysis by the Treasury Inspector General for Tax Administration (TIGTA) identified 620,931 taxpayer accounts implicated by potentially unauthorized access from January 1, 2014 through May 21, 2015. Further analysis found that the unauthorized users were successful in accessing and obtaining transcripts for 355,262 taxpayers. TIGTA also discovered that the IRS did not identify 2,470 additional taxpayers that were targeted through the Get Transcript application.
In June 2015, the Committee convened a hearing to examine this breach. At the hearing, you committed to the Committee that “protecting taxpayers and their information is a high priority for us, in many ways the highest priority.” You also recognized that “we are actually in the middle of a war with very sophisticated, well-funded, intelligent enemies” and that “we should always assume that we have to get better.” Congress passed the EINSTEIN authorization to do just that: to improve cyber defenses of federal agencies by detecting and preventing future cyberattacks.
To ensure that the data the IRS maintains on American citizens is secure, please provide the Committee with the IRS’s schedule to comply with all mandates of CISA, including implementation of EINSTEIN by December 18, 2016 as specified in the statute. I ask that you provide this information to the Committee as soon as possible, but no later than September 14, 2016.
Thank you for your prompt response.