Our Pledge To You


Don’t let cyber-hackers peek at our tax returns

Internal Revenue Service Commissioner John Koskinen speaks during a luncheon at the National Press Club March 24, 2016 in Washington, DC. / AFP PHOTO / Brendan Smialowski

Even if you are not overstating your charitable deductions this year — and of course you are not — you don’t want perfect strangers snooping into your federal tax return, right?

Unfortunately, you never know.

Cyber-criminals may have hacked into more than 700,000 tax returns since 2014, and a new audit by the Government Accountability Office, released on March 28, warns that Internal Revenue Service computers remain “unnecessarily vulnerable” to cyberattacks. The GAO found that the IRS has not completely fixed some previously identified weaknesses; it also uncovered  new “control deficiencies.”



“The financial and taxpayer information on IRS systems will remain vulnerable,” the GAO writes, until the IRS addresses a host of “weaknesses” involving, among other things, identification, authorization, cryptography and physical security.

And what has been the IRS’ response? You would hope they snapped to attention, shouted “Yes, sir!” and vowed to fix the problem immediately, taking to heart each of the GAO’s 43 recommendations.

But no. Instead, IRS Commissioner John Koskinen replied in writing that the agency would “review” the recommendations to ensure it had the information technology and manpower resources to address them. And he promised a written “corrective action plan” within 60 days.

A review. Manpower resources. “Corrective action.” Sixty days.

Feeling reassured?

There are two schools of thought about what’s gone wrong and what must be done. We suspect there is truth in both schools, with the bottom line being that this is a repair job Congress must get on top of.

House Speaker Paul Ryan, R-Wis., puts the blame firmly on the IRS, knocking the agency for the “usual excuses and evasions.” Last week, Ryan demanded that the IRS not waste another 60 days.

“The agency won’t even own up to its own problems — again,” Ryan wrote. “The agency should immediately take steps to implement these recommendations and report back to Congress with its progress.”

We share Ryan’s skepticism about that 60 days. Why more delay? This is not a new problem. It is deeply unsettling to hundreds of millions of Americans that their most private tax return information may be at risk.

A spokesperson for U.S. Rep. Peter Roskam, an Illinois Republican who has made IRS reform a centerpiece of his Congressional agenda, noted that the IRS received an extra $250 million this year for taxpayer services and cybersecurity yet “the IRS is always quick to blame all of their shortcomings on a lack of resources.”

However, we’re equally skeptical about a U.S. House Majority Staff Report released last year that chalks the whole problem up to IRS waste, inefficiencies and poor decisions, rather than any lack of funding. This is the same Republican majority that questions the existence of the IRS altogether. One of the party’s two leading candidates for president, Sen. Ted Cruz, wants to abolish the agency.

Sen. Dick Durbin, D-Ill., expressing the other school of thought, blames the IRS’ failings on funding cuts. He points out that Republicans in Congress have been slashing the IRS’ budget for years, pretending that the agency can securely handled hundreds of millions of tax returns on a shoe string.

“In recent years, the IRS has been asked to do more with much, much less,” Durbin told us. “As a result of consistent cuts to the IRS budget by Republicans in Congress, the agency’s funding is nearly $1 billion less than it was in 2010 when these cyberattacks were far less sophisticated. While the IRS can’t stop every case of identity theft, with the right resources the agency can make Americans far safer than they are today.”

“Republicans,” Durbin added, “need to put politics aside and provide adequate funding to protect taxpayers.”

The IRS collects about 92 percent of all federal revenue. And Koskinen says the IRS could collect an extra $6 billion a year were it not for a staffing shortage.

The best solution, though we fear the possibility of a political circus in an election year, would be strongly bipartisan congressional hearings. Hash this out in public. Where is there waste and inefficiency? Where is there a true lack of funding?

Cyber-hacking is a national and, indeed, an international challenge. The IRS is “attacked and pinged a million times a day” from increasingly more sophisticated sources, including organized crime syndicates, Koskinen recently said. Meanwhile, high-quality cyber-security experts are hard enough to hold onto in the private sector, let alone the public one.

But when a private company suffers a security breach, customers can take their business elsewhere. U.S. taxpayers have no choice but to share highly personal information with the IRS. They need to feel secure that such data won’t be compromised, and that the IRS is using every possible means of keeping it secure.

Follow the Editorial Board on Twitter: @csteditorials