The Government Is Failing to Guard Americans’ Personal Information

Former acting IRS Commissioner Daniel Werfel takes his seat to testify before a Senate Finance Committee hearing on his nomination to be commissioner of the IRS, on Capitol Hill in Washington, D.C., February 15, 2023. (Kevin Lamarque/Reuters)

But the Biden administration keeps collecting more and more of it.

At his confirmation hearing on February 15, Danny Werfel, President Biden’s new IRS commissioner, told the Senate Finance Committee about a list he wrote of the most important factors for effective tax implementation. What did he write first? “Data security and making sure that we protect taxpayer information from unauthorized disclosures.”

Having served as acting IRS commissioner and in leadership positions at the Office of Management and Budget, Werfel knows from experience that cybersecurity needs to be more of a priority. So does Jason Smith (R., Mo.), the new chairman of the House Committee on Ways and Means. The day after Werfel’s hearing, Smith sent a letter to the Treasury Inspector General for Tax Administration demanding answers about “the ProPublica leak.”

It’s been nearly 21 months since the news organization began publishing private taxpayer data, and the public still doesn’t know what data were lost, how they were lost, or who else may have access to the detailed records relied upon by ProPublica.

In just the last two years, taxpayer data have been posted online by accident in one instance and shared all over the pages of American and foreign newspapers via the ProPublica leak in another. The IRS also suffered major data breaches in 2015 and 2017.

Taxpayer data were at risk in 2020, too, when the Treasury Department was compromised in the SolarWinds hack. The last significant update we received came only ten days after the incident was exposed — not nearly long enough for a complete investigation — with the inspector general writing, “At this time, there is no evidence that any taxpayer information was exposed.” Smith and Werfel may wish to ask for an update on this matter as well.

With Tax Day now upon us, the IRS is on the public mind. But with respect to security breaches, the IRS is not alone. America’s federal records are being turned inside out regularly by hackers and leakers. Odds are, anything you have shared with the government is possessed by some bad actor somewhere, or will be soon.

Try finding a federal agency that hasn’t faced an embarrassing or damaging leak in recent years. In 2023, we have already learned of compromises at the United Special Operations Command in the Department of Defense, the Federal Bureau of Investigation, and the U.S. Marshals Service, three of the most secure corners of the government. If they stumble and trip, who can stay afoot?

After all, keeping information safe today is almost impossible. Vulnerabilities abound, and while patches are often developed quickly, when a novel hack breaks open a formerly secure system, everything can be taken out before a fix is found. Even when technology is secure, human stewards leak information all too frequently, sometimes by accident, sometimes not.

But whether trying to secure data over the long run is mission impossible or not, three things are now clear. First, the federal government is failing to keep our information secure and is losing it at an alarming rate. Second, current government cybersecurity cannot be counted on, and there is no new technical security architecture that will turn repeated failure into complete success overnight. Third, policy-makers must accept and adapt to the day-to-day operating reality that information held by the federal government is insecure and will continue to be for some time.

Unfortunately, setting Smith and Werfel aside, most policy-makers do not recognize this reality. Indeed, their bewildering lack of urgency is dangerous for our national and individual security.

The first and most significant step policy-makers can take to stem the tide is to collect and retain less information. But in this regard, the Biden administration is only making the problem worse.

Because of the Inflation Reduction Act, thousands of new human agents and AI bots will be trained to find more information about taxpayers to feed the IRS’s audit-targeting algorithms. As it collects more detailed records, the IRS will share this information with other government agencies, domestic and foreign. Having to protect even more information will push our security infrastructure to the brink. Now, with even more digital territory to cover, our already struggling cyber defenders will be overwhelmed, and their failures, as the stewards of more sensitive information, will be more costly.

The digital territory that must be protected is already disturbingly large and varied. Between employees and contractors, people in the office and at home, APIs (programs for computers to talk to each other) and bots, the task is truly Herculean. Not to mention all the data-sharing counterparties (governmental and otherwise), and of course their employees, contractors, and bots, too.

Take the IRS alone. According to its own disclosure-accounting system, the agency shared taxpayer records over 27 billion times in 2021, up from 2.5 billion in 1995. The data, with official identifiers, were sent out to other agencies in the federal government, to state agencies, and even to foreign governments. And these figures exclude unintended data loss from hacks and leaks. They also don’t account for extensive information sharing in deidentified and tabulated forms, such as the data files and statistics released by the IRS’s Statistics of Income program. Is it even a surprise that some experts are now suggesting that the ProPublica leak may have come from outside the IRS?

With this in mind, it is good that policy-makers like Werfel and Smith are beginning to demand answers about past data-security lapses. Although nothing can change what is already done, far greater transparency about leaks and hacks can and should be provided moving forward. Right now, the bar is pretty low. The federal government recorded over 32,000 security incidents in 2021, itemized only seven of them, and even still provided scant detail. Of course, temporary discretion may be needed at times to protect still-vulnerable systems, but there is no excuse for the government’s persistent secrecy about its failures. More transparency will help policy-makers and voters alike fully grasp the reality that any data the federal government collects must be considered potentially compromised.

If policy-makers want to make the job of our hardworking cybersecurity defenders much easier, they can start by pairing simplifying fiscal and regulatory policy reforms with strict limits on data sharing and data collection. In the process, they will also ensure that American citizens’ data are far safer than they are now. Otherwise, blind hope that government can collect and secure ever more sensitive information is bound to produce more bad results.
