Federal law enforcement authorities may deny the link between strong encryption and data security, but critical government agency overseers won’t.
In a report released Tuesday, the Government Accountability Office (GAO) noted that the Internal Revenue Service (IRS) paid out more than $3 billion in 2014 to people who fraudulently requested tax returns. The tax-processing agency was vulnerable to these claims, in part, due to weak cyber security controls, GAO concluded.
“Key systems we reviewed had not been configured to encrypt sensitive user authentication data,” the watchdog reported.
GAO also revealed that the key computer systems at the IRS are protected by “easily guessable passwords,” and that the agency failed to implement effective internal controls to ensure that employees aren’t granted access to data outside their purview.
In a separate audit released in March, GAO gave 45 new technical recommendations to the agency to beef up its security, in addition to 49 other “outstanding recommendations from previous audits.”
More than 100,000 Americans had their taxpayer info improperly accessed by hackers in January alone, according to the IRS. Such attacks are routine on data-rich government bodies that have antiquated security protocols. As last year’s Office of Personnel Management (OPM) hack revealed, agencies are often running outdated computer systems that lack even the capability to encrypt data.
A separate federal inspector general, overseeing the Consumer Financial Protection Bureau, is also examining agency-wide encryption techniques. The CFPB watchdog revealed last month that it is reviewing “the effectiveness of the CFPB’s processes and technologies for encrypting sensitive data stored on mobile devices, such as laptops and cellular phones.”
The IG reported that it specifically wanted to examine the strength of the agency’s encryption methods and complexity of its passwords.
Meanwhile, draft legislation released last week by Senate Intelligence Committee leaders aims to effectively hobble the work of the oversight bodies. The measure put forward by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) would empower judges to force tech companies to undermine the security features on their consumer products at the behest of law enforcement.
Technologists have repeatedly warned that implanting “backdoors” or weaknesses in encryption technology for law enforcement purposes would also grant hackers, identity thieves, and foreign government spies easier access to sensitive information. Kevin Bankston, the director of the Open Technology Institute, said in a statement last week that the draft Burr/Feinstein bill was the “most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century.”