W-2 forms are being mailed out across the country, signaling the onset of tax season. The IRS is preparing to process returns, but also is gearing up to fight tax fraud, and it is using technology and shared services to get the job done.
Amid tight budget and staff shortfalls, the IRS is turning to shared threat and fraud prevention services. The agency also is deploying analytics and authentication technology to fight against tax fraud. The efforts suggest that, as criminals refine their techniques to use stolen data and identities to file fraudulent tax returns, the IRS is turning to technology to try and stay ahead of the tax cheats.
Shared Services Help Under Tight Budgets
As the IRS's budget and workforce has been reduced over the past several years, it has turned to other federal agencies to try and make up ground, and it is pursuing that strategy in fraud prevention services. It needs to do so, because the threat is real.
Tom Brandt, the IRS' chief risk officer, told Federal News Radio that the agency receives more than a million "pings" each day that warn of attempted cybersecurity intrusions. He said the IRS, in an environment of "reduced resources," has turned to other partners in government for their expertise and data.
Speaking on Jan. 17 at the Association of Government Accountants' annual Financial Systems Summit, Brandt said that by partnering with state tax authorities, financial institutions and tax preparers, the IRS has used threat sharing information to stay ahead of criminals. The agency has used it to update filters and for other methods of detecting and preventing fraud activity, according to Federal News Radio.
In March, as Federal News Radio reports, the Education Department shut down its data retrieval tool on FAFSA.gov after hackers used it to obtain sensitive financial information on as many as 100,000 people who applied for student loans, and then used that data to file tax returns.
In the aftermath, Brandt said the IRS has worked with the Education Department to increase cybersecurity protections. "We worked very closely with them to shut that down, and to fix the problem, and then to bring that up in a much more secure way," he said, according to Federal News Radio. "But I think it just then adds to us continuing to look at where is tax information shared and used across the full landscape, and then how do we ensure that it's not being misused by criminals."
The IRS has used data from the Federal Bureau of Prisons in the Justice Department to prevent criminals from filing tax returns using inmates' names and financial information, according to Brandt. He also said the IRS would hold an internal risk roundtable to discuss new trends in fraud cases.
"Doing something like that is an opportunity to bring together all of those elements within your organization that are actually working to address fraud, and look at where there are some lessons learned [and] shared opportunities," Brandt said, according to Federal News Radio.
The IRS can look at case studies and events that happened at the IRS, other agencies, or in some cases, other tax administrations, Brandt said, to determine how vulnerabilities were exploited and how the IRS can prevent future intrusions and instances of fraud.
The IRS is also using data analytics technology to help other agencies detect and prevent fraud.
Joan Iannotta, the agency's senior adviser for data analytics, said at the AGA conference that the IRS's analytics service is aimed at helping agencies develop data-centric internal control that can be built into existing technology infrastructure to help detect high-risk payments.
IRS Embraces Authentication Technology
In addition to data sharing and analytics tools, the IRS is also exploring how to enhance its authentication technology. Michael Anthony said that identity access management, which he is director of at the IRS, is critical for the agency.
Speaking at a Jan. 31 Digital Government Institute event, Anthony said the National Institute of Standards and Technology's digital identity guidelines (titled NIST SP 800-63-3) will allow the IRS to "leap ahead" with levels of assurance by deploying features such as a digital identity acceptance statement, according to GCN.
"As part of NIST SP 800-63-3, we want to ensure our digital identity risk assessment process is forward and backward compatible with our current capabilities," he said. "We're currently performing an analysis to understand where gaps between our current implementation and the new requirements may be, [and] we are going to continually assess and innovate since threat vectors and bad actors continue to evolve."
Over the past several years, the IRS has worked to strengthen its identity access strategy with internal and external partners. The agency has worked directly with NIST and the Social Security Administration to share best practices on the technology, Anthony said.
The IRS wants to protect the privacy of citizens' data and ensure it is following NIST's digital identity guidelines as the financial industry evolves, Anthony said, according to GCN.
"One of the IRS's future state goals is to increase customer satisfaction through more cost-effective delivery channels such as online account access," he said. However, the IRS must also deal with the fact that some individuals might not have access to more sophisticated authentication tools.
"How do we digitally enable communities that may not have these devices?" Anthony asked. "We need to manage end-user expectations balancing security, privacy and accessibility. We urge industry to innovate in this space," with the new capabilities that NIST SP 800-63-3 allows, he said.
In January 2017, the IRS created an Information Sharing and Analysis Center, Anthony told GCN, which aims to bring the IRS, state governments and the tax industry together in a secure environment to "work through the challenges and issues related to privacy, data security, and sharing of information in a real-time, proactive nature."