Security experts reacted on news that cyberattacks on the IRS, previously estimated to affect 100,000 taxpayers, is now more likely to have affected 300,000 taxpayers, exposing their personal information. The IRS further admitted there had been 600,000 breach attempts.
[su_note note_color=”#ffffcc” text_color=”#00000″]John Gunn, Vice President, VASCO Data Security :
“If you are hoping to get your tax refund before the hackers get it, you better file early next year.
Government agencies and other organizations must abandon outdated methods of user identification and security. Criminal hacking organizations are employing remarkably innovative and sophisticated methods of attack. If we don’t get serious and employee equally advanced methods of authentication and fraud detection, the hackers will continue to win.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jeff Hill, Channel Manager, STEALTHbits Technologies :
“One of the reasons authentication-based attacks are so effective – and so popular among hackers – is that they’re very difficult to identify. Once legitimate credentials are obtained, it’s nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined. Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach’s damage months later. Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Stewart Draper, Director of Insider Threat, Securonix :
“The impact of this breach will move well into 2016 and beyond, with the President attempting to counter these concerns with a 72 percent increase in cyber security funding for the IRS. Much of the damage has already been done. Critical personal data (such as social security numbers, which cannot be changed like your debit card) are already in the hands of potential attackers. Investing this money in the RIGHT areas of security will be critical for the success of the IRS. There cannot be many people left who do not have free credit protection and this is fast becoming an unacceptable recourse to victims of security breaches of this magnitude.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Philip Lieberman, President, Lieberman Software :
“The current IRS scheme points out the crying need for the Federal Government to reinvent itself to operate safely in an Internet connected world. The necessary changes require the type of leadership that only the Executive and Legislative branches can provide since the IRS simply follows policies set by government leadership.
The IRS and many other government agencies critically need significant cyber-security funding as well as a new modern mandate that will allow them to build better defenses (and mount offenses against attackers). The unfortunate truth is that the IRS is by nature an IT shop (it does not manufacture anything but paper and bits), but like many IT shops, its management has be forced to focus on the reduction of costs, customer service, and the maximization of revenue above and beyond IT innovation, security and resiliency.
Laws exist to punish fraudsters that commit financial crimes, but as a practical matter, there is a fundamental lack of resources to allow for the prosecution of all criminals especially when the crime is done electronically; only really big crimes or high profile crimes get the attention of law enforcement as a practical necessity. There is limited staff to investigate (they are not exactly highly compensated nor heavily resourced) as well as pragmatic in-field issues such as jurisdiction and compensation for local law enforcement to clean up Federal crimes.
There are finite resources in any government agency (they IRS does not generally get to use the money the collect). The existing ‘war on terror’ has taken considerable resources from both citizens as well as government agencies to advance post-9/11 objectives as well as legacy programs to try to improve society. Perhaps it is time to provide leadership for federal agencies in cyber-defense, prioritize financial crimes such as identity theft/financial crime and reallocate existing resources to that task. Financial crimes via the Internet affect more citizens each day than do other threats, with the breaches at retailers and government proving the numbers behind this assertion. Agencies by themselves are not the creators of their mission or methods, only the legislature can make the required changes to adapt to today’s realities in the Federal Government.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.