With bad actors intent on reaching the trove of sensitive data held by the agency, the Internal Revenue Service is focused on maintaining comprehensive cyber defense and partnering with industry on solutions to help take their already-strong capabilities to the next level to meet evolving threats.
“I’m always excited to hear what industry can bring to the table at IRS,” Cybersecurity Operations Director Rick Therrien told the Government Technology and Services Coalition’s recent IRS Day.
Therrien said that the proportion of cyber threats faced daily by IRS is on par with the surge of attack attempts confronted by other agencies, but IRS “by and large has got to be the most interesting agency with the most interesting data to nefarious actors around the world.”
“My guys don’t sleep so the rest of America can,” he said.
The cyber team at IRS has an “exemplary set of capabilities” and is always looking to maintain an edge by bringing in additional capabilities that can take their powerful tool sets even further, Therrien said, adding that a new solution or capability must surmount the challenge of integration for it to work at IRS.
The Office of Management and Budget memorandum on moving the federal government toward zero-trust cybersecurity principles emphasized the Cybersecurity and Infrastructure Security Agency’s five pillars: identity, devices, networks, applications and workloads, and data. The IRS cyber office is diligently working at executing zero trust – “a big lift” for an agency that has such a large footprint of technology platforms, users, and contractors.
“We have a good, strong set of tools but our integration challenges are going to persist for years to come,” Therrien said, noting that the agency is “phasing in new capabilities that give us a strong cybersecurity advantage.”
Deputy Chief Information Security Officer Paul Selby expressed his admiration for the team working to keep taxpayers’ data secure. “We’ve got people working at the IRS who are the best in the business,” he said.
Selby spent 20 years in industry and said his “preconceived notion” about working in government has turned out to be one of the “biggest myths I’ve ever encountered.”
“I’ve never worked with such dedicated people,” he said, calling the IRS team “absolutely phenomenal” and stressing that, day-to-day, IRS employees work in “service to our country” with an “absolute commitment to customer service.”
“I am floored by that they are absolutely laser-focused – more than any other organization I’ve seen – on taking care of taxpayers,” he added.
Selby emphasized the importance of partnering with procurement colleagues to “make sure we’re able to meet the mission.”
“I don’t think we can do the job without private industry,” he said. “We need your ideas; we need solutions.”
Discussing the cyber threats faced at IRS and beyond, Therrien said he runs phishing campaigns on a routine basis and “constantly” sees employees continue to get snared by phishing emails. “Don’t trust just because it says ‘IRS’ something or ‘tax’ this – have a notion of distrust up front, don’t click on it, be suspicious,” he advised.
“We see attempts to do account takeovers, active campaigns, every day – nefarious actors trying to take over the accounts of taxpayers will start trying to get money out of the Treasury that’s yours,” he added.
These campaigns are getting “ever more precise” with sharper spearphishing to where it’s “harder for people to tell the difference.”
“Don’t be a clicker,” Therrien advised. “Take a look at what’s really being asked. Don’t click on it.”
Zero trust requires a “change in mindset,” he stressed. “When it was introduced to agencies it was thought of by IT organizations as a silver bullet – we know it’s not.”
IT professionals have “moved beyond” the cybersecurity analogy of a castle and moat trying to protect a village of data, Therrien said. “We no longer have that.”
The cybersecurity enterprise must concentrate on “protecting the data where it’s at” with a “full stack of capabilities.”
That means introducing “more security friction” for the data that moves and “having a real good sense where it’s supposed to be, who needs access” with “situational awareness on it at all times.”
To help counter insider threats, the IRS is increasing its log collection. “If there is interest in individual activity, I need to have that information at my fingertips to reconstruct activities of individuals,” Therrien said. “But we’re also looking at insider threat from a more holistic perspective.” That includes being aware of personal issues that could affect employees from family crises to mental and physical well-being. “We look at now the personal security dimension, the human capital dimension as well as the IT dimension to get people help they need or just get the training they need to avoid falling into situations in which they’re unknowingly duped.”
Selby asked “how many people have changed the password on their home router” as part of their regular cyber hygiene.
“It’s not the big things that are going to get us, it’s the little things,” he noted. “People ask, what do I need to do to increase cybersecurity – do it all. You cannot do too much to protect your data.”
Selby encouraged industry to “come meet with us” and discuss what a company can offer the IRS infosec mission.
“We’re not looking for a tool that describes our tools,” he said. “We would love to hear about a tool that replaces several tools. If you’ve got something that can help us, that’s the story.”
