By Bruce Sussman
Wed | Aug 26, 2020 | 3:30 AM PDT

The IRS has audited plenty of taxpayers and organizations.

But this time, it is the Treasury Inspector General for Tax Administration auditing the IRS, the agency's legacy IT environment and its cybersecurity.

The audit's conclusion? These numbers don't add up.

How do you define a legacy system?

We all know asset management is hard for organizations. There can be a constant churn of legacy systems becoming obsolete, unsupported and insecure. These things can become problematic.

But according to the new audit at the IRS, there's an organization-wide problem. It has been unable to answer key questions: what is a legacy system? And how many legacy systems do we have?

The Inspector General's report summarizes the IRS and its IT environment like this:

"The reliance on legacy systems, aged hardware and software, and use of outdated programming languages poses significant risks, including increased cybersecurity threats and maintenance costs.

In addition, the IRS cannot effectively manage its legacy systems if it does not have an enterprise-wide strategy, an enterprise-wide definition, and a complete and accurate inventory to address updating, replacing, or retiring most of its legacy systems.

When we asked for specific plans to identify, manage, or modernize the IRS’s legacy systems, IT organization and other business unit and function management stated that, generally, there were no individual plans for all systems at the IRS."

IRS legacy system numbers: math error?

And this lack of clarity by the Internal Revenue Service led auditors to uncover some bad IT math on the part of the tax collection agency:

"By applying the Information Technology organization’s definition of a legacy system to the As-Built Architecture (ABA) as of April 29, 2020, TIGTA determined that 288 (43 percent) of the 669 systems in the IRS’s production environment had missing information that prevented TIGTA from determining whether the systems should be considered legacy.

Of the remaining 381 systems, TIGTA determined that 231 systems were legacy and 150 were not legacy.

When comparing our list to the IRS’s lists of legacy systems, TIGTA identified 46 systems as legacy that the IRS had not and one system that the IRS incorrectly identified as legacy.

Further analysis determined that an additional 49 systems will become legacy within the next 10 calendar years."

This math is crucial, because right now the IRS is in the middle of a multi-year, multibillion-dollar plan to upgrade some systems and retire others.

However, the audit found that what is underway is not enough from an information security perspective:

"...if further action is not taken to address the growing number of and reliance on legacy systems, the IRS faces the risk of increasing cybersecurity threats and maintenance costs as more of its systems become legacy."

How massive is the IRS information technology infrastructure?

The IRS currently has 669 systems in its production environment, and the IG audit says the cost of maintaining this environment is astronomical:

"In Fiscal Year 2019, the IRS spent over $2.86 billion to operate its current information technology infrastructure, nearly $2.04 billion (71 percent) of which was on operations and maintenance.

If current trends continue, spending is expected to increase to over $3 billion annually by Fiscal Year 2026."

What does effective asset management look like from a cybersecurity perspective?

Asset management is difficult. Aflac CSO Tim Callahan told us as much after his keynote at a SecureWorld conference last year.

How do you manage your assets effectively at the enterprise level? Here's how Callahan explains it:

"It's very simple to talk about, it's really hard to do. But really, an organization needs to have a living inventory of digital assets. Because if we know what we should have, it's easy to program things that don't meet that.

It's like, 'This is the good list. Anything not on the good list is bad.' Simple, and easy to program. Keeping the IT asset management system up to date is a challenge.

We do have a little bit of a benefit, because we've established a protocol where no device can touch our environment, or authenticate our environment, if it doesn't have one of our security certificates on it. That helps us keep it fresh.

Because if one of the admins forgets that he needs to go to our solution Venafi, check out a certificate, and put it on the server, then it won't authenticate. So it helps in that.

You know there are always challenges, any organization is going to have a challenge in asset management. But it has to be a partnership, it has to be a good understanding by IT leadership that this is important for the ongoing posture of the company. Not just security, also the management of the company. And so we have to continuously reinforce that."

And right now, the Treasury Inspector General is reinforcing that message at the IRS.
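
The "good list" check Callahan describes, combined with the audit's point that records with missing information cannot be classified at all, can be sketched as follows. This is an added example, not code from Aflac, the IRS, or the audit; the field names, fingerprints, hostnames, and the rule that a system is legacy once its support end date has passed are assumptions made for illustration.

```python
from datetime import date

# Constructed "good list": inventory keyed by the certificate fingerprint issued to each system.
INVENTORY = {
    "fp-a1": {"name": "payroll-db", "owner": "finance-it", "support_ends": date(2027, 6, 30)},
    "fp-b2": {"name": "batch-host", "owner": "ops", "support_ends": date(2015, 1, 1)},
    "fp-c3": {"name": "file-share", "owner": None, "support_ends": None},
    "fp-d4": {"name": "old-gateway", "owner": "network", "support_ends": date(2018, 3, 1)},
}

# Constructed observations: (hostname, fingerprint presented at authentication, or None).
OBSERVED = [
    ("payroll-db", "fp-a1"),
    ("batch-host", "fp-b2"),
    ("file-share", "fp-c3"),
    ("unknown-box", None),   # no certificate at all
    ("lab-vm", "fp-zz"),     # certificate that was never issued from the inventory
]

REQUIRED_FIELDS = ("owner", "support_ends")


def classify(record, today):
    """Return 'undetermined' when required fields are missing, else 'legacy' or 'current'."""
    if any(record.get(field) is None for field in REQUIRED_FIELDS):
        return "undetermined"
    # Assumed rule for this example: legacy once the support end date has passed.
    return "legacy" if record["support_ends"] < today else "current"


def reconcile(inventory, observed, today):
    """Bucket observed devices against the good list and report stale inventory entries."""
    report = {k: [] for k in ("current", "legacy", "undetermined", "not_on_list", "not_seen")}
    seen = set()
    for host, fingerprint in observed:
        record = inventory.get(fingerprint)
        if record is None:
            # Anything not on the good list is flagged, whatever it calls itself.
            report["not_on_list"].append(host)
            continue
        seen.add(fingerprint)
        report[classify(record, today)].append(record["name"])
    # Inventory entries nothing authenticated as: the list is no longer "living".
    report["not_seen"] = sorted(r["name"] for fp, r in inventory.items() if fp not in seen)
    return report


if __name__ == "__main__":
    for bucket, names in reconcile(INVENTORY, OBSERVED, date(2020, 8, 26)).items():
        print(f"{bucket:13} {names}")
```

The "undetermined" bucket is the one the audit highlights: a record that exists but lacks the fields needed to decide whether the system is legacy.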

READ: Inspector General Report on IRS Legacy Systems

LISTEN: SecureWorld podcast with Aflac CSO Tim Callahan, "From Bombs to Cybersecurity."