Michael Hatfield, Cybersecurity and Tax Reform, 93 Ind. L.J. 1161 (2018), https://digitalcommons.law.uw.edu/faculty-articles/511
Cybersecurity and Tax Reform
Indiana Law Journal
According to FBI experts, the IRS information system is the “gold standard” for cyberattacks in the United States. The IRS collects personal information, and, in some cases, extraordinarily detailed and sensitive information, on about 290 million individuals each year. With a U.S. population of 328 million, that is not information on everyone, but it is information on closer to everyone than any other single agency collects. The IRS also handles more money than any other agency: $3.3 trillion in total collections and $403 billion in individual income tax payments. Taking advantage of online refund processing, each year cybercriminals steal about $3 billion from the IRS. Last year they also stole detailed personal information on about 724,000 individual taxpayers.
But there are greater risks. Even more would have been lost if the IRS database were the target of a vacuum cleaner attack like Anthem and the OPM. Or if IRS information were quietly manipulated to push payments into criminals’ accounts or push taxpayers and tax administrators into confusion. Or if the information were simply deleted, destroying all record of payments and filings and dropping the government, taxpayers, and the economy into costly chaos.
Unfortunately, there is no reason to believe the IRS will develop adequate cybersecurity. While history is not determinative, it is revealing. And while the IRS has achieved some significant information technology successes, its history is marked more by significant failures. The IRS computing system remains largely dependent on the magnetic tape drives housed in the Martinsburg, West Virginia, computer center established in 1961. After decades of work and billions of dollars, the IRS has failed to establish a state-of-the-art computer system, or even a searchable database of all taxpayer information. Indeed, after four years of work and $139 million, the IRS has failed even to upgrade from Windows 2003 to Windows XP.
The IRS now spends $2.4 billion each year on computer technology, but that is spread among nineteen different projects, of which updating its system is only one. Given the billions spent already, there is no reason to believe adequate technology at the IRS is merely a matter of funding. All the same, Congress has been reducing funding at the IRS for years, and probably will continue to do so. It would require a substantial increase in IRS funding to return it to past levels, which makes it even less likely the IRS will achieve adequate cybersecurity.
Given that the IRS is the gold standard for cyberattack yet cannot manage to upgrade its Windows systems, one may wonder why the worst sorts of attacks have yet to hit the IRS. Ironically, it may be the decades of failures that have protected the IRS from cutting-edge technological attacks. While not the equivalent of manual typewriters, the antiquated system of the IRS, which until very recently depended entirely on weekly uploads to magnetic tapes, is not at all like the updated systems at Anthem and the OPM that the Chinese government vacuumed. While this technological arrest has been unintentional, unlike the intentional Russian and German government strategies, it appears to have been effective. What has been successfully attacked at the IRS are not these older systems, which are open only to IRS users, but the newer, public-facing systems that provide outside users greater convenience in getting refunds or information.
This Article takes seriously the cybersecurity challenges faced by the IRS as well as the agency’s limitations in solving those challenges through its technological advances. The Article argues that we ought not to depend wholly on changes in technology but must change the way we think about cybersecurity. This Article argues the government ought not to leave cybersecurity as an information technology problem for the IRS to solve but ought to come to it as a legal problem for Congress to solve. Congress has designed a tax system that requires the IRS to collect information on hundreds of millions of individuals and to routinely issue hundreds of billions in refunds. If the tax law did not require so much information on so many, nor involve refunds to so many, the IRS would be a less appealing and more defensible cyberattack target. In short, if the tax law were simpler in specific ways, the information technology needs at the IRS would be simpler, and adequate cybersecurity for the IRS would be easier.
Part I describes cyberattacks at the IRS and elsewhere, predicting that future cyberattacks at the IRS will be similar to previous cyberattacks. Part II begins with a history of computer use at the IRS, arguing that this history—as well as a variety of other factors, like inadequate funding and expertise and the technical and human difficulties of cybersecurity—reveals little reason to be hopeful that the IRS will achieve appropriate cybersecurity. Part III argues that Congress should consider how potential tax reforms might make the IRS database a less appealing and a more defensible cyberattack target. This Article concludes with reflections on the relationship between law reform and the digital revolution.