In the backlash against the proposal that certain American bank account information be reported directly to the IRS, much of the opposition to the proposal has centered around the danger of federal agents utilizing bank data to put Americans under financial surveillance. All of these concerns are well-grounded and legitimate. However, it is important to also consider that having sensitive bank account data centralized under one government agency carries an enormous cybersecurity risk.
Despite the claims that the proposed concept would help curb tax fraud, there has been no widely circulated data on how much it would cost the IRS to protect the data adequately. Worse yet, no analysis has been conducted on the enormous financial damage that taxpayers could face in the event of a catastrophic data breach.
The IRS has been a target of hackers for decades. However, a new influx of data in this level provides many more entry points and for hackers and a greater incentive for hacking operations to occur. There are multiple angles to consider this from.
Centralized bank account data would be a high-value target for hackers
In the first place, the IRS possessing a centralized repository of American bank account data would invite hackers' operations. Even though the proposal has not yet fully specified the exact type of bank account data that would be included, there would still be a danger. The advocates for this policy have insisted that the bank account data being gathered would be fairly limited. Yet, even the smallest amount of bank account information can be leveraged by hackers.
For instance, a hacker might get something as basic as a list of bank account numbers, the total amount of annual funds for each account, and the email addresses associated with the accounts. Then, the hacker could use this information to go after specific targets such as high-value bank account owners, retirees and elderly, and other particular victims with spear-phishing campaigns, spoofing, and additional attack methods.
These hackers could come from two primary sectors, foreign government-sponsored attacks, and criminal cybergangs. Although these entities utilize stolen data for different purposes, the danger is the same.
Government-sponsored attacks to get bank account information would carry several incentives for foreign governments. Foreign intelligence agencies can use hacking as a data harvesting method and then use that broad information to hone in on specific individuals. In the context of bank account data, simply having a confirmation of which business, political, and military leaders own specific bank accounts could serve as a precursor to initiate hacking operations against the bank itself in order to get more detailed information on specific individuals. In addition to intelligence, government-sponsored hackers could also potentially use this information in attempts to steal from the bank accounts themselves.
Non-government cybergangs would also have many uses for a centralized repository of IRS bank account data. While foreign government hackers often have a focus on gathering data for intelligence purposes, organized cybercrime primarily focuses on financial incentives. If they got access to this IRS bank account data, hackers could use this to single out potential victims with high-value accounts. Furthermore, by knowing where potential victims have bank accounts, hackers can use additional methods, such as installing fake banking apps made to look like the victim’s home bank.
Government agencies have a history of data breaches
Even if an organization has a perfect track record of cybersecurity with no major incidents, there is still always the possibility that a breach will occur. Yet, the federal government does not even remotely have such a track record. It is also notable that while different agencies have fared differently, the IRS has become especially notorious for a track of record filled with data breaches and compromises.
According to a Government Accountability Office (GAO) report, in 2016 the IRS encountered $12.2 billion in attempted identity theft tax fraud and paid out at least 1.6 billion in fraudulent refunds. This is a 13 percent fail rate. The report also found that the IRS had not followed best practices for cybersecurity. If the IRS cannot even always determine that they are issuing a refund to the right person, there is little reason to think that bank account data would be protected from fraudsters.
Yet, it is also important to recognize that the IRS is not in a siloed cyber-ecosystem with data sharing that is exempt from the generalized attacks that have targeted multiple agencies across the federal government. Current federal law explicitly permits the IRS to share data with federal, state, and local agencies for a variety of purposes, and it has been doing so for years. In effect, this means that no matter how strict the IRS cybersecurity standards were, there would always be a possibility that another government agency could have a data breach, and jeopardize the shared IRS bank account data.
For instance, in the recent and massive SolarWinds hack, the federal government saw data compromises across numerous agencies and departments. These entities included the Bureau of Labor Statistics, the Department of the Treasury, the National Finance Center, and several others. Thus, even though the IRS claims that it was not affected by the SolarWinds hack, this does not mean that taxpayer data in possession of these other agencies remained secure.
The potential for third-party backdoors
The GAO report also determined that one of the primary security flaws in the system was the policies of the IRS that permitted third-party software to submit and extract data with a lack of adequate cyber oversight. Specifically, the report found that much of the third-party tax preparation software had critical flaws that could lead to data compromises.
If the IRS required banks to report their account data, additional third-party software would likely be introduced into the IRS technology ecosystem in order to deal with the sheer volume of bank data. If the IRS had multiple third-party data reporters approved for integration with its system, each reporting software would stand as potential security fail point.
The broader effects of this would be twofold. On the one hand, if the IRS was too lax in its security compliance requirements, there would be a higher likelihood of taxpayer bank account data breaches. On the other hand, if the IRS implements extremely stringent cybersecurity compliance mandates, there could be an increased cost to the banks themselves and the third-party data reporting software developers.
Government financial monitoring of citizens has principle issues and technical dangers
It goes against the most basic American principles of limited government and due process for the IRS to presumptively monitor the bank accounts of citizens. Given that the entire policy proposal is based upon a faulty foundation, it comes as little surprise that the proposal carries extreme technological and security risks as well. Americans should be able to have confidence that their private bank account information will not be centralized in the hands of a government agency with a history of leaking data.