In the wake of recent security breaches, the Obama administration’s 2015 budget proposal included a request for a 72 percent increase in the IRS’s cybersecurity budget, totaling nearly $250 million.
As the IRS looks to restore its reputation and fulfill its mission after a lot of bumbling and bad press in recent years, it is turning to highly educated, top-of-the-line information security specialists for help.
For college-educated information security analysts, auditors, engineers and administrators looking for a challenge and positions with a lot of opportunity for growth, the IRS is hard to beat.
A Bad Reputation and a Long Way to Go to Fix It
The IRS consistently emerges as the least popular of all government agencies in public opinion polling. Recent polls reveal that more than half of all Americans dislike the agency, and only 31 percent trust it.
There are reasons for the mistrust. Every year, the Government Accounting Office (GAO) independently audits the IRS and prepares a list of recommendations for improving cybersecurity. And every year, the auditors look back at the previous year’s recommendations to see how many have been implemented. In 2015, it found that the IRS had only fixed 14 of 69 security holes that had been identified two years earlier.
A series of breaches in 2014 and 2015 that gave hackers access to taxpayer data stored on the agency’s servers hasn’t improved its image. Seven hundred thousand taxpayers had their returns exposed, including Social Security numbers, addresses, and complete income data: one-stop shopping for an identity thief looking to counterfeit financial information.
Few things infuriate citizens like being forced to turn over their most private financial data to a federal agency only to have that agency fumble it right into the hands of identity thieves.
Worse, it took nine months of investigations before the agency fully understood how much data had been stolen and took steps to notify the taxpayers who had been affected.
Equally bad, in the wake of the breach, the IRS sent out unique Personal Identification Numbers (PINs) to the victims of the incident to further secure their data. But the system used to distribute the PINs was vulnerable to any hacker who had the data from the original hack, creating a cycle of further compromises so bad that the entire system had to be taken offline. Taking it offline removed useful tools, which affected taxpayers who were simply trying to get their returns filed quickly and accurately.
Outsourcing Brings New Cybersecurity Challenges and Opportunities to the IRS
Many at the IRS blame their cybersecurity woes on repeated congressional funding cuts. In response, the agency has been outsourcing as many of its operations as possible to cheaper private-sector vendors. Additionally, the IRS is required to report certain taxpayer data to outside agencies for purposes of enforcing garnishment and child support orders from the courts.
This shift to relying on external businesses creates another potential point of exposure for taxpayer data. To proactively secure the information traveling outside of IRS networks, the agency has created the Safeguards Program to work with outside entities to bring their systems up to acceptable cybersecurity standards.
Safeguards cybersecurity staff establish guidelines, create informational and educational material, and conduct audits of external recipients of tax data. The team uses vulnerability assessment tools to scan outside networks to uncover any exploitable holes before hackers have a chance to find them.
The outsourcing kick at the IRS isn’t just to save money, however. It’s also a way to engage additional expertise in areas that the agency has been found lacking, and cybersecurity is one of them.
This isn’t a new idea; a 2013 GCN piece points out that many agencies, including the Department of Homeland Security, are increasingly looking to outside experts for cybersecurity resources.
Accordingly, in 2013, General Dynamics was awarded a $15 million contract to support the IRS’s Computer Security Incident Response Center. The Center is responsible for monitoring IRS networks for attacks and responding to secure data, but a 2012 Treasury Department audit found that almost a third of the agency’s systems were still unmonitored.
Worse, many of the mandated plans and procedures for responding to incidents were not in place, and some incidents that were detected were not reported. General Dynamics hopes to correct that deficiency.
Qualifying for a Cybersecurity Job with the IRS
Despite the very public and very costly data breaches suffered by the agency in recent years, the IRS has been cutting back on security staff. There is only room for the best and the brightest on the payroll at the agency today.
Cybersecurity teams fall into the Modernization and Information Technology Services (MITS) unit at the IRS. Application is made through the agency’s online hiring portal.
The qualifications required vary depending on the position, but candidates with a degree from an institution that is part of the DHS/NSA certified Centers of Academic Excellence in Cyber Defense program will have a definite edge. Schools with qualifying programs hold one or more of these three distinct designations:
- Center of Academic Excellence in Cyber Defense Education (CAE-CDE) for schools offering four-year and graduate degrees
- Center of Academic Excellence in Cyber Defense Two-Year Education (CAE-2Y) for community colleges offering two-year degrees
- Center of Academic Excellence in Cyber Defense Research (CAE-R) for research institutes
Due to the emphasis on outsourcing cybersecurity functions, looking for work at the major subcontractors performing information security tasks for the IRS is also a good avenue for candidates to explore.
As noted previously, General Dynamics is one such employer. It’s possible to search their jobs database for positions specific to the IRS, located in areas around the country.