WASHINGTON, D.C. – U.S. Senator Joni Ernst (R-IA) yesterday raised questions during a Homeland Security and Governmental Affairs Committee hearing entitled “The IRS Data Breach: Steps to Protect Americans’ Personal Information”.  The Senator discussed current cybersecurity threats and proposed methods to improve and secure systems with Symantec Corporation Director Jeffrey E. Greene, University of Michigan Associate Professor Dr. Kevin Fu, and Mr. Michael Kasper of Poughkeepsie, New York. 

Click here or on the image below to watch.


SENATOR ERNST: Thanks to our panelists for being here today. This is a very timely issue I’m glad we’re able to discuss it right away. So I thank the Chairman and the Ranking Member for calling this hearing. I do have, as I'm sure most folks do, very serious concerns about the implications of this type of data getting out there, and how easily it seems to be obtained by these people hacking into different systems. So I look forward to learning more about it and hearing your thoughts, additional thoughts on it. What I’d like to find out just from you, either you Dr. Fu or Mr. Greene, are there readily available private sector solutions for this that could be compared, you know the website you talk about, the KBA, and are there private sector firms that use this type of information and what’s the best way to replace what we’re doing now with a better, more secure system?

MR. GREENE: So there are security measures, certainly Senator, you can put in place, many of the KBA back ends are provided by the private sector and in fact are used by the private sector. The security that worked three, five years ago isn't working as well today because of the information that was stolen. Through the initial login process when you’re setting up the account, there’s kinda, there are two ways I look at it. One is how do you prevent a fradulent account from being set up? How do you stop it before it happens? And that would be through some form of two factor authentication, improving KBA, and there are different ways to do it, one of which we’ve talked about is the phone or the letter. On the back end, to try to see who’s doing this activity, there are ways to basically take the data log, the servers that are logged in, perform analytics on them and see if you’re seeing a pattern of activity indicative of some level of fraud. Now, to some degree, for a few people, the horse is going to be out of the barn at that point. Because you may already have some false logins, but you need to be looking at it from both ends, and we’re never going to be able to stop 100 percent of it. But as the criminals get more sophisticated, the tools that worked become less effective, and I think that’s where we are with KBA. And there are ways to improve it going forward.


DR. FU: Well, let’s see, I think I have two different responses. One is NIST, So NIST has actually proposed this ten year roadmap, called the NSTIC, the National Strategy for Trusted Identites in Cyberspace. And in fact, they already have given advice to IRS, and there’s a published report. And I think that the federal systems will find better authentication systems if they do engage with NIST, and take the advice of NIST’s independent non-regulatory experts. They have a wealth of information on the technologies, the risks, the benefits, there’s also a number of companies working in the two factor authentication space. I don’t know of any that specifically work on, for instance, protecting taxpayer information, but one company local in Ann Arbor, Duo Security, for instance, uses a mobile phone as a second factor. So when they attempt to have their customers log into a to some kind of service, not only do you need to have a password, but you also need to have a mobile phone present. And the idea is that it is more difficult for an intruder to physically steal your phone if they’re somewhere in a foreign country. There’s also some interesting innovation by a company that I believe had come out of Georgia Tech, Pindrop Security, they actually work for financial services companies. They listen to the audio of the phone calls as people call in and they’re able to actually identify repeat offenders who are calling in pretending to be other people based on the delay in the phone line from the country they’re calling from, some interesting characteristics of the copper wires. You could use some of these advanced technologies not to eliminate, but at least reduce the risk of fraudsters trying to go from one fraudster doing 100,000 accounts to at least making it more dififcult to scale up to so many different accounts from one adversary.

SENATOR ERNST: Thank you. And Mr. Kasper, I’m sorry you've had to go through this experience as so many others have. You had indicated that the IRS thought that the e-mail account – maybe I had read this somewhere – that the e-mail account was suspicious? Was that from your testimony, or was it somewhere else that I read?

MR. KASPER: Yeah, I don’t remember the exact words that I used but when I was on the phone I said “Hmm that doesn’t seem right," or something like that. 

SENATOR ERNST: Yeah it makes me wonder, especially if these are coming from foreign adversaries, that if they have a different e-mail address that indicates they are coming from, originating from a foreign nation, that that is something that could be flagged for requiring additional information? I don’t know if that’s something else that could be considered.

MR. KASPER: Yeah there’s probably some analytics they could do just on the domain name, because they highlighted the 200,000 had these suspicious domain names, but it’s very easy to get a Hotmail or Yahoo e-mail account and automate that and have some type of process for taking advantage of it. There are things that it seems like they weren’t monitoring with those servers and transactions that they could have been doing.


MR. KASPER: IP Addresses and all of that.

SENATOR ERNST: Exactly. And do any of you know has the IRS has reached out to any private sector providers to try and correct the system that they have now, or done any sort of control measures? Do any of you know? Ok, that’s a question for our next panel. Ok. Well I appreciate it very much. I thank you for your time and hopefully we can get to the bottom of this and find better ways of utilizing our information systems. Thank you. 

# # #