IRS Chief: Agency Faces Loss of Key InfoSec Personnel


Koskinen Seeks Renewal of Law That Boosted Pay Levels

Senate Finance Committee's hearing on protecting taxpayer data

The Internal Revenue Service, which has been plagued by data security incidents, faces the loss of key IT and data security personnel over the next year unless Congress renews a lapsed law that boosted the pay of top-notch personnel temporarily recruited from the private sector, the head of the IRS says.


"The loss of streamlined critical pay authority has created major challenges to our ability to retain employees with the necessary high-caliber expertise," IRS Commissioner John Koskinen testified at an April 12 hearing on cybersecurity and protecting taxpayer information held by the Senate Finance Committee. He said the agency's top cybersecurity expert recruited through the program recently left. "In fact, out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year."

IRS Commissioner John Koskinen discusses the benefits of the streamlined critical pay law.

The lapsed law, which expired in September 2013, allowed the IRS to pay more than usual to hire up to 40 individuals for positions requiring extremely high-level expertise, including information security. Among those recruits: IRS Chief Technology Officer Terence Milholland, who served as executive vice president and CTO at card issuer Visa International when recruited 8½ years ago and is leaving the agency later this year.

Higher Salaries

The streamlined critical pay law limited a term of service to four years, although the average tenure was 2.2 years, according to a 2014 inspector general report. But recruited personnel could serve more than one term. Employees recruited under the streamlined critical pay program could receive a top annual salary of $227,300; that's 24 percent higher than the top yearly pay of $179,700 that members of the federal government's Senior Executive Service could receive.

Losing key IT and cybersecurity personnel could be damaging for the IRS, which over the past year has experienced a number of IT security breaches and has come under criticism by government auditors for failing to implement cybersecurity safeguards (see Audit Reveals IRS Struggles to Implement Security Controls).

Koskinen received a sympathetic ear from several senators who called on their colleagues to reauthorize the hiring program, including the ranking member of the committee, Sen. Ron Wyden, D-Ore.

Impact of Congressional Inaction

"When it comes to blocking hackers, Congress has done next to nothing while the IRS loses its ability to hire the experts who can keep taxpayer information safe," Wyden said. "If you're a top-notch tech expert, you're already taking a pay cut to work in public service. Now, without what's called streamlined critical pay authority, it can take four to six months to bring a new hire on board at the IRS. So let's be clear: Taxpayer information is under assault every day, but the IRS does not have the legal authority it needs from Congress to build a cybersecurity team that can beat back the crooks."

The committee's chairman, Republican Orrin Hatch of Utah, said the panel will address legislation to reauthorize the program, but he did not provide a time frame for doing so.