The Cybersecurity Challenge for Tax Authorities

April 8, 2024

A. Why Tax Authorities are Prime Targets for Cyber Attacks

Tax authorities play critical roles in national financial systems, making them prime targets for cyber-attacks. They manage huge amounts of funds and sensitive information and are central to the operation of governmental services. In many cases, tax authorities rely on legacy IT systems, increasing their vulnerability to digital threats. Beyond the operational and financial damage cyber-attacks can inflict on tax authorities, successful disruption of a tax authority is seen as a symbolic achievement for cyber-attackers. In this article, we will review the unique vulnerabilities of tax authorities, review examples of cyber-attacks on tax authorities in different countries from recent years, and conclude with recommendations on how tax authorities can improve their cyber resilience and readiness for cyber-attacks.

B. Sensitivity of Tax Authorities – Prime Targets for Cyberattacks

Tax authorities are a crucial part of any national economic infrastructure and are lucrative targets for cyber attackers due to the assets they hold and the governments they represent. Some of the factors making tax authorities attractive targets for cyber-attacks include:

  1. The strategic role of tax authorities in national economies – Tax authorities are a critical source of funding for public services; they handle significant volumes of financial transactions and influence fiscal policies. The impact of an attack on a tax authority goes beyond immediate financial loss. It affects individuals' privacy and the nation's economic health. An attack can disrupt a nation's financial stability, damage public trust, and harm the authority's reputation.
  2. Tax authorities hold an immense volume of sensitive data – Tax authorities are key targets for cybercriminals as they store high volumes of sensitive information. This includes personal and financial data of individuals and companies. If this data is stolen, it can lead to serious problems like identity theft and financial fraud, and may adversely affect international information collaboration and sharing with other national tax authorities.
  3. Vulnerable IT systems – Digital systems used by tax authorities are large and interconnected. In many cases the systems used by tax authorities are older legacy digital systems, making them vulnerable at multiple points. Cybercriminals seek to exploit these weaknesses to launch sophisticated attacks.

C. Examples of cyber-attacks on Tax Authorities

  1. DDoS Attack on the Polish Tax Service Website, March 2023.

a. Attack Type: Distributed Denial-of-Service (DDoS) attack, causing disruption to the Polish national tax portal.

b. Impact: Short-term disruption, with the website crashing and blocking access to online tax for a day.

c. Resolution: No data breach occurred; authorities monitored and managed the incident without specifying further recovery details.

  2. Costa Rica – Ransomware Attack on Government Systems – April-May 2022

a. Attack Type: A ransomware attack by the Conti Group, utilizing malware to encrypt government systems, demanding a ransom of $20 million.

b. Impact: Severe disruption of governmental services, including tax collection and customs, impacting Costa Rica's economy and public sector operations.

c. Resolution: The Costa Rican government declined to pay the ransom and initiated recovery efforts with international cybersecurity assistance.

  3. United States – IRS Compromised in the SolarWinds Supply Chain Attack – December 2020.

a. Attack Type: The IRS was hit by a supply chain attack in which malicious code was inserted into Orion, an IT monitoring software product developed by SolarWinds. The malicious code creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software. In simple terms, the attackers reached the IRS by infiltrating software it was using, by hacking its update. The backdoor inserted by the attackers was unrecognizable to users and seemed identical to a legitimate update.

b. Impact: The attack potentially exposed sensitive taxpayer information and jeopardized government data integrity. It raised concerns about the breadth of access gained by the attackers to the federal systems.

c. Resolution: After the attack was uncovered by FireEye, the IRS cybersecurity and IT teams isolated the compromised Orion software, deployed patches, and instituted additional rigorous security measures. Since the hack was active for over a year until it was detected, it required long, ongoing efforts to resolve the attack and assess the damage that followed.

D. Recommendations for Tax Authorities to Enhance Cybersecurity:

  1. Regular Training and Awareness: Conduct regular cybersecurity training for all employees, emphasizing the dangers of phishing attacks and the importance of strong password policies. Educate staff on recognizing suspicious emails and the protocols for reporting them.
  2. Access Control and Protection from Insider Threats: Vet employees, compartmentalize data, and implement anomaly detection systems and zero-trust policies. Utilize multi-factor authentication and ensure that access to sensitive data is strictly on a need-to-know basis. Regularly review and update access privileges to prevent unauthorized data access.
  3. Stay Updated with Security Patches and update IT infrastructure: Maintain a routine of updating and patching all software and systems. Employ a robust system for monitoring and quickly deploying the latest security updates to defend against known vulnerabilities.
  4. Leverage Exposure Management and Cyber Threat Intelligence: Implement continuous cyber threat exposure management and utilize cyber threat intelligence to proactively identify and respond to emerging threats, by looking at the internal network from the attackers’ perspective. This approach enables tax authorities to stay ahead of potential cyber risks and tailor their defenses to the evolving threat landscape.
  5. Implement Tools for Ongoing Cybersecurity Vulnerability Assessments: Cybersecurity assessments are not enough. Given the speed of attacks and the spread of deployments, even if you do an assessment on one day, systems can be attacked on the following day.
  6. Incident Response Plan: Develop and regularly update a comprehensive incident response plan. Ensure that all employees are familiar with their roles in the event of a cyber incident and conduct regular drills to test the effectiveness of the plan.