Like many other entities (both singular and conglomerate), the IRS was reluctant to sever ties with Windows XP. Microsoft forced the issue, however, and gave everyone plenty of time to migrate to an operating system released sometime in the last ten years. Even with this head start, the IRS has yet to meet this target.
An Inspector General's report notes that the IRS has almost finished upgrading its workstations to an operating system that's only eight years old (Windows 7). Almost.
As of May 2015, the IRS has completed most of the Windows XP workstation upgrades across the country. Approximately 1,300 workstations have yet to be located or confirmed as running the old operating system.
At this point, I'm going to do something I rarely do: cut a government agency some slack. The IRS did have plenty of workstations to upgrade -- nearly 110,000 -- so if 1,300 went "missing," it's somewhat understandable. On top of this, budget issues forced the agency to upgrade old workstations instead of replacing them with newer systems, which would have greatly sped up the process.
The IRS claims it does know where these missing 1,300 workstations are, but that the Inspector General won't listen to it. The included "Management Response" says the following:
The audit incorrectly concludes that IRS has not accounted for all XP workstations. We acknowledge there were challenges with our inventory data due to the many antiquated systems in our IT ecosystem. In spite of this, we took extraordinary steps to identify, document and upgrade every XP workstation in the IRS. On several occasions throughout the audit, the IRS provided information to the TIGTA team that clearly documented the number of workstations to be upgraded, where those workstations were located, and our strategy to complete the upgrades. Although footnoted in the report, TIGTA opted not to change their assertion that the IRS had not accounted for all XP workstations. As of this date, only 71 Windows XP workstations remain to be migrated.
The IG's footnote tells a different story.
After the conclusion of our fieldwork, the IRS provided documentation that these workstations were located and upgraded to Windows 7, as of July 22, 2015. We were unable to verify this information.
Beyond the workstations, there are the IRS's servers, which are also running up against Microsoft's upgrade clock. This not-overly-optimistic statement by the IG suggests the IRS will be living in the (OS) past for much of the future.
Based on our discussions with management, we determined it is unlikely that the IRS will have its servers upgraded to Windows Server 2012 any time this Fiscal Year.
This is due to the fact that the IRS is still struggling to upgrade its servers to seven
In fact, the IRS still has not fully upgraded its servers from Windows Server 2003 to the 2008 release. Currently, the IRS has approximately 3,000 Windows servers still running the 2003 operating system. Management informed us that they have upgraded approximately 4,100 servers to the 2008 version which is already seven years old. The IRS currently has no servers running the 2012 operating system in production at this time.
Time to start reeling in the slack I cut the agency earlier. This logistical issue seems especially absurd.
The IRS also discovered nearly 6,000 applications being used by employees to do their jobs that required an assessment of each application to determine whether it would operate on Windows 7.
Unfortunately, the report doesn't provide more details on the massive number of applications being used by the IRS. Every interlocking piece presents a new possibility for a hole or an exploitable flaw, something compounded by the use of unsupported system software.
The IRS has already seen its system exploited by scam artists, who were able to use the credentials of taxpayers to fraudulently obtain refunds. That its "user data" (the tax records and personally-identifiable information of millions of Americans) is secured behind a patchwork of outdated software presents criminals and rival governments other opportunities for exfiltration and exploitation of taxpayer data.
Even if the IRS manages to hit its self-imposed targets for the most recent round of upgrades, support for those operating systems is also on its way out.
Despite the eventual progress made by the IRS on the Windows XP upgrade efforts, we believe the IRS provided inadequate oversight and monitoring during the early phases of this effort, starting with including it among other Microsoft product upgrades rather than making this effort its own project up to the decision made by the CTO to oversee the project himself. In addition, after taking four years to upgrade to Windows 7, the IRS is now faced with the challenge of addressing Microsoft’s announcement to end extended support for Windows 7 in January 2020.
The IRS has agreed to a majority of the Inspector General's recommendations, which means… well, it probably doesn't mean much of anything. Chances are the IG will revisit this in a few years and still see the agency struggling to stay current with its operating system software. It's eight years behind on system software and seven years behind on server software, with the latter's migration less than 50% complete. The IRS doesn't have it easy, not with 110,000 workstations, 7,000 servers and -- for god knows what reason -- 6,000 applications, but unless it's willing to give this the priority it deserves, it will always be in danger of making a flawed, bulky system even more insecure.