An excellent guest column by Brian Garst in the Cayman Financial Review reports on the US Government’s “atrocious” mishandling of its citizens’ private information and how inevitable breaches of poorly designed and managed IRS and OECD reporting systems will soon unleash a global torrent of unsecured personal identification and financial data:
Here’s an excerpt:
The IRS itself has been accused by government watchdogs of having serious vulnerabilities, and of moving too slowly to fix them.
Every year since 2008, the Government Accounting Office has identified 100 cybersecurity weaknesses at the agency. Specifically, the IRS has been faulted for routinely failing to encrypt data or for using weak methods for doing so, allowing greater access to data than workers require to perform their duties, permitting user passwords that are easily guessed, and being dangerously slow to install crucial software updates and security patches.
This record alone is enough to question the ability of the IRS to secure and protect the sheer breadth of financial records it will receive due to FATCA, but serious concerns are already being raised about IDES’ specific security protocols.
The system’s rules for encryption recommend use of Electronic Codebook (ECB) as its encryption mode. ECB is widely faulted by cryptography experts as being incredibly weak, as it encrypts blocks one at a time and it thus does a poor job of hiding data patterns. Upon discovering the IDES recommendation of ECB in its protocols, prominent security expert Bruce Schneier incredulously asked, “Are they serious?”
Apparently they are not about protecting taxpayer information.
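The weakness Schneier is reacting to is easy to show concretely. The block below is an added example, not code from the column or from the IDES specification: it encrypts a constructed fixed-width "record" (the field values, key and IV are made up here) with AES in ECB mode and in CBC mode, then counts how many ciphertext blocks repeat. In ECB every repeated 16-byte plaintext block produces the same ciphertext block, so the record's structure survives encryption; CBC (or an authenticated mode such as GCM) hides it. The same block-repetition check is the kind of sanity test a reviewer can run over sample payloads from an integration to catch ECB being used where it should not be. It relies on the `cryptography` package.

```python
"""ECB pattern leakage, shown on a constructed record (added example)."""
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK_BYTES = 16  # AES block size

# Constructed sample record: two 16-byte fields repeated three times.
# The values are placeholders, not real taxpayer data.
SAMPLE_RECORD = (b"TIN:000-00-0000;" + b"BAL:0000000000;;") * 3


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a whole number of AES blocks (PKCS#7)."""
    padder = padding.PKCS7(BLOCK_BYTES * 8).padder()
    return padder.update(data) + padder.finalize()


def aes_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently under the same key, no IV."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(plaintext) + enc.finalize()


def aes_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first,
    so equal plaintext blocks no longer give equal ciphertext blocks."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(plaintext) + enc.finalize()


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def duplicate_block_count(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes, threshold: float = 0.1) -> bool:
    """Heuristic reviewer check: a properly chained or authenticated mode
    should essentially never repeat a 16-byte block; a noticeable share of
    repeats is a strong sign of ECB (or of IV/nonce reuse)."""
    blocks = split_blocks(ciphertext)
    if len(blocks) < 2:
        return False
    return duplicate_block_count(ciphertext) / len(blocks) >= threshold


def demo() -> dict:
    # Constructed demo key and IV for a deterministic run; a real system
    # derives the key securely and never reuses a fixed IV.
    key = bytes(range(16))
    iv = bytes(16)
    padded = pkcs7_pad(SAMPLE_RECORD)
    ecb = aes_ecb_encrypt(key, padded)
    cbc = aes_cbc_encrypt(key, iv, padded)
    return {
        "blocks": len(split_blocks(padded)),
        "ecb_duplicates": duplicate_block_count(ecb),
        "cbc_duplicates": duplicate_block_count(cbc),
        "ecb_flagged": looks_like_ecb(ecb),
        "cbc_flagged": looks_like_ecb(cbc),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the sample record the padded plaintext is seven blocks, of which only three are distinct; ECB output repeats four blocks and is flagged, while CBC output repeats none. The heuristic is deliberately coarse: it cannot prove a payload is well encrypted, only expose the gross structural leak that makes ECB unsuitable for structured financial records.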