Government auditors have blasted the Internal Revenue Service (IRS) for missing deadlines to upgrade Windows XP PCs and data center servers running Windows Server 2003, both of which have been retired by Microsoft.
In a recently released report, the Treasury Inspector General for Tax Administration (TIGTA) criticized the IRS for spending nearly $140 million on upgrading Windows XP to Windows 7 even as it failed to meet the support cut-off of April 2014. At the deadline, over half of the IRS's PCs were still running XP.
Nine months after Windows XP fell off Microsoft's support list, the agency still could not account for 1,300 PCs -- about 1% of its total -- and so couldn't say whether they had been purged of the ancient OS.
On the server front, half of the IRS's Windows-powered servers were still running Windows Server 2003 in May, even though Microsoft would pull the support plug on that software two months later. At that time, the IRS still had not installed Windows Server 2012, the latest version, on any of its systems.
The failure to upgrade its infrastructure to supported versions of Windows, said TIGTA, threatened taxpayers and tax collection. "We believe that running workstations with outdated operating systems pose significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link," the TIGTA's report stated. "External hackers or malicious insiders need to locate only the one computer with security weaknesses, such as one with an outdated operating system, to exploit in order to steal data or further compromise other computers."
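The "weakest link" point above is an inventory problem before it is a patching problem: an organization that cannot list which hosts run an out-of-support OS, or which hosts it has lost track of, cannot fix either. The following is an added example, not code from the article, the IRS or TIGTA. It audits a constructed endpoint inventory (made-up hostnames and dates, shaped like an Active Directory export of name, operating system and last-logon date) against Microsoft's published end-of-extended-support dates for the products the article names, and it reports hosts it cannot classify or has not seen recently instead of silently treating them as fine. The 90-day staleness threshold is an assumption chosen for illustration.

```python
"""Audit an endpoint inventory for out-of-support operating systems and for
hosts the inventory cannot vouch for.

Added example, not part of the original article or of TIGTA's report.
Hostnames, OS strings and dates below are constructed; the support end
dates are Microsoft's public end-of-extended-support dates.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# End of extended support (public Microsoft lifecycle dates).
SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}
# Products treated as supported at the report dates used below. Anything in
# neither table is reported as "unknown", never assumed safe.
KNOWN_SUPPORTED = ("Windows Server 2008 R2", "Windows Server 2012", "Windows 8.1")

# Assumption for this example: a host not seen logging on in 90 days is
# "unaccounted for" and needs a human to find it, as in the article's 1,300 PCs.
STALE_AFTER = timedelta(days=90)


@dataclass
class Host:
    name: str
    os_name: str
    last_logon: Optional[date]  # None: directory object exists but was never seen


def product_of(os_name: str) -> Optional[str]:
    """Longest-prefix match of the OS string against the known products, so
    'Windows Server 2003 R2 Standard' resolves to Windows Server 2003."""
    candidates = [p for p in list(SUPPORT_END) + list(KNOWN_SUPPORTED)
                  if os_name.startswith(p)]
    return max(candidates, key=len) if candidates else None


def classify(host: Host, as_of: date):
    """Return (support_status, accounted_for) for one host as of a date."""
    product = product_of(host.os_name)
    if product is None:
        status = "unknown"
    elif product in SUPPORT_END:
        status = "unsupported" if as_of > SUPPORT_END[product] else "supported"
    else:
        status = "supported"
    accounted = host.last_logon is not None and as_of - host.last_logon <= STALE_AFTER
    return status, accounted


def audit(hosts, as_of: Union[date, str]) -> dict:
    """Headline numbers an auditor asks for: which hosts are out of support,
    which cannot be classified, and which cannot be located at all."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = {h.name: classify(h, as_of) for h in hosts}
    unsupported = sorted(n for n, (s, _) in findings.items() if s == "unsupported")
    unknown = sorted(n for n, (s, _) in findings.items() if s == "unknown")
    unaccounted = sorted(n for n, (_, ok) in findings.items() if not ok)
    return {
        "as_of": as_of.isoformat(),
        "total": len(hosts),
        "unsupported": unsupported,
        "unknown": unknown,
        "unaccounted": unaccounted,
        "pct_unsupported": round(100.0 * len(unsupported) / len(hosts), 1) if hosts else 0.0,
    }


# Constructed sample inventory (made-up names and dates), not IRS data.
SAMPLE_HOSTS = [
    Host("WS-0001", "Windows 7 Enterprise", date(2015, 5, 28)),
    Host("WS-0002", "Windows XP Professional", date(2015, 5, 29)),
    Host("WS-0003", "Windows XP Professional", date(2014, 11, 2)),   # not seen for months
    Host("WS-0004", "Windows 7 Enterprise", None),                    # never seen logging on
    Host("SRV-01", "Windows Server 2003 R2 Standard", date(2015, 5, 30)),
    Host("SRV-02", "Windows Server 2008 R2 Standard", date(2015, 5, 30)),
    Host("SRV-03", "Windows Server 2012 R2 Datacenter", date(2015, 5, 30)),
    Host("APPL-07", "Custom Appliance OS", date(2015, 5, 30)),
]

if __name__ == "__main__":
    import json
    # May 2015: XP is already out of support, Server 2003 is not yet.
    print(json.dumps(audit(SAMPLE_HOSTS, "2015-05-31"), indent=2))
    # After 14 July 2015: SRV-01 joins the unsupported list.
    print(json.dumps(audit(SAMPLE_HOSTS, "2015-07-22"), indent=2))
```

Run against the same inventory on two report dates, the script shows how the Server 2003 cut-off moves a host from "supported" to "unsupported" with no change on the host itself, and it keeps the stale and unclassified hosts in the report rather than letting them disappear from the denominator.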
That's not just theory. Earlier this year, the IRS admitted that hackers infiltrated its network and made off with personal information on more than 300,000 taxpayers.
Running out-of-date software also put the IRS's responsibilities on the line, said TIGTA. "Security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries."
TIGTA blamed poor management for the debacle. "The IRS provided inadequate oversight and monitoring during the early phases of this effort," the watchdog said, citing the agency's decision not to make the upgrade a separate project and other factors.
Worse, the delays in moving off Windows XP -- and the slow pace of upgrades from Windows Server 2003 -- mean the IRS will be looking at a tighter window to make the next migration. "After taking four years to upgrade to Windows 7, the IRS is now faced with the challenge of addressing Microsoft's announcement to end extended support for Windows 7 in January 2020," the auditors said.
Windows 7's final security update will be shipped on Jan. 14, 2020.
In its response, the IRS contested some of TIGTA's numbers, saying that the missing PCs had been located and updated to Windows 7 by July 22, 2015. The agency also said that by that date it had raised the share of its servers upgraded off Windows Server 2003 to approximately 61%.
TIGTA noted those amendments in its report, but also said that it had not been able to verify the information provided by the IRS.
The IRS also countered TIGTA's conclusion that it had mismanaged the migration, arguing that the process the auditors said should have been followed was unnecessary and inappropriate for an upgrade project. "However, we agree that large scale, enterprise-wide efforts such as the two Windows upgrade projects need to have a minimum set of product documentation requirements to ensure that effective project management is adhered to for projects of this size," the tax agency said.
Both TIGTA and the IRS pointed out that budget limitations contributed to the overlong and costly upgrades, with the former noting that lack of money forced the IRS to upgrade older PCs to Windows 7 rather than buying new devices, "which would have made the upgrade process easier due to the compatibility of new hardware with new operating systems."
Some of the money the IRS spent went to Microsoft for post-retirement custom support contracts, which provide large customers with critical security updates that are not offered to the public after a product leaves support. In April 2014, the IRS disputed a Computerworld estimate of the cost of its custom support contract with Microsoft. The $11.6 million estimate was generated using data provided by several licensing consultants, but the IRS said it had paid just half a million dollars to keep its then-58,000 Windows XP machines patched for the next 12 months.
In its report, TIGTA said that the agency this year had also purchased a custom support contract to cover its remaining Windows Server 2003 systems for the next 12 months, but did not provide a dollar amount.
TIGTA knocked the IRS for that expense as well. "The IRS will begin paying a premium for extended service on an outdated server operating system that no longer receives critical security upgrades automatically from the vendor," its report said. "As a result, we determined the IRS has not adequately planned for the Windows server upgrade in regard to the costs, potential security implications, and amount of time necessary to complete the upgrade."
TIGTA's report can be downloaded from its website (PDF).