The IRS is working hard to improve its cybersecurity, Koskinen added. The agency has gotten more than 2,000 security recommendations from the GAO and the Treasury Department's inspector general in recent years, and it has implemented more than 80 percent of them, he said.
Security of taxpayer information is a "top priority," Koskinen said. IRS systems withstand more than 1 million malicious attempts to access data each day, he added.
But Senator Chuck Grassley, an Iowa Republican, questioned why the IRS hasn't implemented some inexpensive GAO recommendations, like changing the passwords on some of its servers every 90 days or providing online security training to new contractors.
"Would you agree that these are low-cost changes that could improve computer security?" Grassley asked Koskinen. "Why haven't they been done?"
The IRS is moving away from passwords, which are "somewhat questionable" in terms of providing security, and toward access cards, Koskinen said. "We are working as quickly as we can" to implement other recommendations, he added.
Sign up for Computerworld eNewsletters.