The IRS's tortured timeline for dumping Windows Server 2003 may have started in 2011, but the agency won't wrap up until the end of 2016, or a year and a half after the software was retired by Microsoft. Credit: The Treasury Inspector General for Tax Administration
Government auditors have blasted the Internal Revenue Service (IRS) for missing deadlines to upgrade Windows XP PCs and data center servers running Windows Server 2003, both of which have been retired by Microsoft.
In a recently released report, the Treasury Inspector General for Tax Administration (TIGTA) criticized the IRS for spending nearly $140 million on upgrading Windows XP to Windows 7 even as it failed to meet the support cut-off of April 2014. At the deadline, over half of the IRS's PCs were still running XP.
Nine months after Windows XP fell off Microsoft's support list, the agency still could not account for 1,300 PCs -- about 1% of its total -- and so couldn't say whether they had been purged of the ancient OS.
On the server front, half of the IRS's Windows-powered servers were still running Windows Server 2003 in May, even though Microsoft would pull the support plug on that software two months later. At that time, the IRS still had not installed Windows Server 2012, the latest version, on any of its systems.
The failure to upgrade its infrastructure to supported versions of Windows, said TIGTA, threatened taxpayers and tax collection. "We believe that running workstations with outdated operating systems pose significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link," the TIGTA's report stated. "External hackers or malicious insiders need to locate only the one computer with security weaknesses, such as one with an outdated operating system, to exploit in order to steal data or further compromise other computers."
That's not just theory. Earlier this year, the IRS admitted that hackers infiltrated its network and made off with personal information on more than 300,000 taxpayers.
Running out-of-date software also put the IRS's responsibilities on the line, said TIGTA. "Security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries."
TIGTA blamed poor management for the debacle. "The IRS provided inadequate oversight and monitoring during the early phases of this effort," the watchdog said, citing the agency's decision not to make the upgrade a separate project and other factors.
Worse, the delays in moving off Windows XP -- and the slow pace of upgrades from Windows 2003 -- means the IRS will be looking at a tighter window to make the next migration. "After taking four years to upgrade to Windows 7, the IRS is now faced with the challenge of addressing Microsoft's announcement to end extended support for Windows 7 in January 2020," the auditors said.
Sign up for CIO Asia eNewsletters.