Is it possible that there is an issue out there that Hillary Clinton and Donald Trump could find as common ground?
We have reached out to the presidential campaigns and shared with them The International Association of IT Asset Managers' Plan for Federal IT Spending/Improved Cybersecurity. Our message is simple: Washington needs to do something about the fact that half or more of the $70 billion to $80 billion the U.S. government spends each year on information technology and IT security is flat-out wasted. That waste is how you get to the point where a federal agency not involved in national security, the Department of Education, is spending more than 30 times more per employee for IT than the average for American private industry.
This is much worse than just the usual run-of-the-mill story of wasted federal tax dollars. The haphazard way that Washington approaches IT actually leaves federal agencies in greater danger of breaches, lost and stolen hardware, the use of outdated software, missing software patches and other preventable cybersecurity dangers.
The good news is that there is a way out of this mess. The federal government must put in place meaningful IT Asset Management if it is going to curb the ongoing waste in IT spending and avoid further cybersecurity risks. Until Washington adopts such a rigorous and common-sense approach, it will continue to see more of the IT-related failures experienced recently at the Internal Revenue Service, the White House, State Department, the Veterans Administration and all too many other places.
So what would getting serious about ITAM look like?
By devoting most of their attention to hacks and other breaches, elected officials and agency administrators are failing to take a bottom-up approach to the purchase, control, inventory and proper destruction of such IT assets as software, computer hard drives and mobile devices. The federal government spends about $70 billion a year on IT purchases and an average of about $10 billion a year on IT security. With no meaningful standards and controls in place across and even within federal agencies, the result is massive waste, inefficiency, and huge vulnerabilities that can easily be exploited by those inside and outside of the system.
What is needed is for the federal government to learn the lesson that most corporations already have: You can’t make technology more secure if you don’t know what you own and where it is.
Two recent analyses concluded that private industry in the United States spends an average of $4,600 to $4,900 per employee on IT, less than $5,000 a head. By contrast, the federal government spends more than $36,000 per employee on IT. The variations by federal agency are even more extreme, including more than $168,000 per Department of Education employee and more than $109,000 per State Department employee! It is not comforting to see that the most reasonable (in relative terms) level of spending is at the technology-challenged Veterans Administration at nearly $11,700 per employee, which is still more than twice what private industry pays.
Consider these horror stories:
- An October 2014 Inspector General report on a sample of laptops at the Securities and Exchange Commission found that 17 percent had an incorrect location, 22 percent had incorrect user information, and 5 percent (24 of 488 laptops) were missing altogether. Based on that sample, the IG concluded that more than 200 SEC laptops were totally unaccounted for.
- In November 2014, the VA failed its annual cybersecurity audit for the 16th consecutive year, after neglecting to put in place earlier recommendations. Between fiscal years 2011 and 2013, the VA’s IG made 55 recommendations for improving overall IT security and fewer than half (21) had been adopted.
- According to a recent Department of Homeland Security IG report, the Federal Emergency Management Agency and United States Citizenship and Immigration Services were still using the Microsoft Windows XP operating system, which is vulnerable to attack as Microsoft stopped providing software updates in April 2014. The IG for the Department of Agriculture found in 2014 that a mind-boggling 82.5 percent of correctable vulnerabilities at one USDA agency were not patched.
- A 2014 report concluded that the IRS was paying monthly service fees for almost 6,800 devices that were not inventoried (roughly 17 percent of total devices, involving about $2 million per year in service fees). For more than 700 employees, the IRS was shelling out for multiple mobile devices (between two and five) despite having a prohibition against multiple devices.
Here is what we are telling the Trump and Clinton campaigns: Simply throwing more dollars at federal IT and IT security is not a path to anything other than more of the same colossal waste of public funds. Right now, we have the high-tech equivalent of the $436 Pentagon hammer and it’s just going to keep getting worse until order is imposed. Federal agency IT chiefs often cite inadequate funding as the biggest inhibitor to such progress, but this isn’t a problem Washington can spend its way out of. The only solution is to start imposing tight controls over what the federal government has in order to reduce the IT failures now plaguing government agencies.
Barbara Rembiesa is president and CEO of the International Association of IT Asset Managers. With more than 8,000 members in more than 125 countries, IAITAM is the world’s largest professional organization for IT asset management professionals.