The massive investments appear reasonable in one sense, considering the recent proliferation of cyber attacks against the government. But the report warns against overspending and focusing too much on breaches, saying agencies could save money and even protect themselves more by managing their equipment better.
“Taxpayers need to understand that simply throwing more dollars at information technology and IT security is not a solution for anything other than mind-boggling waste of public funds,” Barbara Rembiesa, the association’s chief executive, said in a statement.
Government reviews in recent years have shown flaws in the way federal agencies handle their IT equipment. They lose track of devices, fail to enforce password standards, neglect to update software, and sometimes lack security guidelines, just to name a few of the issues putting federal networks and data at risk.
In 2014, the Department of Veterans Affairs failed its annual cyber-security audit for the 16th consecutive year. The agency keeps sensitive information about millions of former troops, including medical records and Social Security numbers.
The VA last year spent $11,700 per employee on IT, or twice the average amount of the private sector, according to the report.
The Internal Revenue Service, another agency that keeps sensitive information, failed to install the appropriate patches to protect its servers and databases against known vulnerabilities, according to a report last year from the nonpartisan Government Accountability Office.
Yet the Treasury Department, which oversees the IRS, spent about $37,000 per employee on IT, or more than seven times the average of the private sector, according to the report.
Overall, the federal government spends about $70 billion a year on IT equipment and an about $10 billion annually on IT security. The State Department ranked as one of the most generous with the investments, forking over about $109,000 per employee.
Meanwhile, hackers in recent years have managed a long list of successful breaches against the federal government, including intrusions of White House computers, U.S. weather and satellite networks, the State Department, the Energy Department and the U.S. Postal Service.
The Obama administration this week revealed that it would form a new agency to combat the growing threat of cyberattacks, with a focus on combining intelligence from around the government when crises occur.
The report recommended that the government establish a centralized program for creating
IT-management policies and practices for all agencies. It also called for legislation to address how agencies purchase, track and dispose of their IT equipment.
The Office of Management and Budget, which largely oversees information security for the federal government, said in a statement on Wednesday that the Obama administration has “taken a number of actions to root out waste and duplication in Federal IT while ensuring agencies have the necessary resources to protect their systems and execute on their mission.”
OMB also noted that President Obama issued an executive order directing agencies to establish controls and oversight to ensure that the government isn’t paying for unused or underutilized IT equipment.
This story was updated on Feb. 11, 2015 at 7:25 p.m. to include input from OMB, which had not previously responded with a statement despite repeated requests.