The Kaspersky equation


Kaspersky Labs headquarters building in Moscow. (Courtesy of Kaspersky Labs)

Days before it announced to the world that it had uncovered what could be one of the largest cyber attacks targeting banks and financial institutions in history, a senior executive from Kaspersky Labs flew to Washington, D.C. Shortly after arriving, the executive met with multiple senior cybersecurity officials in the Obama administration — including a member of the National Security Council — to brief them on a new malware program called Carbanak.

In a report published Monday, Kaspersky Labs detailed the exploits of the Carbanak malware, including its ability to steal an estimated $300 million from more than 100 financial institutions in 30 countries. In a separate report, the company also detailed the inner workings of a hacker organization code-named by Kaspersky as the Equation group, which security experts have characterized as one of the most sophisticated, well-funded hacker operations in the world and that some in the media have linked to the National Security Agency.

The widespread media speculation regarding the NSA’s links to the Equation group has also revived some Cold War conspiracy theories about the motivations of Kaspersky Labs’ founder, Eugene Kaspersky, and whether the company can be trusted to be an honest broker in the world of cybersecurity. But for Kaspersky Labs, the company’s record stands on its own, and it has no plans to slink away into obscurity.

While Eugene Kaspersky’s personal history is certainly fodder for speculation and cyber conspiracies — yes, he graduated from a technical school sponsored by the former Soviet KGB, and he served in the Soviet military during the 1980s — his company’s record of unearthing major cyber crime and cyber espionage operations, a growing revenue stream, and willingness to spend the past three years providing pro bono cyber intelligence data to the U.S. government paint a starkly different picture.

The company’s cyber intelligence record is clear: Gauss, Red October, Flame, Regin, Carbanak, Equation group. That success has translated into increased revenue and market share. Last year, technology research firm Gartner put Kaspersky in the “Leader” section of its Magic Quadrant for endpoint protection platforms alongside McAfee, Symantec, Sophos and Trend Micro. “The malware research team has a well-earned reputation for rapid and accurate malware detection,” the Gartner report stated.

Founded in Russia in 1997 and registered in the United Kingdom, Kaspersky Labs now has R&D centers and 3,000 employees all around the world, including Europe, the United States, Latin America, China, Japan and Russia. Currently, the Kaspersky Lab family of companies operates in almost 200 countries and territories worldwide and has established corporate offices in 30 countries. Kaspersky Lab products protect more than 400 million individuals and around 270,000 companies worldwide. The company’s business today is highly diversified, with about 20 percent of its business coming from the U.S., another 20 percent from Russia and the majority of the remainder from Europe.

This year, the company’s U.S. business turns 10. “We started out primarily with a consumer strategy and we’ve successfully grown a business that is in excess of $100 million … with strong compound annual growth rates on the order of 10 percent,” Chris Doggett, managing director of Kaspersky Lab North America, told FedScoop in a telephone interview. “And in the last five years, we’ve made an effort to go into the corporate market, both public and private … and I think our compound annual growth rate has been about 22 to 23 percent over the last five years. We have a very healthy business.”


Kaspersky Labs founder Eugene Kaspersky at his office. (Eugene Kaspersky/Flickr)

U.S. government future?

Analysts and media commentators have been quick to point out that Kaspersky Labs has had difficulties penetrating the U.S. government security market, stemming from a combination of geopolitical spillover and as yet unfounded concerns about supply chain security — basically the provenance of the company’s software at a time when U.S.-Russia relations seem to be in a deep freeze.

Peter Firstbrook, one of the Gartner analysts who co-authored the 2014 report that placed Kaspersky Labs in the Magic Quadrant, told FedScoop in an email that the U.S. government generally “avoids” Kaspersky when it comes to security software and views them as a risk because of the company’s deep Russian roots. A former senior U.S. intelligence official, however, told FedScoop he was unaware of any reason why U.S. federal agencies would avoid the company.

So far, the media speculation about the company’s ties to the Russian intelligence service — a firestorm that began with a 2012 Wired profile of Eugene Kaspersky that the Russian software engineer and his American colleagues characterize as an inaccurate, conspiratorial hit job — hasn’t kept some big names in U.S. government cybersecurity away from the company.

Former White House Cybersecurity Coordinator Howard Schmidt agreed last year to lead Kaspersky’s new International Advisory Board, which includes the likes of public key cryptography pioneer Whitfield Diffie.


A new federal company

Doggett is happy to have the conversation about the media’s speculation, acknowledging that there has been a healthy level of interest in the Kaspersky Labs’ stance on international relations and its relationship with foreign governments. Kaspersky has a good story to tell and has good answers for anybody who has such questions, he said.

“We have, up until very recently, not made any effort to be part of any government contracts,” Doggett said. It wasn’t until last October that the company established Kaspersky Government Security Solutions as “a completely separately run company,” according to Doggett. “And I mean completely — different financials, different systems, different people,” he said. “It’s staffed by people who have federal security clearances and we’re in the process of getting a facilities clearance as well.”

Doggett sees a future for Kaspersky in the federal government providing security intelligence, including the research the company is famous for, the reports that come from that research and even the “raw data feeds” it collects around the world. “We have incredible collection capabilities in terms of malware and where it is coming from, malicious traffic and malicious websites as a result of the global network of collection systems that we operate,” Doggett said. “We think that that could provide some incremental value to organizations in the U.S. government that are either in the intelligence business or in the business of assessing threats.”

But what some critics often miss is the fact that Kaspersky is not trying to actively sell its commercial endpoint security software to the government, Doggett said. “First of all, it wouldn’t be a good fit. It’s not built for that type of environment and it wouldn’t serve their needs.”

Do the lingering conspiracy theories remain a factor in the company’s plans for its U.S.-based critical infrastructure and government security business? Of course they do; but they are a minor distraction, Doggett said. More importantly, “we haven’t tried and failed.”

The NSA-Equation nexus

Is Kaspersky Labs’ Equation group really the NSA? Although Kaspersky doesn’t have anything to say on the matter, other experts do, and many said the scope and complexity of the espionage operation is in keeping with the NSA’s preferred method of overwhelming the adversary’s infrastructure with all of the tools at its disposal.

“It’s not a leap to connect the NSA to this attack,” said Grayson Milbourne, Webroot’s threat intelligence director. “Kaspersky is drawing correlations between the tactics used in Stuxnet — which was revealed to be a collaborative effort between the U.S. and Israel — and other malware that shows enormous programmatical similarities to Stuxnet. Deep-dive analysis has revealed that the techniques employed were very, very advanced and not something one would see even from an exceptionally organized malware syndicate.”

For example, the worm designed by the Equation group was made to breach an air-gapped network, or a network that’s fully isolated. It also used three zero day exploits that enabled the malware to infect via USB drives, even when auto-run was disabled. Two of the three exploits used included the exact same code found in the Stuxnet attack, Milbourne said. “What’s notable is that Zero Day exploits are incredibly expensive to develop and not something we typically see being utilized by non-nation state actors.”

“Sure, it’s a leap. Just not a very big one,” Contrast Security CTO Jeff Williams said, referring to the speculation surrounding the NSA’s links to the Equation group operations. “As with all cybersecurity incidents, certainty in attribution is basically impossible. You never really know if you’ve identified the real attacker or if you’ve been duped by a sophisticated frame-up. However, in this case, it’s hard to imagine that anyone other than the NSA could have pulled this off. There are a number of technical, manpower and logistical problems with deploying an attack of this magnitude. And yes, it is absolutely an attack. The sophistication of the spying platform that was deployed in this way is amazing.”


(Infographic by Emma Whitehead/FedScoop)

Doggett and other Kaspersky Labs executives are quick to point out that it wasn’t Kaspersky who attributed the activities of the Equation group to the NSA. That was strictly a creation of the American media. Attribution of such sophisticated cyber espionage operations is notoriously difficult and company executives said doing so is not fundamental to the company’s mission.

“We are not able to confirm the conclusions that journalists came up with in regards to attribution. Kaspersky Lab experts worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin,” the company said in an official statement. “With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However, we do see a close connection between the Equation, Stuxnet and Flame groups.”

Doggett takes it a step further. “It’s not the job of Kaspersky labs to do definitive, final attribution,” he said. “Making that last jump of attribution always involves some form of speculation, and that’s not what we feel is appropriate for us to do.”

Are APIs the future of government IoT efforts?

As government ponders its place in the landscape of the Internet of Things, some feds are pointing to APIs as a good place to start.

The federal government already has more than 6,000 APIs, short for application programming interfaces, on which the public can build applications. Gray Brooks, a senior API strategist with the General Services Administration’s 18F, argues that instead of trying to keep up with the evolution of the Internet of Things, government should focus on its role as an information and API provider.

“One of the things the government does well is aggregate and provide information and certain functionality, and that truly is irreplaceable,” Brooks said during a panel Wednesday at the Federal Mobile Computing Summit. Now government is making a name for itself positioned “in a layer underneath on which a third-party application or product” is built, he said.

Government is used to being the sole provider of its services and information. But Brooks, during his work with APIs at the Federal Communications Commission prior to joining GSA, realized government’s “mission was best served by allowing third-party integration.”

“We started to let go of being the end-all be-all for the user experience. Trying to be everything to everybody doesn’t work,” he said. “As we started to let go of that, we became kind of this layer underneath where third-party apps could go on top of our APIs, and that I think is the role the government has to play in the Internet of Things — taking the things that only they can provide and making sure they’re available to everybody else.”

An early example of that is 18F’s project “If Gov Then That,” based on the popular Web-based service If This Then That. The conditional system is set up around an “if this happens, then do that” command structure. For instance, users could set up the application so that any time President Barack Obama signs a bill into law, it sends out an alert — whether that be a text message, an email or a temperature boost in their Internet-connected, Nest-controlled home, if they so choose.

While agencies are catching on to the external benefits of developing public APIs, Brooks said federal government often fails to see the collaboration and communication efficiencies that come with using them internally as well.

“Too often talk of APIs is bundled up in talk of open government and open data,” he said. “And that’s really a loss because I think we’ve seen very clearly from industry and the private sector where the greatest beneficiaries of APIs are the [creators] and the efficiencies they accrue internally.” He believes the need for this internal Web service as a utility will lead to the creation of agencywide intranets around government in coming years, used much the same way private developers interact on a GitHub page.

“We’re talking kind of a cutesy game of ‘Let’s put out APIs so app developers can make things for the public,’ and kind of stopping there,” Brooks said. “We’re failing to realize that within a medium-sized agency, there are 30,000 potential people who need internal-only information and functionality. And why would you not do the same efficiency of basically making that available as a dynamic Web service? It’s something that agencies are starting to wake up to, and it’s going to be very powerful.”

Sokwoo Rhee, the National Institute of Standards and Technology’s associate director of cyber-physical systems, agreed with Brooks that APIs could play a major role in government’s involvement in IoT, especially bridging the gaps between agencies.

“We are not necessarily maximizing the investment we have made in IoT,” he said, calling the government’s Internet of Things efforts fragmented. “Everybody does their own thing. The question is how we can make the different agencies to work together, collaborate and get these different data sets and ideas to connect. And I think that’s where APIs are pretty useful.”

The federal government has invested massive amounts of money into IoT research, Rhee said, and the goal now needs to focus all those Internet of Things efforts around one common mission.

“At the end of the day, what is it going to do?” he asked. “Is it going to create more jobs? Is it going to create more businesses? Is it going to save lives? That’s the kind of things we really need to ask ourselves.”

But when the effects of the federal government’s involvement in the Internet of Things do arrive, the public won’t even realize it, Brooks said. “You will see citizens and industry partners being served by government without even knowing that they’re engaging with government and being a lot happier for it.”

Big health data project on new chief data scientist’s agenda

In his new job as the federal chief data scientist, DJ Patil will be working on a new Obama administration project to use big data to improve patient care, the White House said.

The Precision Medicine Initiative is an effort to test and eventually use “precision medicine” — that is, treatment plans that factor in differences from patient to patient — to help treat cancer and other diseases.

As part of the plan, researchers hope to bring together 1 million or more volunteers to participate in a research cohort. Participants would share genomic data, lifestyle information and biological samples, and that information would be linked to their electronic medical records, National Institutes of Health Director Dr. Francis Collins said during a two-day workshop on the program last week. Researchers then ideally would analyze that information to improve medical treatments.

“We have a lot of work to do to take what has emerged as a nascent, compelling, exciting, promising idea and turn it in to something that we can actually push for,” Collins said at the event.

He also said there would be major challenges surrounding the data sets that would be created for the research.

“This is going to require huge investments to make sure we come up with the right structures and the ability to mine them,” Collins said.

Tailoring health care treatments to patients isn’t new, he said. Indeed, patients use prescriptions for eyeglasses and receive blood transfusions based on their blood type. But things like electronic medical records, big data, mobile health applications and other advances could allow for greater precision, Collins said.

President Barack Obama announced plans for the Precision Medicine Initiative during his State of the Union address earlier this year, and he included a $215 million request for the program in his fiscal year 2016 budget request. Following the State of the Union, Department of Health and Human Services Secretary Sylvia Mathews Burwell told NIH during a town hall that the initiative was a “presidential priority.” Funding for the initiative will go toward efforts within NIH, the Food and Drug Administration and the Office of the National Coordinator for Health Information Technology, according to a White House fact sheet.

Kathy Hudson, NIH deputy director for science, outreach, and policy, said during the conference that the government has “only the barest framework for this initiative.” And she said it would develop more detailed plans as they receive input from experts and members of the public.

Secret’s out: National Archives searches for new FOIA chief

Lovers of open government take note: The federal government is on the hunt for a new Freedom of Information Act ombudsman.

The Office of Government Information Services has been under the leadership of acting Director Nikki Gramian since its award-winning founding director retired late last year. But now OGIS, an office within the National Archives and Records Administration that oversees federal FOIA activities, is searching for a permanent chief.

The new director would manage programs that “contribute to the effective administration of the FOIA,” mediate FOIA disputes and provide input on policies related to FOIA, according to the Thursday posting on USA Jobs.

During an event last October, then-Director Miriam Nisbet hailed one interagency effort to improve the FOIA process — FOIAonline — as a significant achievement. FOIAonline is a digital processing system for FOIA requests and is used by a number of units, including the U.S. Navy, Commerce Department and General Services Administration.

“To say it’s a success is not overstating things,” Nisbet said at the time.

Late last year, the National Archives posted another top-level job: director of the Federal Register, the “newspaper” of the government that publishes federal notices and executive orders. Both positions require top-secret clearance.

The OGIS director job pays between $121,000 and $168,000 a year. The application closes March 12.

How Megan Smith would solve tech’s diversity problem

Do you know who invented the dishwasher? Until a few weeks ago, neither did Megan Smith.

The country’s chief technology officer used the story of Josephine Cochrane — inventor of the dishwasher and top prize winner at the World’s Fair in 1893 — to make a larger point Wednesday on how the United States can attract more women and minorities into technology careers.

Speaking during an event held at the New America Foundation, Smith used examples like Cochrane and computer science pioneer Grace Hopper to point out the disparity in how computer science is approached in schools. Smith said at the K-12 level, schools need to do more to make sure everyone reaches a “digital literacy,” comparing it to achieving reading or math benchmarks.

“As a grown up, you wouldn’t be talking about how reading was so hard,” Smith said. “We are failing to teach in a way people would enjoy learning [computer science] and they remain terrified of it.”

Anne-Marie Slaughter, the president and CEO of New America, said as a high school student, even she was terrified of computer science after she was told it was extremely math heavy.

“If you tell me tech is math, I’m terrified of it,” Slaughter, who is widely known for her 2012 Atlantic op-ed “Why Women Still Can’t Have It All,” told the audience. “If you tell me tech is a language, I’ve got no problem with it. Yet in my world, it was always described as math.”

Smith said stigmas like that are part of the reason girls either stay entirely away from computer science or fail to stay with it through their academic career. Whether it’s a negative connotation about math or systemic gender biases, Smith said women face “death by a thousand cuts” in the culture surrounding technology.

Women “face so much unconscious bias, we have to become conscious of what we are doing,” Smith said. “You can explain away any individual person [for leaving computer science], but when you look at it in the aggregate, it’s just astonishing to see how bad it is.”

The numbers support Smith’s view: According to the National Science Foundation, women earned only 18 percent of bachelor’s degrees in computer science in 2012. That’s a drop of nearly 20 percentage points from a high of 37.1 percent in 1984.

Aliya Rahman, program director for Code for Progress, said tech’s diversity problem goes beyond gender biases and is partly rooted in the way the country’s education system is constructed.

“We have a systemic inequity in how we deal with our education funding,” Rahman said. “Where you’re born determines a lot about your access to computers and the curriculum that you are going to be receiving.”

Among the changes Rahman is working toward is a way to connect with all of the development boot camps that are springing up across the country, along with the creation of a standardized competency measure that would better serve people looking to break into science, technology, engineering and math, or STEM, jobs.

“When employers say, ‘I want to hire a junior developer who is a Python ninja,’ actually, that means nothing,” Rahman said. “I think it’s possible for us to develop a competency level, some form of ‘You know what you are going to get.’”

FCC Commissioner Jessica Rosenworcel also said it’s time to rework the educational system, saying the country needs to be a lot more aggressive in finding role models for females (“Everyone should know who Grace Hopper is,” she said) and should revamp the way material is taught to the next generation.

“So many of these classrooms are stuck in this industrial age,” Rosenworcel said. “You’ve got some number of children sitting there and the teacher speaking at the front, assigning them reading from textbooks that are purchased every seven to 10 years by their school district. That strikes me today as completely crazy. That might have been my educational experience, but that’s not the one I want for my kids in this digital age.”

Rosenworcel said this idea is partly why the FCC extended its E-rate program, which aims to put high-speed broadband and wireless connections in all of America’s classrooms.

“When we start to promote really high-speed broadband in all of our schools, we are going to create a market for teaching tools, devices and STEM education that’s more project-based and different from our sad and tired textbook universe,” Rosenworcel said. “If we can reinvent our schools at the earliest ages with that kind of thinking, we can produce a different pipeline, a more equal pipeline, with one that engages more kids and different kids in STEM education a lot sooner.”

Smith also hopes that time comes quickly, knowing the power diversity can hold.

“Whether it’s solving poverty or cybersecurity, the more diverse the team, the better we are,” Smith said.

Most orgs fall short in email security, report finds

One key component in two of the most recent high-profile cyber crimes has been criminals’ focus on exploiting the vulnerability of email systems. A report released Wednesday sheds new light on just how vulnerable those systems are.

In its report, security startup Agari found that a host of companies that store highly personal data are often behind on email security. Agari pored over 6.5 billion emails over the course of 2014, finding that criminals move unpredictably from sector to sector until their phishing and spamming exploits work. Once an exploit is found, attacks become massive.

“Companies don’t know when attacks will happen, but when they come, they may well be tsunamis,” the report reads.

It has been reported that “spear phishing” — a fraudulent email that contains a highly personalized message — was to blame for the recent Anthem Inc. hack, as well as an attack on Russian banks where criminals stole at least $300 million.

The report measured companies’ use of three email authentication standards — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) — as well as the amount of spam and other malicious email sent to consumers fraudulently using a company’s domain. Researchers assigned scores to sectors based on their findings.

The health care sector was found to be the most vulnerable. An email from an insurer was four times as likely to be fraudulent as one from a social network; social networks were found to be the least vulnerable of the sectors measured. Anthem Inc., which announced earlier this month that criminals had compromised as many as 80 million customer records, was among a list of top-level health care companies that Agari considered an “easy target” for hackers. Only Aetna Inc. was noted as taking email security seriously.

Other sectors that were found to have a high number of easy targets were retail, payments (credit card and digital wallet services), U.S. and European “megabanks,” and airlines. Of the 147 companies that were measured, only 13 earned a perfect “TrustScore,” which indicates they are using all three standards of email security.

Even as the report notes that more than 85 percent of U.S.-based email inboxes are DMARC enabled (which lets a domain owner instruct receiving systems to reject suspected spoofed emails outright rather than divert them to spam folders), companies need to quickly move to the new standard, as they are likely to be targeted more as they fall behind.
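As an added illustration (not code from the Agari report or this article), the following Python checks a domain for the three standards the report scored and flags the weak settings that leave spoofing possible. The DNS records, domain names and DKIM selector are all constructed so the check runs offline; a real check would query TXT records for the domain, for `<selector>._domainkey.<domain>` and for `_dmarc.<domain>`.

```python
"""Assess a domain's SPF, DKIM and DMARC records (added example, offline)."""
from dataclasses import dataclass, field

# Constructed sample zone data: {record name: [TXT strings]}. Nothing here is a
# real domain. "good.example" deploys all three standards with an enforcing
# DMARC policy, "weak.example" has SPF only, and "soft.example" has DMARC in
# monitor-only mode. The DKIM p= values are truncated placeholder keys.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.good.example -all"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 a mx ~all"],
    "soft.example": ["v=spf1 include:_spf.soft.example -all"],
    "sel1._domainkey.soft.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return zone.get(name.lower(), [])


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class EmailAuthReport:
    domain: str
    spf: bool = False
    spf_all: str = ""        # qualifier on the SPF 'all' mechanism: + - ~ ?
    dkim: bool = False
    dmarc: bool = False
    dmarc_policy: str = ""   # none / quarantine / reject
    findings: list = field(default_factory=list)

    @property
    def standards_deployed(self):
        return sum([self.spf, self.dkim, self.dmarc])

    @property
    def enforcing(self):
        """True only when DMARC tells receivers to act on failures."""
        return self.dmarc_policy in ("quarantine", "reject")


def assess_domain(domain, dkim_selector="sel1", zone=SAMPLE_TXT):
    r = EmailAuthReport(domain)
    # SPF: exactly one TXT record at the apex beginning with v=spf1 (RFC 7208).
    spf = [t for t in lookup_txt(domain, zone) if t.lower().startswith("v=spf1")]
    if len(spf) == 1:
        r.spf = True
        all_terms = [t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"]
        if all_terms:
            q = all_terms[-1][0]
            r.spf_all = q if q in "+-~?" else "+"
            if r.spf_all in ("+", "?"):
                r.findings.append("SPF 'all' qualifier is permissive; spoofed senders pass")
        else:
            r.findings.append("SPF has no 'all' mechanism; unmatched senders are neutral")
    elif len(spf) > 1:
        r.findings.append("multiple SPF records; receivers treat this as a permerror")
    else:
        r.findings.append("no SPF record")
    # DKIM: public key published at <selector>._domainkey.<domain> (RFC 6376).
    for t in lookup_txt(f"{dkim_selector}._domainkey.{domain}", zone):
        tags = parse_tags(t)
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
            r.dkim = True
    if not r.dkim:
        r.findings.append(f"no DKIM key for selector '{dkim_selector}'")
    # DMARC: policy record at _dmarc.<domain> (RFC 7489).
    dmarc = [t for t in lookup_txt(f"_dmarc.{domain}", zone)
             if parse_tags(t).get("v", "").upper() == "DMARC1"]
    if dmarc:
        tags = parse_tags(dmarc[0])
        r.dmarc = True
        r.dmarc_policy = tags.get("p", "").lower()
        if r.dmarc_policy == "none":
            r.findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        elif r.dmarc_policy == "quarantine":
            r.findings.append("DMARC p=quarantine sends spoofed mail to spam instead of rejecting it")
        if int(tags.get("pct", "100")) < 100:
            r.findings.append("DMARC pct<100: policy applies to only part of the mail stream")
    else:
        r.findings.append("no DMARC record")
    return r


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "soft.example"):
        rep = assess_domain(d)
        print(d, rep.standards_deployed, "standards, enforcing:", rep.enforcing, rep.findings)
```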


White House names DJ Patil chief data scientist

The White House has plucked another technologist from Silicon Valley, naming DJ Patil as the nation’s first chief data scientist Wednesday.

U.S. Chief Technology Officer Megan Smith announced the hiring in a White House blog post Wednesday, saying that Patil comes aboard after an “incredible career” as a data scientist for a multitude of private companies. Patil served as vice president of product at RelateIQ, a customer relationship management software company that was recently acquired by SalesForce. He has also worked for LinkedIn, venture capital firm Greylock Partners, Skype, PayPal and eBay.

Prior to his private sector work, Patil spent time working with the federal government. According to the White House, Patil worked with the Defense Department directing “new efforts to bridge computational and social sciences in fields like social network analysis to help anticipate emerging threats to the United States.”

He’s also worked with one of the foremost repositories of federal data, using data from the National Oceanic and Atmospheric Administration to create improvements in numerical weather forecasting during his time as a doctoral student at the University of Maryland.

According to Smith, Patil “will help shape policies and practices to help the U.S. remain a leader in technology and innovation, foster partnerships to help responsibly maximize the nation’s return on its investment in data, and help to recruit and retain the best minds in data science to join us in serving the public.” He will report to Smith but also work with newly appointed U.S. Chief Information Officer Tony Scott and the U.S. Digital Service team.

Smith also expects Patil to work on the Obama administration’s Precision Medicine Initiative, which aims to harness data to improve medicine from both a clinical and personal perspective.

Patil’s Silicon Valley ties echo the resumes of other top administration appointees. Prior to being appointed CTO, Smith was vice president of Google X, an advanced research laboratory run by Google. Likewise, Scott was CIO at virtualization software company VMware prior to his appointment as federal CIO.

The federal government has been making a push to harness the power of its data in recent years. The federal government’s open data repository, data.gov, now boasts over 138,000 data sets available to the public. Federal agencies have also made a push to harness their own data, aiming to hire chief data officers. Last week, the Energy Department announced their own CDO, Dave Dutton, who was hired at the end of January.

GSA explores new cloud contract vehicle


The General Services Administration is considering new methods for acquiring cloud computing services.

GSA’s Cloud Computing Services project management office released a request for information Feb. 11 seeking “alternative models and/or solutions for future cloud acquisition contracts and processes that would continue to add value to Government Agencies in procuring Cloud Services,” the document says.

As it stands, GSA offers several different cloud procurement options, like infrastructure-as-a-service (IaaS) and email-as-a-service blanket purchase agreements. But the folks in the cloud project management office want to see if there’s room to improve on those current models.

“Cloud is one of those technologies that is ever evolving in standards, security, and capabilities,” Stan Kaczmarczyk, director of GSA’s cloud computing project management office, told FedScoop in an email. “GSA acknowledges this and has issued this latest RFI to gain a better understanding of how the cloud market has matured and how GSA can best provide continuity of service while allowing for product evolution.”

Since GSA released its first cloud IaaS blanket purchase agreement in 2010, Kaczmarczyk said, things have changed in the market, and so have agencies’ needs. And the market and agencies will ultimately dictate what comes of this RFI.

“That is what makes this RFI so important,” he said. “We want feedback from customers and industry to determine if another vehicle is truly necessary, and if so, what is the best way to create the solution. We’re not going in with preconceived notions, we are going to let the data and feedback determine the outcome.”

In fact, that’s how GSA got started down this path. The project management office met with all current IaaS blanket purchase agreement holders, and unanimously they were in favor of some sort of new vehicle. That feedback is included in the RFI, targeting areas like the need for cloud professional services to include assessment, planning, migration and integration, and the need to introduce new technology over the life of a contract.

Though the end result of this solicitation will depend on the feedback GSA receives, Kaczmarczyk said, “the new vehicle would likely include continuing the existing value of a pre-completed cloud vehicle but would have enhancements such as cloud professional services, updated technology and flexibility.” The hope, he said, is it will keep “up with the fast paced evolution of the cloud industry” by using methodologies that “keep current and avoid obsolescence.”

The progression of cloud PMO offerings. (GSA)

This request comes after GSA began developing an IT Schedule 70 cloud special item number last fall. That SIN will ultimately define the different types of cloud (and what isn’t “cloud”) and help agencies better understand what they’re buying — yet another way GSA is assisting its customers in procuring cloud.

“While the Cloud SIN project will realign IT Schedule 70 cloud technology offerings to accurately reflect the current cloud computing market and satisfy customer needs, a follow-on cloud acquisition vehicle will provide continuity of added value services that aid customer agencies who require a more guided approach to cloud acquisition,” Kaczmarczyk said. There’s also the possibility, he said, that feedback may call for a “broader solution including a comprehensive suite of cloud products and services.”

Responses to the RFI are due by March 13.

Will bigger fed IT budgets boost security? Maybe not, says report

As the White House asks Congress for nearly $80 billion to support federal information technology in fiscal year 2016, a new report suggests that more spending may not equal more security.

An analysis this month from the International Association of Information Technology Asset Managers Inc. asserted that better management of IT inventory, software licensing and system upgrades within federal agencies — the sort of work its members do — could not only save money but also improve security.

“Federal IT chiefs often cite inadequate funding as the biggest inhibitor to progress, but a thorough investigation of the overall federal government IT sector reveals that cost savings and IT security would be increased by a comprehensive [IT asset management] program at the national government level in the U.S.,” the report said.

Barbara Rembiesa, the group’s CEO, said in an emailed statement that her group was uniquely positioned to point out this issue.

“Every serious-minded corporation already takes [IT asset management] seriously. The point of the report is that it’s high time for the federal government to do the same. There is no defense that can be made of wasting half of every dollar the federal government spends on IT/IT Security,” she said.

In the last year, the federal government has experienced a number of embarrassing breaches, including hacks of U.S. Central Command’s social media accounts, U.S. Postal Service personnel information and a White House unclassified network.

Meanwhile, the report said, the federal government spends roughly six times more per employee on IT than private industry does: an average of $36,000 per federal employee last year versus nearly $5,000 per private sector worker. The higher federal figure, though, includes spending on major public-facing systems, like the Department of Education’s networks that track hundreds of billions of dollars in student grants and loans, so the per-employee comparison is not like for like.

The industry group analysis also collected findings from various inspector general reports that found shortcomings in their departments’ IT systems. In particular, the group cited a report on the Education Department that detected “longstanding weaknesses” in its systems that had been cited in previous years.

The report said better asset management could allow administrators to have a firmer grasp on what’s in their inventory — and how it’s being used. It also would allow administrators to jettison unnecessary assets.

“[S]pending greater and greater sums without proper [IT asset management] controls in place is a prescription for more breaches, risks posed by unauthorized devices, increases in lost and stolen hard drives, and major vulnerabilities created by outdated and/or ‘unpatched’ software,” according to the report.

However, the Office of Management and Budget touted the Obama administration’s efforts to root out waste in federal IT.

“Alongside an Executive Order directing agencies to establish controls and oversight so the Federal Government isn’t paying for unused or underutilized IT equipment, tools like PortfolioStat have eliminated duplication while saving billions in taxpayer dollars,” an OMB official said via email. “The report in question uses misleading math to portray an inaccurate picture. We have more work to do, and we will continue to drive efficiencies, make smart investments in Federal IT, and maximize taxpayer resources.”

NSTIC chief Jeremy Grant leaving government

Jeremy Grant, the senior National Institute of Standards and Technology executive who has led the development of the National Strategy for Trusted Identities in Cyberspace for the last four years, plans to leave government in April, FedScoop has learned.

Grant announced his plans Wednesday in an email to senior members of the Identity Ecosystem Steering Group, a public-private partnership funded by NIST to help develop policies and standards for trusted online identities.

“It’s with very mixed feelings that I’m announcing my plans to leave NIST,” Grant wrote. “Leading the implementation of the NSTIC is hands down the best job I’ve ever had; I’m truly blessed to have been given the opportunity to serve in this role, and to have had the chance to work with such a talented and dedicated team.”

Michael Garcia, who currently serves as deputy director of NSTIC, will serve as acting director until a permanent replacement for Grant is named.

Grant’s decision comes just months after the NIST-funded IDESG experienced one of its first significant internal disruptions since its founding in 2012. In a flurry of emails in December, Grant outlined increasing concerns about “repeated personal attacks” and “abusive character attacks” by some IDESG members against other volunteers.

“The conduct of people in IDESG has been a big issue for well over a year now,” Grant wrote in a Dec. 15 email addressed to Kaliya Hamlin, a San Francisco-based technologist and member of IDESG since 2012. “And it’s been a cancer on the organization. I’ve had dozens of emails and phone calls from people letting me know that they were pulling back from participating in IDESG because they could no longer justify spending their hours in an organization that tolerated such unprofessional behavior,” Grant wrote.

Grant said his last day at NIST would be in April. He declined to say what his plans are or where he might be going next.