A Culture Shock Is Coming

SIGNAL Magazine
July 2011

By Paul A. Strassmann

original article

Funding and technology are not the barriers to Defense Department cloud computing.

Personal information assistants could be a boon for Defense Department users. They would be portable, secure extensions of the department's network.

The majority of the 2.5 million military, civilian or reserve personnel in the U.S. Defense Department do not care much about the technical details of computing. Users only wish to receive answers reliably and quickly. Requested information needs to be available regardless of the computing device they use. Responses must be secure. No restrictions should hamper access by certified users communicating from remote locations. Information has to be available for people authorized to make use of what they receive.

Information sources must include data received from people, from sensors or from public websites. Information must be available to and from ground locations, ships, submarines, airplanes and satellites. A user must be able to connect with every government agency as well as with allies.

What the Defense Department customer wishes to have is a personal information assistant (PIA). Such a device matches a person's identity. It is configured to adapt to changing levels of training. It understands the user's verbal or analytic skills. It knows where the person is at all times. Any security restrictions are reconfigured to fit a user's current job. Every PIA is monitored at all times from several network control centers that are operated by long-tenured Defense Department information professionals and not by contractors.

What a user sees on a display are either graphic applications or choices of text. The user only needs to enter authentication signatures.

Defense Department users will not know the location of the servers that drive their PIA. The user does not care which operating system the applications is using or how a graphical display on the PIA is generated. Which programming language is used is irrelevant. If a message is encrypted, the embedded security will authorize decryption. Although the department has thousands of applications, the user will be able to see only those applications that correspond to the situation for which use is authorized.

What the users then hold in their hands reflects what is known as a software-as-a-service (SaaS) cloud. SaaS is the ultimate form of cloud computing. It delivers what a user can put to use without delay. It is an inexpensive computing solution for everyone, everywhere, by any computing method.

However, SaaS is not the only model for cloud computing. There are private and public infrastructure-as-a-service (IaaS) clouds. Private and public platform-as-a-service (PaaS) clouds also are available. Some existing legacy applications ultimately will be replaced, but in the meantime, they will be placed on the Defense Department networks as virtual computers.

Virtualized legacy applications can be useful if encapsulated within an IaaS structure. During the transition from legacy to SaaS computing, every PIA will be able to access all information. The result will be the Defense Department Hybrid Cloud.

A transition into hybrid computing is a concept of what could be available universally to everyone in the Defense Department. The centerpiece of the Defense Department's future computing network will then be the ubiquitous PIA — not the servers, not the networks and not the data centers. Servers, networks and data centers are necessary, but concentrating on them represents an obsolete way of thinking. What matters now is the PIA, which is the computing appliance that delivers an all-inclusive computing experience. The user sees only the results. All the details regarding how results are calculated remain invisible.

PIA-based hybrid networks differ from the client-server environment and even more from the mainframe data center environment. For example, in the client-server environment, there are multiple links from desktops to the servers. An estimated 15,000 networks are in place in the Defense Department providing such connectivity. In the hybrid cloud environment, there is only a single link from any PIA to every conceivable server.

Also, in the client-server environment, each server-silo operates as a separate computing cluster. In a hybrid cloud configuration, there are automated services that discover where the requested data is located.

Finally, in the client-server environment, there is a proliferation of separate databases with duplicate data. Almost every major application keeps storing a diverse amount of incompatible data because that is dictated by the way in which organizations let contracts for isolated applications. Added software then is required for translating content as well as formats. It makes real-time interoperability hard to achieve. In a hybrid cloud configuration, there is a universal metadata directory, which steers database accesses to the applicable servers that will provide automated responses.

The key issue facing the Defense Department now is how to migrate to where it should be — a more robust hybrid cloud environment. How fast can the department transition into a hybrid cloud that delivers universal connectivity to every PIA? How can the department change its information architecture so that the technical details of information technology management will remain invisible to users?

The obstacles that block the transition from a fractured computer-centric asset acquisition environment to a universal user-centric architecture are cultural, not technological.

It is not the limitation of technologies that are holding up the Defense Department's progress. The technology of cloud computing is readily available. What needs to be overcome is the prevailing acquisition-centered culture. Instead of integrating systems for universal interoperability, the department still is pursuing a policy of systems fragmentation. Contracts are awarded that are dictated by acquisition regulations and not by operating needs.

The current process for acquiring information technology is broken into six phases to contain risks. This separates planning, development, vendor solicitation, contracting for services, asset acquisition, and operations and ongoing maintenance. To create a Defense Department system requires the coordination of dozens of organizations, multiple contracts and a large number of subcontracts. This results in an elongation of implementation schedules that are currently twice as long as the technology innovation cycle. Meanwhile, projects will be managed by executives who will be on an assignment only for a short while before moving on. This will guarantee that changes in scope will creep in, budgets will rise and results will fall short of what originally was proposed.

The fundamental issue in the Defense Department is not the supply of technologies but the department's capacity to organize for making the transition into the hybrid clouds. What needs changing is not technology, but rather, the fiscal culture.

The roots of the current Defense Department information technology culture can be traced to the Brooks Act of 1965. This legislation reflected a mainframe view of computing. Its purpose was to limit the growth of data centers to constrain costs. The Brooks Act was based on the assumption that if the General Services Administration would control the purchase of mainframe computers, all associated costs would be limited. The 1965 idea that closing data centers is a way to cut costs has persisted to this day. The number of Defense Department data centers has grown at an accelerated rate in recent years. It now stands at 772. However, this count has no significance as a cost-management metric.

Servers, with a capacity far exceeding what now is defined as a data center, can be purchased for a fraction of mainframe costs. A culture that pursues numerical reductions in the number of data centers without examining associated cost reduction, security, application and support characteristics may simplify Defense Department information processing but will not lead to the PIAs that should be the future of the department. This flaw in the Brooks Act thinking was recognized in the Clinger-Cohen Act of 1996.

Clinger-Cohen hoped to address rising costs of information technologies; at that same time, the military was shifting to new concepts such as information warfare and information dominance. While the military was driving toward increased dependency on computers, the cost management culture created by Clinger-Cohen was lagging behind the military's needs. Although Clinger-Cohen created the position of the chief information officer (CIO) to promote warfare-centric deployment of information technology, the management of information technology continued to install isolated projects as a way of containing technology risks.

The central CIO oversight was diluted when the role of acquisition personnel was enlarged. The acquisition corps, dominated by civilians with financial and not computer backgrounds, had every incentive to award contracts that followed regulations that were at least 20 years old. This locked the Defense Department culture into client-server concepts. These were alien to concepts that are now being implemented by leading firms such as Google, Amazon, Microsoft and IBM, as well as thousands of other commercial enterprises.

The unity of oversight that was advocated by Clinger-Cohen never happened. What exist now are the remainders of a culture that has been spending money primarily on buying networks on the assumption that if networks are built, integration will somehow follow. That is like building superhighways without thinking about the origins of automobile traffic.

Clinger-Cohen had several consequences. The share of information technology spending allocated to the Defense Department infrastructure, which supports an increasingly disjointed collection of systems, grew from 33 percent in 1992 to the current 57 percent. Because infrastructure reflects system overhead, less money was available for serving the warfighter's needs.

Under Clinger-Cohen, there has been a pronounced shift of spending to contractors as well as to the legislatively mandated set-aside subcontracts. The best estimate of information technology spending now managed by contractors is 76 percent. There are more than 1,000 contracts with annual budgets of less than $1 million. The amount of documentation, testing and certification that is demanded by the stretched force of acquisition executives is now the preferred way of containing risks. The cost per function delivered by contractors is now a large multiple of commercial costs.

A consequence of shifting to contractors was a depletion in the cadre of qualified military information professionals necessary to provide leadership that will assure compliance with warfare requirements. As an example, there are only five flag-level officers presently in the Navy serving as “information professionals.” This can be contrasted with a decades-long experience of a four-star flag Navy officer in charge of nuclear propulsion. He is supported by 12 flag officers.

There are good reasons to argue that in terms of complexity and scope, the migration into the cloud environment will exceed the challenges faced by the late Adm. Hyman Rickover, USN. Supporting the future of computing in the Defense Department requires a culture that views information technology as a warfare capability and not as a back-office task that is best delegated to suppliers.

One of the consequences of Clinger-Cohen has been the shift of a large share of information technology costs from the military to defense agencies such as the Defense Information Systems Agency (DISA), the Defense Logistics Agency (DLA) and the Defense Finance and Accounting Service (DFAS). Agencies now spend twice as much ($14.6 billion) on information technology as each of the services individually (averaging $7 billion each). As a result, the culture now favors the distribution of information technologies into 2,103 systems silos. Because of funding limitations, almost every system enclave must pursue separate architectures, unique applications, diverse standards, incompatible software design methods and inconsistent operating practices.

Small projects do not have sufficient money to fund rising security requirements. The military is experiencing a rising dependency on the support from the agencies, which have no direct fiscal accountability for work done for the military.

Systems managers now concentrate more on carving out the largest information technology budget they can extract during the budget cycle than on keeping up with rapidly changing technological capabilities. Clinger-Cohen left the Defense Department with a culture that is more than 20 years old just as information technologies are charging ahead with cloud concepts. Individual project managers do not have the funds to invest in innovation. They are just trying to manage ever-smaller incremental projects.

A recent example of fracturing of systems into smaller components is found in a March 2011 U.S. Government Accountability Office report on the U.S. Navy's Next Generation Enterprise Network program. To increase the number of bidders for a major system, the acquisition executives expanded it from the existing three contractual relationships to 21. Instead of the integration that is essential for cloud computing, one of the largest Defense Department projects will be headed in the opposite direction.

In fiscal year 2011, the department's information technology had rapidly expanded to $36.3 billion, not including the costs of military and civilian personnel, which would add at least another $6 billion to the total cost of information technology ownership. The per capita cost of information technology spending now represents more than 10 percent of payroll costs. It exceeds the expenses for most fringe benefits. It offers one of the largest operating cost targets for achieving cost reductions.

The Defense Department's information technology systems management culture now has arrived at a dead end, traveling down the wrong street. What then is the way out? What cultural changes will be necessary to speed up the adoption of cloud-based computing? What is the time urgency?

Two variables will influence decisions regarding what needs to be done. The first is the need to make vast improvements in the security of Defense Department operations to ensure survival during a concerted cyberattack. The second, and perhaps more important variable, is financial. New money is needed to pay for better security and to fund long-overdue innovations. That cannot come from larger budgets. It must be extracted from savings in current operations.

The fastest generator of Defense Department cash savings is to transfer the operation of “commodity computing” to the SaaS clouds. Commodity computing includes email, collaboration, text processing, messaging, spreadsheets and calendars. It includes voice over Internet protocol, or VoIP, as well as video over IP. Commodity computing also provides access to all forms of social computing such as YouTube, Facebook, MySpace, Twitter and blogs.

Commodity applications consume a large share of the fiscal 2011 $4 billion Defense Department network costs. Most of that is concentrated in DISA. However, it is feasible to use communication over the Internet as a secure channel instead of depending on private circuits. There is no reason why such traffic should not be routed over the Internet instead of the department that is operating dedicated links for commodity applications. Banking transactions, airline reservations and global trade all are conducted over the Internet using a variety of techniques that have been deployed to make it more secure.

The technology for placing Defense Department commodity computing and communications into a SaaS cloud is available. SaaS services or licenses are available from competitive sources at a fraction of what it costs the department now. SaaS depends on open-source applications, which further reduces license costs for proprietary software. Operating-cost reductions are potentially in the range of 60 percent to 70 percent with only minimal up-front development expense.

One of the major cyberthreats to the Defense Department is the chance that commodity microprocessors, currently manufactured in places without adequate security inspection, may be installed in department servers. Such microprocessors would come with back-door openings already implanted. This can be overcome if the Defense Department pursues a SaaS architecture. The world's largest SaaS firm, Google, has its circuit boards custom built. The National Security Agency (NSA) has experience with oversight of microprocessor manufacturing. No reason exists to prohibit this from being doing for a Defense Department SaaS, which would be only a fraction of the size of Google.

Migration to SaaS must overcome many obstacles. For starters, the Defense Department will have to stand up an organization that will plan, manage and contract for commodity computing.

Also, Defense Department components will have to commit to a uniform approach to network access authorization by everyone. Information security will have to be implemented consistently, following standards set by NSA.

Every commodity computing service will have to be structured for interoperability across several SaaS platforms so that vendor lock-in cannot take place. SaaS services need to be delivered from redundant data centers. More than three data centers should handle every transaction for delivery of 99.9999 percent reliability.

SaaS would have to be distributed to the edge of Defense Department sites so that Google-like latency can be realized. Delivery of SaaS transactions will have to be monitored by means of automated network control centers that will conduct real-time surveillance of the status of every user device.

SaaS can operate only as a component of a hybrid cloud configuration. Legacy, IaaS and PaaS clouds must supplement Defense Department computing and telecommunication during a transition time that may be never completely finished.

The next installment in Paul A. Strassmann's series on defense information technology will examine migration steps on the way toward cloud computing.

Government Accountability Office Information Technology report: www.gao.gov/products/GAO-11-150