What’s the rush with the JEDI defense cloud contract?

While the Pentagon’s long-awaited colossal cloud-computing deal has sparked fierce competition between tech giants Amazon and Microsoft, the Defense Department is keeping a keen eye on China’s own cloud efforts.

 

China is racing to develop its own military cloud computing system, and Pentagon officials are eager to get moving…

 

“We don’t have an enterprise approach,” Deasy said alongside Shanahan. “We have a bunch of siloed solutions we built. We have lots of vendors we’re using for cloud solutions, but we’ve never stepped back and created a holistic solution, and that is causing challenges out in the field.”

That was from a CNBC article, “Pentagon eager to resolve JEDI contract as China races to develop military cloud computing system.”

While Oracle’s protest of the JEDI contract was thrown out by a US court, Oracle is now suing again. The DOD, of course, wants to get this contract moving. Officials are using China to scare policy-makers and court judges into a headlong dive into one cloud to rule them all.

Three points on the cloud. First is the nice critique from ComNavOps on the huge risks of a single cloud network:

Another drawback to consolidating all of the Navy’s information is that if when an enemy does successfully hack the system, they’ll get EVERYTHING.  The current situation, where data resides on many different systems may be inefficient but at least it has the unintended benefit of limiting the amount of data that any one successful hack can acquire.

That kind of systematic risk is something we should pay to avoid, even at the cost of inefficiency. For example, Amazon AWS cloud went down on August 31, 2019. Not only was service disrupted, there was significant data loss:

A recent power outage at an Amazon AWS data facility and the resulting data loss for some customers shows that storing data in the cloud does not mean you do not also need a backup…

 

Amazon protects themselves by specifically stating that they will only issue credits for loss of service availability and that they are not responsible for data loss.

Author and programmer Andy Hunt tweeted the following:

Reminder: The cloud is just a computer in Reston with a bad power supply.

The incident wasn’t a hack, but such a disruption — which could be effected by our adversaries — might bring the defense business to a standstill.

ComNavOps also brings up the question of what real benefits would result from a totally integrated cloud enterprise:

So, does moving to cloud storage, with its attendant dangers, improve our combat capability?  Let’s see what the Navy has to say.
One of the biggest benefits to the Navy, Geurts [Navy acquisition chief James Geurts] said, is that sailors and civilians on the pier or on the flight line will be able to reach into the cloud to keep an eye on parts bouncing through the pipeline …

I totally agree that such a benefit is really quite small when we think about combat capability, and any “fusion” of data sources as diverse as, say, contractor business data and tactical targeting data seems to provide only the most marginal real-world benefits. Certainly, it does not outweigh the risk of our adversaries getting a hold of everything through one hack — a sort of Bletchley Park on steroids.

Now, from my understanding, cloud is more secure because its tools enforce a kind of standardization of security measures across developers. It avoids some of the issues around unique vulnerabilities of one developer or another. But is it unhackable? Unlikely. The gains to a successful hack will be much higher, and so the adversarial effort will be much more concentrated.

The second point is that a single cloud infrastructure can only be used to its greatest effect when it allows new companies, small companies, and non-traditional vendors, to all start participating in defense software development. If these new entrants can do agile development in a secure cloud infrastructure, then we can have a diverse ecosystem of developers creating different APIs and the like which can build upon one another in combinatorial innovation.

But it isn’t clear that DOD acquisition practices could support such an ecosystem of development. New suppliers don’t just face the confusing set of cybersecurity regulations (CMMC), but all sorts of difficulties with getting funding, abiding by regulations, meeting specified requirements, and finally being awarded a contract.

Usually, the government solicits work as part of a larger weapon systems program rather than paying for smaller component pieces. That puts these new entrants at a disadvantage, relying on prime contractors, their subs, and suppliers who may act non-competitively.

And this brings us to the third point. Data analysis, such as for artificial intelligence, isn’t going to aggregate data from across the entire Department of Defense. There’s simply too much data of different types to relate into a single, general model.

Instead, defense will benefit most from a diverse ecosystem of different analytical applications, each particular to a different task and tied together by an organizational design of humans-in-the-loop. It would be ridiculous to think that satellite imagery data should sit next to budget data, or whatever it might be.

Siloed data not only makes sense from a security standpoint, but it also allows for a diversity of standards better optimized to each area of applications. Competitive clouds hedge against the risk of failure for the single integrated system, which may require numerous tradeoffs to functionality to make it universal. We must also ask how the cloud will evolve to meet new technologies and requirements that haven’t yet been conceived.

Yet none of this really solves the problem of enticing new entrants to start agile development across the ecosystem of requirements. That’s a more general problem that cannot be solved by cloud alone.
