A pair of former senior Defense Department IT procurement officials didn’t hold back Thursday in expressing their doubts about the Pentagon’s forthcoming single award contract for a departmentwide commercial cloud, saying the department needs to perhaps go back to the drawing board and do more research before committing to such a large acquisition.
The two men — John Stenbit, former assistant secretary of Defense for command, control, communications and intelligence, and Stephen Bryen, former director of the Defense Technology Security Administration — said at a Hudson Institute event that by moving to a single cloud architecture, rather than awarding contracts to multiple cloud providers, DOD is limiting its ability to plan for failure and keep its systems a step ahead of adversaries.
When the private sector uses cloud, it’s usually with multiple providers, Bryen said, asking “Why is that?” With the 10-year, multibillion-dollar Joint Enterprise Defense Infrastructure, however, DOD has decided to award a contract to a single cloud provider, leading to an uproar from industry about the risky situation that puts the Pentagon in. Congress, too, has its questions about the acquisition.
“If the general trend is to have multiple providers, one has to think it’s not just for money but that it’s a pragmatic and operational decision that makes the most sense,” he said, explaining that one major benefit is there’s “backup to any risks they inherently have in depending on one provider.”
With the acquisition strategy for JEDI, though, Bryen isn’t sure what the backup would be.
“My guess is the backup actually is the existing system,” and that DOD would keep its current legacy infrastructure operational, he said, because there has to be alternative infrastructure if the main system fails. “You could do a denial-of-service attack on a cloud, which is one risk, and shut it down,” Bryen said. “You could shut down DOD if it was only on one” system without a backup.
Stenbit believes that with multiple providers, the DOD would make it harder for the bad guys to locate its data.
“You do need alternate sources. You do need to protect yourself by not standing still,” he said. “It’s easier if you can play games between who’s actually got the baton that day,” referencing the ability to move data and workloads from cloud to cloud in a multi-cloud environment.
Only a few cloud vendors are thought to be in the running for the JEDI contract, including Amazon Web Services, Microsoft Azure, Google Cloud, IBM and Oracle. The general consensus in the federal IT community, though, is that AWS is a frontrunner, based on its experience hosting the intelligence community’s massive cloud environment and its authorization to handle DOD information up to the Secret level.
It’s worth noting that Thursday’s event, hosted by the conservative-leaning Hudson Institute, was sponsored by Oracle. And so it perhaps was fitting when Bryen brought up the recent news that Tesla’s AWS-hosted cloud was hacked.
Bryen also bashed the Pentagon’s work in cybersecurity, particularly the Hack the Pentagon bug bounties it launched in recent years.
“The DOD has not been exceptionally successful in terms of its security,” he said. “That’s why it hires 12 year olds to come in and hack away at the systems, to dig out new vulnerabilities. And it’s understandable, because it’s a little bit of a hodge podge system.”
Though they showed dismay at the current contract as it stands, Stenbit, Bryen and moderator William Schneider, a senior fellow with Hudson, all seemed to agree that a major migration to the cloud is necessary for DOD — it just needs to do more research before rushing into the move.
“Industry is quite vibrant and has produced many alternative ways of delivering these services based on the needs of the user, that it’s quite common for industry to have multiple providers that offer different types of services and are able to reflect a process of more continuous innovation where new providers may have different ideas,” said Schneider, who recently published a paper on the JEDI contract. “There is room for some experimentation here, and the DOD may not be availing itself of the opportunity that it has by failing to look at alternative ways of procuring the cloud services.”
It’s a matter of security for Bryen.
“I think this whole thing is really in need of a lot more study, a lot more investigation, particularly on the security side. I think what we have is a very simplistic approach to security right now that says we can put the old standards to the new system, it will work, everything will be fine, and I just think that’s wishful thinking, and it seems to me that a much more ambitious effort should be made. I think cloud computing makes sense, but it has to be secure computing.”
Otherwise, Bryen believes, the department is setting itself up for failure.
“I think there’s a lot of risk here that I don’t see any assessment,” he said. “It really bothers me that this whole thing is looking like a kind of standard procurement with all these unsettled issues swarming underneath and no one’s paying attention, and that’s scary.”