6 February 2018

Dark Clouds Form Around the Defense Department’s Data Strategy

By Mytheos Holt, February 2nd, 2018

The U.S. government has a troubling history with adopting new technology. While programs like DARPA have laid the groundwork for much of the private sector’s development in the past, most of the government seems to treat technological progress the way a six-year-old treats trips to the dentist: as something to be avoided as much as humanly possible, and gotten out of the way in a cursory manner when it becomes necessary. Incumbency also reigns beyond the point of reliability: for example, as of 2013, some government departments were still running their servers on 2003 Windows software.
This kind of inefficiency is not always so darkly funny, however. It can have massive implications for national security. Whatever one thinks of the furor over Russian hacking, the issue probably would not have the legs it does if the federal government had a reputation for peerless efficiency and impregnability in the cybersphere. Unfortunately, the opposite impression widely exists.

Moreover, until recently, Pentagon Acquisition Chief Ellen Lord was poised to make it worse. Specifically, Lord had plans to hand over storage of virtually all of the Defense Department’s cyber resources to a single company. In other words, Lord was preparing to store all the Department of Defense’s “cloud” data on a single company’s servers.
This approach should give anyone with interest in our government’s technological security night sweats. Yes, using cloud computing to store data is an advance for the U.S. government and one that would likely have become only more urgent with time. But to just drop all the most significant national security data on one cloud? What?

If anything, distributing the massive amounts of U.S. data across multiple cloud companies would be most prudent, for any number of reasons. To name just a few, there’s the fact that locating data on multiple clouds makes it more difficult for hackers to access all that data since they will have to hack multiple virtual storage systems rather than just one. Alternatively, there’s the fact that awarding such a massive contract would all but monopolize the cloud computing market for a single company. This is not purely an economic point: monopolies are not only bad for pricing. They are also bad for innovation, and that is one of the more vital concerns to consider, given the need to innovate constantly in response to new cybersecurity threats.

But, let’s say you accept the odd idea, pushed by Lord herself, that these problems are reasonable prices to pay for the expected gains in efficiency that a single cloud computing contract could provide. If this is true, then at a minimum, would one not want to have a competitive bidding process to see who would be handed the keys to the One Cloud to Rule Them All?

Well, until this past December, the Defense Department’s answer appears to have been “no.” Rather, they appear to have had token attenuated meetings with various companies, and then decided unilaterally that only a single company’s services would do, technology-wise. What’s more, under Lord’s leadership, they did so with an extraordinary and intentional lack of transparency. Small wonder that industry leaders raised serious alarm bells over the process, and Lord was replaced as head of the Joint Enterprise Defense Infrastructure (JEDI) committee that recommended a sole provider in the first place. However, her removal may have ultimately been a fig leaf for the process to begin all over again.

One could also make a political argument against this decision — namely, that the company benefitting from all this rigged dealing is not exactly known for its mutual cordiality with the current administration, and that this poses a potential problem internally due to the increasing politicization of the technology industry. However, while important, this point is ultimately tangential to the principle at stake. Even if a similar deal were being made between the Trump administration and a completely pliant, friendly tech company, the same red flags would wave just as vigorously:

Yes, storing all government data in the same place might increase efficiency at the margins, but it also increases the vulnerability of an already patchy cybersecurity regime. Yes, the government itself is an inherently monopolistic institution, but policies that grant privately held monopolies are nigh-universally bad. And yes, even if you discount both these points, fair competition among companies for the privilege of storing all the Defense Department’s data would mitigate the concerns they raise by encouraging open bidding and transparency.

One only hopes that the DoD engages with these concerns going forward, rather than pursuing its original plan to render government data cloudy with a chance of breached firewalls.
