Free Republic

To: ransomnote

Nice lunch surprise a new thread. =)


2 posted on 09/03/2021 9:41:38 AM PDT by Sobieski at Kahlenberg Mtn. (All along the watchtower fortune favors the bold.)


To: Sobieski at Kahlenberg Mtn.

Air Force software is so bad the guy in charge of it all is about to quit

https://taskandpurpose.com/news/air-force-cybersecurity-nicolas-chaillan/

Excerpt:

If you’ve ever struggled with a government computer still running on Windows 2000, know that you’re not alone. In fact, the military’s cybersecurity infrastructure and software development enterprise is in such a bad state that the Air Force’s first-ever Chief Software Officer will soon resign because it isn’t worth fighting the entire bureaucracy of the Department of Defense just to get some basic information technology issues fixed.

“We are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government,” wrote Nicolas Chaillan in a LinkedIn post announcing his resignation on Thursday. “At this point, I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next.”

For those who might be thinking “what do I care about software? Let the nerds figure that one out,” hear this: many experts believe that future conflicts will be won and lost based on our ability to develop new software.

“Success in tomorrow’s conflicts will largely depend on how warfighters are able to harness and adapt everything from mission systems on aircraft to sensor packages, networks, and decision aides,” wrote retired Air Force Lt. Gen. David Deptula and Heather Penney, who are respectively the dean and senior resident fellow for The Mitchell Institute for Aerospace Studies, in a July policy paper on network and software development.

“To prevail in a dynamic and contested battlespace, warfighters must be able to reprogram and reconfigure their weapon systems, sensors and networks,” they wrote. “Yet the Air Force continues to develop, update, and manage software and architectures in a highly centralized and stove-piped fashion.”

...“The bureaucracy of Department of Defense funding categories also prevents software tools from being fielded and employed,” they wrote, which means warfighters are always a step behind their changing battlespace. “This is a recipe for failure given tomorrow’s challenges. To put it bluntly, software and networks shouldn’t be governed by industrial age processes.”

...There are several specific experiences that impressed on Chaillan how little military leadership actually cares about cybersecurity and software development. One of those is DevSecOps, which is short for development, security and operations. DevSecOps is a process by which software developers keep security central to every step of software development, rather than tacking it on at the end of the development cycle, according to IBM.

Chaillan wrote that he was very proud of his team creating the DoD Enterprise DevSecOps Initiative, which began spreading the holy word of DevSecOps to the backwards cyber-heathens dwelling in the Pentagon. But even that process is often like pulling teeth, Chaillan wrote.

“[Our leaders] have repeatedly refused to mandate DevSecOps, not even for new starts in custom software development!” he said. “There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software. It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk[.]”

...The same problem applies to implementing Zero Trust systems. Those are software security steps like when Gmail or Facebook texts you a verification code just to make sure you’re not a hacker. You’d think national security secrets would have a better layer of security than my company’s Mailchimp account, but apparently not, according to Chaillan.

“[W]e hear the leadership talk about Zero Trust implementations without our teams receiving a dime of funding to make it happen,” he wrote. Nowadays, DoD is willing to put more money where its mouth is in terms of Zero Trust, but it’s not using any of the early work Chaillan and his team did on the subject last year, he said.

“Why waste more taxpayer money playing catch up?” the software officer wrote. “The ‘not invented here’ syndrome is powerful in DoD and our leadership is not willing to stop it.”

The ‘not invented here’ problem refers to a widespread habit of different military agencies, or even different tribes within an agency, doing their own version of the same project without sharing information or best practices. This is even a problem between different fighter jet programs in the Air Force, wrote Deptula and Penney in their analysis.

“Although the F-22 and F-35 are the only two 5th generation fighters in the Air Force inventory, they cannot share information with each other machine-to-machine,” because they use incompatible datalinks that were developed 10 years apart, they wrote. “Today, the F-22 and F-35 fleet still cannot exchange information without the aid of an externally hosted gateway, one which is still in the experimentation and demonstration phase.”

...The stove-piping is especially frustrating when DoD leaders talk a big game about sweeping programs like Joint All-Domain Command and Control and the Air Force’s Advanced Battle Management System. Both of those projects are meant to give commanders more options and intelligence faster than ever by connecting ‘sensors and shooters’ closer than ever. That could be a great development, especially after the last Chief of Staff of the Air Force, retired Gen. David Goldfein, said that access to data is the “future of warfare.”

The thing is, the military can’t implement these sweeping programs when everyone is off in their own corners. Chaillan addressed the problem head-on at a recent Air Force Association luncheon.

“Right now JADC2 has probably zero chance of success, period, full stop,” Chaillan said, according to Air Force Magazine. “Because it’s effectively not a thing. It’s a bunch of services doing their own things … with different names and different concepts, often reinventing the same wheel.”

...It also doesn’t help that DoD doesn’t seem to want to put up the money for bringing JADC2 up to speed, according to Chaillan.

“After a massive undertaking and development of a scope of work, based on demands from our warfighters and [combatant commanders], I had just started the work and built-up excitement with teams and our mission partners, when I was told by the Joint Staff that there was no FY22 funding to support the [minimum viable product] after all,” he wrote.

“After all the talk and continued assertions that this was critical work, DOD could not even find $20M to build tremendously beneficial warfighter capabilities,” he added. “A rounding error for the Department.”

...Chaillan’s last day is planned for Oct. 2, according to FCW.


254 posted on 09/03/2021 8:53:39 PM PDT by Sobieski at Kahlenberg Mtn. (All along the watchtower fortune favors the bold.)
