Why can't DOD consolidate?
Readers mention a few potential hurdles, including the culture and acquisition rules
- By Kevin McCaney
- Aug 12, 2010
No one assumes that the Defense Department’s goal of a common operating view will be easy to achieve, if it can be done at all. But what’s standing in the way?
Readers responding to our coverage of Defense Secretary Robert Gates’ plan to cut $100 billion from the defense budget over the next five years – in which he mentioned the costs of decentralized systems – have a few ideas.
“Consolidation is doable where the organizational and cultural will is there," wrote LakeMD, who went on to say that it could be accomplished. "The problem is nobody is willing to give up its program funding until the ‘man in charge’ makes the hard decisions. To be successful, a comprehensive review of the interests of stakeholders (Military Industrial complex, Military Service arms and the State Side Guard/Reserves) will help establish current resources and assets.
“Inventorying followed by a genuine effort to achieve accurate labeling and classification of enterprise data and traffic in tiered stages can point the way to a functional and security-efficient infrastructure spread across the globe. Examples of Enterprise Services that must be consolidated to achieve vital mission objectives: IP Address Space Management, Federated Identity Management, Enterprise Messaging and Classification Services, Enterprise Applications and Web Services Architecture. Buried within all this in Steganography will be Strategic Planning, Doctrine and Mission Planning. The objective for consolidating and improving services can definitely be achieved under the Gates plan.”
A reader in the Washington, D.C., suburbs also stressed the cultural challenge. “I was the Director of Security for the Single Agency Manager at the Pentagon in the mid-'90s. The intent then was to consolidate the IT and IT security at the Pentagon. It was a great concept. We discovered, though, that consolidating the IT is a lot more doable than consolidating the IT culture in DOD. We were successful up to a point. If they can break through the rice bowls, the technology will be easy. Hope for the best.”
Another writer suggested that consolidation must come from the top: “It'll have to be mandated from [the presidential]/congressional level. It will never be done by consensus. Too many rice bowls. A [common operating environment] does not have to mean a monoculture for OS and hardware, which is a [single point of failure] for attacks. Best to start with a blank sheet of paper and build a new system, then start cutting people over and migrating legacy data. To do this correctly, though, DOD would also have to have a standard suite of business processes, datasets, reports, ad nauseam, as opposed to the 5+ sets of everything they have now. That change would be as hard as the software and hardware end.”
And Bill of Reston, Va., was succinct in describing one roadblock: “The current acquisition rules will never allow it.”
The security of consolidated systems was a concern for several readers. One took us to task for stating that a common environment would improve security. “What nonsense. If all of your systems are the same, attacking them becomes easier, not harder,” the reader commented. “A single vulnerability now exposes your entire network, not an isolated section. With the DOD's propensity to use Windows and with all of the zero-day vulnerabilities with ready tools for exploitation, it is just a way of saying to our enemies 'Come get our data, oh and during a critical operation, go ahead and knock our systems down.' … Before NMCI, when a break-in occurred or a virus entered the system it might take down a single command. Now it takes down the entire Navy. It has already happened numerous times and will continue to happen until the Navy wakes up and smells the coffee!”
“The security risk of a consolidated and common operating system is that once a vulnerability is found, it can be exploited to gain even more information,” agreed another reader. “I don't think the risk is worth the estimated savings, especially when considering the bureaucratic tendency to overestimate savings and underestimate costs. Another aspect to consider: Will the government choice of IT operating system be instrumental in creating an illegal monopoly?”
“This has several points that I hope, but not holding my breath over, they considered in this process,” wrote another reader. “For the most part consolidation takes out redundancy! I have already experienced network outages that have taken out entire theaters because of one bad replication from a domain controller. Two, where redundancy goes, security also follows. This simplifies the intruders’ need-to-know list also when you cut everything down to one OS. Especially when the company who supplies the software has to give up the source code to other governments in order to do business in that country. Three, in order for this to truly work, some of the ‘higher-ups’ need to start looking into what the other branches of the government are using before creating something from scratch to get that ‘Gee-whiz’ bullet for their job rating. I mean why create a separate contract/facility/etc. in branch A if branch B is already doing it?”
Ken in St. Louis saw value in consolidation but saw other problems ahead. “Generally speaking, anyone in the IT field understands the value of consolidation simply due to cost savings. Additional value is added when you factor security as equally weighed as cost,” he wrote. “Nevertheless, we (DOD) are way out of control on the vast number of server farms we operate and maintain within our respective services. The logical next step would be consolidation as much as practical into [the Defense Information Systems Agency’s Defense Enterprise Computing Centers] but, as we all know, DISA operates on a working capital fund and charges a premium for their service. Based on a cost value principle, I have no incentive to relocate to a DISA-hosted facility until their prices are more competitive with widely accepted billing rates.”
And several readers questioned the cuts Gates has proposed.
“Secretary Gates is on one hand saying that we need to make everything common and on the other hand proposing that the sole organization within the Department of Defense dedicated to bringing about a common way of doing things, U.S. Joint Forces Command, be closed,” wrote one reader. “Make up your mind!”
“Some of his recommendations are contradictory and will have disastrous consequences down the road,” wrote another reader. “Freezing the civilian workforce was done about 10 years ago. The result is an aging workforce and no one ready for management as the gap caused by the hiring freeze left a big hole in the middle ranks where the next generation of management is grown and groomed. Even now we are short the middle group and use contractors. If contractors are cut back as well, there will be less capacity to deal with the problems.”
Another suggested a solution to the workforce question: “If Gates truly wants to save money, make it mandatory for those active military with 30 years or more of service to retire!!!! They also need to cut down on the civilian upper management and make it mandatory for the civilians to retire at 30 years also. These folks have already capped out on retirement with their top three years. Get rid of some of the dinosaurs and let some new ideas and expertise into the system.”
Kevin McCaney is a former editor of Defense Systems and GCN.