Boldness Is Needed for the Military Cloud Revolution
Embracing new technologies with old methodologies usually leads to old results.
In 2013, Wired magazine declared that “The Cloud Revolution is Dead.” The cloud revolution did not end because it failed; on the contrary, it ended because it was a resounding success. The business community reaped the benefits of migrating to cloud architectures in both economic efficiency and customer interface, and it is not going back. Defense Department information technology systems are economically unsustainable, but the department only now is catching the revolutionary spirit of the cloud, and adoption is slow and not in line with advances in the commercial sector. The time to start a real cloud revolution is now, and success requires radical changes in how planners think about designing, acquiring and using information technology, both technically and culturally.
In what may be an apocryphal story, when Hernán Cortés landed with his soldiers in Mexico, he ordered the ships scuttled so that his forces had to move forward and could not turn back. The same applies to technology. Continued reliance on backward compatibility will impede innovation and the ability to move forward. The cloud revolution will not succeed if resources still are being directed toward legacy systems and the military continues to look back at these systems as a source of reassurance. While current systems must remain in operation, all budgetary resources directed toward their modernization must be redirected toward implementation of cloud architectures; once those new architectures are proven, the current systems must be scuttled.
The military takes pride in its uniqueness; but in cloud computing, uniqueness is not a virtue, as it introduces both risk and cost. Unique clouds with unique applications introduce vulnerabilities that have not been analyzed and mitigated by the larger technology community. Furthermore, unique designs introduce high costs for development, integration, maintenance, testing and accreditation. Organizations must ask themselves if their information technology solution, when compared to the industry leader in their sector—for example, in communications, logistics, payroll, personnel, maintenance and medical—is more efficient, effective, reliable, secure and resilient. If the answer is “no,” then that organization should adopt an industry standard solution. Even uniquely military systems, such as operations and intelligence systems, perform common functions such as mapping, chat, file transfer, audio and video. They should use industry standard products instead of contracting for something new or unique. By using best-of-breed commercial products—including open source—for the majority of functions, the military can focus resources on the truly unique military requirements.
The Defense Department should not own when it can rent. For example, most military members never have called Google or Yahoo tech support for their home email services, but almost every military member has called tech support to fix his or her government email. The reason for this is simple: the military is good at warfare and deterrence, but the private sector is better about maintaining customer-friendly services. As the military moves to the cloud, it must decide which information technology services require direct military operation and maintenance and which can be run more effectively by the commercial sector. Amazon, Google, Microsoft and others all have proved their ability to operate massive cloud architectures with secure segregation of users, services and data. The military immediately could achieve increases in efficiency, reliability, resilience and security by turning over core cloud operations and basic network services—email, communications, data storage, network infrastructure—to commercial providers. It also would save drastically on the power, space and cooling for server farms. The job of the military is to fight and win wars; this may require the use of information technology but should not require having to operate an information technology infrastructure.
For information technology capabilities that the military still deems critical to be specifically designed, it should use the cloud revolution to create what is needed, not recreate what exists. Bureaucratic tendency is to take existing systems and contract to have them migrated to a cloud architecture. While this potentially provides a quick fix to check the box on cloud migration, it is not revolutionary. In the long term, it places the military right back where it is now with out-of-date systems that do not meet customer needs. The cloud is not merely a technological framework on which to throw existing systems; the cloud is a technological framework that allows the military to rethink how it does business at a fundamental level. For every unique military function, the lead organization must make a concerted effort to determine how best to harness the distributed, collaborative, scalable, data-driven nature of the cloud to accomplish its mission, and then design from scratch to meet that requirement.
The biggest advantage of cloud computing is that it lowers the cost of failure. For mere pennies or dollars, a developer can create an application or patch, deploy it to the cloud, run it in parallel with existing systems, test it with users worldwide and then remove it, repeating the cycle whenever necessary. This model of development is diametrically opposite the current acquisition model, which bets on a single solution from a single contractor, based on requirements that may or may not meet the user needs by the time the solution is fielded. In a cloud environment, organizations instead can invest small amounts into dozens of potential solutions that probably will fail, iteratively test them with the users and then synthesize the aspects that work best into an effective solution. Investing in failure promotes innovation by allowing developers to push the technological envelope without fear of repercussion, creating information technology systems that are responsive to the changing operational environment and advances in technology.
A driving cost in military information technology is the requirement for reliable and redundant systems. Systems go through expensive, multiyear development and testing programs to meet this standard; but despite the effort, military systems often remain less reliable than commercial counterparts. Cloud computing provides an alternative approach by assuming failure and designing resiliency into the architecture using load-balancing, multiple server instances, parallel application deployment, elastic storage and other native cloud features. Netflix and other companies prove their resiliency daily by deploying “Chaos Monkey,” a tool within the “Simian Army” suite of open-source cloud tools. This software intentionally breaks portions of the live service to prove that it can survive and recover. A network that can break itself but continues to operate is better proof of reliability than years of testing, and it gives a higher level of confidence to the operator that the system will be available when needed.
Another thrust is to assume that everything is insecure but use it anyway. The fear of insecurity is slowing the adoption of cloud computing. The need for cloud security is not unique to the military, and many aspects already have been addressed by the information technology industry, the financial sector, privacy advocates and even criminal elements. Instead of accrediting systems as secure, the military instead should assume that everything is insecure and develop systems that mitigate the inherent insecurity through strong security standards and active monitoring. Again, Netflix is addressing this through automated tools such as “Security Monkey” and “Conformity Monkey,” which continuously test every application and service to ensure compliance with security protocols and industry best practices. By following the commercial security example, rather than relying on current accreditation processes, the military could innovate and deploy secure technologies within days or weeks instead of years. If Apple Incorporated can build a secure architecture that deploys thousands of apps from thousands of unknown developers with only a seven-day compliance and security review, then the military should be able to do the same with trained, vetted and cleared developers and the extra layers of defense provided by the National Security Agency and the U.S. Cyber Command.
Some of the keys to success for the military cloud lie in culture, not technology. For example, the Defense Department needs to formalize innovation. At its heart, innovation is not the haphazard adoption of new ideas that percolate to the top but rather a structured process that brings together experts from technology, business, operations, psychology and other disciplines to create elegant, human-centered solutions to complex problems. Military organizations should establish innovation teams that have the expertise and authority to look at their mission set, incorporate outside ideas and provide multiple potential solutions to their leadership. The rank and background of these professional innovators is of less importance than their ability to contribute to creative solutions. But, as with any specialized skill, it must be reinforced with training. Innovative businesses support creative thinkers and hone their skills by sending them to training at places such as the Stanford University Design School and other innovation hubs. Innovation is not accidental—the small investment in manpower and money to form and train innovation teams will allow the military to fully explore the potential of the cloud and reap rewards in both resources and operational effectiveness.
Downsizing is a related target. A large bureaucracy and structure is an impediment to rapid innovation and a successful revolution. The current military manpower model for information technology operations is large organizations with a large number of information technology generalists who are given limited areas of responsibility. Successful private sector companies create small teams of highly trained information technology specialists with a wide areas of responsibility and authority. This small work force knows the vision of the company and is trusted with personal freedom to collaborate and innovate to achieve the mission. Now, some manpower intensive military information technology functions—such as deployable communications and tactical systems—will not go away soon. But in a successful cloud revolution, the military could transition routine services to commercial providers and invest the manpower savings into a small and talented information technology work force that can rival those of the Silicon Valley. By focusing solely on military unique capabilities, the Defense Department can engage more closely with operational forces to provide agile development and maintenance support for even the most complex challenges in the operational environment.
If the military cloud revolution merely develops a military-run cloud for data storage and basic network functions, then the revolution has failed. The revolution must be ruthless in breaking traditional information technology organizations, security constructs, manpower models, operations and maintenance functions, and acquisition and development processes. In the end, the result cannot be status quo activity on a new military cloud server farm, but instead it must be a new information technology ecosystem that keeps pace with commercial development, is integrated with the commercial sector and has the innovation capacity to meet operational needs in any domain against any adversary.
Lt. Col. Enrique A. Oti, USAF, an Air Force cyberspace operations officer, is a 2014-2015 National Security Affairs Fellow at the Hoover Institution, Stanford University. The views expressed in this article are his and do not reflect those of the Air Force Research Institute, the U.S. Air Force or the Defense Department.