The White House is busily reviewing more than 90 comments on its draft IT modernization strategy.
The comments came from industry associations, specific companies and individuals, including federal employees, and most were pretty vanilla, offering basic support for the initiatives in the draft strategy and insights, both general and specific to the organizations’ or vendors’ area of expertise.
But none was more fascinating than the flames Oracle decided to throw about the entire IT modernization effort over the last nine years.
Kenneth Glueck, the senior vice president in the Office of the CEO for Oracle, wrote a 13-page takedown of many of the Obama administration’s key technology efforts.
“We respectfully suggest the government has not gone far enough in articulating a plan that will result in significant change and instead seems to be driving the government in the opposite direction,” Oracle stated. “Many of the report’s recommendations and current modernization efforts seem out of sync with the best technology practices deployed in a Fortune 50 company today.”
Oracle laid out three false narratives that it said are driving the modernization efforts in the wrong direction.
First, Oracle said the government thinks it should act more like a start-up.
Second, agencies believe they need in-house development expertise, such as the General Services Administration’s 18F and the U.S. Digital Service at the White House.
Third, the mandate to use open source is required so the software is available to the taxpayer.
“These false narratives have led to a series of actions that is unquestionably holding the [government] back from modernizing its IT, some of which are contained in the report, but all of which are being deployed across government, to the bewilderment of many in the private sector,” Oracle wrote.
Oracle outlined nine broad problems with the current IT modernization efforts.
You can read them here, but let me highlight a few that stood out.
“The largest contributor to cost and complexity is customization, yet actions of the [government] and the report seem to embrace both government developed bespoke technology and customization,” Oracle wrote.
This is where Oracle goes after 18F and USDS for promoting the writing of code instead of seeking to “leverage and scale by engineering out labor costs, including process engineering.”
Oracle also claims the push for open source is coming from 18F and USDS.
“The actions of 18F and USDS plainly promote open source solutions and then propagate those mandates across government with the implicit endorsement of the White House. The [government’s] enthusiasm for open source software is wholly inconsistent with the use of open source software in the private sector,” Oracle stated.
Instead, the company said open source should be competed against proprietary software for what works best for the functions desired.
“There is no math that can justify open source from a cost perspective as the cost of support plus the opportunity cost of forgoing features, functions, automation and security overwhelm any presumed cost savings,” Oracle stated. “Developing custom software and then releasing that code under an open source license puts the government at unnecessary security risk as that code is not ‘maintained by a community,’ but is rather assessed and exploited by adversaries. Further, this practice puts the government — most likely in violation of the law — in direct competition with U.S. technology companies, who are now forced to compete against the unlimited resources of the U.S. taxpayer.”
But this is where Oracle’s argument begins to fall apart. The Office of Management and Budget issued a policy in August 2016 requiring agencies who develop any new, custom source code to make it available for other departments to access and use. But this wasn’t the first time OMB encouraged the use of open source.
It started during the administration of President George W. Bush. OMB referenced the use of open source in a 2004 memo reminding agencies how to license this type of software, and the Defense Department issued open source policies in 2003 and again in 2009.
The resulting Code.gov portal from the 2016 memo includes thousands of examples from 27 agencies, and if sharing open source code saves money, what’s the harm? There still is no mandate to use the code, but OMB wants agencies to look at the portal first before developing new code or buying it from vendors.
Oracle goes even further to take on 18F and USDS, claiming that initiatives to bring on software engineers and other experts from the private sector “resulted in the predictable outcome of creating favoritism for those vendors’ solutions, and seems to replace presumed technical expertise with the more complex task of procuring, implementing, maintaining and securing systems over the long term.”
Another flaming arrow takes a shot at the Login.gov platform. Oracle called 18F’s attempt to build a single sign-on capability for federal services “misdirected security resources,” which will leave citizens without a modern approach to identity management.
While vendor frustration with 18F and USDS isn’t new, the case Oracle makes is a whole new level of angst.
The argument against 18F and USDS also is misplaced. There were a lot of problems with USDS and 18F, but slowly the two organizations are repairing their initial challenges.
Oracle said agencies shouldn’t be coding or hiring technology experts. That logic is flawed as well.
Just look at the work former Social Security Administration CIO Rob Klopp did in turning around that agency. He relied on a stable of federal employees who learned advanced coding languages, and supplemented those skills with a host of contractor support.
It’s not just at SSA. The move toward digital services expertise relies heavily on contractor support at agencies such as the departments of Defense, Veterans Affairs and Homeland Security, as well as the Environmental Protection Agency.
Oracle does have it right to be concerned about Login.gov. The government has failed three other times to create a single sign-on capability, and it’s unclear if the current approach will find success.
Oracle also makes a dozen or so recommendations, including modernizing the cloud security standards process known as the Federal Risk Authorization Management Program (FedRAMP), and focusing cyber efforts at both the data level and at the perimeter.
While the impact of Oracle’s comments is unclear, the company has benefitted from the IT modernization effort it so criticized.
According to USASpending.gov, from 2012 to 2016, Oracle, directly and through its resellers, won more than $4 billion from federal contracts, including tens of millions of dollars from those same agencies that have led the use of digital services, agile development and many of the things that Oracle seems to think don’t work in government.
We can admire Oracle for being an outspoken critic and probably saying many things that other vendors were too scared to say, but the question comes back to why now and why so publicly?
Along with Oracle’s comments, here are a few others that were interesting or out of the ordinary:
• Avue Technologies pushed back against the government’s “monopolies” in the shared services area. Avue, which provides human resources services in the cloud, wrote that payroll services, for example, are 20-30 years behind and insecure. “As with all monopolies, inertia ruled the day and the government never modernized the IT infrastructure, architecture, cybersecurity or systems used by the government’s SSCs. In addition, the inefficiencies baked into these systems required adherence to outdated business processes which drove costs up, not down, and constrained rational changes in policy that would move the government into a 21st century workforce and talent management framework,” Avue wrote. “After eliminating the private sector from competing, the government eliminated any mechanism of accountability for federal service suppliers and shared service centers to achieve the results that underlie the theory of shared service efficiencies. The dramatic cost increases and concurrent productivity declines are the result of this lack of accountability.”
• Google makes a big push for better cloud security, saying agencies need to get out of the perimeter-based cloud security mindset. “A perimeter-centric security mindset can translate into prescriptive controls and compliance requirements that prevent government from accessing the best of commercial cloud security. While timely, comprehensive patching stands out as one of the key security advantages of cloud services, recertification requirements can risk muting that advantage by serving as a de facto gate to deploying patches and new security features,” Google stated. Google pitched the need to recognize and put international standards into practice more often. “Given the constant advances in and evolutionary nature of the cloud security model, the federal government should consider ways to harmonize its standards with those defined by internationally recognized security standards organizations to enable agencies to benefit from commercial capabilities (including in security) at a faster pace. Where agencies find those standards to fall short, they should engage in a dialog with commercial providers to better understand whether their security model and practices meet the desired security outcomes. The adoption of these standards would reduce this disparity and increase the availability of commercial services to the federal government,” Google wrote.
• Salesforce made a strong push for the “as-a-service” model as part of the move to shared services. The company says everything from capital planning and investment control- to acquisition- to change-as-a-service would reduce red tape and duplicative approaches. “Collectively, this approach presents a repeatable approach to ensure that no other modernization project will have to live through overcoming previously solved problems on their own,” Salesforce wrote.
• Adobe is encouraging the White House to not just accelerate the continuous diagnostics and mitigation program, but move to phase four immediately. Under phase four, DHS would provide data protection tools, such as encryption and digital rights management. Additionally, Adobe brought up the lack of any mention of citizen services in the draft strategy. “On balance, the report’s recommendations include networks, security controls and improved contracting. But these are tactics on a road toward digital modernization strategy. In contrast, a strategic focus for improving government begins with tackling the citizen and government customer experience. Ensuring a concurrent focus—or equally prioritized emphasis—on modern digital experiences achieves an even greater outcome of reduced operating costs, increased performance, and better advocacy from the electorate, as well as the hardworking personnel who execute the business of government,” Adobe stated.