The CIO of the US federal government, Tony Scott, is a man with a plan: a plan to rid government agencies of their ageing, insecure, unstable, but critical, applications and infrastructure estate, of which, according to Scott’s keynote at the 2016 ICIT Critical Infrastructure Forum, there is plenty.
All he needs is Congress to approve a $3.1 billion IT Modernization Fund. A fund that will set federal government up to replenish itself over a multi-year period and actually deliver up to $20 billion of new applications and infrastructure, according to Scott.
However, interestingly (or worryingly, depending on how you view things), Scott made no mention of the use of cloud computing during his discussion. This is despite the fact that a lot of the problems with government IT that he spoke about during his speech could be directly eliminated through the use of ‘as-a-service’ technologies.
Obviously the use of cloud in federal government has its own barriers, but the US was one of the first countries to introduce a cloud first policy, the GSA has its own cloud programme to help agencies buy technologies, and the likes of Amazon have government specific solutions available.
Something to think about…
The wrong approach to IT
Scott began his keynote by describing a day early on in his previous job at Disney, where lightning hit one of the company’s main data centres and the whole thing went down. He said:
He added that thanks to the good work of his predecessor, no data was lost, the data centre got back up and running and no guest or customer of Disney noticed the outage.
It’s events like that that make you hyper aware of the role of infrastructure, the role of training, the role of making sure that even in the worst circumstances that people know what to do, practiced it and have a game plan.
Scott took up his position as federal CIO just over a year ago. He said that when he arrived in the job he knew he would be spending a lot of time focusing on cyber security, but at the time he didn’t realize how much it was going to be “core” to the work he does. Scott said:
Cyber security is not by itself an isolated thing. One of the underlying root causes for cyber security challenges is ageing and out of date infrastructure, applications and environments. And as we started looking at what we had, the as is starting point for improving security and resiliency in the Federal government, we uncovered a bunch of really old ageing apps and infrastructure.
These inherently are hard to defend and anything one does is the functional equivalent of putting air bags and band aids on an existing environment. It’s just hard to get good cyber security when that’s the mode that you’re in.
Scott said that to his surprise, when looking at the applications and infrastructure estate, he found some of the original Sun Microsystems Sparc servers, which he had helped develop back in the 1990s. End of life support for them was in the early 2000s. He said:
You can imagine my surprise when I got here to the Federal government and found out we have still got a tonne of those things still sitting around. The good news is they’re continuing to run. The bad news is that they didn’t break, they didn’t get upgraded or replaced. Unfortunately this is the paradigm for how we think about the critical applications and infrastructure that run the Federal government. It’s a wait until it breaks, or some kind of event happens, model.
I believe that in today’s world that’s the wrong way to think about things. I think we need to move to a model that’s continuous upgrade, continuous replacement. So that you’re never more than a few years out of date.
Scott said that the benefits to continuous upgrade and replacement are “obvious” and that the maths is “simple”, referring to the fact that Moore’s Law is still delivering on the promise of double the capacity/compute power being available every couple of years for a price point that stays the same.
When you take into account the costs for maintenance and support, Scott believes the US federal government has got itself into a poor situation. He said:
Meaning that you can buy for the same dollar, often double the capacity, every three years or so. This means that over a 10 year period you’ve lost 4X if you’re just sitting on the old stuff and not upgrading.
I know that if I spend a dollar on IT, it’s going to cost me 15 cents a year to maintain that. So if I wait 10 years I’m still paying the 15 cents per dollar spend, but I’ve missed 4X in terms of capacity or compute power that I could be getting.
We should be upgrading, we should be replacing this stuff. It gets even worse if you look at network. It gets worse if you look at storage. In essence, by sitting out on our hands for all these years, the Federal government has missed out on multiple generations of opportunity for higher performance, better bang for the buck, but we are locked into that 15 cents. And the bad news is that that 15 cents gets higher and higher and higher the older the stuff gets.
Scott said that this scenario is the “motivation” behind his proposal for an IT Modernization Fund, for which he has asked Congress for $3.1 billion as a one time investment for modernizing critical applications and infrastructure across federal government.
He said that the structure of the fund isn’t uncommon in the private sector and should allow federal government to replenish its IT estate frequently over the next few years. Scott said:
If you’re an agency that has some of this most critical, insecure or hard to manage or inefficient applications and infrastructure, you can apply to the fund and make a business case for doing so. You get incremental funding as you hit deliverables and milestones. And then over a five year period of time you will pay back the fund.
If you are in the private sector, that doesn’t sound like an unusual construct. Every time I was asking for capital investment in the private sector to do something, it came with the understanding that wherever that capital was, it would get depreciated, but it would have to get paid back somehow.
In the federal government that hasn’t been the case, the way appropriations have worked in the past is that you’d get a one time shot and that’s it. Often management’s attention drifted off to the next thing they were asking for and not on getting the thing delivered that had been asked for in the first place. So this is a mechanism to both fund needed upgrades, but also to keep management attention focused on the delivery of critical applications and infrastructure as the work gets done.
Replenishing the funds sets up to refresh the next set of projects. We think we can address $15bn to $20bn worth of applications and infrastructure over a several year period, all for that one time investment.
An interesting proposal from Scott. The structure of such a funding mechanism isn’t particularly innovative (well, not in the private sector anyway) and could well work to replenish the IT estate. But to what end?
Is this the best way to spend $3.1 billion? I always get nervous when a programme of this size is simply focused on having the ‘newest and latest’ kit. Yes, I get that this is important for federal agency infrastructure and applications, but at the same time there isn’t a great deal of focus on the outcomes or service delivery.
As I hinted above, is there not scope to be talking about a cloud programme of this scale? Should agencies not be thinking less about how they have to refresh tech every few years and more on how they provide services to citizens? Maybe the fund will open up investment for cloud buying, but Scott didn’t create that impression during his keynote.
Interesting, but not entirely convinced it is the right approach.