I recently released an Op-Ed in the Financial Times describing how the DoD can catch up with China’s innovation in warfighting capabilities, in 6 months.
The living document below is a step-by-step guide detailing how to implement the 5 critical pillars that will save us from having to learn Mandarin: Agility, Workforce Investment, Enterprise Services/Breaking silos, Public-private partnerships, and Accountability.
When I resigned from the Department of the Air Force as the first Chief Software Officer, I raised the alarm regarding the fact that, as it stands, the U.S. will lose the artificial intelligence (AI) and Cyber war against China unless we take action now regarding the lack of agility, and adoption of basic IT capabilities in the Department of Defense such as Cloud, cybersecurity, DevSecOps and AI.
Make no mistake, the nation that leads in AI will be leading the world.
Due to a deeply entrenched lack of institutional urgency and a degree of comfortable complacency within and surrounding key influential decision-making positions over the last 20 years, we have positioned ourselves into a state of relative decline with respect to the Chinese Communist Party. Unfortunately, we have done so in the most crucial of domains – specifically artificial intelligence, autonomous capabilities, and cyber offense/defense. While we have certainly advanced, they have advanced much faster. Pentagon leaders like to call China a “near peer adversary” but that only demonstrates how we continue to underestimate them.
I don’t, and you shouldn’t. This is an existential threat to our nation and to our kids’ future.
Now, I believe we have something they don’t: the American values – freedom, equality and the American Dream.
The DoD must take tangible actions before we run out of time. Before long, it will be impossible to catch up due to the compounding effects of AI.
This strategy for competitive advantage outlines the 5 critical tenets that will close the gap within 6 months. #wakeupamerica
First, embrace failing and agile principles:
Agile is about the fast delivery of incremental value in production. Rapid iterative innovation. We cannot fear failure if we want to innovate. Fail fast, learn fast but don’t fail twice for the same reasons.
The Deputy Secretary of Defense (DSD) must work with the DoD Service Acquisition Executives (SAEs) to require all acquisition teams to move from outdated waterfall principles to end to end agile acquisition. Agile is 22 years old and yet it is barely used except in pockets of the DoD. We must buy “capacity of work” and not be stuck in time with outdated requirements and outcomes that cannot move at the pace of relevance. Agility will enable us to prioritize work based on global geopolitical events and the fast-moving IT pace. To this date, there is not even one hour of required agile training for our warfighters. I would furthermore ensure that automated data analytics and metrics reporting are incorporated (yet lightweight) so that we can truly understand how it is that we are learning rapidly and so that we can make data “informed” decisions along the agile path.
The Defense Acquisition University, the university in charge of training our acquisition workforce, must completely scratch its outdated curriculums, adopt the Digital DNA (from OUSD A&S) training and embrace agile and more importantly, remove anything that isn’t aligned with agile such as Earned Value Management.
Moving to end to end agile acquisition will solve much of the tremendous waste of taxpayer money that we see across the Department. While our taxpayers feel good about investing over $750 billion every year in DoD, they should know that I believe that we barely get 10 cents on the dollar in terms of return of investment. This is disgraceful and frankly, borderline criminal.
DevSecOps provides the ability to continuously deliver software fast and incrementally in production and in the hands of the warfighters. DevSecOps must be mandated for all new software intensive programs and for all existing software intensive DoD programs. All such programs must move to DevSecOps within 2 years in full compliance with the DoD Enterprise DevSecOps Reference Design v2.1 and ensure we do not get locked-in to Cloud providers and DevSecOps platforms thanks to our CNCF agnostic implementation.
There is no valid reason not to use DevSecOps in 2021 and beyond for custom software development.
Contracting teams must be trained to address basic issues that were solved decades ago on the commercial side. Is the government funding the entire cost of something? If so, the government should own the Intellectual Property (IP). That’s called “work for hire”. Have a work for hire clause ready to use for all acquisition teams. Is the government only paying for a piece of something? Have a clause for a worldwide unlimited license to use it in perpetuity. Is the government buying for capacity of work? Have a clause to define the “definition of done” of software with quality, security and delivery gates inside of a government furnished DevSecOps platform and passing the user story acceptance criteria. All of this may sound pretty basic but unfortunately, none of this is streamlined or well understood in DoD. Too often the DoD gets locked in for years due to lack of access to source code or IP.
We must adopt the newly created Software Pathways and make the Budget Activity (BA)-8 pilot permanent and require it for all software intensive programs. BA-8 enables programs to have a single color of money for software. That’s critical as software is never done. There is no such thing as sustainment, operation and maintenance (O&M) and research and development (R&D) when you continuously engineer software using DevSecOps and Agile principles.
Second, invest and fix our workforce/talent issues
As I have observed, defense leaders often fail to understand the technology itself, and refuse to empower those who do. If you are a leader and you don’t know the subject matter, then educate yourself and be prepared to take advice, or step out of the way. Don’t become the bottleneck.
Empower our warfighters at the lowest level possible. The military calls this “Power Down” and encourages informed decision-making at the point of decision – or nearest the work. They do the work; they feel the pain, and they know what needs to be accomplished to win. Speed of decision is itself a weapon that has to be used to gain and maintain competitive advantage.
To close the gap, we must invest in our people by enabling continuous learning with unbiased content (we built and implemented this capability during my tenure) and provide 1 hour a day of self-learning.
Do not create more silos. Many reports propose the creation of siloed AI and cyber teams or worse, a Cyber Force – this makes no sense. We do not need more siloed teams that will come save the day, but this appears to be the current path we are on with our labs and with our industry partners. This must change. This isn’t how we build upon our existing workforce. Software, cyber and AI must be baked into every DoD team. Concepts like the Defense Digital Service have failed because they focus on short term gains and because they operate in an isolated silo. I don’t believe they are part of the long-term answer because the answer isn’t more silos. While a bold initiative, this design vastly underestimates the problem. We must have a holistic and enduring IT workforce that understands current challenges and IT best of breed technologies across the enterprise and not just 60 siloed individuals trying to serve 4 million DoD workers. How would that even make a dent?
We should also leverage the Highly Qualified Expert (HQE) hiring authority more often. This program is a great mechanism to bring various and critical talent into DoD and should certainly be used more and streamlined. We must keep in mind that implemented solutions are not momentary or idiosyncratic and as such they should endure beyond the individual because they are grounded in current best practice. Waiving policies isn’t an acceptable answer.
Unlike DDS’ former leaders, we should focus on fixing policies instead of waiving a magic waiver wand (which rarely sticks) and bringing shadow IT devices/networks/Wi-Fi into the Pentagon and calling that a win when no one else can use them.
Instead, I propose that we create career paths for software, DevSecOps, cybersecurity, data science, AI/ML, etc. These paths must have progression of pay and title with special duty allowances that make compensation more competitive to the commercial sector. DSD must work with the Office of Personnel Management (OPM) and Congress to create these new career tracks which will not only attract more talent but also retain our existing workforce. Building on these critical areas in our military academies and across the nation in our ROTC programs will benefit the entire DoD workforce and most certainly our warfighters. These investments in new educational programs and scholarships combined with other incentives for our talented officer and enlisted personnel will begin to bridge the gap we currently experience in these demanding but exciting domains.
We have worked with Kessel Run and many DoD software factories experts on a step-by-step plan with tangible yet simple actions to make software career paths possible in DoD for civilians and military personnel. Implement those recommendations immediately. Most of them can be in place within 6 months, some will take a little more time.
We must fix the clearance vetting process. Leverage AI/ML to better understand the risk that someone is posing to our nation but more importantly, we must destroy the DoD bubble and enable folks to go work for a commercial company, see how fast things are moving in companies like Tesla and SpaceX and come back to implement those best practices into DoD. Of course, this will potentially increase insider threat but again, without new talent, we will fail.
Unfortunately, most DoD employees leaving the government end up working for the large DoD primes that are part of the same DoD bubble, moving at the same slow pace in this never improving vicious cycle.
By making the DoD nimbler, when these leaders and managers transition, leaders will act as change agents to simultaneously evolve the Defense Industrial Base so they can remain technically competitive and fiscally responsible in their fields of endeavor and deliver advanced systems to the warfighters instead of systems that are outdated at initial operational capability (IOC). This strategy will create what I call a win-win-win. It is a win for the DoD, a win for our industrial complex, and most importantly a win for the American people and our allies.
Finally, if you really want to attract people with technical talent, entrepreneurial spirit and experience to join the DoD, empower them to succeed by staffing them, funding their work but more importantly implementing their recommendations rapidly. Having all the responsibility without capacity or authority is a formula for disaster. I’ve seen decisions that take a day or two at best in a large commercial organization, take a year in DoD. Instead, empower folks at the lowest level possible to make those decisions and back them up when times get tough!
Third, set up a Joint Enterprise IT office to break silos and stop redundant work
We do not have enough talent and yet we have tremendous siloed and redundant work. Some of it can be blamed on Congress, but most of it is driven by organizational silos and egos.
We must stop this nonsense.
We have no enterprise services which should be enabling DoD teams to focus on their mission while piggybacking on enterprise capabilities. Worse, I’ve heard Defense Information Systems Agency (DISA) leaders who are supposed to build these enterprise services, say that there is no chance to build a DoD-wide capability because of the size of the Department. This is wrong. It just requires an entrepreneurial mindset that puts its customers first and buy-in from the Pentagon leadership. Companies like Google and many others deliver tangible value to their millions of users. By borrowing best practices proven at scale across private industry, so can the DoD.
We are all still waiting for that enterprise cloud contract miracle that we’ve been promised for 3 years. The Joint Enterprise Defense Infrastructure (JEDI) was recently cancelled after being stuck in court for years. I made it clear that a multi-award contract was the only path forward but, no one listened and preferred to die on their sword instead. Well done!
First, we must merge the Advanced Battle Management System (ABMS), Project Convergence, and Project Overmatch into a new Joint All Domain Command and Control (JADC2) program office.
Second, DSD must create a new enterprise IT office, Technology & Information Merged Enterprise (TIME) and direct all DoD Services and DISA to merge their enterprise IT acquisition teams, transport/connectivity, cloud, data-lakes, zero trust, DevSecOps platforms, and AI/ML enterprise work to that office. No excuse.
The TIME Director will report directly to DSD and not DoD CIO or DISA or a single Service.
This new joint office must be staffed with domain experts from all DoD Services but let’s be clear, selection should not be driven by rank or degrees. This must be driven by relevant experience in the domain.
TIME must have value streams and embrace end to end agile principles with strong automated data metrics.
Each value stream – Acquisition, Transport, Cloud, DevSecOps, Zero Trust, Data, Modeling and Simulation, Training, and AI/ML – will be led by government. These leaders can be either military or civilian and it shouldn’t matter which. Value streams must never be staffed by a single-vendor award. Every value stream will have multiple companies providing merged and mixed talent so that there is a diversity of ideas and opinions, and so that we can prevent vendor lock-ins. This should be the only way the USG is allowed to buy capacity of work from now on.
All enterprise teams must use each other’s services as their first “customers”.
For all these value streams, it is important that we leverage both enterprise funding and consumption funding. Enterprise funding must fund enough capacity of work to keep the lights on while enabling some continuous innovation without making those teams bloated. The consumption funding will be driven by customer adoption and determine growth based on customer satisfaction/adoption.
Of course, we must not start these teams from scratch, we must leverage the most advanced existing team in the Department.
The “Acquisition” team will set up agile contract vehicles. For licenses, we must be able to buy in bulk, without having to wait to place orders and get retroactive discounts based on total volume ordered per year. For services and talent, we must be able to buy capacity of work with a baked-in “definition of done” to ensure teams don’t have to think about those details. The “definition of done” of work must include the delivery of software continuously in a government furnished DevSecOps environment, passing the testing, quality and cyber gates but also the user acceptance gates as well so we do not buy “wasted time”.
The “Transport/Connectivity” team must be charged to merge efforts across all Services to build a Mesh capability that connects key Cloud Service Providers (CSPs) backbones, internet backbone cages, CONUS and OCONUS bases, satellite connectivity, and 5G. Of course, we must have hot redundant disaster recovery options worldwide so as not to be dependent on CSPs and decouple cryptographic capabilities from the transport so the mesh can be used across all classification levels. Cryptographic options can be added on top of the mesh with cages on U.S. commercial facilities and for OCONUS, on U.S. bases, with Type 1 and Commercial Solutions for Classified (CSfC) options. Commercial internet can be the foundation of the Mesh as well thanks to modern encryption capabilities. My team and I designed this exact plan for the JADC2 minimum viable product (MVP). This piece can be implemented, end-to-end, within 6 months for less than $20M.
For the “Cloud” team, start with Cloud One as the foundation which today has five cloud service providers already on contract. Merge all other Services’ efforts and stop the Joint Warfighter Cloud Capability (JWCC) engagement at DISA. Ensure the stack is fully abstracted end to end, leveraging Infrastructure as Code for seamless instantiation across all classification levels. Ensure we have a better partnership with the Intelligence Community Cloud contracts (C2S and C2E). The Cloud One team must move to a “capacity of work” model instead of orders on an Indefinite Delivery/Indefinite Quantity (ID/IQ) contract. That’s not agile.
For the “DevSecOps” team, we must merge all redundant DevSecOps platforms across the Services, leverage Platform One and fund it properly. While Platform One has been unfunded by the enterprise for years despite being the only approved enterprise DevSecOps solution by DoD CIO and OUSD A&S, we see Kessel Run spend $60M on their DevSecOps platform. Don’t get me wrong, they’re an awesome team but we must merge the platform efforts. The same is true for Kobayashi Maru, Army and Navy efforts. We can decouple (to a degree) the operational piece, but the platform development teams must merge. Additionally, Platform One Iron Bank, the DoD repository of hardened containers and Platform One Big Bang must be used as they vastly streamline the adoption of Software Bill of Materials (SBOM), Zero Trust, and behavior continuous monitoring, but more importantly accelerate and automate Day 2 work thanks to GitOps, Infrastructure as Code and Configuration as Code principles.
For the “Zero Trust” team, let’s not allow DISA to reinvent the wheel from scratch without using best of breed existing capabilities like the Cloud Native Access Point (CNAP) from the Air Force. CNAP enables comply2connect, user enforcement and much more. It leverages the concept of Software Defined Perimeter to create Segment of One, micro-segmented networks, to reduce attack surface and lateral movement. This is exactly what is happening with their Zero Trust project Thunderdome. Kill it. Instead, leverage and adopt the Air Force Zero Trust (CNAP) team and its leadership to become the DoD-wide capability and the mandated DoD Zero Trust implementation. CNAP-in-a-box also supports on premise legacy environments and can be deployed across all classification levels today.
For the “Data” team, the Air Force and Space Force started to merge their 20+ data lakes into 6. That’s a start, but this must scale to the entire Department of Defense with the help of great leaders like David Spirk, the DoD Chief Data Officer (CDO). We must build a data fabric that will allow both federation and aggregation and more importantly enable structured and unstructured data capabilities. This must leverage the GitOps principles to ensure parity across all classifications and full deployment across all fabrics from day 1. Cloud based and physical cross domain solutions will be leveraged, supporting container-based artifacts, to enable seamless and secure transfer of data across the enterprise. We must create an enterprise streaming event (pub/sub) to enable live streaming of data between weapons. As we move to a microservice architecture with “Lego block” containers, we must have an enterprise capability to publish and consume events. These capabilities will support Attribute-Based Access Control (ABAC) and Next Generation Access Control (NGAC) from day 1 to enable the labeling of both users and data down to the cell level.
For the “Modeling and Simulation” team, we shall merge efforts across Navy, Army and Air Force including the Digital Engineering as a Service capability on Cloud One and make digital engineering tools widely available at all classification levels. Admittedly, Digital Engineering will be a journey for the DoD, but this is the primer for a great beginning, and it sets the conditions for success.
For the “Training” team, we must merge the efforts from Platform One, Bespin and OUSD A&S with the Learning Hub and Digital University with DAU training into a single team that will bring unbiased training that moves at the pace of relevance for our innovation teams. Training cannot be pushing biased content created by Cloud providers or DevSecOps platforms. Instead, it must be agnostic and ensure we train our teams to abstract their capabilities, creating “Lego blocks” (containers) across the Department.
For the “AI/ML” team, the Joint AI Center (JAIC) will move into the TIME team. It’s important that we prevent JAIC from becoming bloated as it seems they are starting to build their own infrastructure and data lake capabilities. Instead, they should use the enterprise services mentioned and they should focus on the AI/ML layer on top. That’s their mission. After staffing JAIC with leaders who understand AI/ML and the basic concepts of agility, the most important work will be building the Joint Common Foundation (JCF) which is supposed to bring a multi-tenant AI/ML capability for data scientists. JCF will be used to build and train AI models and deploy them into Platform One Big Bang instantiations, in production at all classification levels.
As a final touch, while these enterprise services will behave and think as startups within the Department always aiming to please their customers (the warfighters, not just General Officers at the Pentagon), we will also ensure that they will be mandated across DoD with a waiver process with tangible data collection to understand why a specific team couldn’t use them so we can have the ability to continuously improve its offerings. Too often, I witnessed teams request a waiver not to use enterprise services because of conflict of interests, egos or personal preference. These are not valid or acceptable reasons; the DoD cannot continue to allow this waste of taxpayer money for unfounded excuses from teams to “do it themselves.”
These new joint teams and enterprise services must be seen as a startup/company within the DoD. Everyone should always ask the question, “Who is my customer?”. The customers are the warfighters. If we forget this fundamental tenet, we’ve already failed.
Fourth, enable information sharing and public/private partnerships
We must stop being complacent and accepting reports that give us more time to fix things than we actually have. We’ve seen reports claim that we have 7 or 10 years to take meaningful action in AI etc. That’s just nonsense. Those reports are often written by PhDs or bureaucrats who have never actually built a production-ready capability or a product in their lives. The vast majority of them don’t know how to innovate or how to deliver value to end-users, nor do they understand the accelerated pace of the IT space. They also forget that we are competing against 1.5 billion people who aren’t waiting for us to figure this out. AI innovation compounds upon itself and is exponential based on velocity of delivery and data volumes. By definition, we are already at a massive disadvantage as they have more people and data working the problem.
We must stop calling China a “near peer adversary” and recognize that they are often leading in many critical domains.
To be clear, we have incredible U.S. companies innovating across all domains, including self-driving cars, space and AI/ML etc. Unfortunately, the Pentagon continues to over-classify information which prevents us from sharing China’s behavior against our nation with those companies and we continue to see companies refusing to work with DoD. I believe that if we were able to share more about what we understand, most American patriots and companies would proactively want to partner with DoD to fight back and win this fight. How can they understand the risks and potential costs if they are kept in the dark?
AFWERX and SPACEWERX etc. type investments are awesome but aren’t going to cut it here. We need this done at scale, with more funding, and we need innovators (former investors/VCs partners etc.) to run these offices.
A strong public-private partnership like during WWII, with engagements like the old days of Bell Labs and ARPA, is necessary.
Unfortunately, today DARPA is mostly incapable of moving at the pace of relevance due to their inability to adopt DevSecOps principles and deliver innovation that can be used in production in the hands of the warfighters without tremendous investments from DoD programs to make them production ready.
I was shocked that after meeting dozens of DARPA teams, only a couple of capabilities that they were working on could even be applied to my immediate production needs in the Air Force and Space Force.
Fifth, accountability and smart fights
If you haven’t read the book “The Kill Chain” by Christian Brose, stop reading this post and go buy it now and come back to read more. Christian describes our current situation better than most people I know.
Okay, now that you have read “The Kill Chain”, you know that none of the things we talked about will matter if we don’t have accountability.
The DoD system is designed to ensure that we are not held accountable for our mistakes. We overclassify information and use “operational security risk” (OPSEC) as an excuse not to share more with our taxpayers.
Folks argue that I am an operational security risk right now by raising this alarm. That’s nonsense. China and Russia already know all of this – the information is everywhere but few are listening except for them. The fact is, they don’t want a precedent where the public is allowed to know how bad things are, so we don’t ever have to be held accountable.
Of course, DoD also controls information released to the media as well.
We must renew our oaths and let our actions stand as proof that we know who we serve – the warfighters at the tip of the spear and everyone in support. Because of this, we must stop wasting billions of taxpayer dollars year after year only to promote those in civil service and in uniform who failed as though they achieved something profound. They need this shared vision of the future and when they work to achieve it, they will indeed make a difference to every service member in DoD.
We must be comfortable being held accountable, but we also understand that you cannot innovate without failure. What we shouldn’t be okay with is to fail twice for the same reasons. This requires transparency and the sharing of information and knowledge. It’s that simple.
As taxpayers, we must demand transparency and a monthly update regarding progress of this plan.
Finally, we must stop preparing for and fighting the wrong battles!
Can we defend Taiwan? Maybe. During recent wargames, in a fake battle for Taiwan, U.S. forces lost network access almost immediately and we failed miserably, said Gen. Hyten, the Vice Chairman of the Joint Chiefs [https://www.defenseone.com/policy/2021/07/it-failed-miserably-after-wargaming-loss-joint-chiefs-are-overhauling-how-us-military-will-fight/184050/].
What is certain is that the next war will be massively software defined. It won’t be won with 5th generation fighter jets. China doesn’t need them when they can take down our power grid because of kindergarten-level cybersecurity defense capabilities in critical infrastructure thanks to the Department of Homeland Security (DHS)’s inability to adopt zero trust principles when I offered it to them 5 years ago.
We must understand that we will be fine having a few less F-35s and that we must use that funding instead to invest in electronic warfare, jamming technologies, enterprise IT, software innovation, drone swarming technologies, hypersonic AI powered capabilities and cyber defense/offense.
Those new weapons must move away from human-driven large, exquisite, multi-billion-dollar platforms to leaner, more “cattle-like” autonomous capabilities that can be discarded as needed. They must be deployable at the edge, highly decentralized when it comes to command and control, and managed from anywhere. The space domain will bring a lot of opportunities to rapidly deliver weapon capabilities within minutes all over the world as “space edge bases” become reality.
If you compare the velocity of China in hypersonic for example, they are not afraid to test and fail to innovate. They’ve launched over 200 times while the United States barely did 9. This is why we don’t have a chance at winning this fight if we don’t educate teams on the agile principles necessary to innovate and win.
Unfortunately, the DoD’s budget is often earmarked years ahead for legacy platforms and for the sustainment of outdated capabilities that are heavily defended and protected by staffers and lobbyists. We must mandate that 10% of the yearly DoD budget be spent on new innovative concepts. This doesn’t mean just Research & Development (R&D). By leveraging DevSecOps and Agile principles, we can rapidly deliver small incremental value to the warfighters, in production, not in a lab.
Today, the DoD relies upon an antiquated consensus building methodology. This approach permeates the decision-making process and is ill suited for algorithmic warfare that occurs in minutes, not months. This process must be completely overhauled, and when done properly, coordination will naturally occur, but tough decisions have to be made and the goal will never be to please everyone.
China managed to negotiate the mining rights in Afghanistan by inviting the Taliban to China months before they took over the country and without losing a single troop. The United States instead lost thousands of troops and gave away $20+ billion of military equipment. Ever heard about fighting smarter? That’s what China has been doing for the last 20 years by stealing IP, enticing the U.S. to move its entire supply chain to their nation by using lower costs as a carrot but effectively, in the long run, potentially owning the United States as a whole, injecting CCP operatives in U.S. companies and universities, investing in the education and training of their citizens early on so they can win the AI war etc.
In conclusion, let’s be clear, China is an existential threat to our nation and kids’ future. This isn’t a political discussion; it is the simple truth.
So, we must walk the talk we talk and rally as One Team One Fight, across the commercial sector and the U.S. government and close the gap. This will ensure that we win this fight!