I’ve been thinking about the fight between Amazon Web Services and IBM for the CIA and other U.S. government business and it strikes me that something is really screwy. I’m not talking about the bid process, which both IBM and the General Accounting Office (GAO) called out. I’m talking about how, in the age of Manning and Snowden, no Web service provider should have made the cut for a CIA service no matter how benign. The very fact that Amazon had to go to war with the GAO, which you’ve got to believe will have implications for how supportive they will be to other CIA budgetary requests, points to a real failure to understand the dynamics here.
It should have been too politically risky and it suggests that the unique services that a company in IBM’s class provides were taken for granted or completely ignored, which likely goes to its complaint about the bid process, in which Amazon shouldn’t have been able to comply—not technically, but in terms of meeting the security and compliance requirements unique to the federal government.
Perhaps it was inexperience?
I expect this may be because someone new to government put the budget in front of process, and the end result will be the kind of disaster that has made the U.S. office of the CTO a revolving door as of late (even the deputy CTO quit). I’m not talking about a product failure. I’m talking about the inability to understand what makes entities like the federal government uniquely risky to change.
It’s not an uncommon problem. Someone new comes in, decides they know better, and then, without understanding the politics of the situation, they commit career suicide. We kind of saw this with the Affordable Care Act website, though in that case a legitimate government contractor was used (in this case one that is known more for work in Canada than in the U.S.), but the process seemed to assure failure.
What generally happens is that problems arise, jobs change, and the new folks point to the people who made the decision as the problem. It can be career suicide, which is why large companies and government organizations don’t chase new vendors or new technology very often. Going with the flow is just safer. But should it be that way? Maybe not, but that’s the way it is.
But search on IBM, Amazon and GAO and look at the press coverage that this got and then think about what that did for the decision maker’s career. Now, if you are in the private sector, imagine a vendor you selected blasting your CFO in public because of a decision you made with which the CFO disagreed. Good luck with your budget and any chance for promotion. Seriously, no one in the federal government is likely going to want to touch whoever made the Amazon decision with someone else’s 10-foot pole. Any publicity is risky, this kind is a career killer, and it is far from over.
Knowing What You Are In For
I doubt the decision makers at the CIA wanted the GAO on their back, and even though they won the court hearing on the bid process (and this is far from over) I’ll bet the GAO isn’t amused and will find a way to assure that the CIA conforms to how the GAO views policy next time. Going to court against your own compliance organization is something unique to government, and in the private sector you’d have an internal audit and the judge would be the CFO that they report to—hardly unbiased.
But had the CIA understood that this would be hotly contested, it likely would have done a better job to assure the GAO was on board up front to avoid the political fallout. But I still doubt it would have chosen Amazon had it understood the risk.
Can you imagine a meeting where Snowden and Manning are discussed and the idea of throwing a CIA service onto the Web was introduced? The word “suicidal” comes to mind. Granted, the proposed changes that the NSA is discussing look pretty brain-dead stupid to me. (Cutting system admins = less data access—wouldn’t the opposite have to be true because those who are left would have to do more?)
It’s a Huge Risk
This risk I am talking about is that after the Manning and Snowden leaks, most governments are on full lock down with regard to who gets to see sensitive information—the U.S. in particular. Everyone who touches data, from users to system administrators, is going through security checks and their permissions are being heavily restricted so if someone does make it through, they don’t have the massive access Snowden did.
But how do you do that with a public cloud service? Amazon is a price leader, but it could not afford to put everyone that touches its systems through this kind of scrutiny, nor would it want to, which should have locked it out of consideration by any government agency with three letters (FBI, CIA, and NSA). If a breach occurred, it simply couldn’t defend the exposure.
This is nothing against Amazon—it is new to the Federal sector and much of its activity has either been in the mid-market or going around IT in large corporations. But the CIA is high-profile federal, with massive security requirements that put the risk to Amazon and the decision maker beyond what should have been reasonable.
I think the problem is inexperience, not with the technology really, but with the kind of unique processes that typically surround large companies and government entities. Now, the big difference in this regard between IBM and Amazon isn’t the product, it is that IBM understands the process. And I think that part was left out of this decision, which focused on other, less important things.
Wrapping Up: Ombud
Basically, I think the fix to this is a social network that links the buyers and IT decision makers in a company so that decisions are fully vetted in context of the entity and people who are taking a risk with a new vendor or technology had better understand that risk, so they can either mitigate it or make a different decision before the final decision is made public.
More importantly, because some will understand why a vendor such as IBM is preferred over a vendor like AWS, they will be less likely to take the unique advantages for granted. They may still go with the cloud provider, but they’ll do so more informed. If someone else had used either vendor and had serious problems, they’d learn from their experiences and either avoid them or go about the whole thing differently to avoid the problems.
The service I know of that does this is Ombud. It’s deployed in a variety of large companies now as a way to ensure that the enterprise folks are having a dialog about the vendors they use, can rate them, and can collectively promote good behavior and address bad behavior. This service does what services like Gartner can’t. Granted, implementation in an entity like the federal government should likely be contained on government property and not provided as a Web service—for reasons similar to the AWS discussion. But the concept of assuring that no one else has the kind of publicity that the CIA is getting right now—without knowing that at the front end—would be incredibly valuable. I’ll bet, had it been in place, it would have prevented the Affordable Care Act website dust up as well.
Social networking should be about making better decisions, not about where some person is going for lunch or funny Web pictures. Whether via Ombud or something else, this CIO dust up suggests that more large entities should have in place a process whereby the collective intelligence of buyers can be accessed to make better decisions. That would be so much better than the one that exists now, where, when someone makes a mistake like this, the collective buyers agree the person(s) was an idiot.
In the private sector, we talk about asking permission or forgiveness and it really is a choice. In the public sector, we use the term “cover your ass,” and that really didn’t happen in this Amazon deal.