Friday, December 24, 2021

Unintended Consequences of the Information Economy III

In "Unintended Consequences of the Information Economy II" (2021), I mentioned an Executive Order issued in May of this year (2021) by the Biden White House: "Executive Order on Improving the Nation's Cybersecurity". This morning over a leisurely Christmas Eve breakfast I read the fifty-four page EO from start to finish. (It's not that onerous; the way it is formatted on the White House web site, with very short lines, it was expeditious to print it two web pages per physical page.)

I'm tempted to say that I've never read an EO before, so I didn't know what to expect. I've read so much stuff over the past decades,  I can't say for certain. (I once found myself having to read U.S Department of State International Traffic in Arms Regulations in regards to a commercial product I was helping develop for the business aviation space.) But for sure, I didn't expect the EO to be as interesting (or as readable) as it was. Here are some of the things I consider highlights:

  • There was a a lot of verbiage about the need for federal agencies to share information with one another on malicious cyber campaigns. This may seem obvious, but in many organizations - government and commercial - this might be a hard sell. There is little incentive for organizations to admit they've been hacked, for lots of reasons. So an EO which requires federal agencies to do so is probably a good thing.
  • There was also a lot of talk about the need for vendors who sell into the federal government space, especially cloud service providers (CSP), to share information on malicious cyber campaigns. Good idea, especially since they may detect such campaigns in their commercial environments as well. Same disincentives apply as above.
  • The EO requires federal agencies using cloud services to adopt Zero Trust Architecture "as practicable". Also a good idea, and (if I am to be honest) something I haven't been that great about in some of my own work. I need to do better, and so does the U.S. Government.
  • There is a section on the need for vendors that sell into the federal space to use a secure software development environment. It recommended such actions as administratively separate build environments, and automated tools to demonstrate conformance to secure development processes. There was a lot of text about the need for products to provide a verifiable software bill of materials (SBOM). Keep in mind this was written back in May of this year, months before the Log4J vulnerability came to light. If software products in use today that depend on Log4J had such an SBOM, a lot of IT folks might be having a much more relaxed Christmas holiday.
  • Really an eye opener for me: there is a section proposing a cybersecurity labeling standard for consumer internet-connected (i.e. Internet of Things) devices. I very much look forward to seeing what happens with this. As a cybersecurity engineer friend of mine quips: "the 'S' in 'IoT' stands for 'Security'". I confess to still be grappling with security concerns - and the tradeoff between security and real-time behavior - in my own IoT projects.
  • Most unexpected: a long section explaining the use and value of system log files. Preaching to the choir, President Biden. It requires federal agencies and their IT service providers to save such logs in a secure manner, and to periodically verify the logs against hashes to insure they haven't been modified. Such logs are crucial for post-hoc analysis of lots of stuff, not just malicious cyber incidents.
  • The EO contains the usual caveats and exceptions for the Department of Defense and the Intelligence Community, but at the same time requires cooperation and leadership across the DoD and IC for this effort.
  • Several requirements mention the use of automated software tools to audit, verify, and analyze the security of government IT systems. This is going to attract a lot of tool vendor attention. It will be interesting to see how those vendors address this, since the tools themselves - which are likely to be large and complex - will also be recursively subject to these same requirements. (I find myself reminiscing about the Gödel Incompleteness Theorems from graduate school.)

I still think the major impact of this will be more revenue for the small handful of ginormous prime contractors in the defense space. But I'd like to believe it's a step in the right direction.

Tuesday, December 21, 2021

Unintended Consequences of the Information Economy II

In "Unintended Consequences of the Information Economy" (2014) I cited an article in Foreign Affairs (2014), the journal of the Council on Foreign Relations, by former Deputy Secretary of Defense William Lynn. He talked in part about how companies in the technology sector typically invest far more of their revenue in research and development than do the handful of prime defense contractors in the United States.

What I didn't mention is how we arrived at the situation we currently find ourselves in: with just handful of big prime defense contractors.

In 1993, during the Clinton administration, then-Deputy Secretary of Defense William Perry convened defense industry executives into a meeting that came to be called "The Last Supper". He informed them that due to a huge reduction in the defense budget, there would have to be a consolidation of the defense industry.

John Mintz wrote about this and its consequences in "How a Dinner Led To A Feeding Frenzy" in the Washington Post (1997).
Perry's warnings helped set off one of the fastest transformations of any modern U.S. industry, as about a dozen leading American military contractors folded into only four. And soon it's likely only three will remain, with Lockheed Martin Corp.'s announcement yesterday that it plans to buy Northrop Grumman Corp. for $11.6 billion.
The unintended side-effect of the consolidation of the defense industry into just a handful of prime contractors was that there is now far less competition in the defense sector. If the Pentagon wants to buy a new major weapons system, there may only be a single contractor capable of delivering it.

Since this happened, the U.S. Departments of Defense and Justice and the Federal Trade Commission have tried to reverse this process by opposing further mergers in the defense industry.

John Deutch, also a former Deputy Secretary of Defense as well as Director of Central Intelligence, argued, in "Consolidation of the U.S. Defense Industrial Base", published by the Defense Acquisition University's Acquisition Review Quarterly (2001), that the consolidation also led to far less stability in the companies that did survive this process
In the 1993–1998 period of euphoria, defense companies experienced significant increases in equity prices based on the expectation of revenue growth and margin improvement from cost savings. In 1998, the outlook for the industry began to darken for several reasons. First, DoD reversed the consolidation policy. Second, expected cost savings were not shared with the companies, and hence margins were squeezed, especially from increasing interest payments on debt required to fund acquisitions. Third, defense companies making acquisitions were overly optimistic about the expected growth in top-line revenues from DoD, foreign military sales, and commercial spin-offs of defense technology. The anticipated increase in defense outlays had not materialized.

Finally, some key companies found it difficult to manage their expanded enterprises effectively in all respects and to meet their optimistic financial targets. The capital markets quickly shifted to more glamorous (at that time) dot.com and high-tech stocks not associated with defense.
My tiny one-man corporation has done its share of government contracting over the years, but always as a subcontractor to a far larger organization that had all the infrastructure, people, and processes in place to deal with the federal bureaucracy. The overhead involved is a significant barrier to entry for smaller organizations. And, remarkably, to larger organizations.

In my original article cited above, I related the story of Boston Dynamics, the spin-off of MIT that designs the human- and dog-shaped robots we all watch on YouTube. After the Defense Advanced Research Projects Agency (DARPA) poured a bunch of funding into the company, it was bought by Google in 2013, who basically said “thanks, but no thanks” to any further DoD involvement. Google went on to sell Boston Dynamics to a Japanese company, which in turn sold it to a South Korean company. All that government funding resulted in intellectual property that didn’t even stay in the United States, much less in the DoD. Many large tech firms have big revenue streams that for the most part don’t rely on the U.S. government; there are easier ways to make (lots more) money in the commercial sector.

This leaves much of the technology needs of the U.S. government in the hands of just a few big prime defense contractors.

In a recent edition of his newsletter "The Embedded Muse", embedded software and hardware technology pundit Jack Ganssle mentions that the Biden White House has issued an "Executive Order on Improving the Nation's Cybersecurity". Jack writes:
Uh oh. Do you sell to the US government? Since they buy pretty much everything, pretty much everyone does. A new executive order re security will make our lives much, much harder. Though the details are still being fleshed out, a pretty good overview here will raise your blood pressure. 

Jack references an article by a vendor who is, of course, trying to sell you something, but is none the less a pretty good overview of the EO. From that sales pitch:

This EO directs these agencies to develop new security requirements for software vendors selling into the U.S. government. These requirements will be incorporated into federal contracts for commercial software and hardware with the intent of imposing “more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”  This is a monumental shift that will have an immediate impact on global software development processes and lifecycles.

In addition to  a host of new information and operational security measures that government agencies need to implement, the new order establishes a robust approach to supply chain security. The new requirements will include security testing throughout the development process as well as a Software Bill of Materials (SBOM) to address security issues in open source components.

I expect this EO to be a huge boon for the few existing big prime defense contractors, while preventing the small-to-medium, and even large, tech companies from participating in providing innovative technology solutions to the federal government.

As both a software engineer and a taxpayer with many decades of experience doing both, I have very mixed feelings about this. I can appreciate the need to make sure that our tax dollars aren’t wasted, that expenditures are all accounted for, and that the products our government purchases are reliable and secure. But I feel pretty confident in predicting that it will mostly mean that giants like Raytheon and Lockheed-Martin will do well.