In the Pentagon that joke morphed. Whenever someone wanted to get additional budget, the reason was to ‘Deal With China’. Well, in fact, maybe that is still true.

In technology today, the current budget justification phrase is ‘Cloud Computing’. Except in this case, exactly what Cloud Computing is or what it can do is even less clear than normal. On the other hand, that lack of clarity means there are lots and lots of meetings, seminars, and conferences that deal with trying to define Cloud Computing and provide advice on what to do about it.

In that context, I was on a panel Monday, May 3, that discussed Cloud Computing and the kinds of new skills that would be needed to support Cloud initiatives, http://events.1105govinfo.com/Events/Cloud-Computing-Summit-2010/Sessions/Monday/CC4.aspx.

I had three major themes.

My first theme was that people tended to mean one of a number of radically different concepts under the general topic of Cloud Computing.

Many actually were talking about consolidating multiple applications on a fewer number of servers – virtualization. It was this step that accomplished much of the savings, if there were to be any, from Cloud Computing. In fact, it was certainly possible to do server consolidation and application virtualization without actually implementing anything that actually was ‘in the Cloud’.

Others used the term Cloud Computing to putting applications on the Internet; in the web. This approach is also often described as Service Oriented Architecture, SOA. I am probably not capturing all of the nuances of SOA but to me this basically means taking a program which traditionally was self-contained and isolated and treating it like a service which others could access or integrate into a larger set of combined services. Doing so efficiently requires writing programs a bit differently, adding the ability for a service to be discovered, that is found by others, and adding the capability to expose aspects of the service to others.

SOA in the end requires not just technology change but also cultural change. To be most effective it requires an organization to be much more collegial and standards based in how it designs and develops software.

Finally, some people meant having applications, or aspects of an application such as the platform it runs on, provided externally; that is, through a cloud. The big challenge here is that when using only internal resources it is possible, though in my opinion unwise, to get by without taking the time or applying the necessary rigor to develop service level agreements (SLA’s) for all of the aspects of your system.

You can tell if people are working hard by peering over their shoulders. You can measure performance by users calling and yelling at you, and dynamically reallocate resources by yelling at someone down the hall.

However, when you move a resource out of your internal operation it becomes absolutely critical to develop robust SLA’s to manage your provider’s performance and define your expectations. It turns out that this is very hard to do especially in areas that historically have not been defined in very precise terms such as security or privacy. This is, again in my opinion, one of the major underlying reasons why there is such resistance to moving applications to the cloud.

My second theme is derived from that last point. It was always useful to create business architecture’s to drive technology development. While it might be inefficient, it was historically possible when everything was accomplish internally to ignore that benefit and instead do what was in effect the opposite approach, develop technology solutions that ended up impacting the business.

However if an organization wants to move to the not-well-defined cloud, it becomes necessary to define the business architecture’s and business goals associated with the applications. Without that definition, the likelihood of achieving the promised benefits associated with Cloud Computing are highly unlikely to be achieved.

My third theme was that the major human capital impacts were:

• Technical and operational IT assets were likely over time to move to external service providers and away from user organizations
• The demands on procurement and legal professionals were going to change as their responsibilities became more and more ‘horizontal’ between organizations and their providers of service and less ‘vertical’ supporting internal hierarchical organizations
• The importance of technical staff who also were comfortable with business issues would dramatically increase.

Federal Computer Week, http://fcw.com/Articles/2010/05/04/cloud-computing-implications.aspx, covered the panel.

“Welcome to the first Upstate CIO Conference, where CIOs from Upstate New York will connect, discuss industry trends and emerging technologies, and inform course content for information executives.

The Upstate CIO Conference is a one-day conference, held on Friday, April 16, 2010, at the School of Information Studies (iSchool) on the Syracuse University campus. The conference brings together Upstate CIOs and information technology professors to explore how academic research and professional experience come together to create innovative solutions to industry challenges, create industry trends, and educate professionals who can meet the needs of the 21st century global workplace.”

I was invited to give the keynote for the conference and to serve on a panel focusing on IT Governance. My keynote will discuss my thoughts regarding governance and how it differs between the private and public sectors. I’ll also cover what I call First Principals which are some of the key trends that are underneath some of the current technology trends.

I have included a copy of the slides below. In the interests of full disclosure, I also serve as an adjunct professor at the iSchool teaching graduate distance learning classes related to CIO Management and Cyber-security Policy.

Upstate CIO Conference Slides

The link to the conference site is: http://ischool.syr.edu/newsroom/cio/conference.aspx.

“When I use a word,” Humpty Dumpty said, in a rather scornful tone, “it means just what I choose it to mean – neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master – that’s all.”

And thus it is with Cloud Computing. The question on the table is whether we are to be the master of the Cloud Computing concept and what it means to us as practitioners and/or users or whether we will treat it as magic providing whatever value we have need of during that moment in time.

For those of you, who are willing to brave Washington during the Nuclear Security Summit, April 13, I encourage you to drop by a Digital Government Institute sponsored event called “Use Secure Cloud Today to Optimize Customer Experiences”, being held at the Willard Hotel, from 8:30am to 1pm; registration opens at 7:45am.

I was asked to be on a panel at the conference starting at 10:30 entitled Meeting Customer Expectations In the Cloud, Practical Experience”. The panel will be hosted by Chris Dorobek, the ever popular host of the Federal News Radio afternoon show The Daily Debrief, and is scheduled to have:

• Gil Guillen from the Office of Electronic Services at the Social Security Administration;
• Laef Olson, CIO, RightNow Technologies;
• Thom Rubel, Vice President, IDC Government Insights; and
• Joe Thele, Director Air Force Personnel Operations Agency.

Based on the last phone call interaction with the other panelists Chris will lead us through three sub-topics:

• Current status,
• Thoughts on why one should consider ‘doing’ Cloud Computing, and
• Examples of lessons learned and how to deal with the barriers that tend to get in the way when doing so.

It should be fun and informative.

You can get further information at:

http://www.digitalgovernment.com/Events/Conferences/Use-Secure-Cloud-Today-to-Optimize-Customer-Experiences.shtml.

And as an added benefit, you can go out before or after and demonstrate for or against the Summit activities.

I discussed two topics under the topic of Bringing Governance, Performance Management, and IT Together.

Here is the presentation:

My Potomac Forum Presentation

The presentation is divided into parts.

The first part discusses my thoughts about what should we are trying to do with the Open Government initiative. I am a very enthusiastic supporter of these initiatives.

My major point, however, was that much of what has gotten public attention such as Transparency or externally published data sets are not the goal, it is what they are intended to accomplish that is the goal. Specifically, we want to cause something to happen that would not have happened if they were not performed.

As one of the other speakers noted, if this only became a compliance exercise then we would not be accomplishing enough.

The second part of the presentation dealt  with how I attempted to use transparency and a status dashboard at the US Department of Transportation during my last year at the Department to improve oversight of cyber-security status. The approach turned out to be partially effective.

Our ability to see into the various networks, most of which were independently managed, improved a great deal. However, I was unsuccessful in setting up a process that carried over across the chasm of the change in Administration. I indicated some of the lessons learned and how I would have improved our approach.

I was on January 15^th, you can listen to the entire show that week at http://www.wfed.com/index.php?nid=17&sid=1865007.

In this post, I wanted to briefly touch on the second of the two articles I discussed, DISA expands access to ProjectForge cloud environment, http://gcn.com/articles/2010/01/13/disa-projectforge-collaboration.aspx.

The article illustrates the greater comfort level that Government has with using open-source software produced by non-Governmental organizations. While not explicitly mentioned, this increased involvement is leading to open-source development going the other direction; being produced by Government and then placed into the greater community.

Just to make sure that everyone is on the same page, I should explain a few terms.

DISA, which stands for Defense Information Systems Agency, provides an increasingly large part of the Information Technology infrastructure for the Department of Defense; http://www.disa.mil/.

As I have mentioned in a number of venues before, I believe there needs to be a Civilian version of DISA to serve a similar purpose. The most logical candidate to me for this is GSA, though historically GSA has done a better job of managing contracts than managing the implementation of contracts. Regardless, as the Government increasingly understands the value of centralizing the provisioning of infrastructure, allowing the Program staff to focus on their program mission, DISA has increased its responsibilities; not without growing pains but that is a different blog entry.

The article talks about DISA expanding its ProjectForge effort associated with Cloud Computing, this effort is part of its forge.mil program. The word ‘forge’ comes from the original efforts to develop Open-source software.

Open-source software typically is created by crowd sourcing, which is with the participation of many contributors often in a fairly loosely coupled fashion. The process and the resulting source code is presented transparently. Companies typically make money around open-source efforts by selling training, consulting, and/or support contracts of one sort or another.  For more details, see http://opensource.org/.

There has been a continuing argument within Government over the proper place for open-source software. Some people are uncomfortable with the thought that the software has no single creator or owner.  Open-source advocates would argue that the gains achieved by making the source code completely visible are significant. Security experts tell me that security that is premised largely on secrecy ultimately fails. In the same way, the power of exposure, at least in theory, reduces the possibility of bugs and/or trapdoors which cause security vulnerabilities in a software application.

Fundamentally this discussion represents the much broader issue of the real-world value or power of crowd sourcing versus classical hierarchically produced results. I plan to talk more about this in later blog entries a bit more.

Returning to the article I presented, it is clear that the argument over Government use of open-source is being largely decided in favor of use. Here we have one of the largest providers of IT in the Federal Government with an active open-source effort both in concept and execution within the Federal Government.

The article also illustrates one of the under-reported stories; that of Government produced open-source software. It is increasingly common that the Government makes use of privately produced open-source software. But there are an increasing number of situations where the Government is creating open-source software and either making it available to a larger community for usage or even setting up relationships with non-Governmental organizations to manage the resulting open-source community.

The premise of the panel is that every Friday, Francis asks three people from the ‘community’ to each select three news stories having something to do with the Federal Government. I selected three Information Technology related stories.

You can hear the panel which consisted of myself, Jon Desenberg, President of the Performance Institute, and Jeff Sural, a former DHS Deputy Assistant Secretary, and now of Alston and Bird at:

http://www.wfed.com/index.php?nid=17&sid=1865007

I thought I would summarize and perhaps expand a bit on why I picked those stories and what they meant, at least to me. In this entry, I talk about the first story:

Transparency, public input to guide IT policies

http://www.federaltimes.com/article/20100113/ACQUISITION03/1130306/1009/ACQUISITION

 The emphasis of the current Administration, and in particular CIO El Jefe Vivek Kundra, has been great. As many have said sunlight is the best disinfectant.

But like many good things, transparency has some complexity to it.

The first complexity is we can use the term transparency to apply to at least three different kinds of data.

We want to expose data that the Government collects and potentially uses in a transparent fashion. The value of doing this is that we increase the chances of getting public input as to the quality or makeup of the data. In addition, by exposing the data we allow people and various organizations to make use of it quickly. The Apps for Democracy competitions, http://www.appsfordemocracy.org/, ended up with applications that took government data, used the data very creatively in ways that were unlikely to happen anytime soon.

We also want to expose data about the processes the Government is following. Many of the dashboards that were created through the leadership of Karen Evans under President Bush as part of the President’s Management Agenda, and adapted, modified, and expanded under President Obama, aim to accomplish just that. By using the classical green/yellow/red ratings or something similar it is possible to capture the status of various Government projects, whether they are meeting schedule and/or spending goals, and help to identify those that need fixing.

Finally, we want to expose data about the results of the Government programs and their associated impact. In fact, ultimately it is this kind of transparency that can have the greatest impact. The goal of transparency is not; if I may use sort of an anti-tautology, just to be transparent. It is to allow something good to happen that would not have happened without being transparent. It is the ‘something good’ we are aiming for; transparency is often just the intermediate step.

One other point regarding making data available, as Vivek has pointed out, if you are going to expose all of this data on the web it is important to format the data in a way that external users can easily make use of it, download it, and manipulate it. There are the associated issues of data standardization and consistency which I will talk about sometime in the future.

The second complexity is that what is good for the organization is often not so good by those we depend on accomplishing that better good.  Creating the systems or enhancing the data flow to expose it on the web takes resources. I know of few if any agencies or departments who feel they have lots of resources sitting around, whether we are talking about money or staff time. When investments are made to accomplish these important projects it typically means something else is not getting done. However important these are (and I think they are very important), the positive impact may not be immediately obvious while the incremental pain of not completing other projects will hit immediately.

Also, when first exposing data, there almost inevitably is going to be some that will be embarrassing for one reason or another. For example, data may be made available before it is actually clean; or it will become obvious that some of the data sets are incomplete or poorly constructed. While the result may be positive, cleaning and creating better data, the short-term impact of news articles or in a worse case, Congressional testimony, is not a way to have a great day.

The point of this is that not only is it important to establish goals and set deadlines, but also to at least spend a little bit of time thinking through to the extent possible about the benefits that will accrue to the people responsible for the implementation. The more the career staff support these initiatives because they think it is a good idea, as opposed to just a required one, the better the results will be.

The third complexity is how to keep in place these improvements over time. I would suggest there are two important ways to make it more likely to stick.

The first is to continue what is already being pushed, publishing the data externally in the most public fashion as possible. If data is exposed to the public and external interest groups, then when the data becomes stale or disappears altogether, someone is likely to raise a public red flag.

The second is to make sure as much of the data is created and published automatically as part of the normal course of events. This is as opposed to having a staff person take data and manually manipulate it and create some kind of table. The reason is that over time if the data is created manually, eventually the staff creating the data will get reassigned to some higher priority project. This is particularly true when there is significant change in senior staff. If the system produces the data automatically then it will stay current and available.

What I see happening thus far at locations such as http://www.data.gov/ and as exemplified by the Open Government Directive, http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/, are very positive steps in increasing the interaction between Government agencies and their external stakeholders. It will be important to pay attention to the operational details to keep these projects moving forward.

Naturally I had more than two cents worth of thoughts about the issue and most likely my take was so orthogonal to what they were working on that it ended up being of marginal utility.

On the other hand, it gave me an excuse to think about the topic and allowed me to fill out another blog post. With Wyatt’s permission, the rest of the entry is what I sent to him in response to his request.

Thoughts On 2010 Technologies That Will Be Important to the Government, Pick 3-5

This is a pretty interesting question to answer.

Digital technologies are becoming integrated so tightly into almost everything that we do. Thus one’s answer depends to some extent as to who we are trying to answer for: the internal technologists, the operations managers, the CIO, or the people responsible for mission implementation.

In addition we are in a period of increasingly rapid and radical changes. Thus not only do we need to make a judgment about what technology might ‘win’, e.g. your thought of 4G Wireless winning out over WiMax, but also the impact of the technology; who could have predicted Apps for Democracy happening as a result of the increased capability and comfort level with 2.0 technologies.

Let me focus on those that will have the potential to cause dramatic change either in how Government relates to its external or internal stakeholders or manages itself. I will suggest four that I would pay attention to in 2010:

• Government 2.0
• Virtualization
• Real-time Security Situation Awareness
• Mobile Network Endpoints

 and one that I would start to pay attention to in 2010 but is just starting to reshape our approach to network and business architectures:

• Sensors.

The first two represent technologies whose 2010 importance are that they are moving from the edge of the art, or at least not as used by senior management, to mainstream.

Government 2.0 Where 2009 was a year where 2.0 technologies started to become used in general and where President Obama’s team pushing their use could be news, 2010 will be a year where every Government agency will be expected to have a robust 2.0 presence just to get to average. The culture changes needed to allow the exposure of increasing amounts of information, even in intermediate form, will take energy to overcome. But the result is extremely powerful allowing external interested parties to create mashups and produce much more interesting and often more user-friendly versions of the data which the Government might never have achieved.

This will also lead to greater use of 2.0 technologies to implement various versions of crowd sourcing. Where Intellipedia and Aspace are big news, internal wiki’s will become more second-nature. Pilots associated with prediction markets, using groups to predict things like project results or other public facing data, are starting to be piloted by early adopters.

Virtualization. In this case I am referring to virtualization computing resources, not virtual environments which I mention later. It is the maturing of virtualization of servers, still utilized by too few agencies, that has allowed the frenzy around cloud computing, with a dash of high-speed networking and ability to manage multi-tenancy on the servers also required.; though there is likely to be as much or more work done with private or community clouds than public usage in 2010.

This is a big tool for the going Green supporters as well.

Combine this with desktop virtualization and you start to get the incredibly big fight going on between desktop-client versus remote-client providers; the short-hand would be Microsoft vs Google. The implications are enormous in terms of technical architecture, application development, procurement, and security.

Real-time Security Situation Awareness. And speaking of security, I believe the big trend in 2010 will be away from static analysis focused on perimeter protection toward situational awareness used to enable mobile and distributed applications to run even while under attack.

This change underlies a lot of the ferment going on with how to rework the FISMA process.  It also ties back to the thought that it is increasingly necessary to prioritize security investments based on risk rather than trying to do everything everywhere; and thus nothing anywhere; moving from whack-a-mole security to a risk-based focus emphasizing availability and resiliency first.

For those interesting in a practical example, I would recommend looking at what the Department of State is doing in this space, which draws upon the Consensus Audit Guidelines (CAG) effort put together by John Gilligan and Alan Paller, which I had the honor of participating in.

Increasing Power of Mobile Network Endpoints. Cell phones, personal digital assistants (PDAs) continue to proliferate as their computing and communications capabilities increase and their interface to the Internet becomes increasingly robust and integrated.

Here also, three big arguments are being played out:

.   the previously mentioned desktop-client versus remote-client

.  commercialization versus standardization

.  data sharing versus data privacy

Each of these are being dealt with inconsistently across the Federal Government. Their resolution will result in winners and losers organizationally and commercially.

Sensors. While I don’t believe most Government agencies will necessary pay attention to this topic, in fact their increasing power and distribution may overwhelm all of the other suggestions. They bring about two broad changes when they become ubiquitous:

.  they become participants in the network – creating an Internet of Things

.  they allow the collection of real-time data which can then be processed in real-time

This latter change allows virtual environments to become increasingly comingled with physical environments, here virtual refers to environments as Second Life.  Smart cities which interact with their citizens, like San Francisco where it is possible in some places to find out the location of empty parking spaces on your cell phone as you drive around; or the NYU/Cornell experiment wiring some of the NYC rivers so you can check on status from the web including from your cell phone. Applications like layar which provides information about where you are based on web-provisioned information will in the future pick-up its information from the physical surroundings as everything becomes an IP address and/or twitter participant.

Secure SCADA – Dec 2009 a

The presentation consists of two parts.

Part I was prepared by me and talks about the economic basis associated with the impact of the Internet, wanders through a number of topics I like to kick around (‘from earth centered to sun centered to nothing centered and what that means for Enterprise Architecture’, my thought that everything is a cloud, …), and touches on what the Government is thinking about regarding security.

Part II is a subset of what Rus Records, a fellow CSC’er, prepared which provided some thoughts on the state of SCADA systems in the Chemical, Energy, and Natural Resources areas (what CSC refers to as CENR).

I hope to expand on a number of these topics in future blog entries.

My focus, as usual, will be on the strategic reasons behind the movement to SCADA. Oops, perhaps I should back up. SCADA is an abbreviation for Supervisory Control and Data Acquisition. It usually is used as a catch-all term dealing with computer controlled equipment or machinery (or plants or smart grids or, well you get the idea).

Many of these systems were controlled individually by locally provised systems and thus security, while relevant, wasn’t the most critical factor when designing such solutions. Now that many of these systems are managed over the Internet and an increasing percentage of what most would consider our/US economic critical infrastructure touches these systems, cyber issue have become a very hot topic.

So my presentation will focus on why this is happening and also touch a bit on some of the issues the Government is facing in this space. The second presenter from CSC is an industry expert in the utility, chemical and natural resource market and will provide some more detailed oversight and advice.

I adapted some of my past talks on this issue starting with my standard discussion about transaction cost economics and the internet and then push on to cloud computing.

I have started to try and generalize the concept of cloud computing and wanted to get some feedback from anyone who cared to give it regarding what I wrote up. This does NOT include the second part of the presentation which I mention above.

Dan’s SCADA Presentation

My thought is that in a sense every computer and in fact in a broader sense every aspect of an organization could be looked at as being part of a private, community, or public cloud. Your desktop could be considered a small, generally unoptimized private cloud for example.

For the purposes of this presentation, each ‘thing’ has a governance question relating to how decisions are made and a security question relating to how security is provisioned or at least who is responsible for the provisioning of it.

The purpose of this thought experiment ties back to my premise as to why cloud computing has taken off, transactional cost economics + some technological developments, and the difficulty in avoiding these implications.

The whole thing needs work but I think the direction I am heading is increasingly clear.  All feedback welcome either as comments to this post or as emails directly to me.

International Experiences with Integrated Services – United States

The conference has been very interesting. I have met a number of people supporting this effort who work for the Government, consultants associated with the project both from Brazil and other South American countries, and speakers from still other locations including a fellow panalist this morning from Korea who supported the Korean President for a number of years regarding their eGovernment effort and who spent the last three months in Paraguay working for the office of their president doing the same thing.

The power of the idea of eGovernment and its associated themes of empowerment and especially transparency are seemingly very strong everywhere.

At the same time, the issues are equally amazingly similar in each location. The biggest conclusions I draw are that it is very important to:

• have high level political support,
• well-defined goals plus if at all possible a credible supporting enterprise architecture, and
• a willingness to take small steps resulting in quick victories in support of the big rainbow in the sky that will occur when all this is implemented

That last point is the one that seems to be so often overlooked. People responsible for policy want to accomplish big results, which is a good thing. But if the first result is the big result often the end-point is a political investigation into why the whole project failed.

The other issue that has resonated with most people that I have talked to is the importance of exposing as much data as possible even when not in a final form, which is how I interpret one of Vivek Kundra’s big initiatives in the US. Allowing others to manipulate, create mash-ups and improve upon the data allows the government to have significant leverage in a time of tight funds.

The Rest of the Week

The next two days I will participate in meetings to talk in more detail about the current action plans and my associated advice.

The people here have all been extremely friendly. For those sessions or conversations which are not in English (and sessions which are not being translated on the fly into English), one or the other person will take their time to give me a rundown on the issues.

Around the Hotel

This evening I was tired so went to the hotel a bit before the final sessions concluded and then took a walk around the hotel including visiting a nearby shopping mall. I skipped past the McDonalds and Burger King, and of all things a Montana steakhouse, decided that ordering gourmet Chinese Food in Brasilia wasn’t a good idea, and instead ate at a place that seemed to have Brazilian food. I am not entirely sure what I ordered, but it tasted great.

Most important I found on the way back an open-air Shwarma restaurant a block away from the hotel. In the event that I end up on my own tomorrow night, I know how I will cap my time here. I hear that the best Shwarma in South America is in Brasilia (well, maybe I made that up).

Coming Home

So, I am scheduled to arrive at 6:30am Saturday morning at Dulles.

At approximately 3:15pm that afternoon, I and my younger daughter Tamar, get on a bus with a big group of Capitals fans and go up to Philadelphia to see the Ovechkin-less Capitals take on the Flyers, capping <bad choice of words I guess> my out-of-town Capitals hockey games.

I have a feeling that before and in particular afterwards on the way back from Philadelphia I might not be the life of the party on the bus regardless of the game result. No one call my house Sunday morning, please.