In his missive, Chaillan also singled out a part of military culture that features in both the US and the UK: the practice of appointing mid-ranking generalist officers to run specialist projects. “Please,” he implored, “stop putting a Major or Lt Col (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field — we are setting up critical infrastructure to fail.” The former chief software officer continued: “We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful? They do not know what to execute on or what to prioritize which leads to endless risk reduction efforts and diluted focus. IT is a highly skilled and trained job; staff it as such.”
Chaillan went on to complain that while he had managed to roll out DevSecOps practices within his corner of US DoD, his ability to achieve larger scale projects was being hampered by institutional inertia. “I told my leadership that I could have fixed Enterprise IT in 6 months if empowered,” he wrote. Among the USAF’s sins-according-to-Chaillan? The service is still using “outdated water-agile-fall acquisition principles to procure services and talent”, while he lamented the failure of the Joint All-Domain Command and Control (JADC2) to secure its required $20m funding in the USAF’s FY22 budget. He was also quite scathing about the USAF’s adoption — or lack thereof — of DevSecOps, the trendy name for efforts to make developers include security-related decisions at the same time as product-related decisions when writing new software. It appears the service wasn’t quite as open-minded as its overseers in the wider DoD.