America’s first federal chief information security officer (CISO) says he is “very uncomfortable” with the Defense Department’s (DoD) proposed cloud computing network, citing concerns that the contract would create greater risks by consolidating DoD’s cybersecurity assets in one place.
DoD’s Joint Enterprise Defense Infrastructure (JEDI) cloud has sparked lasting controversy over who will win the project’s 10-year, $10 billion contract. The project is currently being reviewed by both the defense secretary and the Pentagon’s watchdog component.
“It makes me very uncomfortable,” Greg Touhill said when asked about JEDI during an exclusive interview with GovLoop on Thursday during the 10th Annual Billington Cybersecurity Conference. “In the military, we were taught to disperse assets leveraging the lessons learned from Pearl Harbor and other attacks,” said Touhill, who is also a retired Air Force officer. “By consolidating assets in the cyber realm as opposed to dispersing them, it changes the risk calculus.”
Japan attacked the U.S. naval base at Pearl Harbor in 1941, leading America to formally enter World War II.
Touhill added that he considers the widespread prevalence of hybrid clouds noteworthy as DoD seeks to launch JEDI. Hybrid clouds mix on-premise, private cloud services with publicly-accessible environments offered by third-party vendors.
“The reality of the world today is we’re already in a hybrid cloud environment,” Touhill said. “I think the DoD is as well.”
DoD initially imagined JEDI hosting all its applications, data and services to help maintain America’s military advantage over its adversaries. The process to create JEDI, however, unexpectedly froze in August 2019 following fierce public debate over whether DoD should use one or more vendors for the cloud.
DoD announced a request for proposal (RFP) for JEDI in 2018, quickly attracting attention from some of the world’s largest technology companies. RFPs are documents that agencies open to procuring products or services use to solicit business proposals for them, often through a bidding process involving potential suppliers.
After DoD published JEDI’s RFP, for instance, Amazon Web Services (AWS), IBM, Oracle and Microsoft all voiced interest in the project. Google, meanwhile, declined to participate in JEDI’s RFP process as it felt the initiative could compromise its corporate values.
In 2018, Oracle accused DoD of favoring AWS by asking for a single cloud vendor before JEDI bids were due. Oracle also suggested that a DoD employee who worked on JEDI during the procurement process was biased towards AWS, having previously worked there.
Although the Government Accountability Office (GAO) ultimately rejected Oracle’s arguments, the company took them to the U.S. Court of Federal Claims instead. Although the Court handles federal contract claims, DoD selected AWS and Microsoft as finalists for JEDI in April 2019. A federal judge then shot down Oracle’s claims in July 2019, seemingly freeing DoD to award one of the most expensive federal IT procurements in history.
At that moment, though, President Trump caught wind of the JEDI saga following what he labeled “tremendous complaints” about AWS and the project’s bidding process. Trump then vowed in July 2019 that DoD would look “very closely” at JEDI, leading Defense Secretary Mark Esper to declare he would review the project the following month.
Later in August 2019, Chief Information Officer (CIO) Dana Deasy revealed that DoD would not be awarding a JEDI contract that month as previously promised. The Pentagon Inspector General (IG), meanwhile, announced in August 2019 that it would examine major sections of JEDI’s acquisition process, including its RFP and potential conflicts of interest.
Touhill became the nation’s first federal CISO in 2016, stepping down in 2017 as former President Barack Obama’s administration finished transitioning into Trump’s.
Remarks from cybersecurity leaders such as Touhill suggest that JEDI will continue inspiring spirited discussion until the project’s future becomes certain.