Can DevSecOps Undo DoD’s Broken Software Failures?

The Department of Defense (DoD) has been developing software intensive systems for the last thirty years. Only in the past decade has the Department openly recognized that these software intensive systems are critical to the future of U.S. National Security. DevSecOps, short for Development, Security, Operations, is one of the hottest commercial information technology (IT) trends. The DoD is now betting that DevSecOps will help the Military Services more rapidly deliver cutting edge Artificial Intelligence (AI) enabled applications to enhance combat operations.

So what is different about DevSecOps compared to traditional software development? Wikipedia defines DevOps as: “DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.” Because all software today must be deployed with some form of cybersecurity certification, DevOps has morphed to make cybersecurity a central component of all software development: “DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach.”

DoD DevSecOps

In practice DevSecOps (DSO) is a set of software development and cybersecurity tools used to continuously validate incrementally developed software added to a developing system baseline, generally on a bi-weekly or monthly iterative timeline. Using DSO tools and configuration control processes allows software development projects to integrate high quality software from many small teams, often geographically distributed, more rapidly and with continuing upgrades. In addition, DSO is usually set up to share reusable application code, often using shared-data, to enable the creation of new or enhanced capabilities for the intended users.

To date, DoD’s attempt to better integrate complex Systems-of-Systems (SoS) has been through Lead System Integrator (LSI) contracts set up to integrate previously independent systems into highly integrated warfare capabilities. This is primarily accomplished by sharing data, across software-controlled interfaces, to enable enhanced interdependent functions. More recently, partly as a result of a Congressional push against failed industry-led LSI efforts, Military Service System Centers have been leading LSI system integration efforts, but these have also resulted in long development timelines, cost overruns, and missed performance requirements.

The software component of complex SoS capabilities has now grown to become the dominant and controlling element of most DoD programs. This is evidenced by terms like software defined radio, big data analytics, autonomous flight control, artificial intelligence/machine learning, and cloud computing to include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Infrastructure as Code (IaC). That complex systems have become dominated by software isn’t a surprise. It’s the natural result of computer processing growth that has continued to follow Moore’s Law over the last half century.

The first integrated chip was built in 1962. By 1965, Gordon Moore, Director of research and development at Fairchild Semiconductor, had already predicted, in a famous Electronics Magazine article, the annual doubling of component density (including transistors, resistors, diodes, or capacitors) on integrated chips. Although modern chips are reaching law-of-physics limits, Moore’s Law has continued to successfully predict the growth of chip density. Based on this, it is currently predicted that by the year 2025 a thousand-dollar computer chip will be able to process more cycles than a human brain and more cycles than the human race by 2045. This has come to be known as the singularity, when machine growth becomes uncontrollable and may eventually dominate the human race.

IBM Q Quantum Computer

While classical computing continues its growth, revolutionary quantum computing technology is beginning to make progress by taking advantage of the strange properties of quantum mechanics. Today’s quantum computing is more about research than practical application, but has already given rise to Neven’s Law of Quantum Computing. Neven’s Law predicts that quantum computing will “doubly double” processing power over conventional computers, and lead to quantum supremacy (the ability to perform a task no classical computer can achieve). On October 23rd, 2019, the scientific journal Nature published an article detailing Google’s claims that, using their 54 bit quantum computer, they processed a task in 200 seconds that would take a classical computer 10,000 years. IBM refuted that claim by showing how, by restructuring the task, it could be done in two and a half days, thereby leaving the quest for quantum supremacy open. And on September 5th a Chinese physicist announced that they had a quantum computer, yet to be verified, that is one million times faster than Google’s quantum computer.

The necessary result of classical and quantum processing growth has been the growth in the size of computer programs, or software, because without software to direct compute cycles into needed functions, they are of no use. This has continued to challenge DoD’s LSI efforts that have, more often than not, failed to achieve the required SoS capabilities. More recently, government-led complex software LSI efforts have also failed to deliver needed capability on an acceptable cost, performance, and schedule program plan. That brings us back to industry’s, and now DoD’s, use of DevSecOps tools that are intended to transform the way software is successfully developed.

The good news is that the commercial growth in software tools, languages, and cloud computing has radically changed the landscape for software development. The bad news is that during this same software technology growth period, cybersecurity threats have advanced significantly, elevating the need for cybersecurity hardened software in all areas of human endeavor. By bringing together advanced software development tools in combination with cybersecurity tools, DevSecOps has recently matured to become an ideal way to develop and sustain software intensive systems.

Because these modern software development and cybersecurity tools have reached a level of sophistication unavailable in past software development projects, one could consider automated DSO tools, coupled with best practice development processes, to be the equivalent of an automated software Lead System Integrator. Fortunately, this automation has significantly reduced the need for traditional human intensive LSI management functions. Said another way, a robust DSO software development process can be thought of as an Automated System Integrator (ASI), thereby replacing much of the traditional human-intensive software development and documentation requirements with automation that enables rapid delivery of cybersecurity certified applications, and upgrades, in effective time sensitive cycles.

The net result is that DoD’s future cyber resilient warfare applications should be transitioned from government-led LSI, year-to-multi-year development cycles, into quarterly ASI development cycles, delivering applications and application upgrades that are cybersecurity certified with operator validated capabilities. DSO may provide the pathway for today’s IT intensive systems to better pace the rate of change in modern warfare, and help ensure that Military operators are delivered the time-sensitive capabilities they need to prevail on the battlefield!
