I used to do consulting with government accounts, and one of their recurring problems was they would hire some recent college grads and start trying to do trendy things without thinking them through.
The canceled Joint Enterprise Defense Infrastructure (JEDI) bid strikes me as one of those problems, because it was a $10 billion cloud bid that should be cheaper and safer to do on-premises than in the cloud.
Let me walk you through the logic.
Unlike large-scale efforts for the private sector, projects for the military have to take into account not only escalating state-level cyber attacks, but also attacks that most cloud providers aren’t set up to defend against and physical attacks, because, you know, the military. You typically need a hardened site — and not just hardened against weather and earthquakes, but hardened against sabotage and air- or ground-based tactical weapons.
In addition, due to this risk of physical attacks, a large-scale Defense Department single-cloud effort would put the related data centers at extremely high risk of being compromised or destroyed, not just damaging the JEDI part of the effort, but every single customer using that facility. In other words, a tactical strike on a data center would not just take down the Defense Department, but large swaths of both the public and private sectors using the same facility.
And enemy states, to make sure they take care of the typical multi-site redundancies, could decide to take out all of a cloud provider’s distributed but, from a military standpoint, poorly defended data centers to cripple the DOD with the added benefit of shutting down much of the country.
The class of projects at this scale should be defended as a critical asset with significant military resources that no cloud provider has. In a war, this move would make a significant civilian resource a legitimate military target, increasing the risk of economic damage over the loss of this DOD resource.
See more: Cloud Data Protection: Best Practices
The economies of scale for a large cloud provider allow a mid-sized company to gain cost advantages similar to a large enterprise. But the economies of scale for a large enterprise generally allow that enterprise to provide similar services internally for less, because they are going directly to the hardware/software sources and enjoy the same volume discounts that the cloud provider enjoys.
The estimated cost of the JEDI contract, $10 billion, was well above what the vast majority of enterprises could afford in an IT project, suggesting that for the government, which gets “most-favored nation” pricing as a matter of course, it would be cheaper, on top of being safer, to move this project on-premises rather than to a cloud provider.
And given that the government can typically buy power and fuel — due to the volumes the government consumes, its relationship with the utilities, and the ability to generate its power — the electricity to power the data center should be cheaper to the government as well.
In short, it should also be at least millions cheaper to make this an on-premises effort rather than a cloud effort.
Almost across the board, employees, particularly some younger employees, have been outspoken about not wanting their company to do government projects. It is not uncommon for employees to act out when they feel this way. Assuring none of these potentially disgruntled employees in these vast companies never gets access to confidential information that they intend to release would be nearly impossible for most large cloud providers. IBM, both because they have a greater focus on security and because they have served governments nearly since their inception, would be likely an exception.
Not everyone is vocal about their anti-government rules, and people move between the cloud providers. They could also act out if they see this could end up at another cloud provider and be motivated to breach the DoD repository.
Wrapping up: A DoD Cloud Contract Doesn’t Make Sense at This Scale
When you take on a large-scale military project, it comes with many risks: economic, physical, civil, criminal, and political. A breach can not only result in criminal charges, but massive political fallout, and collateral damage could exceed the cloud provider’s ability to recover.
Cloud providers aren’t adequately defended against potential military attacks. At the very least, you’d need a super-secure perimeter and ground-to-air defenses to defend against aircraft at every data center in use and at the control hubs, which is impractical for a typical cloud provider. The employees working on the project would need military-grade background checks and monitoring to ensure they aren’t coerced into helping with a breach.
Finally, this approach makes no economic sense, because, at $10 billion, the DoD should be able to get systems for as little or less than what a significant cloud provider could get. They could uniquely ensure this advantage with their “most-favored nation” requirement that assures they get an equal to or lesser price to the cloud provider. And the DoD is capable of building or commissioning custom hardware at scale to the cloud providers.
At this scale, the project would be a target a cloud vendor can’t adequately defend physically. It would likely cost significantly more than an on-premises solution, and the risk of being compromised by an inside attack is higher. I get the cloud is trendy, but, in this case, it doesn’t seem to make economic sense.