Eric Rosenbach, Co-Director of the Belfer Center and Former Chief of Staff of the Pentagon, joins Cyber.RAR to talk about the major roadblocks facing innovation within the Department of Defense. Eric, Bethan, and Sophie dive into the challenges facing talent management in national security, overcoming the DoD's aversion to innovative risk-taking, and why the DoD still doesn't have central cloud computing.
Eric Rosenbach, Co-Director of the Belfer Center and Former Chief of Staff of the Pentagon, joins Cyber.RAR to talk about the major roadblocks facing innovation within the Department of Defense. Eric, Bethan, and Sophie dive into the challenges facing talent management in national security, overcoming the DoD's aversion to innovative risk-taking, and why the DoD still doesn't have central cloud computing.
Eric Rosenbach Bio: https://www.hks.harvard.edu/faculty/eric-rosenbach
https://www.dds.mil/about
https://www.defense.gov/News/News-Stories/Article/Article/2327021/diu-making-transformative-impact-five-years-in/
Eric
All right, you guys have fun in the RAR!
Sophie
Hi everyone. And welcome to Cyber.RAR a podcast by Harvard Kennedy school students. My name is Sophie
Bethan
And I'm Bethan.
Sophie
And today we're asking the following question: Why is it so hard to get innovative digital technologies like end-to-end cloud computing deployed in one of the most well funded organizations in government.
We're at a critical juncture. The DOD needs to increase investments in cyber infrastructure and capabilities as cyberspace expands as a core mission area. And yet the bureaucracy of cybersecurity in the US government can be so stifling that it creates more problems and risks than solutions. The department currently lacks many of the baseline capabilities to enable staff to do their day to day.
In this episode, we discuss how we got here and why the DOD needs to walk before it can run in the race to getting the best technology to our war fighters.
Bethan
We're really excited about our conversation today and our special guest for today's episode is Eric Rosenbach. Eric is the co-director of the Harvard Kennedy School's Belfer Center on Science and International Affairs and a Kennedy School public policy lecturer. Several of us have been in his class. He previously served as the Pentagon Chief of Staff from 2015 to 2017 and Assistant Secretary of Defense for Global Security, where he was responsible for leading all aspects of the department, cyber activities, and other key areas of defense policy.
In the private sector, Eric worked as the Chief Security Officer for a large European telecoms firm. He also led the cyber security practice of a global management consulting firm advising the execs of Fortune 500 companies on strategic risk mitigation strategies. Eric, thank you so much for joining us today and for your support of our Cyber.RAR podcast!
Eric
It's so nice to be here with the Cyber.RAR podcast. Thank you for having me.
Bethan
Yeah, absolutely. So we wanted to kick it off with a specific conversation about basic cyber infrastructure. There's been a lot of talk about the need for a central cloud environment in the DOD. In your opinion, what are the most fundamental enabling technologies that are currently lacking, like a central cloud environment, within the DOD structure?
Eric
Yeah, I think this is a very important question. And I would say there are three things that the department needs to work on as far as this goes. Um, the first, which you mentioned is a cloud-based environment and some cloud based technology. Second is the data itself. And then the third, I would like to talk a little bit about commercial satellite infrastructure capability. I think that's something to look to the future.
When you look at the department's cloud strategy and what it's done to move to the cloud over the past 15 years, it’s terrible. It's so sad. If you think about the Department of Defense, which claims to be one of the most innovative and operationally effective organizations in the world, still does not have a cloud-based capability and has been trying very hard. Compare that with CIA, which went to the cloud for its unclassified data almost 10 years ago with Amazon Web Services, AWS.
So there are a couple reasons why this has happened, almost all bureaucratic. It started with the fact that early on in the Department of Defense, the Defense Information Services Agency, essentially the DOD telecom, wanted to do this organically. So this is essentially the government saying we can run our own cloud hosted service provider, which they could not.
Bethan
We’re skeptical.
Eric
Yes, very skeptical. From that, when the decision was eventually made to have one approach and they contracted out, it was made by in retrospect, a very poor decision, the Defense Digital Service, an organization that I had a hand in standing up and running.
But this organization was so politically loaded that when it went through the RFP process and the original vendor won, in this case Amazon, it was contested and eventually the department had to pull it back. So the lesson learned here is one of the most important things in technology adoption and implementation, it’s not the technology itself – it's finding the right team to put it together, to get it out. And it's thinking really clearly about how a public sector organization, like the Department of Defense will work with the private sector. So just think about, this is the reality, if you work in the Department of Defense right now, your email barely works half the time. You don't have a cloud based account that's anywhere close to as functional as Gmail or some of the Microsoft offerings or others too. And that's just really sad when you have an IT budget of almost 50 billion that you can't do better than that seems ridiculous.
The second thing that I think is important is the data itself. You know, the cloud is good from an infrastructure perspective, but if the data that you want to use–and in this case, I'm talking about unclassified data, not secret or top secret–is often owned by defense contractors who run some of the services they provide for the department. Then you don't have the ability to put together big data and to aggregate it widely, which will lead then to a big shortfall in using AI for non sneaky, freaky applications, like the defense travel service or improving contracting or healthcare provision–things where AI right now could actually help and does in the normal world of the private sector. This is driven primarily by the fact that a lot of defense contractors know they can make more money if they keep hold of the data and they're not willing to do that.
Bethan
So holding the data hostage.
Eric
Yeah, essentially when they're doing the service provision, something in the contract will say, um, if the department wants access to the data, you have to pay extra or only work through that specific contractor, right. It's not like it would be in most places in the private sector, where it's more freely available, especially when you're the organization paying the service provider. Very strange the way that works out.
The third is increasingly the world is looking to commercial, satellite technology for internet connectivity. Here's the most perfect example. Look at what's happened in Ukraine and the fact that Elon Musk shipped 50 Starlink terminals there. And it's had a major role in why Zelensky and the Ukrainians have been able to withstand Russian cyber attacks.
The Department of Defense uses a lot of commercial, satellite technology and organic satellite technology because in the mission, you're going to crazy parts of the world. You can't be connected to fiber if you're on a ship or a plane or a tank in the middle of nowhere. But, you know, a little bit like the cloud based environment it has really fallen behind on that commercial satellite technology, which is the pipes to the people doing operations in the most important parts of the world.
And here's why it matters. Imagine we do have a conflict with the Chinese in the South China Sea or the Russians, God forbid somewhere, you know, on the Eastern front. The Chinese and the Russians know if you really wanna take down the US, just take out their satellite capabilities. And they likely won't be in contact with all of the things we do to use data, to fight wars and do operations too.
So those are the three things I think I’d look at if I were there today.
Bethan
I'm glad to hear that Elon Musk did something helpful as opposed to just offering to fight Putin and then acquire Twitter.
Eric
Yeah. Now he is in charge of Twitter. Watch out world!
Bethan
For the record, that transaction was announced yesterday, given that this podcast will be coming out later.
Your point about the disparity between the public and private sector, infrastructure, access and capabilities is really striking, particularly given that the vast majority of small businesses, right, mom and pop shops across the US use these cloud capabilities, Microsoft 365, Google Workspace, Azure. Then compare this with the news that the Army only announced in December 2021, that it was planning to switch to a Microsoft 365 platform. The goal was March 2022, but we've yet to see any news on that actually happening. So it's truly a stunning disparity.
Eric
And I think it's like this–security concerns of course, make it different when you're in the Department of Defense, but that has become so invasive that people don't realize they're posing more operational risk to the mission by looking at security so closely that they don't use modern technology, right. That I think is important.
Also, I know a lot of people, graduates from the Kennedy School who say I'm not working in the Pentagon anymore because I don't have functional IT. Like we can't use Slack. We can't actually have a Zoom meeting from the Pentagon, with someone at the Kennedy School without doing two hours of prep. Like that is not the world we should be living in right now, if we're trying to be a modern organization in the Department of Defense, right?
Bethan
Yeah wanting to recruit talent, right?
Eric
Yeah. People don’t wanna go work where you're like stuck using an old windows machine, you know, that seems like it has squirrels in the hard drive.
Sophie
That makes a lot of sense. I also think it's pretty interesting your point on data. One of the most striking stories that I read recently identified that the DOD actually owns the world's largest repository of disease and cancer related data because one of obviously our most important responsibilities is maintaining our service members' health data. And we go to great lengths to make sure that we do that carefully.
The issue is that all of that data is stored in physical tissue form within the DOD. But imagine the statistical richness of that data set, if it was digitized. Like the algorithms you could run on top of data like that, even data that exists, uh, within government.
So you were making the point that a lot of this data is siloed outside of government, but I think the lack of this kind of basic infrastructure plays on both sides. We have such rich data, even within the government that we're not leveraging fully because of these pretty fundamental inabilities to access tech.
Eric
Right. I think it's a great point. I did not know about the case that you highlighted, but I can imagine it's probably even more valuable than people might think because it's probably one of the most representative data sets, from a demographics perspective, that you could get in the United States, just knowing the makeup of the military, which I think also could be very helpful.
And that's one of those things where you would hope for an organization that's, you know, committed to keeping the country safe, that you'd be willing to share data like that so that the sum could be more than just the parts, I think. And I bet that's just the tip of the iceberg in terms of finding different data that would be available to help, you know, a lot of other people, not just the military itself, but you know, the broader public sphere too.
Bethan
Definitely goes back to our point about how you have to walk before we can run. Sure we're hiring a new AI director and doing all this interesting work. But at the end of the day, we still have so much data stored on physical tissue form and the potential there is limited, even if we hired the best private sector talent in AI.
Eric
Yeah. There's something that is really, you know, kind of odd that if you go into the top secret space and you're looking at special kinds of imagery, either from drones or overhead, certain type of data collected by the intelligence community. There the data flows much more freely, but that's not gonna help a lot of Americans aside from a pure security mission. And it does get more complicated when it is, you know, US person's data or someone who's in there too. But again, I think the department's probably a decade or two behind in terms of trying to figure out how to deal with data and put it on infrastructure that could actually help it run, you know, being much more modern.
Sophie
Definitely. So you kind of told us about how the military is operating on these outdated computer systems. And the DOD has spent many billions of dollars trying to modernize those systems while protecting classified information. As you mentioned earlier, we talked about how people love to call out the DOD for having an innovation problem, but we discussed how that's not really the fundamental challenge. The DOD actually has a technology adoption problem.
So we'd love to get your perspective. What do you think is the root of this problem? Why is it so hard to get digital technologies like an end-to-end cloud computing system into one of the most well funded organizations in government?
Eric
I think the most important thing is that there are a lot of very firmly entrenched defense contractors that quite frankly don't want there to be innovation in smaller organizations. There's a long history of bigger defense contractors acquiring small innovative firms all the time, not only so they don't have to compete with them, so they don't have to invest in R & D themselves. And I think that's a problem.
In terms of more basic IT infrastructure. Again, you know, if you're the person who's been running DOD networks or the Army network or the network of networks, why in the world would you want there to be a big contract with AWS or Microsoft? Right. They're new. They will work better. It's a new entrant. These are $10 billion contracts, right? There's a lot of money on the line.
The other thing is, you know, it is hard to draw up a good contract for service provision as opposed to stuff. The department is pretty good at, you know, knowing how to do contracts for building a ship or a plane. Although, definitely not, I shouldn't say pretty good. They're okay. It's a lot different for service provision and data, and you don't have a lot of people in there who have the expertise and you… The third point finally would be, there's just like no reward for someone who would take risk on that. Imagine the person who eventually made the decision to go for a new cloud contract in DOD. You know, which was a $10 billion contract. Only to have it then show up on the front page of the Washington Post. And why would you do that? There's more to the story there in terms of probably not running a clean process, but I think that does deter a lot of people from being more bold in terms of promoting technology adoption.
Sophie
Yeah. That's what happened with the JEDI contract sort of. By the time that those costly discussions had been had, the technology itself was obsolete. So Jedi stands for the Joint Enterprise Defense Infrastructure, which was the DOD’s bid to actually roll out one of these end-to-end cloud environments, but it's been delayed significantly for a number of years, and it hasn't really been able to come to fruition largely because of what Eric is telling us about the lack of appetite for risk.
But I wonder, Eric, you've pointed out that part of the reason that these things don't happen is because no one in DOD is willing to assume that risk. So how do you think that the DOD could go about creating more of a culture that encourages responsible risk taking?
Eric
Mmhmm, I think there have been successes where you pick specific projects that are of a more manageable size put together a small team, and then have them work on it in a way that it's kind of competing with the establishment. When Ash Carter was the Secretary of Defense, we established the Defense Digital Service, which did a number of very innovative things with the existing infrastructure, because they are empowered to take on the establishment. Those can be very successful.
That said, it was the same Defense Digital Service, and the leader at the time, who, because they had so much success and loved the spotlight and headlines so much, ended up dooming the JEDI contract. Because they kind of wanted to show how big and bold they had been and didn't run a good contract process. Also kind of put it in the face of some of the other people there. So when it comes down to it, usually it's something that's starting smaller then building up. And if you are gonna go big, you just have to be very aware of the fact that there are a lot of small P and big P political opponents to big change because we're talking billions of dollars–and in DC that incentivizes people to attack you–and think about the way to get that done. When it comes down to it, for me, this is about leadership and people being in jobs who are willing to change things within the environment they operate.
There are plenty of authorities and within existing law that would allow you to do this. You just have to know how to make it work and be willing to do it quietly without a lot of fanfare. The problem is, that there are not still a lot of people who are willing to go into the hardest jobs and DOD to make these things happen. And at the same time, not try to grab the spotlight that eventually dooms some of the projects they're working on. And I think DOD does have a little bit of an ego problem when it comes to this–they want to talk about fancy tech, they don't seem to really want to do the gritty work of getting it to the people who are fighting wars in the services in a way that really matters.
And it could, again, counterintuitively be the case that one of the ways you could really spur some innovation is by cutting the budget by a significant percent and telling them that they actually have to be scrappy and creative. There are a lot of places in the uniform services where if they don't have that much money, they end up with a better tech IT environment because they have to be creative and they don't have all this other stuff.
Bethan
So another important area that we've been thinking about both in this episode and podcast more broadly is about talent management and public private sector connectivity in regards to cyber. Even if the DOD does eventually get it right in terms of tech adoption and cyber infrastructure, we're still limited by talent. With so much cyber talent going into the private sector. How should the DOD be thinking about attracting and retaining a competitive or cyber workforce?
Eric
I think there are a few things. The first is that you again need to recognize there are some existing authorities that can be pretty effective to bringing people in for short durations of time, which is actually what you want.
You want to be able to attract someone who may have worked in the private sector in Google–to use the, you know, trite example, for example–come into DOD and work really hard for three years on really hard problems. And we've seen that there are a lot of people interested in doing that. They want to serve. They don't care if they take a big pay cut. They don't want to be there for life. However, I think not only DOD, but a lot of other government organizations need to take more advantage of that and do it on a regular basis, you know, but even in a huge organization of a couple million people, like the Department of Defense, if you bring in 100 or 200 new high end people every year, And you give them specific projects upon which to work, it can make a big difference.
Now there's something though that you need to be aware of that I have to admit, I think we may have underestimated when we stood up the Defense Digital Service, which is the model for the first thing I just mentioned, which is that there are a lot of very hard working smart people in the department who are career civil servants, who also want to do new and interesting stuff, but they don't get the training. They don't have the opportunity to learn and grow new skills. And that's something that I think all bureaucracies really need to work out. Because you can build your own talent. And it can come from unexpected places. You know, there, I think would be a great opportunity to improve the diversity of the IT workforce by looking to existing civil servants, kind of retraining them, upskilling them, you know, is the way that you hear about a lot too.
The other thing is just the hiring process. We see here at the Kennedy School all the time, how many talented grads want to go work in tech for the Department of Defense. And even if they get a fellowship, they still can't get into the department. It is maddening. It's so insane that the bureaucracy can't get out of its own way to get new people in the door. And I have to be honest again, that's a leadership issue. Senior people in government are focused on the policy issues, political issues. They don't spend enough time investing in the human capital of their organizations and you really have to do that.
Bethan
Yeah, that's a big issue for many of us around the table. We've all personally felt that and that really resonates as both graduate students and aspiring policy makers or public servants.
So, you know, we have been talking about getting private sector talent and through rotational fellowships, like the White House Fellowship or Presidential Innovation are some examples outside of the DOD. However, you've seen a tension between the private sector employees and, um, not wanting to work with the military.
So looking at the protests from Google employees in 2018 about Project Maven. For reference, Project Maven was a contract between Google and the DOD to use AI to analyze drone footage. And there was a lot of pushback from employees and the contract was canceled. So how should national security policy makers and DOD leadership think about maintaining trust and building better relationships with private companies who may get pushback from employees. At the end of the day you're right. Like people wanna serve. And is it a messaging problem that led to the protest of Project Maven and more generally the civ mil divide.
Eric
I'm not sure to be honest that the Department of Defense should be worrying about attracting Google employees who are opposed to Project Maven when the same Google employees are willing to work on contracts for the People's Liberation Army and their AI and helping prop up the great firewall of China and one of the biggest authoritarian dictatorships in the world.
So I know that makes me sound like some kind of defense hawk, but honestly, it's about a values thing. And if you work at a firm like that and you can't be honest enough with yourself to understand what your firm is doing to try to make money. And in a lot of ways, you know, even at the cost of Americans' privacy, then I'm not sure those are the people who are gonna go for public service anyway.
So maybe that is a messaging thing. But I would say also, I think some of that has dissipated over the past few years. In 2018, you know, 2016 is a little bit more, kind of like on showcase. But I think one of the things that has happened that has been helpful is people both outside the tech sector and in Silicon Valley have been a little more honest with recognizing that they have an important role to play making the world a better place and being a little more honest about some of their shortcomings. And I think that's kind of equalized, you know, think about some of the things that Facebook has done and continues to do to prop up dictatorships and human rights abusers, whether it's through WhatsApp or others. You know, you could go down the line. So I think it's a challenge for everyone in a democracy. And the more people in the private sector see they have an opportunity to help out and maybe come the better, but I'm not sure we should worry too much about the specific people who are never gonna come work in the Department of Defense.
Bethan
That's a very good point. We definitely wanna leverage your personal experience here and hear more about your insights from within the DOD. And so you were the chief of staff of the Pentagon, and we imagine you've seen some of the best and the worst of DOD technology. Can you share with us some moments or stories that stand out of both of the challenges and opportunities for tech advancement?
Eric
I think one of maybe the biggest failures that I saw when I was chief staff, when it comes to getting really important data for crucial issues, was when we had launched an initiative publicly. Ash Carter when he was the Secretary Defense publicly tasked the Defense Digital Service to improve the collection of data from the services on sexual harassment and sexual assaults in the military. This is a really big problem. In the military services, the number of women who are sexually harassed and sexually assaulted is about twice what it is in the normal population in the United States. And for a lot of reasons, including fear of retaliation, and unwillingness to come forward if you fear you won't get promoted, huge negative environment in the organizational culture about reporting these things. So the idea was why don't we task the Defense Digital Service to find an innovative way to collect this data in a more granular way that would give us more insight into the problem. And hopefully then change policies around this in a way that could protect more of the women from sexual harassment and sexual assault.
And unfortunately that I think is the only major project that they failed in. I have to admit I was, you know, involved with the project also, so probably some of that is on me for not driving it harder and making sure that they did that. But just think about how sad that is, that in an organization that's dedicated to teams, people watching out for each other, that we even, when the Secretary himself makes it a priority, can't collect the data we need on sexual assault in a way that would help us protect women who are vulnerable and have suffered through this too. That was really sad for me personally.
Bethan
Yeah, no, absolutely agree. It's a heavy topic. And one that continues, I think, to lead to this toxic culture for many service members who wanna serve their country, but are put in an organization that often doesn't have their safety and best interests in mind. So I think that's an example, a really powerful example of how data could have been leveraged to make a safer environment for the women and the men who wanna serve this country.
I feel like this conversation could have gone on for a lot longer, cause there were so many issues, but this has definitely given us a lot to think about. And we'll definitely be encountering these in all of our careers.
Eric
Thank you for what you're doing at the school, with the podcast, that you both want to go into public service too. It's all great. So let's hope your podcast inspires some people to make things a little bit better.
Background
Oh, it's very spicy. I like a lot. Yeah.
Sophie
Thanks for listening to Cyber.RAR a podcast by Harvard Kennedy School students. And a special thank you to Eric Rosenbach for joining us today to offer his insights.
This podcast was recorded on April 26th, 2022 and does not reflect the views of any institution or even our own after that day, as we're just students trying to navigate the murky area of cyber policy. Thanks for tuning in.