[HN Gopher] US Air Force chief software officer quits
___________________________________________________________________
US Air Force chief software officer quits
Author : Ziggy_Zaggy
Score : 112 points
Date : 2021-09-03 19:33 UTC (3 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| chrisseaton wrote:
| > IT is a highly skilled and trained job; staff it as such
|
| I don't think it's highly trained at all!
|
| What kind of training do major tech companies do? I've never done
| any in my career, outside my degrees, and not everyone does that
| even! Is that unusual?
|
| Contrast that with the military, which is obsessive about
| training and invests a huge amount of time and effort into it
| throughout your entire career.
|
| So who are we taking lessons from here?
| akvadrako wrote:
| The training is just doing the job; it isn't something you can
| learn in school.
| chrisseaton wrote:
| If training is just doing the job, then we can describe all
| jobs as highly trained, so what does the phrase even mean?
| a3n wrote:
| In context, it means that the people being put in charge,
| the "majors and lt colonels," have never done the job, so
| they're unqualified, no matter how smart and dedicated.
| spaetzleesser wrote:
| I think it meant "highly skilled and requiring lots of
| training".
| mikewarot wrote:
| It was a bad word choice, I'll agree. Our training is on the
| job, mostly. I'd bet most of us know many different layers of
| abstraction, and ways to just get stuff done, that would take
| years to teach formally, if it could be taught.
| Sevii wrote:
| I've done a lot of paid training as an IT employee. Studying
| for a Cassandra certification, getting the Kubernetes Admin
| certification, regular redundant OWASP security trainings.
| Export restriction trainings. There were a lot more that I
| didn't take. We basically had our own Khan Academy worth of
| trainings you could take at my last job.
| chrisseaton wrote:
| Imagine if when we promoted developers from juniors to
| seniors they were taken off their project and sent on a six-
| month residential retreat to focus exclusively on their own
| professional and personal development. That's the kind of
| approach to training the military has - beats some online
| course and corporate certs!
| spaetzleesser wrote:
| I always get jealous when managers at my company constantly
| go to trainings or are assigned to different roles to add
| skills. There really is a system for developing managers.
| That's opposed to developers who are basically asked to
| stagnate and stay where they are.
| indigochill wrote:
| You should probably sort that out with your current
| employer or find a new one.
|
| Mine provides open access to a ton of online resources as
| well as maintaining a regular budget for developer-
| initiated things like going to conferences/seminars or
| buying books. It's actually rare that the training budget
| gets fully spent, but on the other hand I've never had a
| request turned down.
|
| For a while, my employer was even footing my college bill
| when I decided to go back for my MS. That one came with a
| contract to stay on longer to "pay" them back, but that
| was fine because I had no plans to leave.
| dragontamer wrote:
| https://www.linkedin.com/pulse/time-say-goodbye-nicolas-m-ch...
|
| This LinkedIn post seems way more... balanced... than
| TheRegister.com implied.
| 2OEH8eoCRo0 wrote:
| > _I realize more clearly than ever before that, in 20 years
| from now, our children, both in the United States' and our
| Allies', will have no chance competing in a world where China
| has the drastic advantage of population over the US. If the US
| can't match the booming, hardworking population in China, then
| we have to win by being smarter, more efficient, and forward-
| leaning through agility, rapid prototyping and innovation. We
| have to be ahead and lead. We can't afford to be behind._
|
| > _While we wasted time in bureaucracy, our adversaries moved
| further ahead._
|
| Zoinks! This matches my experience working in defense and is
| one of my biggest fears.
|
| > _I am becoming "technology stale"._
|
| > _The DoD is still using outdated water-agile-fall acquisition
| principles to procure services and talent_
|
| So glad that I left the industry. It's infuriating too because
| it's not a matter of if, but when. When the US faces a
| determined and modern adversary, the ones paying the price will
| be the men and women who serve in the military. It won't be the
| Pentagon brass or defense CEOs paying. This shit keeps me up at
| night. Worst of all the government has known it's a problem for
| decades if you read the Defense Innovation Board reports.
|
| https://media.defense.gov/2019/May/01/2002126691/-1/-1/0/SWA...
|
| > _Nothing is changing: most of this has been said before and
| the 1987 DSB report on military software pretty much says it
| all. What is it going to take to actually do something?_
| trhway wrote:
| >If the US can't match the booming, hardworking population in
| China, then we have to win by being smarter, more efficient,
| and forward-leaning
|
| one of the most efficient ways to balance the scales is by
| taking away that smartest and hardworking top of the
| population through immigration.
| toomuchtodo wrote:
| So they can toil for Orgs with too many chiefs at the top?
| Better to toil in China where there is respect for STEM,
| engineering, etc.
| kube-system wrote:
| People do immigrate and work in the US, despite how much
| of a PITA it is to do so.
|
| https://en.wikipedia.org/wiki/Immigration_by_country#/media/...
| platz wrote:
| c.f. the argument put forward in "One Billion Americans" by
| Matthew Yglesias
| AndrewKemendo wrote:
| I'm honestly surprised this is on HN, but it's good that it is.
|
| I worked with Nic on and off for almost his entire tenure while I
| was CTO for Kessel Run and I can state with full confidence that
| this is at best him mis-representing his importance and the
| problems with the DoD IT; and at worst this is his attempt to
| spin his being fired (or being asked to resign ala Nixon) by the
| incoming Secretary (timing here is not just a coincidence).
|
| A couple of core points, that are important to keep in mind that
| have nothing to do with Nic's character, integrity, communication
| style or technical capabilities (which is a separate and
| important topic but not suitable for this public forum IMO):
|
| - The CSO position was made up by him, it's not related to any
| GSA Schedule and it had about the kind of charter you would
| expect for the position: Namely ill-defined and loosely
| empowered.
|
| - There was no office of the CSO in the sense that it was not
| congressionally funded, had no budget, no personnel and no real
| authority for writing, implementing policy or actually doing
| engineering.
|
| - Nic never held a clearance, and as a result was never actually
| involved or aware of most of the programs that he intended to
| impact
|
| - His primary mission seemed to be to push any organization that
| was developing software for the USAF to immediately adopt
| microservices architectures, containers/kubernetes and a couple
| of very specific "DevSecOps" practices - and specifically to the
| specifications that he approved/suggested. Make of that what you
| will.
|
| That said, a lot of what he says is true and IT/network
| infrastructure, development and test etc... in the DoD is far
| from modern and in some places completely broken. Other places,
| where it matters a lot it's like nothing you've ever seen or will
| likely see in the commercial sector for decades.
|
| Bottom line, I suggest taking this tirade with an EXTREME amount
| of salt.
| ryanmarsh wrote:
| _Other places, where it matters a lot it's like nothing you've
| ever seen or will likely see in the commercial sector for
| decades._
|
| It's weird how the federal govt is like this across the board.
| Most things are "fine" being held together with bubblegum and
| duct tape. Some things matter a lot though, and when they do
| you get to see really smart people apply themselves in ways
| that are cooler than the movies.
| enkid wrote:
| The idea that he could fix Air Force IT in 6 months if
| empowered seems absolutely ridiculous given the size of the
| organization. What do you think the US gov needs to change to
| get better at it?
| ElijahLynn wrote:
| I encourage you to leave this comment on the article itself on
| The Register since you already made it public here.
| phkahler wrote:
| >> Other places, where it matters a lot it's like nothing
| you've ever seen or will likely see in the commercial sector
| for decades.
|
| That's something I'd really like to see. How does that kind of
| difference come about? My guess is that it requires a certain
| degree of funding and commitment that may be impossible in
| Wall Street companies. But what else does it take for an
| organization to get there?
| Ziggy_Zaggy wrote:
| This is a very insightful and contrasting response.
|
| Do you have any other articles/materials that we can reference
| for additional information related to this topic?
| GartzenDeHaes wrote:
| Fun fact about the USAF: pilots are selected based on personnel's
| assessment of a cadet's probability of making general officer.
| Aptitude for flying and piloting ability have nothing to do with
| the assessment, which occurs before pilot training. As a result,
| many Air Force pilots are awful pilots, but they are world class
| ass kissers and social climbers.
| bodhiandphysics wrote:
| Fun fact... this is completely false!
| tablespoon wrote:
| Yeah, it doesn't pass the smell test. I wouldn't be surprised
| if both piloting skill _and_ advancement potential were
| requirements, though.
|
| It's sort of like people who are both awesome software
| developers and good managers. Those qualities often do not
| overlap, but they do sometimes. If you can afford to be
| selective enough (which is rare), you can check both boxes
| for everyone you hire.
| bodhiandphysics wrote:
| That is in fact what the Air Force does. It uses a numerical
| rating based on a) an exam of pilot related skills, b) a
| general knowledge exam, c) number of hours piloting you
| already have
| alarge wrote:
| I'll take a slightly more nuanced position than a peer poster
| and say this is "mostly wrong" and somewhat backwards.
|
| (I've been out of this area for a few years, so my perspective
| might be a little dated, but I doubt it has changed that much)
|
| Pilots aren't simply "selected". You have to get through
| multiple gates to become a pilot in the USAF. Most of those
| gates involve demonstrating some degree of devotion and/or
| skill at flying (for example, having a private pilot's license
| before competing for a pilot slot is a really good idea).
|
| Having said this, pilots for the most part either end up in
| combat roles (e.g., fighters, etc.) or in leadership roles (as
| in, you have a whole crew for which you are responsible).
| Furthermore, pilots are officers and all officers are expected
| to be effective leaders. So sure, leadership qualities are one
| of the things you look for - because you look for them in _all_
| your officer candidates. Now, you may not agree with the
| personality traits identified as leadership traits. In general,
| it is true that the military tends to favor personality traits
| over management skills (the argument being that management
| skills can be learned, but some innate personality traits
| cannot). They judge that things like "likeability" and
| "ability to get others to trust and follow you" matter.
|
| And here comes the backwards part. General officers are
| selected for their perceived ability to understand the mission
| of the USAF and move it forwards. This requires leadership
| skills and so is biased towards those with those skills. But
| there is also a general belief that the people who have most
| directly been involved in executing that mission are the people
| who are best positioned to lead that mission. In this case,
| being a "rated" officer (this used to be
| pilot/navigator/missile launch officer, but now seems to
| include a couple of other designations) actually dramatically
| improves your chances to make O6+ (Colonel -> 4-star General).
| So it isn't that you are selected to be a pilot because they
| think you'd be a good General - they think you'd be a good
| General because you've been a pilot.
|
| A final note - while all officer candidates are selected based
| on leadership skills, there are other factors that are also
| considered. For example, if you are competing for a technical
| slot, having a STEM degree is generally a requirement. But
| traditionally, the rated slots didn't have any particular
| educational requirements (other than a 4-year university
| degree). As a result, pilot candidates generally just have two
| things in common:
|
| * Those personality traits
| * A demonstrated commitment to become a pilot
|
| Given this, I can see why the original comment was made. But to
| actually _become_ a pilot, you have to demonstrate the ability
| to fly. The training is both rigorous and very expensive, and
| I'd seriously doubt they'd keep the system as is if it routinely
| produced "awful" pilots.
| mikewarot wrote:
| >My office still has no billet and no funding, this year and the
| next.
|
| From his LinkedIn post... this really is the crux of the
| matter... they want to whitewash security, not actually implement
| it.
| RobRivera wrote:
| probably to make more money
| evilos wrote:
| Sidenote, he lists "Push over-the-air software updates to weapon
| systems (U-2) while flying the jet" in his list of
| accomplishments. Is this what it sounds like? It sounds like a
| terrible idea.
| nonameiguess wrote:
| Two notes on this:
|
| 1) If the military gets it right with anything, it's
| encryption. This isn't connecting to the aircraft over the
| Internet using Verisign PKI. You're not gonna man-in-the-middle
| inject your own code into the update. The only attack vector is
| the software supply chain itself, but that is already an attack
| vector regardless of how the software gets loaded.
|
| 2) Part of the purpose of being able to do something like this
| is to push new software capabilities to platforms that can't be
| brought back to manually do it at all, like satellites in
| orbit. A software update that doesn't require you to launch a
| new rocket into space can save billions.
| wolverine876 wrote:
| > If the military gets it right with anything, it's
| encryption. This isn't connecting to the aircraft over the
| Internet using Verisign PKI. You're not gonna man-in-the-
| middle inject your own code into the update. The only attack
| vector is the software supply chain ...
|
| What gives you this confidence?
| cryptonector wrote:
| I second this question.
|
| Developers who know how to do this are relatively scarce.
| The military almost certainly does not have enough of them.
| tablespoon wrote:
| >>> If the military gets it right with anything, it's
| encryption.
|
| > Developers who know how to do this are relatively
| scarce. The military almost certainly does not have
| enough of them.
|
| FYI: the NSA is part of the DoD. They most certainly have
| plenty of people who know how to do encryption properly,
| and securing military communications is also part of
| their job.
|
| https://en.wikipedia.org/wiki/National_Security_Agency:
|
| > The National Security Agency (NSA) is a national-level
| intelligence agency of the United States Department of
| Defense... The NSA is also tasked with the protection of
| U.S. communications networks and information systems.
| markdjacobsen wrote:
| See https://www.c4isrnet.com/air/2020/10/09/the-air-force-update...
| ethbr0 wrote:
| U-2s are surveillance platforms. Hint: look at the letter.
|
| He means the initiative to provide in-air updating of the
| surveillance payload in response to tasking. Probably ELINT-
| related.
|
| _Edit:_ He's probably talking about this
| https://mobile.twitter.com/WILLROP3R/status/1318161379304591...
| and this
| https://www.thedrive.com/the-war-zone/38162/u-2-spy-plane-ta...
| panzagl wrote:
| 'Weapon System' is acquisition speak for a project of a certain
| size that has to go through certain processes involving design,
| funding, acceptance, etc. Whether it is actually intended to
| harm someone is somewhat orthogonal to the designation.
| chrisseaton wrote:
| If you're watching a target, and it's going to be gone in a few
| hours, and the plane is already in the air, and you want to run
| a program to run the sensors in a certain way to get what you
| need, makes sense to me.
| nonameiguess wrote:
| I feel Nic's pain. Here is the original article about the talk he
| gave before leaving:
| https://www.airforcemag.com/air-force-leadership-chief-softw...
|
| > One of Chaillan's main concerns is incorporating security into
| software development, a practice known among IT professionals as
| DevSecOps. With a lack of basic IT infrastructure, implementing
| DevSecOps has proven difficult, he said. What's more, there has
| been some resistance among those used to the more traditional
| approach of considering security after development and
| operations.
|
| I currently work on Platform One, as a contractor from a vendor
| brought on as an expert consultant for Kubernetes, but have ended
| up on a product team doing mostly Python development but really a
| bit of everything just because there is so little expertise among
| the actual Air Force personnel and no infrastructure set up
| whatsoever in terms of process for requesting and getting
| resources. We're standing up basically everything ourselves from
| scratch. The mandate was basically "we have a critical need for a
| new capability. Here is an AWS account and five developers, so
| make it happen." That's it. So everything from standing up CI/CD
| pipelines, to building out a cluster, to configuring storage and
| networking, to writing and testing the application code, to
| maintaining environments and deployments, is falling on us, with
| no support.
|
| I'm not going to say what the product is for reasons of OPSEC,
| but it is inherently a product that has extremely high security
| needs. Yet in the rush to be able to tell some high-ranking
| people we have put an "MVP" in production, we've skimped in every
| which way it is possible to skimp. I am aware of so many holes in
| the system, but Air Force pen testers didn't find them, so our
| product manager is being pushed to go forward and we'll worry
| about security later.
|
| To my mind, this is absolutely unacceptable for a critical
| defense system, but nobody is asking my opinion. Supposedly, we
| keep being told we'll lose funding and get the plug pulled if we
| don't hit some important milestone at some exact date. By being
| "agile," we can deliver a broken, insecure "MVP" and "iterate" on
| it until we have a real product that actually meets its
| requirements.
|
| You can't do this crap with defense systems. This isn't Etsy.
| Deploying broken shit has far different implications than when
| all the exemplars from the DevOps Handbook do it in order to find
| all their bugs in prod and turn their users into beta testers.
| wolverine876 wrote:
| That sounds disturbing. However, that is how the military has
| done things in other domains for generations, and probably
| forever.
|
| Remember that the term SNAFU came from the military; watch some
| WWII through Vietnam depictions of it: Before the modern era of
| its glorification, the US military was synonymous with absurd,
| screwed-up systems and policies that the soldiers overcame with
| chewing gum, duct tape, initiative and a sense of humor. (Some
| say the reputational change is due to the shift from the draft,
| which caused a wide segment of the population to be familiar
| with the military, to volunteer professional personnel, which
| results in most people having no clue about it.)
|
| I'm not saying it's a good thing or that it shouldn't be
| improved, but the military (and every large institution) have
| always had a lot of that crap. I remember a Marine officer
| telling me to never fly in one of their tilt-rotor
| aircraft unless I see a lot of hydraulic fluid on the ground -
| because if I don't, then it's out of hydraulic fluid. As they
| explained, they go to war with - their lives depend on - tools
| made by the lowest bidder.
| eitally wrote:
| I would wager that Etsy (and most big cloud-native unicorns)
| probably has far, far, far superior infra, SW & ops in place
| than just about any gov agency... and the ones that don't
| (Zoom) get called out and are forced to fix it.
| stult wrote:
| I can echo these concerns having been a contractor working on
| applications in more than one of the DoD cloud platforms,
| including CloudOne (a subset of PlatformOne, for readers not
| familiar with the flurry of DoD cloud offerings that have
| sprung up over the last few years). I recently changed jobs in
| no small part because of the massive incompetence on the USAF
| side. It's really quite stunning. My entire schedule was eaten
| up by unnecessary meetings where wholly unqualified USAF
| officers (current and retired) in PM or similar roles would
| pontificate endlessly about just absolute nonsense concerns.
| Like hours of arguing about how to label a button on a form.
| Constant bike shedding. No users involved meaningfully in the
| feedback cycle. And I swear all these old USAF guys just
| straight up hate their users. They will suggest the most user-
| abusing possible design because they think their users are
| stupid and need 10000 confirmation dialogs to avoid making
| mistakes.
|
| And on the legacy non-cloud side of things... it's a horror
| show. No CI/CD. No testing (a lot of my job was bolting awkward
| test harnesses on to existing legacy software to compensate).
| Inconsistent and ever changing project management systems (they
| switched from TFS to Jama to Azure DevOps to Jama again and
| then when I left were talking about moving to JIRA). Our
| cocontractors were insanely unqualified. They were really proud
| of how cutting edge they were for adopting git for VCS. In
| 2019. It's crazy how bad all of this software is, but at least
| it wasn't on some internet connected server before.
| jrochkind1 wrote:
| > Among the USAF's sins-according-to-Chaillan? The service is
| still using "outdated water-agile-fall acquisition principles to
| procure services and talent",
|
| Wait, what?
| dragontamer wrote:
| The full paragraph reads:
|
| > The DoD is still using outdated water-agile-fall acquisition
| principles to procure services and talent instead of leveraging
| "Capacity of work" agile contracts to staff teams. Improving
| acquisition ensures teams have the ability to groom their
| backlog and move at the pace of relevance. Only Platform One,
| and teams like Kessel Run, are truly end-to-end agile, from
| what I have seen to-date.
|
| I don't know what "water-agile-fall" is exactly, but he's
| probably talking about some terms in the Air Force. Maybe he
| means that the waterfall model still exists, and a bunch of
| people are trying (unsuccessfully) to convert to agile. But
| he's only seen Agile properly happen in a minority of projects.
| jrochkind1 wrote:
| that is somewhat clarifying! Still trying to wrap my head
| around "to procure service and talent" with regard to
| agile/waterfall.
| markdjacobsen wrote:
| HN has two threads on this now. I just replied on the other but
| will copy here:
|
| I can't speak for Chaillan, but as a military member who led an
| agile software development team similar to his during the same
| timeframe, I think he's referring to DoD's fondness for
| buzzwords.
|
| Because "agile" is the new hotness, every DoD office and vendor
| tries to slap the language of agile onto a waterfall model. See
| this wonderful report from the Defense Innovation Board on
| "Detecting Agile BS":
| https://media.defense.gov/2018/Oct/09/2002049591/-1/-1/0/DIB...
| Ziggy_Zaggy wrote:
| Do you mind linking the other HN thread?
| markdjacobsen wrote:
| Other thread: https://news.ycombinator.com/item?id=28407219
| Ziggy_Zaggy wrote:
| Much appreciated.
| bink wrote:
| I presume he means they're claiming to be agile while really
| continuing to use a waterfall process for deploying software.
| They create specs, hire a vendor, do regular reviews before
| testing, approvals, deployment, provide specs for changes, pay
| for those changes, test, approvals, deploy, and then repeat.
| nonameiguess wrote:
| It's not explained, but I know exactly what he means. We
| mandate that development teams and integrated product teams
| have to use agile methods, but the procurement process itself
| is inherently not agile. Contracts come with fixed dollar
| amounts, milestone delivery dates, and requirements that need
| at least signoff from senior agency officials to change and
| possibly acts of Congress. Further, the way your "customer" is
| always an acquisition office rather than actual users of your
| system, developers can't receive, solicit, or respond to direct
| feedback from users, which is a pretty basic core tenet of
| agile development, without which it's hard to see how it can
| ever work.
| ethbr0 wrote:
| This. If you want to read more into the precise ordering of
| the neologism, it's agile sandwiched in the middle of
| waterfall.
|
| Which is to say, the upstream and downstream didn't change
| how they do things at all, and somehow developers acting
| differently is supposed to convert everything to agile.
|
| Or to put it another way, this is what you get when you tell
| everyone they need to "do agile" without actually retraining
| people on what that means and update processes to enable it.
|
| Source: experience with healthcare "agile" and "sprints"
| AnimalMuppet wrote:
| Stronger: Somehow developers acting differently _without
| the inputs that agile processes require_ is supposed to
| convert everything to agile. And somehow it never does...
| panzagl wrote:
| In practice most contractors end up hiring a bunch of
| former users to act as stand-ins for the real operators.
| These former users then get to engage in continual
| pissing matches with the acquisition office over how
| things really get done. Hilarity ensues.
| tablespoon wrote:
| > Which is to say, the upstream and downstream didn't
| change how they do things at all, and somehow developers
| acting differently is supposed to convert everything to
| agile.
|
| Sounds like my corner of the private sector.
___________________________________________________________________
(page generated 2021-09-03 23:02 UTC)