The US experience of delivering high-side cloud services, capability procurement, and provisioning has not been smooth sailing and cannot be replicated like-for-like anywhere else in the world.
Whereas in the past, classified information and workloads were almost exclusively run on-premise, in 2023 there is a rapid transition underway to public cloud providers to host classified material and deliver commercial cloud capabilities at all classification levels.
The key program in this regard is the multi-vendor, multi-cloud Joint Warfighting Cloud Capability (JWCC) program currently underway in the US. Awarded in 2022, the JWCC contract is a $9 billion initiative involving AWS, Microsoft, Google, and Oracle and is designed to provide the Department of Defense (DoD) and military services “with enterprise-wide, globally available cloud services across all security domains and classification levels, from the strategic level to the tactical edge.”
Since the JWCCs inception, one of its key issues has been complexity. Multi-vendor, multi-cloud rationalization across each DoD component has created inevitable confusion around if or how users are meant to — or mandated to — use JWCC versus their own existing cloud options.
On August 2nd, the Pentagon issued a new memo about the JWCC program to provide some clarity on this matter.
The memo aims to establish guidelines around how the US Defense Department and military branches should leverage the JWCC ‘to the greatest extent possible’, basically stating the JWCC contract should be utilised as the primary choice for cloud services and procurement with existing cloud contracts to transition to JWCC upon their expiration.
However, using the JWCC won’t be mandatory with the memo also noting that users can still leverage other cloud capabilities and procurement vehicles.
Importantly, it also says users can utilize on-premise cloud offerings (such as Stratus) where applicable. This point is pertinent as it highlights that not all workloads are suitable for the public cloud. Where security, control, and bandwidth are an issue, maintaining private cloud services need to remain a core part of the overarching cloud strategy.
While the memo helps identify how the cloud will be used in the DoD, it also has the effect of reinforcing how extraordinarily complex an undertaking the JWCC is. Hybrid cloud environments are here to stay, but there is no clear strategy on how to make private and public environments interoperable and how they plan to manage their complexity. Multi-cloud is the future in the US but multiple cloud vendors have different motives and technologies and are all competing to provide a larger slice of capability. Combine that with the complexity of existing, legacy cloud environments, third-party capabilities and resellers, and entrenched investment within the DoD, successfully rationalizing cloud services, capability, and procurement is going to be a compatibility and complexity nightmare.
It may be for these reasons that the United Kingdom and Australia are pursuing, at least publicly, what appears to be largely single vendor-led solutions for their Top Secret cloud environments. In the UK, it was announced in 2021 that GCHQ, the UK’s signal intelligence agency, would be leading the procurement of Top Secret cloud services from AWS to enable cloud use across the intelligence community, including MI5 and MI6 as well as the Department of Defence for joint operations.
In Australia, which is admittedly a few years behind the UK and several behind the US, the intelligence services led by the Office of National Intelligence (ONI) pursued a similar single-vendor approach with Microsoft for the provision of a Top Secret cloud capability.
I draw out these examples to demonstrate that the single-vendor solution is not without its own serious challenges. By all accounts the deployment of the three AWS data centers in the UK and the day two management and integration of the cloud has been far from smooth sailing. Additionally, the Top Secret cloud with Microsoft ultimately failed in 2022, with public information largely pointing to a misalignment around business objectives and the strict sovereign requirements of the Commonwealth.
If we look at the US there are some clear lessons about why the single-vendor approach may be challenging. The infamous single-source failed Joint Enterprise Defense Infrastructure (JEDI) contract, which was canceled in 2021, and ultimately led to the formation of JWCC, is a great example of this.
The 10-year JEDI contract was awarded to Microsoft in 2019 to modernize the military’s cloud-computing systems with what was largely commercial off-the-shelf hardware. In the early stages, the Pentagon’s rationale was that having a single technology platform and provider could provide a more unified and easier-to-manage capability.
However, upon the award to Microsoft, Amazon sued to block the contract. The premise of Amazon’s argument was that Microsoft did not have the technical capabilities to fulfill the military’s needs and that the process had been biased against Amazon because of President Trump’s repeated criticisms of Mr. Bezos.
There were also other considerations at play internally within the Pentagon.
By 2021, an over-reliance on a single company was being seen as an unacceptable risk. Recent security breaches of Microsoft made it clear that relying on one company would be a threat to national security. Additionally, a single vendor reduces price competitiveness, creates significant lock-in, slows technological advancement, and ultimately reduces mission efficacy.
With all of these issues, the Biden administration came to the conclusion that a single-vendor cloud solution presented an unacceptable risk and less optimal outcomes than multi-vendor, multi-cloud solutions.
It also demonstrates that with single-vendor solutions, there is always a risk that any contract can spiral out of control. At least with multi-vendor solutions, there is competitive tension keeping it all together and a fallback in case something goes wrong.
It’s clear that regardless of the methodology utilised for a cloud modernisation program, there is enormous complexity to deploying classified clouds. It’s also clear that Australia and the UK can learn from the US’ mistakes but they can’t follow directly in its path.
Implementing a similar JWCC program in the UK or Australia is simply out of the question. There is a level of complexity and cost that would be unmanageable and ultimately a lack of scale would make it commercially unviable.
It’s also a matter of sovereignty. Relying on a single US company to provide technology, capability, and security, while also having limited to no visibility over the systems or information running on the platform is a recipe for complexity and failure. Also, if the US company decides to limit the sensitive data services and responsibility it offers foreign governments, it can impact the long-term viability of the program. Sovereignty matters and there’s a reason why, historically, secure information technology has always been built, compiled, and maintained in-house.
It’s a relatively obvious statement but what works in the US doesn’t always work elsewhere. Concerns around sovereignty and scale simply do not exist and in the US there will almost always be a business case.
But how do other countries mitigate these risks and issues where true cloud capabilities are only delivered by a handful of US companies?
It ultimately boils down to controlling and limiting the reliance on public cloud providers, while also continuing to reap the benefits. Large-scale private clouds, managed and built in-house, are one possible solution as they enable you to keep the most important data under control while using public clouds where and when it makes sense.
Traditionally this has been a difficult approach. Secure cloud technologies that have been developed on-premises are typically not consumable like a public cloud or capable of delivering the same outcomes. However, new technologies like HyperCloud are now uniquely capable of delivering a public cloud-like experience on-premises and can provide more control over everything that matters for high-side cloud environments.
HyperCloud provides the same consumable experience that the public cloud offers, from multi-tenancy to self-service management for compute, storage, and network infrastructure. It can deliver rapid elasticity, resource pooling, chargeback and metering, and broad network access across dispersed sites and workloads. It can run fully functional and be updated seamlessly in completely air-gapped environments or be interoperable with the public cloud. This means it can burst on-demand into the public cloud, making the public cloud a utility to be used when required, not simply by default.
These true cloud capabilities can be delivered securely with unique audibility over the entire design process and supply chain. The hardware can be built onshore in sovereign manufacturing facilities rather than in China and it can be managed as a single, consistent technology fleet by cleared government or military personnel. All of these factors combine to give more control over management, cost and information flows after the cloud is deployed. It also limits the reliance on the few cloud providers and delivers greater sovereignty and oversight over cloud infrastructure.
Whether a single-vendor or multi-vendor approach is adopted in the deployment of classified environments, there is inevitable complexity in any digital modernisation activities. It’s still too early to say whether the rationalization under JWCC will be successful, however, it’s clear that adopting a purely US-centric approach elsewhere has its issues. With HyperCloud, private cloud solutions can paradoxically help alleviate complexity by providing interoperability between any public cloud environment and by limiting day-two management.
Ultimately, in an evolving information environment and rapidly changing technology landscape, future cloud computing capabilities and services at the Secret or Top Secret classifications should seek to utilise more on-premises cloud offerings.