Nicolas Chaillan, the U.S. Air Force’s first chief software officer dropped his resignation letter, on LinkedIn, on September 2; he gave the reason as a lack of support. His resignation had been preceded by the stepping-down of Brett Goldstein the director of Pentagon’s Defense Digital Service (DDS) in June. Goldstein had announced his intention to move into consultancy following the end of his three-year term. Further, on September 7, the Pentagon released a technical bulletin showing that it had resumed control of over 125 million IP addresses, which had been handed over to a private company. This series of events raises questions.
Defense Digital Service
DDS is a Pentagon office, stood up in 2015, to handle emerging cyber threats and potential vulnerabilities to Pentagon networks. Staffed with “a team of highly-technical nerds from the private sector and government” DDS leverages emerging technology and technological skills to identify vulnerabilities in network systems, pinpoint attack sources, and lean-forward to find issues that may emerge.
Since its inception, DDS has butted heads with the bureaucratic juggernaut that is the DoD. Some Pentagon members worry that the service is redundant, considering that the branches each have their own cyber-security offices. Others take issue with the office bypassing conventional red tape to push programs through. The office hosts events that attract hackers from around the world to play aerospace and avionics hacking “games” like Hack-A-Sat, which give DoD techs insight into network vulnerabilities. While the hacking takes place against stand-alone simulations, the science behind it has real-world implications.
DDS is funded by the U.S. Digital Service (USDS). USDS was originally stood up in 2014 to administer healthcare.gov. In 2019, USDS encompassed the Office of Management and Budget (OMS), DDS, and VA Digital Services. It had around 180 personnel across the three departments.
Brett Goldstein took over as head of DDS in 2019. During his tenure, DDS doubled in size. Yet, his operations attracted dozens of IG complaints. An Inspector General report in 2020 outlines allegations of hostile work environment, favoritism, and unauthorized software usage. Findings determined that Goldstein was only guilty of using unauthorized messaging software to discuss official DoD business.
As budgets are cut, the Office of Management and Budget is looking to operate DDS as an emergency measures department. Deputy Director of OMB, Margaret Weichert, stated in an interview that she sees DDS providing “rapid-response capability that’s highly technical and very agile and can be deployed literally overnight.” Weichert wants individual military departments to operate their own digital services divisions. By providing stop-gap measures to identified cyber vulnerabilities, DDS gives departments an outline on how to run digital services in-house. Essentially, it acts as an intermediary between the problem and the department, giving a way-forward without implementing it themselves.
Air Force Tech Woes
Nicolas Chaillan was appointed in May 2018 to the post of chief software officer, under the assistant secretary of the Air Force for Acquisition, Technology, and Logistics. As CSO, Chaillan was responsible for the Air Force’s cloud-migration, and for analyzing and approving commercial-off-the-shelf (COTS) software and hardware for use by the USAF. Prior to taking the CSO position, Chaillan was a co-lead on the Pentagon’s Development, Security, and Operations (DevSecOps) initiative. DevSecOps is an initiative designed to streamline cyber security allowing for automation of cybersecurity at all phases of software integration. In layman’s terms, DevSecOps is the automated security system for DoD software systems.
After spending just three years in his new job, Chaillan announced on September 2 that he was stepping down. In his public resignation letter, he boldly stated his frustrations with the way the DoD operates. He cited lack of support for programs; senior leadership not “walking the walk;” and DOD’s unwillingness to implement requested programs. Significantly, Chaillan spearheaded the Joint All-Domain Command and Control (JADC2) system, a cloud-based system that allows information-sharing across all services and departments, and acts as a repository for hard-learned digital information. In 2018, this was a top priority, but after developing a working prototype model, funding for the program was cut.
Chaillan also called out the services for personnel and project management. In his letter on LinkedIn, he wrote,
“Please stop putting a Major or Lt Col. (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail. We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful?”
Military departments often put mid-level Officers and NCOs in charge of projects they have no, or very little, experience with. They do this to foster growth in those ranks, taking people with limited experience and putting them in roles they may have a chance to shine in. As officer development it makes sense, but as program leaders, those officers need some real-world experience with the program they are now in charge of. Imagine taking your local librarian and putting them in charge of sewer systems in your town. Just because they work for the city does not mean they can do ANY job for the city. Chaillan’s frustration and departure make sense in that context.
The Pentagon’s Corner of the Internet
The Department of Defense oversees a large chunk of the internet. In the early days of the internet, DoD bought up millions of IPv4 IP addresses. These have sat dormant since the early ’90s. Three minutes before President Trump officially left office, control of 56 million of those addresses went to a small Florida-based company called Global Resource Systems LLC. By mid-2021, Global Resource System had control of over 125 million IP addressed. In September, the DoD quietly announced it was taking back control of those addresses.
Former Defense Digital Service director Brett Goldstein had said control of those addresses was given to Global Resources in order to evaluate the space and locate potential vulnerabilities.
Global Resource Systems is a relatively unknown limited liability corporation whose mailing address is in a Florida business park. It has no history of defense contracts and not much of a history at all. Therefore it came as a surprise to those in the cyber industries that the DDS, the Pentagon’s premier technology office, would hand over control of six percent of the internet to an unknown company.
Although the addresses’ control has since reverted to the Pentagon, the reasoning behind the initial transfer still is a mystery. According to the Pentagon, the transfer was part of a pilot program concerning IP security and vulnerability, but nothing else was released.
Doug Madory, a former Air Force software officer and current director of Internet Analysis for Kentik, a network monitoring company, said he believes the handover was part of an intelligence-gathering initiative. Activating those IP addresses that have lain dormant for years caused a flurry of internet activity. Routing traffic through those military networks allows for analysis of outside systems, thus letting DoD examine vulnerabilities and exploits available to hackers. However, it is still unclear why the Pentagon would choose Global Resource Systems as its partner.
The Rule of Three
The departure of the DDS chief, the resignation of the Air Force’s software chief, and the quiet retaking of millions of IP addresses may be portentous.
The approaching great-power competition will test America’s cyber infrastructure. It is imperative that the Pentagon has the best people at the job and partners with the most capable companies in order for the U.S. to have cyber supremacy.