Why the Pentagon’s $10 billion JEDI deal has cloud companies going nuts

By now you’ve probably heard of the Defense Department’s massive winner-take-all $10 billion cloud contract dubbed the Joint Enterprise Defense Infrastructure (or JEDI for short).
Star Wars references aside, this contract is huge, even by government standards. The Pentagon would like a single cloud vendor to build out its enterprise cloud, believing rightly or wrongly that this is the best approach to maintain focus and control of their cloud strategy.

Department of Defense (DOD) spokesperson Heather Babb tells TechCrunch the department sees a lot of upside by going this route. “Single award is advantageous because, among other things, it improves security, improves data accessibility and simplifies the Department’s ability to adopt and use cloud services,” she said.

Whatever company they choose to fill this contract, this is about modernizing their computing infrastructure and their combat forces for a world of IoT, artificial intelligence and big data analysis, while consolidating some of their older infrastructure. “The DOD Cloud Initiative is part of a much larger effort to modernize the Department’s information technology enterprise. The foundation of this effort is rationalizing the number of networks, data centers and clouds that currently exist in the Department,” Babb said.

Setting the stage

It’s possible that whoever wins this DOD contract could have a leg up on other similar projects in the government. After all, it’s not easy to pass muster around security and reliability with the military, and if one company can prove that they are capable in this regard, they could be set up well beyond this one deal.

As Babb explains it though, it’s really about figuring out the cloud long-term. “JEDI Cloud is a pathfinder effort to help DOD learn how to put in place an enterprise cloud solution and a critical first step that enables data-driven decision making and allows DOD to take full advantage of applications and data resources,” she said.

The single vendor component, however, could explain why the various cloud vendors who are bidding have lost their minds a bit over it — everyone except Amazon, that is, which has been mostly silent, happy apparently to let the process play out.

The belief amongst the various other players is that Amazon is in the driver’s seat for this bid, possibly because they delivered a $600 million cloud contract for the government in 2013, standing up a private cloud for the CIA. It was a big deal back in the day on a couple of levels. First of all, it was the first large-scale example of an intelligence agency using a public cloud provider. And of course the amount of money was pretty impressive for the time, not $10 billion impressive, but a nice contract.

For what it’s worth, Babb dismisses such talk, saying that the process is open and no vendor has an advantage. “The JEDI Cloud final RFP reflects the unique and critical needs of DOD, employing the best practices of competitive pricing and security. No vendors have been pre-selected,” she said.

Complaining loudly

As the Pentagon moves toward selecting its primary cloud vendor for the next decade, Oracle in particular has been complaining to anyone who will listen that Amazon has an unfair advantage in the deal, going so far as to file a formal complaint last month, even before bids were in and long before the Pentagon made its choice.

Somewhat ironically, given their own past business model, Oracle complained among other things that the deal would lock the department into a single platform over the long term. They also questioned whether the bidding process adhered to procurement regulations for this kind of deal, according to a report in the Washington Post. In April, Bloomberg reported that co-CEO Safra Catz complained directly to the president that the deal was tailor made for Amazon.

Microsoft hasn’t been happy about the one-vendor idea either, pointing out that by limiting itself to a single vendor, the Pentagon could be missing out on innovation from the other companies in the back and forth world of the cloud market, especially when we’re talking about a contract that stretches out for so long.

As Microsoft’s Leigh Madden told TechCrunch in April, the company is prepared to compete, but doesn’t necessarily see a single vendor approach as the best way to go. “If the DOD goes with a single award path, we are in it to win, but having said that, it’s counter to what we are seeing across the globe where 80 percent of customers are adopting a multi-cloud solution,” he said at the time.

He has a valid point, but the Pentagon seems hell bent on going forward with the single vendor idea, even though the cloud offers much greater interoperability than proprietary stacks of the 1990s (for which Oracle and Microsoft were prime examples at the time).

Microsoft has its own large DOD contract in place for almost a billion dollars, although this deal from 2016 was for Windows 10 and related hardware for DOD employees, rather than a pure cloud contract like Amazon has with the CIA.

It also recently released Azure Stack for government, a product that lets government customers install a private version of Azure with all the same tools and technologies you find in the public version, and could prove attractive as part of its JEDI bid.

Cloud market dynamics

It’s also possible that the fact that Amazon controls the largest chunk of the cloud infrastructure market might play here at some level. While Microsoft has been coming fast, it’s still about a third of Amazon in terms of market size, as Synergy Research’s Q4 2017 data clearly shows.

The market hasn’t shifted dramatically since this data came out. While market share alone wouldn’t be a deciding factor, Amazon came to market first and it is much bigger in terms of market than the next four combined, according to Synergy. That could explain why the other players are lobbying so hard and seeing Amazon as the biggest threat here, because it’s probably the biggest threat in almost every deal where they come up against each other, due to its sheer size.

Consider also that Oracle, which seems to be complaining the loudest, was rather late to the cloud after years of dismissing it. They could see JEDI as a chance to establish a foothold in government that they could use to build out their cloud business in the private sector too.

10 years might not be 10 years

It’s worth pointing out that the actual deal has the complexity and opt-out clauses of a sports contract, with just an initial two-year deal guaranteed. A couple of three-year options follow, with a final two-year option closing things out. The idea is that if this turns out to be a bad idea, the Pentagon has various points where they can back out.

In spite of the winner-take-all approach of JEDI, Babb indicated that the agency will continue to work with multiple cloud vendors no matter what happens. “DOD has and will continue to operate multiple clouds and the JEDI Cloud will be a key component of the department’s overall cloud strategy. The scale of our missions will require DOD to have multiple clouds from multiple vendors,” she said.

The DOD accepted final bids in August, then extended the deadline for Requests for Proposal to October 9th. Unless the deadline gets extended again, we’re probably going to finally hear who the lucky company is sometime in the coming weeks, and chances are there is going to be a lot of whining and continued maneuvering from the losers when that happens.

U.S. Air Force drone documents found for sale on the dark web for $200

You never quite know what you’ll find on the dark web. In June, a threat intelligence team known as Insikt Group at security research firm Recorded Future discovered the sale of sensitive U.S. military information in the course of monitoring criminal activity on dark web marketplaces.

Insikt explains that an English-speaking hacker purported to have documentation on the MQ-9 Reaper unmanned aerial vehicle. Remarkably, the hacker appears to have been selling the goods for “$150 or $200.”

According to Insikt Group, the documents were not classified but also contained sensitive materials including “the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.” Insikt notes that the other set of documents appears to have been stolen from a U.S. Army official or from the Pentagon but the source was not confirmed.

The hacker appeared to have joined the forum explicitly for the sale of these documents and acknowledged one other incident of military documents obtained from an unaware officer. In the course of its investigation, Insikt Group determined that the hacker obtained the documents by accessing a Netgear router with misconfigured FTP login credentials. When the team corresponded with the hacker to confirm the source of hacked drone documents, the attacker disclosed that he also had access to footage from an MQ-1 Predator drone.

Here’s how he did it:

“Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines.

“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”

Insikt Group notes that it is “incredibly rare” for hackers to sell military secrets on open marketplaces. “The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” the group warns.

Google reportedly backing out of military contract after public backlash

A controversial Google contract with the U.S. military will not be renewed next year after internal and public outcry against it, Gizmodo reports. The program itself was not particularly distasteful or lucrative, but served as a foot in the door for the company to pursue more government work that may very well have been both.

Project Maven, as the program was known, essentially had Google working with the military to perform image analysis on sensitive footage like that from drones flying over conflict areas.

A small but vocal group of employees has repeatedly called the company out for violating its familiar (but now deprecated) “Don’t be evil” motto by essentially taking a direct part in warfare. Thousands of employees signed a petition to end the work, and several even resigned in protest.

But more damaging than the loss of a few squeaky wheels has been the overall optics for Google. When it represented the contract as minor, saying that it was essentially aiding in the administration of open source software, the obvious question from the public was “so why not stop?”

The obvious answer is that it isn’t minor, and that there’s more to it than just a bit of innocuous support work. In fact, as reportage over the last few months has revealed, Maven seems to have been something like a pilot project intended to act as a wedge by which to gain access to other government contracts.

Part of the goal was getting the company’s security clearance fast tracked and thus gaining access to data by which it could improve its military-related offerings. And promises to Pentagon representatives detailed far more than facilitation of garden variety AI work.

Gizmodo’s sources say that Diane Greene, CEO of Google Cloud, told employees today at a meeting that the backlash was too much and that the company’s priorities as regards military work have changed. They must have changed recently, since discussions have been ongoing right up until the end of 2017. I’ve asked Google for comment on the issue.

Whether the expiration of Project Maven will represent a larger change to Google’s military and government ambitions remains to be seen; some managers are surely saying to themselves right now that it would be a shame to have that security clearance go to waste.

US military reviewing tech use after Strava privacy snafu

The US military has responded to privacy concerns over a heatmap feature in the Strava app which displays users’ fitness activity — and has been shown exposing the location of military facilities around the world — by saying it’s reviewing the rules around usage of wireless devices and apps by its personnel.

DJI adds an offline mode to its drones for clients with ‘sensitive operations’

DJI is working on a “local data mode” for its apps that prevents any data from being sent or received from the internet. The feature will be welcomed by many, but it’s hard not to attribute the timing and urgency of the announcement to the recent ban of DJI gear by the U.S. Army over unspecified “cyber vulnerabilities.”

Female Marines group appeals to Sheryl Sandberg to fix Facebook’s revenge porn problem

With a letter straight to the top, a group of Marines is demanding that Facebook get a grip on the systemic harassment that plagues its female servicemembers. In March, Facebook became the epicenter of the Marines United scandal, which exposed a massive online community where users shared often intimate photos of servicewomen without their consent. While such content isn’t limited…

Marine Corps updates social media guidance to address online misconduct

As its revenge porn scandal continues to unfurl, the Marine Corps took steps this week to bolster its standards for online behavior. Following a hearing before the Senate Armed Services Committee, Marine Commandant Gen. Robert Neller signed off on a set of guidelines that expand the definition of sexual harassment to include online activity. Just like with offline infractions, Marines deemed…