Q&A: David Wennergren, DoD Deputy CIO

Department of Defense deputy CIO David Wennergren addresses information stovepipes, SOA, procurement, cybersecurity, and cloud computing.

J. Nicholas Hoover, Senior Editor, InformationWeek Government

December 21, 2009

Download the entire February 2010 issue of InformationWeek Government, distributed in an all-digital format (registration required).


David Wennergren, DoD Deputy CIO

Department of Defense deputy CIO David Wennergren oversees the largest information technology budget and organization anywhere, spending more than $30 billion annually on IT. Recently, he talked with InformationWeek about the challenges of managing such a complex organization, as well as topics like cloud computing, cybersecurity, IT procurement and more.

InformationWeek: What are you doing to break down information stovepipes across the military?

Wennergren: It's a conundrum any large organization faces. A decade ago, local commands built local IT solutions to meet their local needs, and there was a certain amount of agility to that. However, as the Web emerged, two problems emerged with it. If local commands are only building everything for local needs, you end up with a lot of duplication of effort and information stovepipes.

Like other large organizations, we have been moving toward behaving like a big enterprise. Some of this work has been in place for as long as a decade, like the Department of the Navy moving to a single Intranet, and some has been more recent, like work to reduce the number of legacy applications and move to common solutions.

One answer has been to build big IT systems, but the size of the DoD is so big that those big IT systems tend to be slow to deliver and cumbersome. In parallel, we've seen the emergence of a services-style approach. Web services could get our organization to where we have certain core enterprise services that we demand for use across the entire organization.

Local people would then use those enterprise services and build their own local services. We've mandated certain enterprise services already: a single collaboration tool (which is Adobe Connect), a single content staging service, a content discovery service.

We're continuing to work through that list of services everybody will use. If you can take your data and expose it so other people can consume it and align yourself in a services-oriented approach, you'll be able to break down those information stovepipes and you'll also get capabilities in place much more rapidly than if you build a big IT system.

InformationWeek: What are you doing to ensure your SOA strategy does stay on track and brings real results?

Wennergren: We have to be clear in our approach. We put in place the net-centric data strategy and the net-centric services strategy -- fundamental documents about how you become part of the services-oriented approach. Regardless of whether you are trying to build command and control or you're trying to build logistics support, there's a common way we want you to approach it. There will also be certain core enterprise services delivered for everyone. These common services avoid one of the problems you see sometimes in SOA where everybody wants to go their own way and they do it separately. We really are trying to have everybody be aligned.

You have to back up that common direction and vision with policy. We have a DoD Information Enterprise Architecture that sets top-level business rules about moving to the services-oriented world, and to which everyone must comport. We have a DoD Architecture Framework that tells you how to do things architecturally and the different artifacts you need to build.

When people recognize that if you decouple data from applications and expose that data so people can find, reuse, and gain access to it, they see you can move more quickly. With maritime domain awareness, for example, which was about taking legacy information and systems across multiple departments and, instead of replacing them with some giant system that took years to develop and millions of dollars to deploy, we said, let's just expose the data on commercial vessels coming into our harbors so that anybody can use that data to find out what's coming into any harbor in the world. By doing a service-oriented approach, we were actually able to get that capability in place in months, not years, and at a fraction of the cost.

InformationWeek: How has net-centricity changed over time? What does it mean today as opposed to when you first started talking about it?

Wennergren: The fundamental tenets of net-centricity remain the same: if you can get the right information in the hands of the right person at the right time, you can get things done more quickly and more effectively. We're also part of an extended enterprise. We're constantly working with allies and coalition partners, and state and local and tribal governments, and any number of what we call unanticipated users. The tenets of net-centricity have grown to recognize that not only is it about moving away from multiple point-to-point interfaces, but it's about the power of exposing data and being prepared for unanticipated users. The other piece is that today it's all about effectively managing information in a contested environment.

InformationWeek: What direction are you taking in terms of cloud computing for the military?

Wennergren: All of these new ideas come with a great amount of promise and a certain amount of hype, and the priority is to sort through the difference. Where cloud computing really has promise [is in] dynamically scaling and provisioning. That's why I'm really excited about DISA's Rapid Access and Computing Environment. This idea that if I need to do some big modeling simulation exercise or testing or rapid development or a Website, I can dynamically scale, bring it up, bring it back down, pay for what I use, rather than be stuck with a lot of infrastructure, that's really important.

Even further along what I think of as a cloud continuum are things like the desktop infrastructure. Wouldn't it be amazing for a large organization like ours if the majority of people who work from a desktop could get their desktop services through the cloud so that you could get the stuff done that you need, anywhere that you are, simply by plugging in? Oh, and by the way, with that, there's a lot of cost and security concern about heavy desktops, so this could improve security, too.

InformationWeek: Do you foresee any particular public cloud scenarios?

Wennergren: We're going to have to keep an open mind. If I'm working on something where I've got this sensitive conversation, then I wouldn't do that in Facebook; I would use an internal social networking service. However, we're also seeing great power in using mainstream social networking services, where you do want to have a dialog with external partners. It will eventually be like the question of using the public communications infrastructure or not. Do you have your own infrastructure, or do you use the public infrastructure, but you use encryption and segmenting to keep yourself walled away?

InformationWeek: You manage probably the largest IT budget of any single organization out there, period, and the portfolio underneath it is just as complex and the organization is just as complex. How do you keep track of it all?

Wennergren: Spending IT dollars effectively is a team sport. First, you have to have the right policy in place, and then you have to have compliance mechanisms. It starts with an alignment to the strategic plan to the Department of the Defense, which is built with the help of the component CIOs and reflected in their own plans, and then requires alignment to the enterprise architecture. Then, even if the CIO has put in place the right policy, strategy and vision, you still need a partnership with the people who are responsible for getting things done.

If you look at the portfolio management process -- let's take the business side -- we've set up a robust process that says underneath of the information architecture, there's a business information architecture that's all about results for the business mission and aligns the IT spend within the business side. Then we have investment review boards who review any effort of any consequence to make sure it comports with the architecture. For the business mission area, it then actually comes up for a group chaired by the Deputy Secretary of Defense. Relatively small investments get that personal attention.

Then there's performance management, what are the outcomes we're all looking at in the dashboards at the department, what are you doing as you look through your statutory responsibilities, and then on through certifications. During the process of actually getting the work done, there are all manners of reviews in terms of, are you hitting your target dates, am I staying within cost and schedule, am I performing well, and reviews the team participates in with the acquisition management team to make sure that we're getting the work done correctly.

InformationWeek: How involved are you in procurement reform, what can you tell me about what you are thinking about there right now?

Wennergren: We're very involved. The key for us is helping everyone understand you need to use the right tool for the right job. Sometimes to get some process done effectively, you need to build an IT system. However, a lot of times, it can be about leveraging Web services, quickly deploying apps and exposing data. You focus first on optimizing a process and determining how to insert technology to get that process done effectively, and then will be able to decide where you're going to build a big IT system, versus where you're going to leverage SOA or Web services, mash things up, overlay data on top of Google Earth or something, and get it in the hands of everybody really fast. It's about understanding there's a continuum of how you deliver IT capabilities and you don't have to do one size fits all.

I am thrilled DISA decided they wanted to have a common collaboration service we all use, that they went out and got it as a managed service. These ideas of managed service arrangements and performance-based contract arrangements, part of this is just opening the aperture that the answer isn't always just building a traditional IT system.

InformationWeek: How do you accelerate the actual acquisitions? Deputy secretary William Lynn, for example, recently bemoaned that by the time you get a big IT system built, it's often a few generations behind.

Wennergren: Right, and so you better make sure you're choosing wisely before you decide to build a big IT system. However, having said that, if you are going to build an IT system, we have to make sure we're looking at the process so we can streamline it as much as possible.

InformationWeek: How much more important does DISA become in a world that relies so heavily on ideas like shared services and cloud computing?

Wennergren: DISA is a classic type of organization to be the provider of common services. Just like they provide the long-haul connectivity, they ought to be the provider of common collaboration services everyone uses. You can imagine DISA having a very crucial role in this future that says “I'm going to offer up services that I'm going to demand you to use, so don't go and build your own directory service, use the directory service that's out there for everybody to use.” DISA can provide this core stuff, and then local commands can call common services and quickly develop a Web service that meets their local needs. It's amazing the speed and agility you can have in that kind of world. Couple that with the fact you can quickly put into place a cloud environment through RACE and use Forge.mil as the test bed for the app that you're building, and you can see how much more speed you can have.

InformationWeek: What's the most important thing to you right now in terms of cybersecurity?

Wennergren: For any information leader, the two most important things at this point are information sharing and information security, and they have to be managed together. In the past we tended to look at them as two separate disciplines. My priority is secure information sharing. The security efforts of the department and the sharing efforts of the department have to be looked at as a consistent set of activities that allow you to raise the bar for security and share your information with unanticipated users.

Certainly, there's basic blocking and tackling in information security we have to get done. The networks are all under attack, and if we're not thoughtful, the intellectual capital of our nation is at risk. It's something we're all in together. It's not good enough that I just get these things done within DoD because people can get to my information through other government agencies and contractors. Everybody has to reduce their internet access points, work on things like host-based security systems, data-at-rest encryption, the Federal Desktop Core Configuration.

Having said that, we have to look at security in new and different ways so when push comes to shove, we can share securely. We need to be thinking about secure browsers, how we do trusted computing from untrusted computers in this world where people are doing self-service computing from any number of devices, even across organizational boundaries. The nature of security is changing, and the tools we'll have to use to be effective will have to change too.

InformationWeek: How will your role and the way DoD does cybersecurity change as the Cyber Command gets stood up?

Wennergren: U.S. Cyber Command is about aligning our assets so that we share best practices and embrace a common risk management approach. We'll also have a consistency of purpose and the best of understanding what others do, so we know what we need to do when we defend.

InformationWeek: So, with this being a separate command, how do you make sure that you maintain this mission of secure information sharing?

Wennergren: That's part of the work of standing it up. There's great power in bringing together the defensive and offensive capabilities of information management, but clearly Cyber Command has to be part of the effective governance structure we have in place with the CIO and with operational commanders. You can't just think of security in a vacuum anymore.

InformationWeek: You recently wrote a memo that seemed to open up the possibilities for open source in the military a bit more. Walk me through your thinking on open source.

Wennergren: It was sort of a reiteration of policies we already had in place, but it seemed that there was still a lot of misperception about open source. We wanted to help people understand that open source software could be a potential answer. There's value in open source. More and more you've got to be able to look toward the power of peer review, both for open source stuff and not-open source stuff, to bring more scrutiny and attention to the software. Don't avoid good solutions that will help you move with speed and agility.

InformationWeek: What's your take on real, robust enterprise search that has role-based security built into it?

Wennergren: Content discovery is already one of our enterprise services, but there's a lot more work that has to happen. Data has to be exposed so it can be visible and found, and you have to have services like federated search available, and then you have to make some advances to what I might call the enterprise user.

We live in a world where the infrastructure needs to be joined. An Army guy needs to be able to get on a Navy computer and find Air Force stuff. It's about moving into a different way of using our enterprise infrastructure, using the technology we already have like our access cards to create and use attributes about me -- the clearance I have, the kind of work I'm doing, where I work -- that allow me to see information.
