Re: [ISN] Public Disservice

From: InfoSec News (isn@private)
Date: Thu Mar 10 2005 - 01:03:53 PST


Forwarded from: matthew patton <pattonme@private>

> "It's hard to run multiyear projects when money is doled out year to
> year," Balutis explains. "The biggest difficulty is that you do a
> plan and then all of a sudden you're $50 million short."

I was intimately involved in the annual DoD budgeting process as a
USAF officer at the Pentagon and have to agree that maybe it's time to
put the budget on a 3-year cycle instead of an annual one. Congress
turns over staff every 2 years, the Prez every 4 so maybe 3 years
makes sense? Obviously when things are as politicized as they are and
Washington has millions of self-serving bureaucrats and contractors
feeding at the gov't trough without regard for the fact that it's the
people's money they are playing with, fraud and waste are ubiquitous.
Almost never do the best and brightest fill gov't posts so the quality
of management is always of poor quality - the ability to kiss the
right asses is what makes for a successful administrator. Having to
fight political wars to keep the money rolling in for a long-term
project distracts from the management thereof and lowers the
worker-bees' interests in doing a decent job in the first place.

It's all fine and good for the FBI to lay some or a large share of the
blame at the ex-CIOs' doors and indeed the FBI was grossly lacking in
basic project management skill. I worked for SAIC on Virtual Case File
too. Thing is, VCF was a multi-year project and it was funded as such.
No, the ink wasn't technically dry on every year's congress-critter
allocation but there was almost no doubt about it being funded year
over year. As convenient as it is to blame the FBI for VCF's failure,
the blame more squarely belongs on SAIC's shoulders. Even if the FBI
had the best project managers the world has to offer, bad design, poor
programming skill, and an attitude of "make-work" on the part of SAIC
is why VCF was such a boondoggle. Good FBI project managers cannot
eliminate the problem with SAIC's failure to manage their own people.

VCF didn't fail for lack of specifications. I've personally read all 3+
inches of program specifications that the FBI and SAIC signed off on.
Unfortunately, the people who wrote the specs on both sides and those
who read and blessed them weren't very smart nor frankly very good at
their jobs. Page after page of stupid and inane things were specified
which would only hamper and interfere with the product. Like other
naive specification documents that plague IT efforts, it frequently
tried to dictate the 'how' instead of the 'what'. SAIC failed to
examine and study how the field agents actually worked in real life
and take into consideration how much VCF deviated from that daily
practice. FBI agents aren't geeks. Yet geeks design things only geeks
can love and then wonder why the rest of the world thinks they're
nuts. SAIC's data-analysis team was poor too, making all kinds of
mistakes in entity relationships and failing to think thru the product
enough to spot some of the traps they were setting for themselves. I
plastered their data-diagram with stickies pointing out their errors.

When a contract operates on a cost and materials basis which is what
VCF was, then it's open season on the budget and accountability goes
out the window unless you've got some SERIOUSLY good managers on the
gov't side. The contractor has absolutely no economic incentive to do
well or act responsibly. When I was on the project SAIC had 200+
people, most of them programmers doing practically no work. There was
a lot of water-cooler angst over the C programmers getting let go in
favor of the Java ones because maybe management had changed their mind
about which language to use. There was a whole pizza party/pep rally
one day to settle the nerves. Programmers are not cheap, and idle ones
less so. Yet the FBI was paying probably at least 1.5x their salary
(the general DC cost multiplier) to produce nothing. And this is a
full year into VCF!

Given the immature status of VCF in August of 2002, the SAIC team
should have been about 2 dozen people at the most. A dozen bright
engineers of varying disciplines needed to get locked in a room, slide
in the coke and pizza, until they figured out all or at least most of
the angles before the minions are recruited to sling code as needed.
SAIC didn't have 2 dozen bright engineers and they hired the minions
many, many months before the project was even sketched out. Instead
they were trying out different GUIs and button colors, icon screen
placement and trying to get the FBI to sign off on it without having
any notion of what they were supposed to accomplish.

IT systems in general and in particular of the scale and varied
clientele that represents the FBI, require many iterations before
getting reasonably close to a workable model. Iterations are cheap
when it's pretty much all on paper and only costing the salaries of
20-odd people. But those kinds of numbers don't impress superiors who
are looking for profit. Superiors want to see head-count. They want to
see lots of zeros in a row on the monthly invoice. After all, if there
is 50 million in the pot they damn well want every last penny. 20 guys
spending weeks or months laying and relaying the groundwork isn't
likely to suck up even a tenth of that. And what of the FBI who asked
for 50mil and so far has only spent 10? Congress is going to come
right back at them the following year and say, C: "well, you only
spent 10 last year and you want 50 this year again like you asked for
last year? Hell no, you get 5." F: "But we're starting
implementation!" C: "Use the 40m in the bank and get lost." F: "But
we're going to need the 40 and then some" C: "like we care"

Congressional budgeting is a disaster and will likely remain so. Any
entity that doesn't burn every last penny every year will have its
budget summarily sliced. Extenuating circumstances? One-time or
recurring cost reductions? Not on your life. Gov't doesn't reward
thrift or wisdom. Never has and never will. Instead it encourages
waste, nay mandates it and penalizes those who don't. After all, it's
somebody else's money so what do they care. So why should contractors
behave any different? VCF should have been a fixed cost contract with
rewards for quality, thrift, and achievement but congress-critters
don't tolerate that kind of discretion or innovation and they don't
even begin to know how to handle agencies having money left over. Not
to mention a pissed-off contractor can trivially file a lawsuit and
try to get a court to give them what they think they deserve even if
they don't.

Whatever the case, the FBI desperately needs to find a project manager
with some clue and hefty clout. Frankly Congress and the FBI, or
better yet the GAO should fine SAIC a 100 million. After all, the GAO
has been on SAIC's case about VCF for several years running. But when
"accountability" is defined as making the statement "I am accountable"
yet failing to resign or apologize, or biting a quivering lip in a TV
interview and "feeling your pain" how are things going to change?
Congress has never been about having the balls to do what's right.
It's far more lucrative and expedient to coddle incompetence, accept
donations from grateful contractors to better cement one's power and
status, and perpetuate the corrupt and unaccountable system. Those of
us who care either get co-opted by the system, give up and leave,
soldier on and try to ignore the corruption, or get booted out the
door by daring to question and confront the powers on high.

The VCF trainwreck could have been halted in the fall of 2002 if
anybody cared to listen to those who said it already was a mess.
Competent management by both the FBI and SAIC could have backed the
problem up another 6 months if not prevented it in the first place.
Alas, nobody will ever learn. The faces on the congressional panel
will change, the faces of the accused will change but nothing short of
a free market or the elimination of free money will actually improve
the situation in Washington.


