Oracle Tells The White House: Stop Hiring Silicon Valley People & Ditch Open Source
from the well,-that's-one-way-to-think-about-things... dept
Even though Oracle is based in the heart of Silicon Valley (I can see its offices from my own office window as I type this), the company has become sort of anti-Silicon Valley. It tends to represent the opposite of nearly everything that is accepted wisdom around here. And its latest crusade is against open source technology being used by the federal government -- and against the government hiring people out of Silicon Valley to help create more modern systems. Instead, Oracle would apparently prefer the government just give it lots of money.
First, some background: over the past few years, one of the most positive things involving the federal government and technology has been the success of two similar (but also very different) organizations in the US government: US Digital Service (USDS) and 18F. If you're completely unfamiliar with them, there are plenty of articles describing both projects, but this one is a good overview. The really short version is that both projects were an attempt to convince internet-savvy engineers to help out in the federal government, and to bring a better understanding of modern technology into government. It's been a huge success in a variety of ways -- such as creating federal government websites that are modern, secure and actually work. And even though both programs are associated with President Obama, the Trump administration has been adamant that it supports both organizations as well, and that they're important to continuing to modernize the federal government. The offices are not politicized, and they have been some of the best proof we've got that government done right involves smart, dedicated technologists.
Of course, not everyone is thrilled with these organizations. Old school federal contractors, for one, have been grumbling loudly about 18F daring to do things like making government procurement open to small businesses. After all, these contractors have spent decades charging the government billions for crappy products, in part because they know how to work the system. Bringing in actual engineers who realize that it's crazy to spend so much money on crappy solutions -- especially when there are much better solutions that are often open -- seems to really piss off some folks who grew fat and happy overcharging the government. And they've found some front groups who argue that these programs are a waste of government money, which would be better spent giving billions to private contractors.
Either way, the Trump Administration, following a Trump executive order, requested feedback on how best to modernize government IT. The request for comments and all the submitted comments are on Github (which is nice to see). Many are quite interesting, but the one that really caught my eye was Oracle's submission, which I can only describe as... curmudgeonly.
A little more background: if it weren't for Oracle's failures, there might not even be a USDS. USDS really grew out of the emergency hiring of some top notch internet engineers in response to the Healthcare.gov rollout debacle. And if you don't recall, a big part of that debacle was blamed on Oracle's technology. So, perhaps it's not surprising that Oracle might hold a bit of a grudge against USDS. Similarly, while Oracle likes to claim that it's supportive of open source technologies, most recognize that open source has been eating Oracle's lunch for a while now.
Even with all that background, the sheer contempt found in Oracle's submission on IT modernization is pretty stunning. The letter complains about three "false narratives" that "have taken the [US government] off track":
False Narrative: Government should attempt to emulate the fast-paced innovation of Silicon Valley. Silicon Valley is comprised of IT vendors most of which fail. The USG is not a technology vendor nor is it a start-up. Under no circumstance should the USG attempt to become a technology vendor. The USG can never develop, support or secure products economically or at scale. Government developed products are not subject to the extensive testing in the commercial market. Instead, the Government should attempt to emulate the best-practices of large private-sector Fortune 50 customers, which have competed, evaluated, procured and secured commercial technology successfully.
Now, this is kind of funny if you follow anything having to do with government and IT projects over the past few decades, as compared to what's happened on projects where USDS and 18F have been involved. For example, remember the big new $600 million (only $220 million over budget) computer system the FBI paid for that was useless for catching terrorists and had to be completely written off? This was the system, built by giant government contractor SAIC, about which a computer science professor asked to review it said he was planning to go on a crime spree the day it launched, knowing the FBI wouldn't be functional. The same system that was so bad that a contractor who was trying to do something as simple as adding a printer to the network had to hack the system, accessing the usernames and passwords of 38,000 FBI employees (including then director Robert Mueller) just to do his job.
Is that really the kind of world we want to go back to? And that's just one example, but there are many others like this. Yet, whenever you look at the systems that USDS and 18F are working on, they seem to actually work. They also seem secure. So, sure, it's easy to attack having the government put together these systems, but real world experience seems to show that these groups, staffed with experienced internet engineers, do things a lot better.
False Narrative: In-house government IT development know-how is critical for IT modernization. In-house government procurement and program management expertise is central to successful modernization efforts. Significant IT development expertise is not. Substantial custom software development efforts were the norm at large commercial enterprises, until it became obvious that the cost and complexity of developing technology was prohibitive, with the end-products inherently insecure and too costly to maintain long-term. The most important skill set of CIO’s today is to critically compete and evaluate commercial alternatives to capture the benefits of innovation conducted at scale, and then to manage the implementation of those technologies efficiently. Then, as evidenced by both OPM and Equifax, there needs to be a singular focus on updating, patching, and securing these systems over time.
There's at least some truth to the idea that developing things from scratch is not ideal in many cases, but claiming that those making decisions on federal IT shouldn't have development knowledge is ludicrous. When you don't have that kind of knowledge, that's when you get the big federal contractors coming in and selling you $600 million FBI computer systems that are useless at catching terrorists. I'd be curious if any software developers out there actually think they get better requirements docs from those with dev experience, or those without? Because over and over and over again, I've seen that when the management side actually understands software development, then the process tends to go much more smoothly, because people are much more realistic. Having non-technically inclined managers making these decisions tends to go poorly. Remember the massive computer system that the Copyright Office wasted millions on? That involved a failure of the Copyright Office to set requirements with the outside vendor who never could actually build a working system.
False Narrative: The mandate to use open source technology is required because technology developed at taxpayer expense must be available to the taxpayer. Here there is an inexplicable conflation between “open data,” which has a long legacy in the USG and stems from decades old principles that the USG should not hold copyrights, and “open source” technology preferences, which have been long debated and rejected. There is no such principle that technology developed or procured by the USG should be available free for all citizens, in fact that would present a significant dis-incentive to conducting business with the USG.
This is the most ridiculous of all. Copyright law is pretty clear on this: works of the US government shouldn't be subject to copyright -- and many in the government have embraced variations on open source to live up to that requirement. The idea that open source somehow creates a disincentive to working with the US government is hilarious. Maybe for a company like Oracle, but tons of others are happy to work with the US government, and lots of open source technologies have made government IT faster, cheaper and more secure.
But Oracle really wants to dig in on this point, with some complete bullshit about how open source is somehow less secure... because the Equifax hack came via a vulnerability in open source:
Developing custom software and then releasing that code under an open source license puts the government at unnecessary security risk as that code is not “maintained by a community,” but is rather assessed and exploited by adversaries. Further, this practice puts the government – most likely in violation of the law – in direct competition with U.S. technology companies, who are now forced to compete against the unlimited resources of the U.S. taxpayer. The Equifax breach stemmed from an exploit in the open source Apache Struts framework.
The Equifax breach stemmed from Equifax failing to apply a patch for a widely discussed bug that any competent administrator would have applied; the fix was already available before the breach. The bug was found and patched in the first place because the code was open source.
Speaking of "false narratives," Oracle also claims that open source technology is being used less and less in the corporate world:
Open source software has many appropriate uses and should be competed against proprietary software for the best fit and functionality for any given workload, but the fact is that the use of open source software has been declining rapidly in the private sector. There is no math that can justify open source from a cost perspective as the cost of support plus the opportunity cost of forgoing features, functions, automation and security overwhelm any presumed cost savings. The actions of 18F and USDS plainly promote open source solutions and then propagate those mandates across government with the implicit endorsement of the White House. The USG’s enthusiasm for open source software is wholly inconsistent with the use of OSS in the private sector.
If you actually follow the open source software market, Oracle's claim here is laughable. Open source is now commonplace in the enterprise and that's only increasing, not decreasing.
Also, somewhat hilariously, Oracle tries to argue that letting USDS and 18F develop things means that there will be extra costs, compared to letting private companies develop stuff:
The largest contributor to cost and complexity is customization, yet actions of the USG and the Report seem to embrace both government developed bespoke technology and customization. Custom code needs to be maintained, patched, upgraded and secured over the long-term. The cost of technology comes almost entirely from labor, not from component parts, whether software, hardware, or networking. The goal should be to seek leverage and scale by engineering out labor costs, including process engineering. Government developed technology solutions must be maintained by the government. Every line of code written by 18F, USDS or another government agency creates a support tail that results in long term unbudgeted costs.
But, again, look at historical IT implementations pre-USDS and 18F and you see example after example of the outsourced, private, large government contractor companies whose work results in massive unplanned maintenance costs.
Seriously, this entire filing by Oracle is one giant false narrative of people living in denial about how the world works these days.
There's even more nuttiness in the filing, but you can go through it yourself and count how frequently you gasp at just how wrong it is. This is an old, legacy company trying to cling desperately to old, obsolete, legacy ways. Oracle's entire business was originally created to serve the US government as a customer, and it clearly doesn't want to give that up. But, once again, things like this just make it clear why the top engineers coming out of school today don't have much interest in going to work for a company with views like Oracle's.