The
Government’s Computer Challenge.
There is such waste in Federal
Government dealings with the information industry as to warrant second look at
modern information management practices for a total overhaul. Even the first look gives a chilling
assurance that there is nobody in charge, and perhaps hundreds of millions are
wasted annually simply because nobody in the Government is looking at what
computers accomplish for us in terms of performance.
Standard software is now inherently unsafe.
The selection of Windows as
a standard operating system points directly to the problem. This is a program that runs other programs;
and supports those programs at running still other programs. This operating
system is our primary security problem; and attempting to "apply security
“as some sort of add-on fails.
Windows look-alike programs
(such as those to run windows programs on Unix or
Linux) are unsafe for the same reason.
It is the basic concept of openly executing foreign programs that is the
problem, not any specific product or manufacturer.
Windows security application
challenge.
To point out the lack of
intelligence being applied, look at what is recommended to make windows
secure. We apply log-in security to
users, and restrict what programs they can run.
This is a restriction on the ones who are cleared to use Government
systems. The programs of strangers are
run without password protection. That is
how virus programs and spyware commonly gets on our
modern Government systems. Either the
user, or the operating system, runs a program that contains an instruction to
run other programs – and that runs the hostile code.
Value-based economics.
Management engineering
addresses value. The value of a computer
is determined by what the user needs the computer to do in support of their
function. There is little added value
from having a computer that does something more or something else. Increases in machine capacity and the scope
of performance potentials commonly adds no value. We have had many systems that worked; doing
what we needed to have done. Our regular
periodic replacement of software and hardware by higher capacity systems is an
example of fixing something that is not broken.
A large portion of the tax-dollars being expended are simply wasted;
paying the industry to obsolete programs that work to good effect.
Solutions from the past.
Engineering is based on
doing what works. The Government faced a
similar problem once before. In the
early days of computers, manufacturers each determined their own computer operating
environment, and their own data storage approaches. Whenever a computer had to be replaced, it
was like starting over. Data had to be
converted to new forms, and then be reloaded.
Programs had to be rewritten in the new operating language.
We, Government, solved this
problem. Two standardized solutions were
implemented. The one accepted ASCII code
as a data standard; and it standardized the format of information for both
storage and communication. The other was
the specification of COBOL as a standard functional programming language. With both of these standardized, government
programs and data could be moved readily to a new computer when the old one
failed. The Government refused to accept
industry-driven changes that did not yield value.
The process that initiated
solution was the Government taking charge.
The Government started managing; it started specifying what it would
accept for purchase. It took basic
design out of the hands of those who were otherwise rewarded for their
excesses.
The implementation was a
moderate-sized effort to define customer-based standards, followed by
instructions to Government purchasing personnel that they could only procure
computers which met basic specifications.
Solution Today.
Value-based computer system
design is also within reach, and it comes from general management doing its
job, rather than passing off its responsibility to technical specialists. We need to have Government Managers taking
charge; and this only begins when they have something to gain through Government
computer systems. Technical support for
government managers is needed.
Such can be accomplished by
a moderate-sized working group missioned to establish
standards for what the Government will purchase.
Further implementation is
common sense – the Government should not have to rent its common purpose
software, nor should it buy licenses to use someone else’s property on
Government systems. For a user the size
of Federal Government, that is a questionable business practice. It needs to buy the basic software it will
use, or buy the right to internally use that software as if it was the
owner. It then acts as an owner within
the Government, putting its purchased software into internal use whenever and
wherever it chooses.
Management engineering has
the answers to questions of value. It is
users who are assigned performance responsibilities, not computers. It is users who work with machines to gain
results. Nothing is ever assigned to a
machine – and a machine is never able to do its job better as it has no job to
do.
Value is an answer to why
government employees use computers.
Value is in the amount of assigned work that computer-users
accomplish. Value is in having the
machine do part of the work assigned to a user so that the user’s efforts are
multiplied in effect.
This also highlights some of
the anti-value characteristics of modern computing. A document publishing program is changed, and
everyone has to be retrained. A
government database is moved to new software, and every user must be retrained
before they can be allowed to access the new system. When they do, there are new screens, new
functions, and almost everything has changed, everything that is except for the
job that these workers have to do.
In the negative, the more
that the users have to do to get the computer to do what needs to be done, the
less valuable the machine becomes. The
reason we have programming is to limit the amount of work required to get the
machine to do what users need them to do.
A program that requires a help-database of information (replacing the
500 page manual that was too large and expensive to print) is an indictment of
the industry for not having any value concern for its regular business-based
users.
My own performance rule is:
if the instructions cannot be written on two sides of a sheet of paper in
number 10 type, it is written for technicians rather than users. The idea that a user might spend twenty
minutes looking up some process instead of simply doing their job speaks of a failure
in business programming. A valuable computer will be doing work for the user,
not requiring the user to do substantial work to gain support from the machine.
The first rule of Management
Engineering; Management is an essential; you cannot improve management by
replacing it with something else. If
Government managers are not in charge, then someone else is. Paying our Government managers for handling automation, and then passing management to industry leaders
is wastage.
Management is based on
gaining through the efforts of others.
If management does not know what it wants the operating system to do, it
cannot manage the efforts that will gain the result. The blank-check acceptance of some software
producer’s operating system is little more than an invitation to rip-off the
taxpayer. It rewards producers for
aggrandizing their products, and inventing “improvement” changes that initiate
new purchases.
Management is applied by
specifying what must be accomplished by the operating system,
and then purchasing based on what is specified.
This sets customer-driven standards, and provides a foundation for
meeting needs without restricting competition.
The first, and most obvious,
standard will be the elimination of all potential to execute programs unless they
are specifically run by the user or approved by other competent authority. This would apply even to running programs off
the boot sector of storage media. For
security, the operating system should be self-contained. It needs to be able to read enough from
storage media to know and recognize media formats, and then read the data using
its own internal code appropriate for that task – eliminating even the
potential to load hostile boot-sector code.
Value for an operating
system is actually not that challenging.
It has to provide user interface.
It has to recognize and run programs; including a rich suite of program
interfaces for program use. It has to
manage memory and peripheral equipment interfaces. It has to support some level of
interconnection with other computers.
These can all be standardized.
Once standardized, the operating system, or its successors, will be able
to run all standardized programs without having to rewrite them or purchase new
software to go with new or changed operating systems.
Renting operating systems is
then no longer sensible. The Government
should buy operating systems meeting its specifications for its own use. Buying licenses to load operating systems
should be considered only as one questionable economic option – and probably
rejected in favor of buying effective ownership of the operating system for use
throughout the Government, or buying standard operating systems as part of
buying hardware replacements.
And what
of upgrades? The value discussion above is
appropriate. If there is truly an
increase in value, then procurement can be considered. If not, there is little potential benefit
from spending public dollars.
Basic business software
includes word-processing/publication for text documents, self-calculating
electronic spreadsheets, office database (both for local and larger database
applications) and communication/e-mail.
There is also a good chance for specifying business graphics software as
a standard. Data storage for these
programs might also be effectively specified.
The most important interface
to define and standardize is the interface with users – addressing
interrelations through the screen, printer, keyboard, mouse, or other personal
input/output devices. The need is to
specify and standardize those interfaces so that a user never has to relearn
anything just because something changes within the computer.
Perhaps the greatest
information-management waste in Government is purchasing replacement for common
office software. The old software does
not lose its functionality; nor does it become less valuable in performing the ongoing
government office efforts. If it is
working and doing the job, there is no need to replace it. It only needs replacement if it is broken, or
becomes non-functional. Our modern
practice of spending public dollars on periodic replacement/upgrades of these
programs borders on criminal neglect by managers. Those who continue this practice after fair
warning should be prosecuted.
The cries from industry will
be immediate – “what about the improvements you will be missing? Your programs will go out of date because you
won’t be able to communicate with those outside the Government.”
The answer is easy – if
basic software is doing the job, who cares what industry might think are
improvements? This threat to development
of standardized programs was answered in the standardization of ASCII and
COBOL. As soon as these customer-based
standards were in place, everyone else was eager to use those same
standards. Other computer customers were
also glad to stop wasting their money.
Software doesn’t go out of date, it just becomes obsolete because the industry makes it
obsolete. If the Government is using
software that doesn’t go easily out of date, you can be almost certain that
others will begin using that same software – rather than buying the planned
obsolescence that the industry would like to sell to them.
For security, it is
necessary to specify that standard software cannot run any other program
without specific permission from the user, or
pre-approval of the program (or source) by the information management
authorities as necessary to run a Government program. It can only load video files as video
images. It can only load sound files as
sound images. It can only load
originally-called Html files, and will not load other files without specific
permission from the user or acceptance from pre-approved data sources. (first impact – no foreign-program pop-ups. Also, no automatic loading
or running of virus or spyware code).
When software is
standardized, then it is reasonable to standardize the hardware to run the
software. Hardware that won’t run
standard software is not a reasonable purchase.
It is wastage. Buying hardware
that would only run new software was the wasteful practice that led to the
establishment of COBOL as a Government standard programming language – and the
COBOL standard added incredible value to the industry even as it saved the taxpayers
vast amounts of money.
Government, through
purchasing 100,000+ computing machines each year, can certainly specify this in
such terms that the industry will produce machines to run Government-standard
programs.
These machines will not go
easily out of date. They will again form
the basic standard for non-government machines as they are likely to be less
expensive than industry-progressive machines; and they will also be guaranteed
to run basic software that is not going to go easily out of date.
The primary loss for massive
upgrades will address non-standard private uses, such as playing games.
There are two networking
concepts, information passing (the WAN network) and resource sharing (the LAN
network). The Internet runs on
information passing, and information passing networks have been operating
without major change over the last three or four decades. Rather than upgrades, we find add-ons that
permit LAN type communications through WAN type connections.
It is about time the
industry learned from what works instead of pushing ever-increasing
complexity. Resource sharing, the
current LAN goal, is a very different animal than basic information passing. This LAN approach reached perfection in the
1960s with the centralized computer using dumb terminals. All resources could then be reached by any
user – our information industry has targeted itself on recreating this 1960’s
computer concept on modern hardware. We
are most certainly not making progress in this arena – no matter how much hype
we get from the industry. Instead, we
are rapidly locking out any user-based intelligent use for the computer, and
giving control back to the centralized LAN manager – the basic situation that
existed in the 1960’s.
Access can be standardized,
and should follow a different understanding of the value of communication. There is no public access into the gold
vaults at
The first control should be
on who receives access. For intelligent
management, granting access is an exception action involving human interface to
establish the working relation. Even
Government owned public servers are not to be lightly granted open access to
secured Government servers. Passing
information is sufficient for most purposes; LAN access is to be avoided unless
it can be conveniently and economically managed.
Secured Government servers
are not to be responsive (LAN concept) to any computer address (hardware-ID
level) that has not been made known to it and been pre-approved. The specific hardware address access is to be
controlled by the server administrator.
Plugging an unknown computer into any secured Government network should
raise alarms.
We have no problem with
existing internet communication except for the addition of running other
people’s programs (an add-on to basic internet email) – as with video and sound
files that support “execution” of other programs. We have windows-based files passed that run
other people’s programs – another piece of insecurity added to basic
communication by the industry. If we
eliminate the ability to execute foreign programs from the operating system and
from the software it runs, we are back to basic communication that can be more
conveniently secured against hostile access.
There is still the question
of security associated with passage of information through unsecured channels,
but this is a different challenge, not one involving basic networking or
standard communication. Sensitive information
should not be sent by regular email, any more than by being written in a letter
form and dropped in a corner mailbox.
That is properly addressed as prohibited behavior.
Real improvements to
computers and software are made on a regular basis. Some of these will have impacts on basic
computing, and can be incorporated into the standards for Government Computer
systems. There must be a standing group
with the mission of examining proposed improvements for cost and benefit. This is a management group, and must be
keenly aware of what must be gained through the standards being applied; and
they must have good estimates of what expense will be incurred in gaining those
benefits. It is then possible to manage
improvements – a concept that is not even a part of our present information
environment.
This group would continue
after initial establishment of standards as a way to achieve benefit for the
Government as to computer software and hardware upgrades. The commercial firms interested in selling
hardware or software to Government should have responsibility for presenting
and demonstrating the benefit so that it can be incorporated. The idea of buying hundreds of millions of
dollars in off the shelf hardware and software just because industry wants to
sell it is not good business operation.
Also, just because the IT
industry claims an improvement does not indicate that there is some need to
incorporate it as standard. A faster
piece of hardware may not have to be specified as a standard. It just has to be available as an
option. A new and wider computer screen
would not have to be standardized, just the interface it has with the users and
computer processing units. A publication
program that is able to do advanced language conversion would not lead to a new
standard, but would be available as an option among the products from other
software producers who would also be able to provide the standard support.
And what
of the cost?
The industry is currently
caught up in a capacity-based race as to both hardware and software. It is expending its resources to do massive research
programs, and maintain a dizzying rate of change. It should be a lot less expensive to program
for standard software packages that serve office users, and standard operating
systems that are simpler and more direct than what we now experience.
And the cost of the
standardization is not the cost of developing these programs, only of defining
them to the point where a contracting officer can put out solicitations based
upon them. It will probably cost more to
test the new hardware and software than to identify needs and establish
standards.
And after these standards
have been established, there is room for all manufacturers who meet the
standards. Standard hardware will run
standard operating systems. Standard
operating systems will run those central programs that have common office uses. Any computer meeting the standards can be
plugged in, loaded with standard programs, and expected to run acceptably –
supporting the user in a known and accepted way.