The Government’s Computer Challenge.
There is such waste in Federal Government dealings with the information industry as to warrant second look at modern information management practices for a total overhaul. Even the first look gives a chilling assurance that there is nobody in charge, and perhaps hundreds of millions are wasted annually simply because nobody in the Government is looking at what computers accomplish for us in terms of performance.
Standard software is now inherently unsafe.
The selection of Windows as a standard operating system points directly to the problem. This is a program that runs other programs; and supports those programs at running still other programs. This operating system is our primary security problem; and attempting to "apply security “as some sort of add-on fails.
Windows look-alike programs (such as those to run windows programs on Unix or Linux) are unsafe for the same reason. It is the basic concept of openly executing foreign programs that is the problem, not any specific product or manufacturer.
Windows security application challenge.
To point out the lack of intelligence being applied, look at what is recommended to make windows secure. We apply log-in security to users, and restrict what programs they can run. This is a restriction on the ones who are cleared to use Government systems. The programs of strangers are run without password protection. That is how virus programs and spyware commonly gets on our modern Government systems. Either the user, or the operating system, runs a program that contains an instruction to run other programs – and that runs the hostile code.
Management engineering addresses value. The value of a computer is determined by what the user needs the computer to do in support of their function. There is little added value from having a computer that does something more or something else. Increases in machine capacity and the scope of performance potentials commonly adds no value. We have had many systems that worked; doing what we needed to have done. Our regular periodic replacement of software and hardware by higher capacity systems is an example of fixing something that is not broken. A large portion of the tax-dollars being expended are simply wasted; paying the industry to obsolete programs that work to good effect.
Solutions from the past.
Engineering is based on doing what works. The Government faced a similar problem once before. In the early days of computers, manufacturers each determined their own computer operating environment, and their own data storage approaches. Whenever a computer had to be replaced, it was like starting over. Data had to be converted to new forms, and then be reloaded. Programs had to be rewritten in the new operating language.
We, Government, solved this problem. Two standardized solutions were implemented. The one accepted ASCII code as a data standard; and it standardized the format of information for both storage and communication. The other was the specification of COBOL as a standard functional programming language. With both of these standardized, government programs and data could be moved readily to a new computer when the old one failed. The Government refused to accept industry-driven changes that did not yield value.
The process that initiated solution was the Government taking charge. The Government started managing; it started specifying what it would accept for purchase. It took basic design out of the hands of those who were otherwise rewarded for their excesses.
The implementation was a moderate-sized effort to define customer-based standards, followed by instructions to Government purchasing personnel that they could only procure computers which met basic specifications.
Value-based computer system design is also within reach, and it comes from general management doing its job, rather than passing off its responsibility to technical specialists. We need to have Government Managers taking charge; and this only begins when they have something to gain through Government computer systems. Technical support for government managers is needed.
Such can be accomplished by a moderate-sized working group missioned to establish standards for what the Government will purchase.
Further implementation is common sense – the Government should not have to rent its common purpose software, nor should it buy licenses to use someone else’s property on Government systems. For a user the size of Federal Government, that is a questionable business practice. It needs to buy the basic software it will use, or buy the right to internally use that software as if it was the owner. It then acts as an owner within the Government, putting its purchased software into internal use whenever and wherever it chooses.
Management engineering has the answers to questions of value. It is users who are assigned performance responsibilities, not computers. It is users who work with machines to gain results. Nothing is ever assigned to a machine – and a machine is never able to do its job better as it has no job to do.
Value is an answer to why government employees use computers. Value is in the amount of assigned work that computer-users accomplish. Value is in having the machine do part of the work assigned to a user so that the user’s efforts are multiplied in effect.
This also highlights some of the anti-value characteristics of modern computing. A document publishing program is changed, and everyone has to be retrained. A government database is moved to new software, and every user must be retrained before they can be allowed to access the new system. When they do, there are new screens, new functions, and almost everything has changed, everything that is except for the job that these workers have to do.
In the negative, the more that the users have to do to get the computer to do what needs to be done, the less valuable the machine becomes. The reason we have programming is to limit the amount of work required to get the machine to do what users need them to do. A program that requires a help-database of information (replacing the 500 page manual that was too large and expensive to print) is an indictment of the industry for not having any value concern for its regular business-based users.
My own performance rule is: if the instructions cannot be written on two sides of a sheet of paper in number 10 type, it is written for technicians rather than users. The idea that a user might spend twenty minutes looking up some process instead of simply doing their job speaks of a failure in business programming. A valuable computer will be doing work for the user, not requiring the user to do substantial work to gain support from the machine.
The first rule of Management Engineering; Management is an essential; you cannot improve management by replacing it with something else. If Government managers are not in charge, then someone else is. Paying our Government managers for handling automation, and then passing management to industry leaders is wastage.
Management is based on gaining through the efforts of others. If management does not know what it wants the operating system to do, it cannot manage the efforts that will gain the result. The blank-check acceptance of some software producer’s operating system is little more than an invitation to rip-off the taxpayer. It rewards producers for aggrandizing their products, and inventing “improvement” changes that initiate new purchases.
Management is applied by specifying what must be accomplished by the operating system, and then purchasing based on what is specified. This sets customer-driven standards, and provides a foundation for meeting needs without restricting competition.
The first, and most obvious, standard will be the elimination of all potential to execute programs unless they are specifically run by the user or approved by other competent authority. This would apply even to running programs off the boot sector of storage media. For security, the operating system should be self-contained. It needs to be able to read enough from storage media to know and recognize media formats, and then read the data using its own internal code appropriate for that task – eliminating even the potential to load hostile boot-sector code.
Value for an operating system is actually not that challenging. It has to provide user interface. It has to recognize and run programs; including a rich suite of program interfaces for program use. It has to manage memory and peripheral equipment interfaces. It has to support some level of interconnection with other computers. These can all be standardized. Once standardized, the operating system, or its successors, will be able to run all standardized programs without having to rewrite them or purchase new software to go with new or changed operating systems.
Renting operating systems is then no longer sensible. The Government should buy operating systems meeting its specifications for its own use. Buying licenses to load operating systems should be considered only as one questionable economic option – and probably rejected in favor of buying effective ownership of the operating system for use throughout the Government, or buying standard operating systems as part of buying hardware replacements.
And what of upgrades? The value discussion above is appropriate. If there is truly an increase in value, then procurement can be considered. If not, there is little potential benefit from spending public dollars.
Basic business software includes word-processing/publication for text documents, self-calculating electronic spreadsheets, office database (both for local and larger database applications) and communication/e-mail. There is also a good chance for specifying business graphics software as a standard. Data storage for these programs might also be effectively specified.
The most important interface to define and standardize is the interface with users – addressing interrelations through the screen, printer, keyboard, mouse, or other personal input/output devices. The need is to specify and standardize those interfaces so that a user never has to relearn anything just because something changes within the computer.
Perhaps the greatest information-management waste in Government is purchasing replacement for common office software. The old software does not lose its functionality; nor does it become less valuable in performing the ongoing government office efforts. If it is working and doing the job, there is no need to replace it. It only needs replacement if it is broken, or becomes non-functional. Our modern practice of spending public dollars on periodic replacement/upgrades of these programs borders on criminal neglect by managers. Those who continue this practice after fair warning should be prosecuted.
The cries from industry will be immediate – “what about the improvements you will be missing? Your programs will go out of date because you won’t be able to communicate with those outside the Government.”
The answer is easy – if basic software is doing the job, who cares what industry might think are improvements? This threat to development of standardized programs was answered in the standardization of ASCII and COBOL. As soon as these customer-based standards were in place, everyone else was eager to use those same standards. Other computer customers were also glad to stop wasting their money.
Software doesn’t go out of date, it just becomes obsolete because the industry makes it obsolete. If the Government is using software that doesn’t go easily out of date, you can be almost certain that others will begin using that same software – rather than buying the planned obsolescence that the industry would like to sell to them.
For security, it is necessary to specify that standard software cannot run any other program without specific permission from the user, or pre-approval of the program (or source) by the information management authorities as necessary to run a Government program. It can only load video files as video images. It can only load sound files as sound images. It can only load originally-called Html files, and will not load other files without specific permission from the user or acceptance from pre-approved data sources. (first impact – no foreign-program pop-ups. Also, no automatic loading or running of virus or spyware code).
When software is standardized, then it is reasonable to standardize the hardware to run the software. Hardware that won’t run standard software is not a reasonable purchase. It is wastage. Buying hardware that would only run new software was the wasteful practice that led to the establishment of COBOL as a Government standard programming language – and the COBOL standard added incredible value to the industry even as it saved the taxpayers vast amounts of money.
Government, through purchasing 100,000+ computing machines each year, can certainly specify this in such terms that the industry will produce machines to run Government-standard programs.
These machines will not go easily out of date. They will again form the basic standard for non-government machines as they are likely to be less expensive than industry-progressive machines; and they will also be guaranteed to run basic software that is not going to go easily out of date.
The primary loss for massive upgrades will address non-standard private uses, such as playing games.
There are two networking concepts, information passing (the WAN network) and resource sharing (the LAN network). The Internet runs on information passing, and information passing networks have been operating without major change over the last three or four decades. Rather than upgrades, we find add-ons that permit LAN type communications through WAN type connections.
It is about time the industry learned from what works instead of pushing ever-increasing complexity. Resource sharing, the current LAN goal, is a very different animal than basic information passing. This LAN approach reached perfection in the 1960s with the centralized computer using dumb terminals. All resources could then be reached by any user – our information industry has targeted itself on recreating this 1960’s computer concept on modern hardware. We are most certainly not making progress in this arena – no matter how much hype we get from the industry. Instead, we are rapidly locking out any user-based intelligent use for the computer, and giving control back to the centralized LAN manager – the basic situation that existed in the 1960’s.
Access can be standardized,
and should follow a different understanding of the value of communication. There is no public access into the gold
The first control should be on who receives access. For intelligent management, granting access is an exception action involving human interface to establish the working relation. Even Government owned public servers are not to be lightly granted open access to secured Government servers. Passing information is sufficient for most purposes; LAN access is to be avoided unless it can be conveniently and economically managed.
Secured Government servers are not to be responsive (LAN concept) to any computer address (hardware-ID level) that has not been made known to it and been pre-approved. The specific hardware address access is to be controlled by the server administrator. Plugging an unknown computer into any secured Government network should raise alarms.
We have no problem with existing internet communication except for the addition of running other people’s programs (an add-on to basic internet email) – as with video and sound files that support “execution” of other programs. We have windows-based files passed that run other people’s programs – another piece of insecurity added to basic communication by the industry. If we eliminate the ability to execute foreign programs from the operating system and from the software it runs, we are back to basic communication that can be more conveniently secured against hostile access.
There is still the question of security associated with passage of information through unsecured channels, but this is a different challenge, not one involving basic networking or standard communication. Sensitive information should not be sent by regular email, any more than by being written in a letter form and dropped in a corner mailbox. That is properly addressed as prohibited behavior.
Real improvements to computers and software are made on a regular basis. Some of these will have impacts on basic computing, and can be incorporated into the standards for Government Computer systems. There must be a standing group with the mission of examining proposed improvements for cost and benefit. This is a management group, and must be keenly aware of what must be gained through the standards being applied; and they must have good estimates of what expense will be incurred in gaining those benefits. It is then possible to manage improvements – a concept that is not even a part of our present information environment.
This group would continue after initial establishment of standards as a way to achieve benefit for the Government as to computer software and hardware upgrades. The commercial firms interested in selling hardware or software to Government should have responsibility for presenting and demonstrating the benefit so that it can be incorporated. The idea of buying hundreds of millions of dollars in off the shelf hardware and software just because industry wants to sell it is not good business operation.
Also, just because the IT industry claims an improvement does not indicate that there is some need to incorporate it as standard. A faster piece of hardware may not have to be specified as a standard. It just has to be available as an option. A new and wider computer screen would not have to be standardized, just the interface it has with the users and computer processing units. A publication program that is able to do advanced language conversion would not lead to a new standard, but would be available as an option among the products from other software producers who would also be able to provide the standard support.
And what of the cost?
The industry is currently caught up in a capacity-based race as to both hardware and software. It is expending its resources to do massive research programs, and maintain a dizzying rate of change. It should be a lot less expensive to program for standard software packages that serve office users, and standard operating systems that are simpler and more direct than what we now experience.
And the cost of the standardization is not the cost of developing these programs, only of defining them to the point where a contracting officer can put out solicitations based upon them. It will probably cost more to test the new hardware and software than to identify needs and establish standards.
And after these standards have been established, there is room for all manufacturers who meet the standards. Standard hardware will run standard operating systems. Standard operating systems will run those central programs that have common office uses. Any computer meeting the standards can be plugged in, loaded with standard programs, and expected to run acceptably – supporting the user in a known and accepted way.