"It is borderline criminal" -- US Air Force CSO quits with a bang

"Almost no shared repositories and little to no collaboration"

"It is borderline criminal" -- US Air Force CSO quits with a bang

The first ever US Air Force Chief Software Officer, Nicholas M. Chaillan, has quit his job with an excoriating LinkedIn post, which warns bluntly that the Department of Defence's approach to staffing and funding critical software projects across the US's national security estate is "setting up critical infrastructure to fail."

Chaillan, hired in May 2019 to lead on the "implementation and adoption of innovative software best practices, cybersecurity solutions, AI and ML technologies across [the] acquisition community" described the role in a strikingly detailed LinkedIn blog as "the most challenging and infuriating of my entire career."

US Air Force Chief Software Officer Nicholas M. Chaillan quits, drops mic.
Nicholas M. Chaillan, the US Air Force's first (and last?) Chief Software Officer.

From "continuous and exhausting fights" for funding, to poor leadership and inadequate staffing ("IT is a highly skilled and trained job; staff it as such"), via "silos created purposefully to allow senior officials to satisfy their thirst for power" Air Force Chief Software Officer Chaillan let it all out in a blistering LinkedIn post on Sep. 2.

"Please empower the CIO..."

"Lauren Knausenberger, Chief Information Officer for the Department of the Air Force, and I are still largely unempowered to fix basic IT issues, we are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government. Please empower her. She can get things done faster than nobody else I know," lamented Chaillan.

(Knausenberger, for what it is worth, is started recruiting for a new CISO this week after Wanda Jones-Heath moved on to a principle cyber advisor at the Department of the Air Force. Those not put off by Chaillan's picture of working in IT at the organisation can apply here: deadline of September 16, 2021).

Among Chaillan's many complaints was leadership ill-equipped to understand the scale of the IT challenges the US Air Force faces. As he warned bluntly: "Please stop putting a Major or Lt Col. (despite their devotion, exceptional attitude, and culture) in charge of ICAM, Zero Trust or Cloud for 1 to 4 million users when they have no previous experience in that field – we are setting up critical infrastructure to fail."

US Air Force Chief Software Officer: Leaders "refused to mandate DevSecOps"

The screed (titled "it is time to say goodbye") was not all complaints. Chaillan painted a picture of some substantial successes in his three-year term, including creating "Platform One", described on its website as a "modern cloud-era platform that provides valuable tooling, hosts CI/CD DevSecOps pipelines, and offers a secure Kubernetes platform for hosting microservices", along with the so-called "Iron Bank" of over 800 hardened and accredited containers. (Upstream software supply chain attacks are a critical fear for a  growing number of security professionals and compromised Docker containers are high on the fear-list...)

He also said his team had worked successfully to "bring Kubernetes on weapon systems, including jets and space systems, where we demonstrated that containerization was not only possible but game-changing on Real-Time OS and legacy hardware."

Chaillan's particular frustration was reserved for a purported failure to resource and support DevSecOps -- an approach that emphasises making software security a core part of the overall software delivery process, rather than relying on post-development security checks.

["Leaders] have repeatedly refused to mandate DevSecOps, not even for new starts in custom software development!", he claimed. "There is absolutely no valid reason not to use and mandate DevSecOps in 2021 for custom software. It is borderline criminal not to do so. It is effectively guaranteeing a tremendous waste of taxpayer money and creates massive cybersecurity threats but also prevents us from delivering capabilities at the pace of relevance, putting lives at risk, and potentially preventing capabilities to be made available when needed whenever world events demand, many times overnight."

Follow The Stack on LinkedIn

Over the years The Stack's team have heard particularly loud complaints about software siloes and a lack of reusable components/not enough off-the-shelf products and too much legacy, heavily customised code in use across the public sector -- large financial services firms are also often guilty.

Few paint quite as blunt a picture as Chaillan. As he put it: "I, as have many of us, have been trying for 3 years now to convince various teams to partner and merge work across the Department. We don’t need different stacks just for the sake of egos. There are 100,000 software developers in the DoD. We are the largest software organization on the planet, and we have almost no shared repositories and little to no collaboration across DoD Services. We need diversity of options if there are tangible benefits to duplicating work. Not because of silos created purposefully to allow senior officials to satisfy their thirst for power.

"Unfortunately, more often than not, I have failed at convincing teams to merge work, or it was so painful that it was designed to fail from day 1 and then used as an excuse not to try again. Some of it, without a doubt, is my fault but I know I certainly tried harder than most of these teams combined. At this point, I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next."

Sour grapes? He makes a compelling point? Wish you'd walked out on a job that felt like this? Share your thoughts, on or off the record.

See also: US Army CIO applauds cloud migration of “3 most complex ERPs”