US Air Force chief software officer quits

I&#x27;m honestly surprised this is on HN, but it&#x27;s good that it is.<p>I worked with Nic on and off for almost his entire tenure while I was CTO for Kessel Run and I can state with full confidence that this is at best him mis-representing his importance and the problems with the DoD IT; and at worst this is his attempt to spin his being fired (or being asked to resign ala Nixon) by the incoming Secretary (timing here is not just a coincidence).<p>A couple of core points, that are important to keep in mind that have nothing to do with Nic&#x27;s character, integrity, communication style or technical capabilities (which is a separate and important topic but not suitable for this public forum IMO):<p>- The CSO position was made up by him, it&#x27;s not related to any GSA Schedule and it had about the kind of charter you would expect for the position: Namely ill-defined and loosely empowered.<p>- There was no office of the CSO in the sense that it was not congressionally funded, had no budget, no personnel and no real authority for writing, implementing policy or actually doing engineering.<p>- Nic never held a clearance, and as a result was never actually involved or aware of most of the programs that he intended to impact<p>- His primary mission seemed to be to push any organization that was developing software for the USAF to immediately adopt microservices architectures, containers&#x2F;kubernetes and a couple of very specific &quot;DevSecOps&quot; practices - and specifically to the specifications that he approved&#x2F;suggested. Make of that what you will.<p>That said, a lot of what he says is true and IT&#x2F;network infrastructure, development and test etc... in the DoD is far from modern and in some places completely broken. Other places, where it matters a lot it&#x27;s like nothing you&#x27;ve ever seen or will likely see in the commercial sector for decades.<p>Bottom line, I suggest taking this tirade with an EXTREME amount of salt.

I feel Nic&#x27;s pain. Here is the original article about the talk he gave before leaving: <a href="https:&#x2F;&#x2F;www.airforcemag.com&#x2F;air-force-leadership-chief-software-officer-devsecops&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.airforcemag.com&#x2F;air-force-leadership-chief-softw...</a><p>&gt; One of Chaillan’s main concerns is incorporating security into software development, a practice known among IT professionals as DevSecOps. With a lack of basic IT infrastructure, implementing DevSecOps has proven difficult, he said. What’s more, there has been some resistance among those used to the more traditional approach of considering security after development and operations.<p>We&#x27;re standing up basically everything ourselves from scratch. The mandate was basically &quot;we have a critical need for a new capability. Here is an AWS account and five developers, so make it happen.&quot; That&#x27;s it. So everything from standing up CI&#x2F;CD pipelines, to building out a cluster, to configuring storage and networking, to writing and testing the application code, to maintaining environments and deployments, is falling on us, with no support.<p>I&#x27;m not going to say what the product is for reasons of OPSEC, but it is inherently a product that has extremely high security needs. Yet in the rush to be able to tell some high-ranking people we have put an &quot;MVP&quot; in production, we&#x27;ve skimped in every which way it is possible to skimp. I am aware of so many holes in the system, but Air Force pen testers didn&#x27;t find them, so our product manager is being pushed to go forward and we&#x27;ll worry about security later.<p>To my mind, this is absolutely unacceptable for a critical defense system, but nobody is asking my opinion. Supposedly, we keep being told we&#x27;ll lose funding and get the plug pulled if we don&#x27;t hit some important milestone at some exact date. By being &quot;agile,&quot; we can deliver a broken, insecure &quot;MVP&quot; and &quot;iterate&quot; on it until we have a real product that actually meets its requirements.<p>You can&#x27;t do this crap with defense systems. This isn&#x27;t Etsy. Deploying broken shit has far different implications than when all the exemplars from the DevOps Handbook do it in order to find all their bugs in prod and turn their users into beta testers.

Sidenote, he lists &quot;Push over-the-air software updates to weapon systems (U-2) while flying the jet&quot; in his list of accomplishments. Is this what it sounds like? It sounds like a terrible idea.

&gt; IT is a highly skilled and trained job; staff it as such<p>I don&#x27;t think it&#x27;s highly trained at all!<p>What kind of training do major tech companies do? I&#x27;ve never done any in my career, outside my degrees, and not everyone does that even! Is that unusual?<p>Contrast that with the military, which is obsessive about training and invests a huge amount of time and effort into it throughout your entire career.<p>So who are we taking lessons from here?

<a href="https:&#x2F;&#x2F;www.linkedin.com&#x2F;pulse&#x2F;time-say-goodbye-nicolas-m-chaillan&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.linkedin.com&#x2F;pulse&#x2F;time-say-goodbye-nicolas-m-ch...</a><p>This linkedin post seems way more... balanced... than TheRegister.com implied.

&gt;My office still has no billet and no funding, this year and the next.<p>From his LinkedIn post... this really is the crux of the matter... they want to whitewash security, not actually implement it.

&gt; Among the USAF&#x27;s sins-according-to-Chaillan? The service is still using &quot;outdated water-agile-fall acquisition principles to procure services and talent&quot;,<p>Wait, what?

For those of you either contributing to PlatformOne or customers of PlatformOne struggling to get to prod, shoot me a message on LI and we will see if we can support you in cARMY&#x2F;CReATE. I’m easy to find on LI or 365.

&gt; We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful? They do not know what to execute on or what to prioritize which leads to endless risk reduction efforts and diluted focus. IT is a highly skilled and trained job; staff it as such.<p>Isn&#x27;t this (general pattern) what led to the creation of the USAF as a separate military branch from the Army?<p>Perhaps we need a use military branch - The U.S. Software Force!

probably to make more money

Fun fact about the USAF: pilots are selected based on personnel&#x27;s assessment of a cadet&#x27;s probability of making general officer. Aptitude for flying and piloting ability have nothing to do with the assessment, which occurs before pilot training. As a result, many Air Force pilots are awful pilots, but they are world class ass kisssers and social climbers.