“Innovative” Government IT

Jennifer Pahlka from Code for America has published a pair of essays on IT leadership that anyone thinking about “organizational transformation” should read. They are very high level and a bit lengthy, but are full of good ideas:

“Innovative” Government IT

In talking about innovation in the second essay, Pahlka has this wonderful section, about the difference between adopting modern development practices and actually innovating.

The problem is that if you want “government technology as good as what we have at home,” you’re going to have to do things like move to the cloud and test prototypes with actual users.

That’s not innovation. That’s just how tech works today.

The practices and tools that result in good digital services vary from organization to organization, to be sure, but there is a lot in common that the private sector, and increasingly the public sector, pretty much agree on as standard.

When we frame these practices as somehow cutting-edge, risky, or non-standard, we do the mission a great disservice.

Sing it! Adopting open source, agile development and cloud technology are not “innovative” any more, they’re just table stakes, the minimum possible ante upon which to build a responsive technology organization.

The other big take home for me is in the first essay, decomposing the functional roles that are traditionally mushed into a single “CIO” position and pointing out how unlikely they are to match the capabilities of any one person:

  1. Digital services: the services residents use to engage and do business with the City. This can also include APIs and open data programs, though this is often the domain of the other CIO (the innovation officer.)
  2. Back office software: Day-to-day core services like email, human resources management, budgeting, fiscal and accounting that all departments rely on.
  3. Mission IT: The business applications that run the internal processes of departments and agencies. These are often custom, but can now make use of underlying commodity technology.
  4. Infrastructure: Network and connectivity, hosting and device management.

I tend to break the IT roles into just two pieces, but I think Pahlka makes a strong case for all four. My two pieces are:

  • Infrastructural. Email, network, desktop, phones, backup, payroll, finance. All skills that are replicated across every organization in existance, where little domain knowledge is required. With appropriate contracting safe-guards, you can outsource all of this stuff.
  • Strategic. Business systems unique to your organization and all the facets thereof. Back-end, front-end, user experience, API, etc. The IT tools are common, but the domain knowledge of the data and business processes are unique to your organization. You should own both the technology and the people creating it, for maximum flexibility.

Either way, the idea that the folks who are best at handling one category are also good at handing the other is dangerous.

You no more want your ultra-cautious infra manager (“let’s map out a 4 month plan for that…”) running development than you want a cowboy lead developer making decisions (“deploy!”) that might affect network uptime.

Anyways, go read! Time well spent.


“Far out in the uncharted backwaters of the unfashionable end of the western spiral arm of the Galaxy lies a small unregarded yellow sun. Orbiting this at a distance of roughly ninety-two million miles is an utterly insignificant little blue green planet whose ape-descended life forms are so amazingly primitive that they still think digital watches are a pretty neat idea.”
- Douglas Adams, HHGTTG

Drowning in Passwords

I like the internet, I use a lot of sites, I don’t fear online shopping or discussion or communication or banking. As a result, I have a pretty healthy footprint of accounts, and I have been finding recently that my brain can no longer keep up.

Drowning in Passwords

So I’ve started using a password manager, LastPass, which works just fine.

Once I fully committed to it, the number of passwords managed started a slow and seemingly relentless climb, as over time I returned to all the many sites at which I had been forced to register accounts in the past. As a result, I’ve learned useful things:

  • The number of sites I have accounts on is far larger than I thought. I have 40 entries in LastPass already, and I imagine I’m only about 2/3 of the way through adding all the sites I use more than once a year. Of those, easily a dozen are what you might call “important”: banks, brokerages, email, OAuth sources (Twitter, Facebook, Google), etc. Far more sites than I kept separate passwords for!
  • The centrality and potential vulnerability of the email account is hard to overstate. For 90% of the accounts I have added, the first step was “reset the password”, since I had forgotten it. (In fact, that was my old access mechanism, since I accessed many sites so rarely.) And “reset” uses access to email as a source of proxy authentication. So, 0wn my email address, 0wn me, entirely. If you haven’t enabled two-factor authentication on your email account yet, you need to, because of this.

Usually, improving security involves things getting more inconvenient but in the case of using a password manager, it has actually been a net improvement. No more time spent trying to remember which of the passwords in my limited brain key-chain I had used for a site. No more reset-password-and-wait for the many sites at which I had no idea what the password was.

LastPass has been very good, and I have only one note/caveat. The password manager works by installing a plug-in into your browser, so if you use multiple browsers (I use both Chrome and Safari regularly) you’ll end up with multiple plugins. The preferences on those plugins are managed separately. Same thing if you use multiple computers (I do, desktop and laptop). Each plugin on each computer has separate preferences.

This is important because the LastPass preferences are, in my opinion, a little loose. Once you provide the master password, by default, the password vault remains unlocked and available until you actually shut down your browser. I can go days without shutting down my browser. So, I changed that preference to a time-out of 15 minutes instead. But I had to change it on every browser and on every computer I owned, which was not intuitive, since the plugin is good about sharing other information to other installs transparently (add a password on one browser, it’s available on all).

So far I’ve been using the free version of LastPass, but as I move into the mobile world I will probably have to buck up for the paid version for support on mobile devices. Given how much it has simplified my life, I won’t begrudge them the dollars.

Bonus paragraph: Isn’t saving all my passwords on a cloud service really dumb? Not so much. The passwords are only ever decrypted locally by the password manager plugin. The cloud just stores a big encrypted lump of passwords, and I have a lot of faith in AES256. However, my security now has one big central point of failure: the master password. But since I only have to remember one master password, I have been able to make it nice and long, so any remote technical attack on my security is unlikely. That just leaves all the other kinds of attack (social engineering, keylogging, device theft, human factors, etc, etc).

Intellectual Capital vs Intellectual Property

Building enterprise IT projects as “capital investments” is something I consider potentially dangerous, because it lumps IT “assets” along with much more durable and valuable physical assets.

A key question to ask of an “IT asset” is just how valuable and permanent the asset is. In the venture capital world, nothing makes investors happier than hearing that a company is spending their investment dollars creating “intellectual property”. This is an intellectual product that is defensible and ownable: it’s not locked up between some employee’s ears, it’s owned by the company.

In contrast, building “intellectual capital” is a much more risky proposition. Intellectual capital is my stock in trade, it’s what distinguishes me from a random C/C++ programmer: I know some very detailed things about some specific open source projects that would take quite a long time to learn from scratch. It’s valuable capital, but it lives between my ears. It’s mine and mine alone.

Intellectual Capital vs Intellectual Property

Why is this important for enterprise IT projects? Because so much of the value created in IT projects is “intellectual capital”. Staff are assembled by a consultancy and take months and years to learn a business domain and the particular tools for the problem, and the particular code base that is the system itself.

And then when the project is done… they are sent off to consultancy’s the next project. Flush…

Treating enterprise IT projects as capital projects encourages miscategorization all over the place:

  • The “system” is perceived as the target of the investment. But the value of the pile of code and hardware rapidly diminishes to zero once the knowledgeable staff are removed. Changes and enhancements that would take the original developers minutes now require days and weeks of staff learning time before they can be attempted.
  • The nature of the funding assumes that at some point the system will be “complete”. It will be in “maintenance” mode. Except the budget assigned to maintainance is too low to make any substantial changes in response to unexpected future needs. So when serious new requirements arise, the response is always to start again from scratch. With a new team.

It’s weird that IT projects get this special treatment, because other areas of government are perfectly aware that when staff leave, they carry out the accumulated intellectual capital of years of learning.

The very nature of the outsourced IT relationship has obscured the fact that government is routinely building up very expensive stores of intellectual capital and then sending them on their way only a handful of months or years after they’ve built them.

Maybe it’s time to get back to building systems in house?

Open Source & the Changing of the Guard

Back when I first discovered open source software, at the dawn of my computing and consulting career, I was pretty sure it was some kind of rainbow magic, better than sliced bread. Once other folks found this stuff, it was going to catch on like wildfire, and why not?

  • It was way more flexible to build systems with than proprietary black boxes.
  • The community around it was helpful and knowledgable, further speeding development.
  • The price of deployment was (obviously) unbeatable, and just as importantly, the lack of legal restrictions neatly avoided convoluted “licensing oriented architectures”.

That was over 15 years ago, so clearly I was really, really wrong, at least from the point of view of governments and large corporate enterprises (in the start-up space, the revolution happened over 10 years ago, and nobody is looking back). Over time, I began to reformulate my thesis:

Open Source & the Changing of the Guard

  • Open source is a toolkit best appreciated by tool users, and,
  • Managers have generally moved beyond direct tool using and use proxy data for decision making, but
  • Today’s young staffer is tomorrow’s manager, so,
  • Eventually the sands of time will deliver an open source literate population of managers into decision making authority.

This morning, I saw this tweet, which is fun:

That’s one good data point, hooray!

But in all honesty, I don’t feel like there is necessarily an open source wave cresting, certainly not in the big organization I’m nearest to, the BC government.

  • Yes, there are some young (and not so young) advocates, who have increased their decision making power over time. But, there is a larger population of similarly aged folks who, from an innovation and risk-taking point of view, might as well be from the last generation. Their ascendance will assure continuity: the only change will be from expensive proprietary on-site software to expensive proprietary SaaS solutions.
  • Yes, the overall IT environment is more accepting of open source in general (there is even Linux being run in government!! ooo!). But, in general there is a mismatch in sales fire power between solutions that have high-priced outside sales people promoting them and those that have to be dragged in by staff. Managers (even young ones) have moved beyond direct tool use, and are sitting ducks for a good sales presentation.

So it still falls to in-house innovation centers like GDS or the US Digital Service to try to demonstrate, mandate, and teach a new way of doing things to the old guard of IT.

GDS team

It’s not clear they are succeeding, even on their own terms. More on that another day.

Do you have links to interesting experiments in doing enterprise IT in a new way? Drop them in the comments, I think it’s time to revisit government enterprise IT and what kind of program can chip away at the culture that has accreted over the last generation.

There’s some interesting experiments out there, let’s hear about them.