Defence Information Systems modernisation: SITA briefing; Committee Third Term programme

Meeting report

Modernisation of the Defence Force : State information Technology Agency (SITA) briefing
Mr Zukile Nomvete, Acting Chairman, State Information Technology Agency, introduced the SITA delegation. It was noted that a new training programme is going to be introduced in order to capacitate young people to work with the SITA system, on a global level.

Mr Setumo Mohape, Chief Executive Officer, SITA, and Mr Pieter Coetzee, Executive Operations Manager, SITA, presented the plan to the Committee, setting out briefly what issues had been faced in the process to modernise all systems used in government. The Committee voiced concern on the hacking problem, and asked SITA to explain how a breach of that sort could not happen again. SITA reassured the Committee that its new system immediately attacks any foreign log ins. Protocols had been set with regard to government employees sending emails from public accounts such as gmail and yahoo. The issue of lack of skills to operate the old system was then addressed. Committee members then discussed and raised all concerns with SITA. All members then decided to resolve all issues raised in the next meeting, especially with regard to financial figures about relevant programmes. The Third term Committee programme was then adopted by all members with no changes made.

Minutes
Modernisation of the Defence Force : State information Technology Agency (SITA) briefing
The Chairperson asked the SITA delegation to take Committee members through what exactly will be modernised in the Defence Information System, which will be followed by interaction from Committee members and the SITA delegation.

Mr Zukile Nomvete, Acting Chairman, State Information Technology Agency, introduced the SITA delegation. It was noted that a new training programme is going to be introduced in order to capacitate young people to work with the SITA system, on a global level. Mr Nomvete apologised for the breakdown in communication recently but assured Members that they will be notified as soon as possible on all communication issues,  as the government is the second largest client of SITA. He assured the Committee that there would be fundamental changes.

Mr Setumo Mohape, Chief Executive Officer, SITA, and Mr Pieter Coetzee, Executive Operations Manager, SITA, presented the plan to the Committee, setting out briefly what issues had been faced in the process to modernise all systems used in government.

Mr Mohape briefed members on SITA activities to provide context for Committee members. The disorganisation in SITA, as evident in the miscommunication issues, has not allowed for activities to continue to the full extent. All similar institutions worldwide had been able to deliver key services. The internet was created through a programme that was run by the equivalent SITA in the USA, which created the first transmission control internet protocol (TCPIP) network, which was a precursor to the internet.

He suggested that the Committee, in looking at the mandate, should consider what can be raised in the public spectrum that has contributed to the socio-economic and national security challenges of the country, and also focus on technologies that have been developed that have had an impact for the rest of society, in the same way that their SITAs  had done respectively in  other countries.

The object of the SITA Agency is to improve service delivery to the public. For that reason, SITA should be able to measure itself not necessarily on the extent that it had built bigger IT systems, but rather to the extent to which it had created improved capabilities for the people that it served – in this particular context, that would be the military.  In looking at its work in this way, it was easier to consider what the cases were for each different department and how SITA could measure itself against the same objectives. SITA employees were also public servants, and implemented services through the use of information technology, in terms of section 6A of the mandate.

The second part of the mandate was to implement public information technology services in the most efficient way possible. “Efficiency” could be described in the context of operational efficiency, administrative efficiency and also, cost efficiencies. The question is the extent to which the acquisition and the extent of information of technology information services are cost effective as technology improves. He illustrated this by saying that if a person was operating something for R100 ten years ago, was it possible today to use the R100 to achieve more capabilities, or the same capabilities at a lesser cost. Technology is becoming more and more capable, allowing people to achieve more for less money. That covers section 6B of the mandate. SITA was reorganising itself to respond in a fundamental way to aspects of its mandate.

He noted that in section 7 of the mandate there are certain prescribed services that SITA  must be able to provide to government departments. Sometimes that section is construed as forcing government departments to make use of SITA. That was the wrong way of looking at it, because it suggested sometimes that government departments do not see the value of using SITA services, but rather feel obliged to make use of SITA. In a perfect world, it is important that government should run a fully controlled network system, that is controlled and owned by the state. This is not dissimilar to how other countries are operating. There was a need to create a system that would be robust to future challenges.

The question SITA needed to ask was the extent to which it would operate according to SITA's mandate. People should come to SITA because that was the best .

Section 7(4) of the SITA Act  says that when SITA operates with government departments it must operate through specific business agreements. Those business agreements outline what is expected from SITA in terms of service delivery, outline the roles and responsibilities and provide a direction of the resources that it should be employing. The second part of the section speaks to SITA's role as a procurement agent. SITA had to ask itself when doing procurement, whether this was a purely administrative exercise, or about SITA taking business requirements and processing  without understanding the content of that business requirement, ICT goods, and services it was asked to provide. Section 7(6) speaks to the need for us to provide standards of ICT goods and services that can be used in the construction of business by Departments. Even if SITA is not providing services and acting as a procurement agent, it must make sure that the things that had been procured support principles , are well interpreted, cost effective, promote operational effectiveness and continuously increase the capabilities of the State. Modernisation must address all those questions in context.

Gap between SITA and Department of Defence (DOD)
Mr Mohape then spoke specifically to the situation with the Department of Defence (DOD or the Department). In respect of military veterans, there was a business agreement that was formed in August 2014.The relationship between SITA and the Department of Defence (DOD) had not been a relationship that had created capabilities. Essentially SITA was  acting as an IT operations function of the Department, in respect to all of the mandatory services and some of the services which are not mandatory. The gap lies where it had to provide strategic support in respect of development of roadmaps for ICT systems, particularly roadmaps that deal with modernisation of the systems.

More detail would be given on the systems that are currently employed within the defence system, particularly the systems that are attached to the Defence Review and recommendations that should be added to the implementation of the defence systems and enterprise. In the 2015 Defence Review, there had not been specific connections made and this meant that SITA had not been providing the strategic support, or strategic direction, thought leadership, and providing the appropriate standards and services. There had been a gap and a vacuum. However, where the strategic work was being attended to by people from outside the Department, SITA would merely get a list of specifications and it acted as a procurement agency.

New support Systems
DOD is not getting the true benefit of a strategic point of view, so SITA had taken a view that it was going to strengthen SITA's strategy and advisory services and standards and capability, and put proper subject matter experts in place. It should also create capability that would focus on creative solutions for SITA's customers. SITA had created a new unit, to service centres and solutions. It was able to offer subject matter experts in enterprise and productivity, and services in enterprise resource planning applications, but also specific subject matter expertise in the different departments, to cater for specific applications in, for instance, police service, health and education.

SITA intended to re-align the SITA's operating model around the Department of Defence and the contracting model. The contracting model is outsourced but the operating model does not allow for outsourcing. SITA is pulling together resources and creating a single point of accountability within SITA, which will be used full time with driving the strategy.

The intention is to incorporate some of the challenges that will be presented into the SITA national ICT modernisation programme. The requirement of such a programme is to look at either system on its own and look at the extent to which it can be satisfied by the national financial system. There will be the opportunity to replace logistics-kinds of systems and to incorporate modernisations. Under the infrastructure modernisation, it was intended to put in place a government cloud, which would be private. It would provide cost effectiveness, as the old systems were expensive to maintain, and the skills to maintain them were not being produced out of the education systems. In addition, SITA would be able to provide for more agile and larger numbers of functions.

One example of enterprise productivity was that SITA was working with National Treasury in the context of procurement reforms. SITA was required to consolidate demand for ICT goods and services and approach the market in the most effective way – for instance, approaching Microsoft and buying all licenses differently, rather than each department approaching Microsoft individually, which was expensive. This should bring immediate short term benefits to the Defence budget.

Mr Pieter Coetzee, Acting Executive Operations Manager, SITA said that he would speak to the impact of the systems, the challenges experienced and the way forward. The current systems have been used for 22 years in the DOD, and SITA was looking mainly at the administrative part of the systems, not much in the control systems. The Defence Review, as mentioned, has mandated the establishment of an integrated defence enterprises system. The integrated defence enterprise system talks about administrative aspects, as well as command and control.

The current systems are outdated, technologically obsolete, not fully integrated, do not support the DOD Business Processes in full and are not compliant with the changes in the government Regulatory Framework. On the ground, different units of defence use different systems for the same function. He noted that the HR systems had been in place for 27 years, but the financial management system had been in place for over 33 years and had very different logistics. All systems were developed using old language. Apart from the risk of maintaining the systems, there is a big demand for skills as they are dying out and this increases the cost of maintenance and support of these systems.

Overview of Different Operating Systems 
There were four main areas:
- Supply chain/Logistic systems
- Human resources systems
- Payroll and financial management a
- Military Health Systems  (MHS)

On the supply chain side, there are three different systems in use; The army mainly uses the CALMIS system. The South African Navy and Air force use the OSIS system. The army uses the LIMS system.

On the human resources side there is more integration of full human resources management and payroll for all the different systems, personal recruitment, leave management, housing and so forth. There is a full range of systems, but once again, they are very old.

The financial management system information is fed into the national accounting system. There is no direct interface, just a transfer of numbers between the two systems. There is no day to day integration between the two systems, as well as the government wide  basic accounting system BAS.

The Military Health Systems (MHS) that are deployed are from the laboratory, upwards, patients and deployed health and clinical records. One of the big legacies is the clinical records that are on various platforms from micro film that are in the process of scanning to get them on par with the current technology. The only positive impact of this system is that it is very secure and has been built in an isolated environment, not interconnecting with anything else. The secure systems comply with the security policies, but does not support the DOD business practises in full.

The main challenges were outlined.

The skills pool presented a challenge as most of the people maintaining the system were already in their fifties. It was not sensible to train the new entrants in old technology that only had five to ten years of life left. There were not many people interested in getting into this kind of technology.

There were limited funds for renewal and maintenance., which explained why it was replacing the systems. Replacement implied that at some stage the Department would be paying to keep the old system running, and to develop the new system. There was a big demand for renewal of infrastructure. The nature of the ICT business always requires a separate ICT infrastructure. The cost of security systems was another point, because it is not the same network as the rest of government. There is a cost for the specific systems that run separately, for security reasons.

Mr Coetzee then outlined SITA's recommendation on the way forward. It recommended that the DOD  continue to maintain the legacy systems to ensure that the business continues. There must then also be a focus on the mandate that was given at the Defence Review to finalise the defence enterprise system. The current programmes, IMFS, also cater for some of the portions of DOD, and SITA must ensure synergy and alignment to the work that is happening there. This is to get the process started, an integrated defence enterprise system, through a joint programme with SITA and DOD .

Discussion
Mr K Marais (DA) referred to the Defence Review, which was supposed to have five milestones. He said SITA was referring to milestone 1. However, DOD would require R1.8 billion  to complete milestone 1, and that money has not been granted, so that it could not happen. He asked how this would affect the rollout of the plans. 

Secondly, he asked whether this would include all the arms of the DOD,  including those of Armscor. The hacking was a major security threat to SITA's sovereignty and information, and he asked how breaches would be secured and avoided, although he would also like to hear how something like this was allowed to happen in the first place. Once a hacker had breached one part of the system, he or she could follow different routes and probe deeper. He was sure that Members were aware of the hacking of Hillary Clinton's private e-mails. He asked what SITA had in place on service, firewalls and so forth, and what were the protocols for each and every person in the NMC to follow; including emails, laptops, tablets and cellphones.

In relation to outsourcing to private contractors, he asked what vetting would take place, and whether all those contracted were actually secure and is bound by what was required to protect SITA's information and SITA's national security.

Finally he noted the reference on page 13 to security policies, and said that the security system is going to be compromised, which meant that there were already two matters that did not speak to each other. He wondered how valid these security policies were, especially if they did not talk to each other. Mr J Skosana ( ANC) noted that this whole presentation had to do with systems for managing the information of defence. There was apparently capacity and financial resources, but he asked whether the DOD would be able, within a short time, to deal with these challenges as expected, and set up a programme,. The gap was huge, and SITA was dealing with it .The gap is so huge and we are spending money on skills development and modernising resources to capture information.

Mr S Esau (DA) raised a few issues concerning the modernisation process. There had been an agreement between the Department and SITA, and SITA has expressed its concern over certain limitations because of what DOD allowed it to do. He asked for an indication of any problematic issues in the agreement and in service delivery. He noted the remarks about the old and new systems, but the old system provides services that are guaranteed. He wanted to know what were What are the exact compliance issues with which  DOD could not comply.

Mr Esau was aware of problems with the asset register. He noted the comment on the government cloud, and wondered whether this could be classed as an “own cloud” since clouds are normally hosted by other entities – such as Google, Vodacom, which could be high risk. He said that many people were already resorting to more secure systems.

He noted that SITA had been in operation for a long time, but it had been found that many departments operated still on their own platforms with different systems, at a huge cost for the state. SITA had said that it was in a position to negotiate and wondered if it had looked to any administrative cost efficiencies. He had not seen proposals, but this was based on what he had heard. For a system like the Department of Military Veterans, the information was not particularly sensitive as it did not have any current defence information, but there was a huge problem with the database. Simple things could be achieved without any enterprise system. He asked then what had really been achieved? Despite such a sophisticated Agency, government is dragging its feet on many fronts although the end goal could be achieved in a few months. He expressed concern that SITA is not playing its role as it should, and he wanted it to explain why it does not achieve its capability to improve services and cost efficiencies. No cost efficiencies had been demonstrated today; no figures or budgets had been presented. He wanted to know how the rollout would actually happen and where SITA was, right at this moment, in piloting the business enterprises before implementation of the system. What exactly had been done?  Had SITA been able to vet this process in terms of DOD and DMV to actually do those processes, in terms of  designing a platform or a system that can deal with all the issues? He noted the comment on lack of compliance and legacy problems, but wondered if this had been properly investigated.

Mr Esau asked about the length  of time for implementation, and how long the whole platform and enterprise system was planned to take, as well as whether DOD had made a commitment to fund the entire process. He was worried that the country would reach a point and only have half-service.

Speaking to the IP and software licences, usually Microsoft would charge per user. Government normally applies for licenses, based on the number of employees and units within government. He asked whether SITA, in saying that it could procure licences, was taking everything into account, whether there were different prices for government and the huge staff component, and hosting. Members actually did not know the cost to government departments and where savings could be made but SITA should know this as it had access to the needs of different Departments, and knew what was happening in the government sector, and could possibly project the costs and possible savings.

Mr Esau noted that his colleague had already expressed concern with the economy and future of the Department not reaching the expected rate of growth. Given this, he wondered how this special project, which is absolutely necessary, was going to be funded by the Department? Members needed the figures.

Mr D Gamede (ANC) asked whether SITA did subscribe to speedy, efficient service delivery. He asked if SITA thought it fair that clients, such as DMV, and beneficiaries should go through SITA if they wanted to communicate issues within the Department. SITA  was like a middle man in the communication challenge stakes, but he was worried that the ordinary citizen might get fobbed off by the Department claiming that it was not in charge of this communication. Why should beneficiaries not be able to communicate their issues  directly to the Department?

He asked if SITA thought it had the capacity to serve the huge and sensitive Department? He asked for reasons why there were personnel in acting posts.

He made the point that if the essence of the presentation was around modernisation – and what exactly was being done here – he expected to see the costs, and a more comprehensive setting out of what the Committee could do to assist in order to hold the Department accountable.

Mr Zukile said he had recognised the importance of stability of the organisation. Some issues had been investigated, but he pointed out that in the past, there was a frequent change of Chief Executive Officers whenever ministers were appointed. SITA should maintain a consistent attitude and approach.

The representatives dealt with the milestones of the project.

Mr Mohape said that the Armscor system was not managed by SITA.  The mandate does not require such institutions to use SITA. SITA was, however, created to deliver value in a system that allowed people to feel safe. It worked with government departments, security and clearance for police. The standards in this arena must be higher than anywhere else. SITA should offer such good services that departments should not do things on their own. Government departments who had not developed websites through SITA would not approach SITA to check that they were secure, and often SITA was not even asked to host the site. The solution had not been there to date, but SITA had completed a whole design and business case for a new zone, for all systems., which would be secure because it would be possible to come through as public interface, not to access web content but to use a private and secure route. There will be monitoring and robust management of the system in anticipation of hacking threats. The business plan would be put forward to the committee who would meet in October and implementation should start then. 

Part of this initiative addressed protocols, although it did not go so far as to address private emails, as that could be addressed through a separate and dedicated process. The mandate provides standards to see to usage of ICT Services. The SITA initiative now sets standards and procedures that people must follow when they construct, host or operate government websites. SITA would be able to report people who do not comply with standards. There was a much bigger job to be done on email usage. Much of the potential hacking was underground, and more could be said on this later. 

He noted that outsourcing happened because there was a need to find skills outside. SITA would get a request as protocol to outsource .

He told Members that in the US government some divisions were still working with old eight-inch floppy disks, which cost up to US$50 billion to keep running; this emphasised the importance of balancing changes in a conservative environment with new technology and capabilities. He could say that around R200 billion was used to support legacy systems. If SITA were to  modernise, there would be  capital expenditure over the first term, but most certainty the cost of operating that later, over five to ten years, would be less and it would allow for positive returns. Very few under-25s knew the systems, so there was a large dependency on the sector where the skills are getting thinner on the ground, and the risks are getting bigger and bigger.

The Chairperson asked for an example with the national certificate (vocational) exam system, where there was a backlog in the issuing of certificates, so that students were not sure whether they had passed. He said that SITA would have to think outside the box in order to clear the backlog.

Mr Mohape agreed that since 2011, the state system had not been able to provide certificates for all who have gone through the NCV, causing great harm. However, from February a new programme had started and by August 99.5% of the backlog of about 250 000 certificates had been cleared. That required a different way of thinking and also highlighted the risk of operating on these old systems. The social and financial costs of operating on these systems are not tenable as they pose too many risks.

He noted that the functionality in the IDIS system had also been captured in the IMF system, which is fully funded. The questions was thus how to implement the enterprise functions on financial management, HR management and supply chain management. When the IMFS failed  before, SITA was not in partnership with National Treasury and DPSA but it was now starting an implementation programme.

SITA had found that the defence and military systems were not part of the “leak sites” for IFMS, and now had a fairly good handle on what was happening in the different departments and provinces. There is a steering Committee working to IFMS being fully funded and approved.

Mr Mohape asserted that SITA could indeed deal with the transfer of skills. At the moment, SITA's training programme and internship programme had not been the most constructive, because it had been spending R50 000 on training but R300 million on contractors, which was not absolutely necessary. In this year the focus was changed so that SITA  trainees actually were to get real capacity not just obtain certification through being at a course. SITA was no longer doing the training it had, but was looking at all different offerings and capabilities with a view to training IT people to be benchmarked against the rest of the world.

Money was available but it had not been used properly. He would like to speak to some of the issues in the previous years. He himself had sat down with representatives of DOD, to discuss the needs, but later found that in fact the main problems arose on the military veterans side, and that no one from that side had attended the discussions. He pointed out that there had been problems with a fault line; SITA would receive a request and because it was only a custodian of the IT system, and not the data, it ended up having to give data. There were forums to discuss the problems. 

Speaking to the Cloud, he said that many software vendors are dangling public cloud proposals to government. However, it is never known where the cloud is hosted, and where the data is held. SITA represents the government cloud, but hosts all the data on a private cloud system, on mainframes. It uses modern technology that is used in other clouds but the principles of security remain the same, and this is more cost -effective and can include other departments.

SITA's customers accounted for their budgets differently. National Treasury had issued a circular, that Microsoft users should not be entering longer term renewals. SITA was to consolidate the demand and use it to gain economies of scale, automating the buying of Microsoft products. He illustrated this by saying that departments were buying far more than they actually needed. Microsoft knew this. In the SITA approach, one department would pick up excess parts from another, resulting in large savings. SITA has identified goods and services and submitted the proposals to NT. It was starting to fix systems with Microsoft . Currently SITA was changing the business model and by the end of the financial year things would look very different. It was working currently on the licence and on some desktop support, and professional procurement of software assets.

He agreed that the impact on society was very important; a child could not get into the economy because they failed the basic education. SITA was able to deliver e-learning platforms, where the state is willing to pay. He asserted that the lazy and corrupt should not be in the public service, and the public would suffer if they were. Even where SITA did not have its own capabilities, it was possible for it to go out and find the best people. SITA needs help to delivery with the military veterans as it did not have data.

Mr Coetzee noted that there was no project where SITA is involved, only within the IDIS system. Currently there were not time-scales. That was why SITA's recommended  that there must be focus on establishing a programme for IDS .

Speaking to the hacking of emails he said that the DOD  is the one Department that is secure in the sense that it has a separate physical infrastructure, not integrated into the web and very strict protocols on sending classified documentation by email. It had a  manual data leakage information prevention system implemented. If any classified documentation is sent to a public email address, the person responsible will be sanctioned very quickly. That protocol was already in place. The challenge was how to integrate that into the rest of government, where there were far more open systems. In the DOD there was a demilitarized zone which is a layer of six to seven firewalls including one manufactured with the South African algorithm, which will ensure that when it opened up for certain cases, the protocols could not be hacked or abused by anyone.

SITA had a very strict vetting process for outsourced staff members. SITA had its own field unit. All members working in the defence area go through a vetting process with regard to the level of classification that is required. The final vetting is done by Defence Intelligence. Any new supplier also goes through Defence Intelligence processes to be vetted.

He repeated that in relation to the question on policies versus process, the benefit was that the processes were separated out by layers of firewalls.

There had been issues when government policy had changed  - for instance there were issues to actually clear the audit findings on assets. National Treasury can foresee changes and implement through the  BAT system, but currently through a manual process. 

The new IFMS will ensure that all enterprise systems will be synced centrally and centrally managed. There was an indication that all information systems will not be consolidated with information from IFMS.

He noted concerns with the date of 2020 that had been given, and SITA could give more feedback on that, although he asserted that five years to develop a system was actually very short.

On the question of beneficiaries, he said that DOD was a new department for SITA, and SITA had helped it to establish  a new IT infrastructure. There were funding problems in establishing a CIO function and establishing the relationship, but the agreements were now signed and DOD would start paying for SITA services, and SITA could buy in services and contractors for it. More results would be given on military veterans systems later.

Mr Zukile responded to the questions on the call centre, that SITA would, at the minimum, ensure that it was operating effectively. Strategically SITA was becoming more responsive. The model of SITA provides the core of capability, but would determine exactly how on a case-by-case way that looked at the businesses. In relation to DOD, the problem was the absence of strategic level engagement. SITA must be engaged by government Departments. Its obligations had to be changed in view of the new cyber threats, which in turn needed modernised approaches. If departments could understand the  importance of main-streaming ICT, the rest will fall into place.

The Chairperson had made the point that everyone wants to procure for themselves because the industry had deep pockets. They don’t want to use their buying power through government. This becomes a fundamental problem. It is important to instil a discipline in the whole public service, and to perceive SITA not simply as a middle man, but to actually use its benefits.

Mr Gumede said that the interaction was fruitful, SITA had a legislative mandate to service the Department, yet there is an option for the Department to use SITA. There is some synergy where it is able to execute its legislative mandate. He asked that the costs of the project be sent through in writing. He pointed out that SITA was strategically placed to play a leading role in radical economic transformation, and the Committee would like to hear how it would play that role. There was an expectation that SITA would  play a minimum role in investing in the training in ICT, and  the Committee wanted to hear how far SITA was on that. If training was not geared to the needs of the future, then the future would be in jeopardy.

Other business: Third Term Committee Programme.
Mr Esau raised concerns that there was no programme for the week of the oversight.

The Chairperson said that there was, but three days was not enough.

Mr Marais said that he had already written to the Chairperson about problems with the Air Force base. The Committee knew about the encryption intelligence and long-term storage and this was really an observation, not really oversight. The Committee had been concerned in the past that the challenges had never really been addressed in visits, and the Committee did not want to spend the whole day travelling, with no outcome, The Committee already knew that C120 and some training facilities have been flagged as matters of concern, and the Committee knew why pilots had to be sent abroad to be trained.

Mr Esau asked the Committee Secretary to look at the last issues . He referred to the invitation for the 14th but Members had to be here at Parliament.

Mr Marais said that the Committee had not visited Armscor.

Other Members said that they had, prior to Mr Marais joining the Committee.

Mr Marais still thought it had to be visited because it had some challenges around facilities and equipment needed for peacekeeping missions. 

The Chairperson said Mr Marais should be specific about what he thought that the Committee must address during oversight.

Mr Marais said if he had known what was on the draft programme in advance of the meeting, he could have given input in writing.

The Chairperson  apologised that this was not sent out because of administrative problems. beforehand that he can give input he would’ve given in writing to the Chairperson.

The draft programme was adopted.

The meeting was then adjourned.