VA’s Baker: Commercial software is often the best option

Agencies cannot afford to develop proprietary technology when commercial software is so readily available, said the VA CIO.

The Veterans Affairs Department will continue building out its software systems with commercial products and cloud services rather than trying to develop things in-house, VA CIO Roger Baker said in a keynote address at the Management of Change conference May 17.

"I'm not going to build the next application," he told the ACT/IAC conference in Hot Springs, Va. "I am convinced that the government cannot build a better Facebook or eBay" than the private sector can.

The VA could add proprietary software to its open-source systems if that meets the needs of the department, he added.

He said that as technology has matured, the government's needs have become, by and large, less unique and therefore less dependent on creating its own technology. When developing a solution, it’s increasingly common to find a commercial offering that can do almost everything the agency needs, at which point agencies usually can find ways to work around the rest – if they are willing, he said.

Baker recalled one incident when he found a commercial package that could meet 80 percent of the stated requirements for a project, but the manager in charge insisted the solution must meet all the requirements.

"I said, well that was your requirement last time and you got zero percent of your requirements over the past 10 years," Baker said. "Would you rather have zero percent or 80 percent?"

However, when accepting products from the private sector, Baker said it is a CIO's responsibility to ensure that they are secure and will keep sensitive information out of unauthorized hands.

"We don't go down the path of 'we want to look at all your code,'" he said, in response to an audience member's question. "We're interested more in where the data is going to be stored. When you store it, are you encrypting it?"

Looking at source code isn't effective, he said. "If you're a good hacker, you can bury a hack deep enough in the code that a cursory examination" won't find it.