News in December that Amazon Web Services (AWS), Google, Microsoft and Oracle had bagged a potentially $9 billion Joint Warfare Cloud Capability (JWCC) contract to provide the U.S. Department of Defense (DoD) with cloud services is good news for the companies and their shareholders. But does it represent a fair deal for American taxpayers? And can these companies, two of which have recently been fined for unethical business practices, really be trusted with our nation’s top-secret data?
The U.S. government handed the four companies a joint award for an "indefinite delivery-indefinite quantity" work order to provide the DoD with enterprise cloud services. The contract will allow DoD divisions to acquire centralized cloud management, advanced data analytics, elastic storage and network infrastructure services from these companies as needed. Though the contract has a total value of $9 billion, the “indefinite” part means funds will be paid to the companies as orders are placed rather than a set amount of money being delivered on a set schedule.
The companies have been approved to provide services across all mission classification levels, including confidential, secret and top secret. With highly sensitive information on the line, it seems only natural to ask what will be done to protect it. Those questions are particularly pertinent when it comes to Oracle and Microsoft, which have been the subject of bribery accusations in the recent past.
In September, Oracle agreed to pay $23 million to the U.S. Securities and Exchange Commission (SEC) to settle allegations that its subsidiaries in Turkey, the United Arab Emirates and India bribed officials in those countries in exchange for business. The company, however, did not admit wrongdoing as part of the settlement.
In March, The Verge reported a whistleblower had accused Microsoft of paying millions of dollars in bribes to officials in Africa and the Middle East. At the time, Microsoft told the news outlet that it had previously investigated and addressed the allegations and was “committed to doing business in a responsible way.” And as recently as 2019, Microsoft shelled out more than $25 million to settle bribery charges filed by the SEC following an investigation into its business in Hungary.
Security questions and lack of responses
Silverlinings asked all four companies and the DoD multiple times for more information on how the government’s most sensitive information will be handled. Oracle and AWS didn’t reply at all, while Google provided a canned comment, and Microsoft pointed to some old blog posts about its government work. The response – or lack thereof – wasn’t entirely surprising given the nature of the contract.
U.S. Navy Commander Jessica McNulty, a DoD spokesperson, said only that the DoD is “confident in its handling and security protocols and established procedures for protection of sensitive government information.”
Additional information is available for those willing to do a bit of digging. Before the DoD made its JWCC contract award, all four companies achieved certification through the U.S. government’s Federal Risk and Authorization Management Program (FedRAMP), which was established in 2011 to standardize the security assessment, authorization and monitoring of cloud vendors. As part of the certification process, vendors must undergo a penetration test to identify potential weaknesses in their services and applications and complete annual security assessments.
FedRAMP uses National Institute of Standards and Technology SP 800-53 security controls, which include one requiring cryptographic protection for federal data at rest, in transit and authentication for moderate and high-security systems. That means these systems are secured with cryptography covering “digital signatures, encryption, key management, message authentication, random number generation and secure hashing,” the FedRAMP website states.
One other thing: Back in November, the DoD adopted a formal zero-trust strategy which calls for a “never trust, always verify” approach to security across all devices, applications, assets and services. Presumably this will apply to the cloud services provided by AWS, Google, Microsoft and Oracle, though the document notes it only encompasses a strategy for implementing zero trust and doesn’t detail a specific architecture which must be used.
Good deal or bad deal for taxpayers?
The other, perhaps bigger, question is whether the government should be paying these companies full commercial rates at all given the billions in tax breaks they’ve received over the years.
See, there are statutory tax rates – which refer to the standard percentage of income that companies are supposed to pay in taxes – and then there are effective tax rates. The latter refers to the percentage of income that companies actually pay once things like exemptions, credits and other loophole exploitations are factored in.
Take AWS parent company Amazon, for instance. An analysis by the Institute on Taxation and Economic Policy found the company used legal loopholes to skirt about $5.2 billion in corporate federal income taxes last year. While the company’s statutory tax rate in 2021 should have been around 21% given its status as a large corporation, its effective tax rate was just 6%.
That means the federal government lost out on billions in revenue that could have been spent strengthening the Social Security system, national defense, veterans benefits, transportation and highway improvements. National defense, of course, would include military spending like the aforementioned DoD cloud contract, which means Amazon is shortchanging the very system supporting it – again, legally. So, in a sense, they're having their cake and eating it, too.
Google parent company Alphabet’s effective tax rate was 16.2% in 2021. Microsoft’s tax rate was approximately 13% for its fiscal 2022 year that ended on June 30, 2022, while Oracle’s was 12.2% for the fiscal year ended on May 31, 2022.
Citizens also are providing subsidies as states hand out tax breaks to entice construction of data centers – the lifeblood of the cloud – within their borders.
Last year, lawmakers in Nashville, Tenn., approved a 25-year, $175 million property tax break as well as a $65 million economic grant for Oracle to help with the company’s development of a new campus there. Meanwhile, Google snagged a $10 million tax break for a data center in Texas and a 15-year, $54.3 million tax abatement for another in Ohio. Virginia dished out $124.5 million in tax breaks in fiscal 2021 to entice data center construction, though the state didn’t name the recipients.
One county in Oregon reportedly granted property tax breaks for Amazon worth $161 million over the past five years. Mike Rogoway of The Oregonian calculated that Amazon’s deals there save it approximately $50 million each year. Meanwhile, the company ends up paying around just $11 million in annual property taxes.
These tax breaks amount to a special kind of slap in the face for residents in states with high property taxes. Texas, for instance, has the sixth highest property tax rate in the country, while Ohio has the 11th highest. Abatements for thee and not me and all that.
The question, then, is what are Americans getting in exchange for all the money we’re pouring into these companies? “Jobs” doesn’t quite seem to be the answer.
According to a 2017 report from the U.S. Chamber of Commerce, around 1,688 local workers are required to build a typical data center, but these facilities only support 157 jobs once construction is complete. And, as Time reported, companies like Google are increasingly hiring contractors on three-month contracts to run their data centers. That kind of arrangement doesn’t exactly offer long-term stability or benefits.
In the case of the DoD contract, one could make the case that Americans will get a more effective military in exchange for their money. The JWCC request for proposals (RFP) spells out some of the new capabilities the government hopes to gain from the deal, including data analytics spanning predictive analytics, machine learning and artificial intelligence; data portability; the ability to rapidly deploy new applications; automated threat detection; monitoring and logging; and the ability to deploy tactical edge compute and storage as needed. But the math around how these capabilities translate to a dollar value is fuzzy.
If the U.S. government is willing to spend as much as $9 billion on the cloud, why not build its own infrastructure? The RFP notes officials sought access to "no fewer than three physical data center locations, at each classification level, geographically dispersed by at least 150 miles and within the Customs Territory of the United States." But it also states those data centers can be co-located, so long as they can meet relevant clearance requirements. So, why can't the government pop its own servers into a bunch of these existing data centers and create its own cloud with the money it's instead handing to massive corporations?
Would $9 billion really not be enough to do that and recruit some of the talent recently laid off by these giants to innovate based on the military's specific needs?
You can’t exactly blame the companies for taking advantage of legal incentives offered by the government. But officials at all levels – and the citizens who elect them – need to seriously ask whether the billions we’re handing these companies are wisely spent.
Are US taxpayers subsidizing the cloud boom? Send us your thoughts here. We may publish them.