Open source courses through DOD

What would happen if open source software were banned in the Defense Department?

A recent study conducted by Mitre Corp. for DOD posed that hypothetical question and found this answer: The department's cybersecurity capabilities would be crippled and other areas would be severely impacted.

Mitre Corp. was asked to develop a listing of open-source software applications at DOD and to collect representative examples of how those applications are being used. Over a two-week period, an e-mailed survey identified 115 applications and 251 examples of use, and Mitre's report acknowledged that actual use could be "tens of thousands of times larger than the number of examples identified."

To help analyze the data, the hypothetical question was posed: What would happen if open-source software were banned at DOD?

Version 1.2 of the report, "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense," was released Sept. 20 to the Defense Information Systems Agency (DISA), and found that open-source software applications are most important in infrastructure support, software development, security and research.

"The main conclusion of the analysis was that FOSS software plays a more critical role in the DOD than has generally been recognized," according to the report.

In open-source software, such as Linux, the source code is publicly available and gives users the right to use, copy, distribute and change it without having to ask for permission from any external group or person.

After receiving a working draft of the report in May, DISA solicited insights from DOD and the private sector, said Rob Walker, DISA's Net-Centric Enterprise Services program manager, in a presentation at an open-source conference in Washington, D.C., this week.

The examination raised three concerns about the use of open-source software:

* Exposing system vulnerabilities.

* Introducing Trojan software, which is hostile software covertly placed in ordinary applications.

* Developing new software that incorporates "general public license" (GPL) source code. This means the entire new product must be given a GPL, which would impact DOD software development and research areas.

Walker's presentation dismissed the first two concerns, finding that the pre-emptive identification of security holes by friendly analysts outweighs the danger of hostile attacks, and that the introduction of Trojan software in open-source environments is no greater than in proprietary ones.

DOD officials' main open-source concern involves the licensing, but "with reasonable care, GPL software can be used without disrupting other licenses," Walker said. He added that the introduction of unusually restrictive licenses, like some used by Microsoft Corp., "presents a more significant issue."

Mitre's report recommended three policy-level actions to help promote optimum use of open-source within DOD:

1. Create a "generally recognized as safe" open-source software list to provide official recognition of applications that are commercially supported, widely used, and have proven track records of security and reliability.

2. Develop generic policies to promote broader and more effective use of open-source, and encourage the use of commercial products that work well with the software. A second layer of customized policies then should be created to deal with the four major use areas -- infrastructure, development, security and research.

3. Encourage the use of open-source to promote diversity in systems architecture, which would reduce the cost and security risks of being fully dependent on a single software product.