Mitre: Open-source code rife at DOD

Pentagon concerned about potential vulnerabilities

The use of open-source software within the Defense Department continues to gain momentum, especially in the critical area of cybersecurity, despite the fact that DOD and industry leaders have raised numerous concerns about vulnerabilities associated with the technology.

But what if open-source software applications and development were banned in DOD?

A recent study conducted by Mitre Corp. for DOD posed that hypothetical question and found that without open-source software, DOD's cybersecurity capabilities would be crippled and other areas would be severely impacted.

In open-source software, such as Linux, the source code is publicly available and gives users the right to use and change it without asking permission from any external group or person.

DOD officials asked Mitre to list the agency's open-source software applications and collect examples of how that software is being used.

A two-week e-mail survey identified 115 applications. The survey also found 251 examples of how the software is used, but the company acknowledged that actual use could be "tens of thousands of times larger than the number of examples identified."

The report, titled "Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense," was released last month to the Defense Information Systems Agency. The report found that open-source software is most important in infrastructure support, software development, security and research.

"The main conclusion of the analysis was that FOSS software plays a more critical role in the DOD than has generally been recognized," the report stated.

But the Mitre report is flawed because it is based on a question that assumes that open-source software would be banned within DOD, said Robert Kramer, vice president of public policy at the Computing Technology Industry Association Inc. and executive director of the Initiative for Software Choice (ISC).

"I know of no one who is saying that," Kramer said. "The ISC is not for that at all. The premise is unusual to say the least."

After receiving a working draft of the report in May, DISA solicited insights from DOD and the private sector, said Rob Walker, DISA's Net-Centric Enterprise Services program manager, in a presentation at an open-source conference in Washington, D.C., last month.

The comments collected raised three potential downsides to using open-source software:

- Exposure of system vulnerabilities.

- The introduction of Trojan software, which is hostile software covertly placed in ordinary applications.

- Conflicts with new software that incorporates "general public license" (GPL) source code. If personnel use GPL source code in the course of research and development, the entire product of that work is protected, whereas other open-source licenses are not as restrictive.

DOD officials' main concern is the licensing question, but "with reasonable care, GPL software can be used without disrupting other licenses," Walker said. He added that the introduction of unusually restrictive licenses, like some used by Microsoft Corp., "presents a more significant issue."

Open-source software is increasingly being used by government agencies, and the Mitre report proved that by saying there are thousands more applications within the Pentagon than were identified, Kramer said.

"Why do you need a policy to point to either [open-source or proprietary] software" when it is continuing to be competitive in the government marketplace? he asked.

DISA officials said that how much DOD uses open-source software in the future will largely depend on the results of the ongoing policy review.

Joint development

Mitre Corp.'s report for the Defense Department recommended three policy-level actions to help promote use of open-source software in DOD:

- Create a "generally recognized as safe" open-source software list to provide official recognition of applications that are commercially supported, widely used and have proven track records of security and reliability.

- Develop generic policies to promote broader and more effective use of open-source software, and encourage the use of commercial products that work well with the software. A second layer of customized policies then should be created to deal with the four major use areas — infrastructure, development, security and research.

- Encourage the use of open-source software to promote diversity in systems architecture, which would reduce the cost and security risks of being fully dependent on a single software product.