We tend to think of the US Defense Department (and corresponding organizations in other countries) as being closed, highly secretive environments, in which everything from the details of the latest stealth weapons technology to the ordering procedure for lavatory paper is classified. While there is certainly some truth behind this idea, it is heartening to learn, as reported recently by Ars Technica, that there is a serious attempt underway to educate staff in the DoD about the potential benefits of using open source software.
The Deputy Assistant Secretary of Defense for Networks and Information Integration, the Deputy CIO of the Department of Defense, has authored a memo for the Department of Defense that outlines the technical and logistical advantages of adopting open source software within the military. It includes a guidance document that aims to clarify how and when open source software can be deployed and selected.
This is not an entirely new phenomenon. In 2003, a report [PDF], commissioned by the Defense Information Systems Agency, and produced by the MITRE Corporation, surveyed the use of free and open source software [FOSS] in the Defense Department, identified 115 FOSS software packages already in use by the US DoD and the military, including the operating systems Linux, OpenBSD, FreeBSD, and NetBSD, the Apache Web server, and the Perl and GCC software development tools. The report concluded that, if FOSS software were for some reason to become unavailable, the negative impact on the DoD’ s Web infrastructure and software development activities would be severe.
The National Security Agency [NSA] has also been involved in free software. For a number of years, the NSA has produced a security-enhanced version of the Linux operating system, called SELinux. (This is not a distribution of Linux, properly speaking, but a set of modifications to the base system to provide specific security facilities.) SELinux is currently available in some free Linux distributions (for example, Debian and Ubuntu), and is available in RedHat Linux with commercial support.
The new report [PDF] is intended to reinforce this trend, and to clear up some misconceptions within the defense community that might affect the use of FOSS. For example, there are some procurement situations in which the use of “commercial” software is preferred or mandated. In this context, commercial software is defined as that which is “sold, leased, or licensed to the general public”. Although FOSS is often not sold to the public, it is certainly licensed (in fact, the whole conceptual basis of FOSS rests on licensing and copyright law); the report makes it clear that FOSS qualifies in these situations. It also notes some of the other benefits of FOSS:
“The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team,” the document says.
The DoD also has up a Web page with an excellent FAQ list on the subject of FOSS. Although it is obviously focused on issues of importance to the defense community, much of the list, particularly the first six sections, is of general relevance.
I have remarked here before on the futility of trying to achieve “security through obscurity”. It is good to know that the people who deal with real security issues understand this.