22 November 2017

The Pentagon is set to make a big push toward open source software next year

by Kelsey Atherton 

Nestled hundreds of pages into the proposed bill to fund the Department of Defense sits a small, unassuming section. The National Defense Authorization Act for Fiscal Year 2018 is the engine that powers the Pentagon, turning legislative will into tangible cash for whatever Congress can fit inside. Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), this year's NDAA could institute a big change: should the bill pass in its present form, the Pentagon will be going open source.


“Open source” is the industry term for software whose source code is published for anyone to read, modify, and redistribute under a license that permits all three. It’s contrasted with “closed source” or “proprietary” code, which a company guards closely as a trade secret. Open source, by its nature, is a shared tool, much more like Creative Commons than conventional copyright. One big advantage is that the agreements to run open-source software are usually far more relaxed than those behind proprietary code, and come without licensing fees. The license to run a copy of Adobe Photoshop for a year is $348; the comparable open-source GNU Image Manipulation Program is free.

We don’t typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world’s largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine.


Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself of open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without the delays of a full procurement process.

Open-source software can also be more secure than closed-source software, though not automatically: the security benefit comes from the code being open to scrutiny by users and researchers across the planet, so that weaknesses can be found, shared, and fixed in the open rather than hidden behind a vendor. That benefit only materializes when someone actually reads and tests the code, but the option to do so is one that proprietary software denies its users entirely.

“How would the Trojans have reacted if the Horse statue the Greeks gave them was made of glass and they could see right through it? They would have seen the malicious implants and removed them before letting the statue into their enterprise,” says Bob Gourley, co-founder of the security consultancy firm Cognitio and former chief technology officer of the Defense Intelligence Agency. “That is my key thought about open-source software. Everyone can examine the code and look for and remove vulnerabilities before they are brought into the enterprise.”

Efforts to push the government toward open source are not new: in August 2016, White House chief information officer Tony Scott released a call for new open-source code to be built and utilized for the federal government, specifically highlighting that such code “is secure, reliable, and effective.”

This year’s NDAA extends the scope of Scott’s memorandum to include the Department of Defense. There are specific exemptions that would keep parts of military software closed source; neither the Obama administration’s technology office nor the authors of the current NDAA want the military to publicize and share the code used for spying, encryption and decryption, relaying commands, or directing weapons. But, as the Center for New American Security argued in 2016, it would be “counterproductive and unwise” for the Pentagon to let security exemptions keep it from using open-source code.

The congressional push for the Pentagon to embrace open source is not without its opponents. In September, Brian Darling, the president of Liberty Government Affairs public relations firm, published an op-ed in the conservative publication Townhall against the open-source amendment to the Senate version of the NDAA, specifically claiming that, “The provision further would set up a database where the defense department would publish the intellectual property. This is the same source codes specially designed to protect the United States national security from ISIS and nations who are intent on harming us.” Darling was previously the senior communications director and counsel for Sen. Rand Paul (R-KY), and has worked with the Heritage Foundation.


In October, The Washington Times ran a similar unbylined editorial, warning that “The language that Ms. Warren wants included in the legislation would require that the code be made ‘available to anyone for any purpose,’ and ‘anyone’ would necessarily include China, Iran, North Korea and any others with villainous purpose in mind. All of them would love to get a peek at the way America’s military systems operate and, ‘open source’ would provide that peek.” (As of November 10th, the online copy seems to have been taken down, though an archived version can be seen here.)

Private enterprise has also pushed back on the use of open-source code in the federal government. In 2013, Oracle published a white paper on open source and the Department of Defense, arguing the merits of proprietary software. Specifically, Oracle’s report looks at the costly failures of an open-source project to consolidate health care data between the Departments of Defense and Veterans Affairs.

Both editorials drastically misrepresent the language of the legislation, which explicitly exempts the sensitive categories they point to, and Oracle’s argument is faulty on its own terms: proprietary software is just as vulnerable to failure as open source. In 2013, Oracle software was part of the major failure of healthcare.gov’s launch. Buggy software is a fact of software writ large, not a unique feature of open- or closed-source code. Instead, Oracle’s attack on open source in the NDAA seems driven by self-interest: the DoD paid Oracle $100 million in fiscal year 2017 for use of its proprietary software. It should perhaps be unsurprising, then, that many of the attacks on the proposal appear to be paid efforts by Oracle to discredit open source. When reached for this story, Oracle declined to comment.

The current bill, which is likely to be signed, is less expansive than the original Senate bill would have been. Congress won’t direct DARPA to “reverse engineer existing DOD software for which the source code is unavailable,” for example. That may be a fight for another year. But if the NDAA passes as it’s currently written, the Pentagon will lean into open-source software for new projects, trusting in the transparency and security that come from having all possible eyes on a project.
