U.S. military adopts more open source: is that secure enough for you?

Military is busily creating secure forges for its many open source projects

The U.S. military and researchers at the Georgia Institute of Technology are putting their heads together to help the military adopt more open source software. The military wants in on the cost savings, speed and flexibility which OSS offers to users, as opposed to being stuck waiting on proprietary software vendors to modify their tools when changes are needed. If the open source model can be secured enough for the military, surely it can be secured enough for the enterprise.

Specifically, researchers at the Georgia Tech Research Institute (GTRI)  are working with the military on a three-pronged plan-of-attack to bring more open source to DoD developers. First, the GTRI will make more source-code tools and applications "available and practical" for military use. An example of the type of open source software that GTRI is developing is FalconView, an open sourced PC-based mapping application.

I asked the GTRI researcher heading up this project, Joshua Davis, what "available and practical" means -- after all, open source is already available to everybody. My assumption was that they meant licensing issues -- perhaps avoiding the "copyleft" provision, particularly in the GPL. After all, the military may not want people distributing and modifying the source code for, say, a nuclear missile. Davis, who is a research scientist and the associate branch head of the GTRI's Information Operations Branch Electronic Systems Laboratory, says he doesn't think copyleft will be much of a hurdle.

"I would say that licenses aren't the primary concern for most in this arena.  The value of the technology will in most cases overcome any potential hurdle they could create," he says. He further clarifies, "'Available and practical' to the military is very different than downloading the software onto your living room computer or installing it on your corporate server.  There is much to be considered when equipping a base, vehicle, soldier, etc.  There is also significant policy to ensure that this is accomplished safely, legally, ethically, and effectively.  However policies can be an area of significant debate, misunderstanding, and in some cases require clarification."

Davis points to a memorandum written about a year ago that listed policy recommendations for the adoption of open source for military big wigs (such as the directors and Joint Chiefs of Staff). The memo states, "There is a misconception that the government is always obligated to distribute the source code of any modified OSS to the public, and therefore that OSS should not be integrated or modified for use in classified or other sensitive DoD systems. In contrast, many open source licenses permit the user to modify OSS for internal use without being obligated to distribute source code to the public."

So if not licenses, what will they be doing to make tools more available and practical? "The work mainly concentrates on security, communication/collaboration, and by just doing it."

Therefore, the second prong is that the military is setting up its own secure forges where those with the proper credentials can access a growing stash of open source software. The military's main forge, www.forge.mil, allows developers from the DoD and credentialed outside contractors to collaborate on software development.  Forge.mil is managed by the Defense Information Systems Agency. Progress is being made on this front. As of last week, the Defense Information Systems Agency (DISA) announced that Forge.mil is now accessible over the DoD's secure IP network SIPRNet. Developers with access to SIPRNet can gain entry to the forge.

(ASIDE: Ironically, when I typed in the URL www.forge.mil, both Mozilla and Google warned me off the site as being unsecured and unsafe. It doesn't present a trusted certificate from the browser's favored Certificate Authorities. Struck me as funny that the nation's military secure forge causes security warnings in my browsers.)

GTRI is also working on developing another secure forge where the tools it creates for the DoD use are stored. Researchers have already developed a secure Web site for downloading the source code for software tools that are used to test tactical radio systems.

The third prong in the attack is to build a friendly community of developers. Georgia Tech has already hosted one meetup of the nearly 1-year-old Military Open Source (Mil-OSS) working group. "Mil-OSS has been established to connect and empower an active community of civilian and military open source software and hardware developers across the U.S," explains Davis.

The working group bills itself as a grassroots movement of "a collection of the geeky, coffee drinking, sandal wearing patriots that work for the U.S. DoD and believe that we must adopt open technology innovation philosophies to effectively defend this nation." Actually, I saw a picture of these folks -- and there wasn't a sandal or a coffee cup in it. But shoe ware aside, that meetup attracted about 120 people who listened to 40 speakers. A second conference is planned next week, Aug. 2-5 in Washington, D.C. and will cost  $450 for attendees and $350 for speakers. The conference is open to everyone.

If the military can find a way to write and share open source code for its highly dangerous assets, than an enterprise surely must give up the myth that open source code is inherently less secure because the source is visible. "AMEN!" Davis says to that idea. "I would say that open source software can be made to be more secure than proprietary.  With proprietary it is all based on trust.  Without the source you never really know.  With the source I don't have to trust you to trust the software you wrote."

I also like the thought of a half-way step to secure a forge. Perhaps enterprises can gather together to create their own forges where all who use it must be identified and validated. Perhaps an opportunity exists for a public-but-secured forge as well. If an enterprise knew the people modify the software, would they feel better about trusting open source? I think Mil-OSS proves that they would.

Like this? Here's more:

• All of today's open source news and blogs
• Qbo wants to be the Model T of Robots
• The Open source legal maze: an open trap?
• Extreme CRM Makeover, Open Source Edition - Episode 2, Sweet is Sugar
• Security expert releases Ubuntu Linux distro for malware analysis
• Open Source Business Models Become More Attractive
• Marten Mickos says the cloud won't kill open source
• Subscribe to all Open Source Subnet bloggers.

Follow Julie Bort on Twitter @Julie188

Follow all Open Source Subnet blog posts on Twitter @OSSubnet

• ce
• forge.mil
• Georgia Institute of Technology
• military
• open source
• open source in the military