Oracle, IBM push for Linux certification

WASHINGTON – IBM and Oracle have both launched efforts to get the Linux operating system a security certification required by the U.S. Department of Defense, so that Linux vendors aren’t cut off from the huge defense IT market.

On the same day earlier this month, both companies announced efforts to get Linux certified under the International Common Criteria for Information Technology Security standard.

The Defense Department, in National Information Assurance Acquisition Policy No. 11 dated January 2000, requires commercial software used in national security-related functions be certified in the Common Criteria or an alternative certification from the National Institute of Standards and Technology.

The policy says software having those certifications would be preferred after Jan. 1, 2001, and be required in the Defense Department by July 1, 2002, but a source close to the standards process said the Defense Department hasn’t actively enforced that deadline yet. Those pushing for a Linux certification believe the requirements will be enforced as soon as this summer.

Microsoft and Sun operating systems have Common Criteria certifications at the fourth level of assurance, but Linux does not, which would put it at a competitive disadvantage for Defense Department IT bids, said Tony Stanco, associate director of the Cyber Security Policy & Research Institute at George Washington University in Washington. The institute is working on putting together a coalition to push for a Linux Common Criteria certification, the first step a level two certification, which isn’t as difficult as level four.

“This is how they’re going to say they have secure software,” Stanco said of competing operating systems to Linux.

The goal of the coalition is to “make sure the Linux community is not denied a place at the table,” Stanco said. The fear is that without the certification, Linux vendors will not only be shut out of the $27.7 billion Defense Department IT budget, but also from other government agencies that might follow the Defense Department’s lead, Stanco said.

Linux, an open-source operating system that’s distributed by several vendors and independent groups, faces certification challenges that proprietary vendors do not, Stanco added. The Common Criteria certifies to one code base, and Stanco’s institute is attempting to get several vendors on board with a certification push for a “generic” Linux server that Linux vendors and companies like IBM and Oracle could use.

“Everybody knows this is important,” Stanco said. “Everybody has to figure out how to do it. Right now, the government is just trying to get people to play.”

Stanco welcomed the IBM and Oracle efforts as moving the Linux certification in the right direction. Both companies, on Feb. 13, announced efforts to have Linux meet the Common Criteria certification.

Oracle was approached by several U.S. government customers asking for the certification, said Mary Ann Davidson, Oracle’s chief security officer.

“We believe that evaluating Linux… will provide our federal customers with a secure, open-source alternative, which they are already embracing,” Davidson said by e-mail. “The benefits of higher assurance will accrue to the entire open-source community and customer base, which is also in everyone’s interest.”

Oracle announced it would submit Red Hat’s Advanced Server for a level two certification and its Oracle9i Database, already certified on Windows and Solaris, for level four.

“Evaluation of Linux is important, but the reality is that customers who care about evaluations also want applications (e.g. databases) that run on the evaluated operating system,” Davidson said. “We felt it was not enough to sponsor an evaluation of Linux; we wanted to support Linux as a secure platform for mission-critical applications by evaluating our core products on it.”

Both IBM and Oracle said they are talking with Stanco about joining the coalition sponsored by the Cyber Security institute.

Dan Frye, director of IBM’s Linux Technology Center, said his company said last week it will begin the certification process shortly.

The certification is “additional validation” that Linux is secure, Frye said, and both IBM and Oracle cheered the other for also announcing its Linux certification drive. “This is a market-growing exercise for all of us,” Frye added.