Defense, cybersecurity officials praise 'open source' software
A Defense Department technology expert and a White House cybersecurity official on Tuesday praised government's use of "open source" software and said that its security can be preferable to that of commercial software.
Speaking at a conference sponsored by Dell Computer and Red Hat, which distributes the Linux open-source software, the defense and cybersecurity officials said they anticipate that government use of the software will continue to increase. The source code for Linux and other such software is open for public inspection, unlike that of proprietary software.
"Open source allows us the opportunity to have a pro-active and pre-emptive identification of security holes by friendly analysis," said Ken Linker of the Defense Information Systems Agency. He read the written presentation of Robert Walker, the program manager for the agency, which runs the software for a large portion of the department's command-and-control systems.
"As a result, this early identification and rapid repair of security vulnerabilities has become a major advantage of open source over more proprietary approaches to software development," Linker read. The presentation was replete with positive references to the security advantages of open-source software.
Whether open or propriety software is more conducive to cybersecurity recently has become a matter of debate. The Microsoft-supported Alexis de Tocqueville Institution has said that use the use of open-source software puts the government at greater risk of cyberterrorism.
In his presentation, Walker said Defense has heard three criticisms of open source: that it exposes software vulnerabilities, that it could introduce "Trojan horse" viruses, and that intellectual property rights are jeopardized by the use of the "general public license," or GPL, which is a common open-source license attacked by Microsoft for its "viral" nature.
Addressing the first point head on, Walker said the "con" that open source "facilities subversion by hostile analysts of otherwise reliable software" must be balanced against the "pro" that it "allows pre-emptive identification of security holes by friendly analysts." As a result, he said open source is superior.
Walker also said the "risk of Trojan software in open source appears to be no greater than the risk for proprietary" and may be less because of the ability to conduct friendly analysis.
He said Defense's key open-source concern involves the GPL. "For [the department], 'capture' of proprietary software is a concern for the areas of software development and research support," Walker said. But he also criticized Microsoft for "unusually restrictive licenses."
Marcus Sachs, director of the communication infrastructure protection in the White House cyber-security office, said "the government isn't going to take a position" for or against open source. "I think, personally, there is room for both. The two can absolutely work together. The question is, how do you make it secure?"
Sachs also said that nearly one-third of all government Web sites use Apache, the leading open-source server software. The number of military Web sites using it is 22 percent, second to Microsoft's server software, but military use of Apache is growing rapidly, he said.