I started to think about worst case scenarios the other day. SCO's ideological attacks on open source and the GPL seem sometimes to be part of an attempt to get open source banned or altered so much it isn't open any more. So, what would happen if, due to security concerns, or whatever other FUD they might present, free and open source software (FOSS) and the open source method were banned?
I thought it would be of interest to examine how Linux is currently used in applications important to US national security. If open source/free software were banned in the US, how would the country's security be impacted? Is open source in any way a security risk?
I asked Dr. Billy Harris
of the University of Tennessee, Chattanooga, and a Groklaw reader, to research the questions and share with us, from publicly available information only, how Linux is currently being used by the Department of Defense and the government and what the DoD and various governmental agencies think about whether there are security issues related to its use.
Here is his report, which I believe you will see validates Linux security and shows what a significant role it already plays in US national security. The DoD has already investigated the very questions I had in mind, including what the impact would be if FOSS software was banned in the DoD, and their conclusion was that there would be an unacceptable downside if they had to stop using it. It does beg the question: why would they be doing such a study, but since the answer was that FOSS is too vital to ban, I hope my worst-case scenario worries can now be set aside. The Executive Summary of the January 1, 2003
MITRE report [ed: now available here also] states:
The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks. . . .
Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use."
I hope those pushing for indemnification, which also impacts on the ability to rapidly update, realize that they are negatively impacting on user security at the same time, if we extrapolate the results of this report.
And, more significantly, what this report says to me is that if anyone were to try to get FOSS banned in the US, they would be working against the country's national security interests.
I also understand that clearing up "largely ungrounded fears" about GNU/Linux software and the GPL is important, and Groklaw presents this article as a contribution toward that educative goal. For example, as you will see, Dr. Harris notes that GPL software is not left open to the elements, so to speak, when used in sensitive projects. Businesses can also follow this approach, and as long as they never distribute the software they use, they can use GPL software and still keep their in-house software as closely guarded a secret as any governmental agency.
Here is Dr. Harris' article.
LINUX' CONTRIBUTION TO US NATIONAL SECURITY
-- Dr. Billy Harris
I was asked to write about national security issues as they relate to Linux
and open source software. First, let me state clearly I have no knowledge of any classified use of Linux
software, which is a good thing because I am consequently free to discuss the issue and even to speculate. All information in the article is based on public documents. As to the question of what would happen if open source software were banned, first note that the Department of Defense already looked into this issue.
Mitre conducted a two-week survey and identified over 100 open source
applications already in use in the Department of Defense. You can read the January 1, 2003 report here.
They include OpenBSD, Apache, Perl, PHP, Samba, gcc, MySQL, and many others.
The report ponders the question "What would happen if Open Source software
were banned in the DoD?" They separately evaluated Infrastructure Support, Software Development,
Network Security, and Research. Here is what they concluded:
"significant short-term cost spike"
"No evidence that such a conversion would result in performance benefits"
"ban would have an especially negative impact on DoD software development"
"Banning FOSS in this area would have immediate, broad, and in some cases
strongly negative impacts on the ability of the DoD to analyze and protect its
own networks against hostile intrusion."
"DoD research would also be seriously damaged by a ban on FOSS"
The MITRE report did not identify novel arguments for open-source; people have talked about the lower cost, higher reliability, faster patching, ease of maintenance and so forth for years before before MITRE wrote about them. The MITRE report is important because it confirms that these arguments are true.
What follows is a list of Linux applications being applied to national security problems.
Except where noted in a few places, these are not open source projects,
except perhaps in the very limited sense that the same restricted set of
people who can access the software may also see the source code.
One of the best-publicized examples are a series of Linux-based
supercomputer clusters used at Los Alamos National Labs. The most recent,
Lightning, is used for the Advanced Simulation and Computing program,
which is used to design and modify the US nuclear arsenal without
requiring test detonations.
Los Alamos also has additional Linux clusters for non-classified operations.
Lawrence Livermore National Lab makes such heavy use of Linux that it has
its own web section here.
Lawrence Livermore maintains several Linux clusters, including the
ASCI Linux Cluster, which supports "unclassified ASCI code development"
and the Parallel Capacity Resource for "Defense & Nuclear Technologies".
Lawrence Livermore also maintains the GPL project SLURM (Simple Linux
Utility for Resource Management).
Sandia National Laboratories has a software package called SEACAS (Sandia
Engineering Analysis Code Access System).
Information on the latest version is described here. The license is
very interesting; it is not sufficient for you to be a U.S. citizen
to download the software. It is not sufficient for you to promise not to
distribute to non-US citizens. You must provide a tangible security plan
acceptable to Sandia explaining how you will prevent non-US citizens
from viewing the source code. For example, they require that the
system managers who perform backups be informed of the restrictions,
and suggest that backups and the original install disk be stored in a
locked desk or file drawer.
Speaking of Sandia, their Visualization Design Center has a home page here. The visualization
system uses the Linux operating system.
One state-of-the-art military system the US has is the collection of
unmanned spy planes. Little public information is available other than
"we have unmanned spy planes", but I find the article here very interesting.
They describe a device for real-time remote visualization. Essentially,
a remote user can interact with very high resolution video through a
relatively low-bandwidth link. Since the structure is about the size
of two PCs, it is not a large stretch of the imagination to think that
Sandia/DoD might use something similar on the airplanes. The video compression
system, in any case, is controlled by a master processor which runs Linux.
The National Security Agency has information on Security-Enhanced Linux available online, and in a nutshell, the NSA has modified the Linux operating system to support
mandatory access control which strictly limits a program's privilege. The system
no longer gives blanket root access to system servers, so that even if
an attacker gained control of a program which would run as root on a normal system,
he can not execute arbitrary code because the program is still access-limited.
A natural question is whether the NSA uses this software internally; to quote
"For obvious reasons, NSA does not comment on operational uses."
The US Air Force uses the open-source package Java Collaborative Virtual Workspace [PDF]
in its Joint Expeditionary Force Experiment, which develops new tactics
for the US Air Force. This is an example of open software being used to support secret activities.
PSSC Labs sells Beowulf clusters --- which run Linux. Its clients include operational and research elements of the US Army, Navy, and Air Force.
I have no idea what these groups use their cluster for and whether or not they
kept the preinstalled Linux OS. But they do seem relevant to National Security
uses of Linux.
I'm sure there are many more uses, but these are the ones I have found with a clear and unambiguous National Security
focus. There are many, many more applications of open source software by the
US government, all contributing to the well-being of the US. Just using the list of Linux clusters sold by PSSC, we find
NOAA, NASA, the CDC, the NIH, and huge numbers of state- and federally-supported
research universities who have bought Linux clusters. And this compilation doesn't include
the use of open-source Apache / BIND/ Sendmail to serve .gov.