I thought it would be of interest to examine how Linux is currently used in applications important to US national security. If open source/free software were banned in the US, how would the country's security be impacted? Is open source in any way a security risk?

I asked Dr. Billy Harris of the University of Tennessee, Chattanooga, and a Groklaw reader, to research the questions and share with us, from publicly available information only, how Linux is currently being used by the Department of Defense and the government and what the DoD and various governmental agencies think about whether there are security issues related to its use.

Here is his report, which I believe you will see validates Linux security and shows what a significant role it already plays in US national security. The DoD has already investigated the very questions I had in mind, including what the impact would be if FOSS software was banned in the DoD, and their conclusion was that there would be an unacceptable downside if they had to stop using it. It does beg the question: why would they be doing such a study, but since the answer was that FOSS is too vital to ban, I hope my worst-case scenario worries can now be set aside. The Executive Summary of the January 1, 2003 MITRE report [ed: now available here also] states:

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks. . . .

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use."

I hope those pushing for indemnification, which also impacts on the ability to rapidly update, realize that they are negatively impacting on user security at the same time, if we extrapolate the results of this report.

And, more significantly, what this report says to me is that if anyone were to try to get FOSS banned in the US, they would be working against the country's national security interests.

I also understand that clearing up "largely ungrounded fears" about GNU/Linux software and the GPL is important, and Groklaw presents this article as a contribution toward that educative goal. For example, as you will see, Dr. Harris notes that GPL software is not left open to the elements, so to speak, when used in sensitive projects. Businesses can also follow this approach, and as long as they never distribute the software they use, they can use GPL software and still keep their in-house software as closely guarded a secret as any governmental agency.

Here is Dr. Harris' article.

*************

LINUX' CONTRIBUTION TO US NATIONAL SECURITY

-- Dr. Billy Harris

I was asked to write about national security issues as they relate to Linux and open source software. First, let me state clearly I have no knowledge of any classified use of Linux software, which is a good thing because I am consequently free to discuss the issue and even to speculate. All information in the article is based on public documents. As to the question of what would happen if open source software were banned, first note that the Department of Defense already looked into this issue. Mitre conducted a two-week survey and identified over 100 open source applications already in use in the Department of Defense. You can read the January 1, 2003 report here. They include OpenBSD, Apache, Perl, PHP, Samba, gcc, MySQL, and many others.

The report ponders the question "What would happen if Open Source software were banned in the DoD?" They separately evaluated Infrastructure Support, Software Development, Network Security, and Research. Here is what they concluded:

Infrastructure:
"significant short-term cost spike"
"No evidence that such a conversion would result in performance benefits"

Software Development:
"ban would have an especially negative impact on DoD software development"

Security:
"Banning FOSS in this area would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion."

Research:
"DoD research would also be seriously damaged by a ban on FOSS"

The MITRE report did not identify novel arguments for open-source; people have talked about the lower cost, higher reliability, faster patching, ease of maintenance and so forth for years before before MITRE wrote about them. The MITRE report is important because it confirms that these arguments are true.

What follows is a list of Linux applications being applied to national security problems. Except where noted in a few places, these are not open source projects, except perhaps in the very limited sense that the same restricted set of people who can access the software may also see the source code.

One of the best-publicized examples are a series of Linux-based supercomputer clusters used at Los Alamos National Labs. The most recent, Lightning, is used for the Advanced Simulation and Computing program, which is used to design and modify the US nuclear arsenal without requiring test detonations.

Los Alamos also has additional Linux clusters for non-classified operations.

Lawrence Livermore National Lab makes such heavy use of Linux that it has its own web section here. Lawrence Livermore maintains several Linux clusters, including the ASCI Linux Cluster, which supports "unclassified ASCI code development" and the Parallel Capacity Resource for "Defense & Nuclear Technologies". Lawrence Livermore also maintains the GPL project SLURM (Simple Linux Utility for Resource Management).

Sandia National Laboratories has a software package called SEACAS (Sandia Engineering Analysis Code Access System). Information on the latest version is described here. The license is very interesting; it is not sufficient for you to be a U.S. citizen to download the software. It is not sufficient for you to promise not to distribute to non-US citizens. You must provide a tangible security plan acceptable to Sandia explaining how you will prevent non-US citizens from viewing the source code. For example, they require that the system managers who perform backups be informed of the restrictions, and suggest that backups and the original install disk be stored in a locked desk or file drawer.

Speaking of Sandia, their Visualization Design Center has a home page here. The visualization system uses the Linux operating system.

One state-of-the-art military system the US has is the collection of unmanned spy planes. Little public information is available other than "we have unmanned spy planes", but I find the article here very interesting. They describe a device for real-time remote visualization. Essentially, a remote user can interact with very high resolution video through a relatively low-bandwidth link. Since the structure is about the size of two PCs, it is not a large stretch of the imagination to think that Sandia/DoD might use something similar on the airplanes. The video compression system, in any case, is controlled by a master processor which runs Linux.

The National Security Agency has information on Security-Enhanced Linux available online, and in a nutshell, the NSA has modified the Linux operating system to support mandatory access control which strictly limits a program's privilege. The system no longer gives blanket root access to system servers, so that even if an attacker gained control of a program which would run as root on a normal system, he can not execute arbitrary code because the program is still access-limited. A natural question is whether the NSA uses this software internally; to quote the NSA: "For obvious reasons, NSA does not comment on operational uses."

The US Air Force uses the open-source package Java Collaborative Virtual Workspace [PDF] in its Joint Expeditionary Force Experiment, which develops new tactics for the US Air Force. This is an example of open software being used to support secret activities.

PSSC Labs sells Beowulf clusters --- which run Linux. Its clients include operational and research elements of the US Army, Navy, and Air Force. I have no idea what these groups use their cluster for and whether or not they kept the preinstalled Linux OS. But they do seem relevant to National Security uses of Linux.

I'm sure there are many more uses, but these are the ones I have found with a clear and unambiguous National Security focus. There are many, many more applications of open source software by the US government, all contributing to the well-being of the US. Just using the list of Linux clusters sold by PSSC, we find NOAA, NASA, the CDC, the NIH, and huge numbers of state- and federally-supported research universities who have bought Linux clusters. And this compilation doesn't include the use of open-source Apache / BIND/ Sendmail to serve .gov.