The popularity of the Linux open source operating system is exploding in the public sector, both in the U.S. and abroad. In May, IBM
Corp. alone announced a deal to supply the Air Force, Department of Defense (DoD), Department of Agriculture,
Department of Energy, and Federal Aviation Administration (FAA) with Linux systems. But now at least one group (aside from
Microsoft) is raising questions about possible security risks posed by open source software.
The Alexis de Tocqueville Institution (ADTI), a conservative U.S. think tank, plans to release a white paper Friday that will go so far
as to suggest that terrorists may find it easier to hack U.S. networks run on open source infrastructure.
“Computer systems are the backbone to U.S. national security,” said Gregory Fossedal, chairman of ADTI. “Before the Pentagon and
other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential
consequences carefully.”
But the Pentagon has conducted its own study, one that has led the traditionally close-mouthed Defense Department to ally itself with
the open source movement, and not with the vendors of proprietary systems that ADTI advocates.
“Banning open source would have immediate, broad and strongly negative impacts on the ability of many sensitive and security-focused
DOD groups to protect themselves against cyberattacks,” concluded a May 10 report prepared by Mitre Corp., a non-profit which
operates federally funded research and development centers for the DoD, FAA and IRS.
The Mitre Corp. report further suggests that open source software is often more secure and less expensive than proprietary software.
The even more secretive National Security Agency (NSA) — which specializes in cryptography — is also working with Linux, though it
has not taken sides on the open source vs. proprietary debate and is only working with the platform in a research capacity.
The agency’s Information Assurance Research Group has been heading up a project to create Security-Enhanced Linux, a modified
version of the Linux kernel with “strong, flexible mandatory access control architecture incorporated into the major subsystems of
the kernel.” The agency said its system provides a mechanism to enforce the separation of information based on confidentiality and
integrity requirements. “This allows threats of tampering and bypassing of application security mechanisms to be addressed and
enables the confinement of damage that can be caused by malicious or flawed applications.”
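The confinement the NSA describes can be illustrated with a small model of how a type-enforcement reference monitor differs from ordinary discretionary (owner/mode/root) permissions. This is an added example, not SELinux code or the NSA's policy: the domain and type names, the allow rules, the file paths and the "exploited web server now running as root" scenario are all constructed for illustration. Under discretionary access control, uid 0 reads anything; under the mandatory check, a process confined to the `httpd_t` domain can only do what an explicit allow rule grants, whatever its uid.

```python
"""Toy type-enforcement reference monitor, modelling SELinux-style mandatory
access control alongside classic discretionary access control (DAC).

Everything below (domains, types, rules, paths) is constructed for the example;
it is not the NSA's SELinux policy or kernel code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: int        # POSIX user id of the process
    domain: str     # process domain (SELinux type), e.g. "httpd_t"


@dataclass(frozen=True)
class Obj:
    path: str
    owner_uid: int
    mode: int       # POSIX permission bits, e.g. 0o600
    type_: str      # file type label, e.g. "shadow_t"


# Constructed allow rules: (source domain, target type) -> permitted operations.
# Anything not listed here is denied by the MAC check (default deny).
TE_RULES = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
    ("passwd_t", "shadow_t"): {"read", "write"},
    ("sshd_t", "shadow_t"): {"read"},
}

_NEEDED_BIT = {"read": 0o4, "write": 0o2, "append": 0o2}


def dac_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check: root bypasses everything, otherwise owner/other bits."""
    if subj.uid == 0:
        return True
    bits = (obj.mode >> 6) & 0o7 if subj.uid == obj.owner_uid else obj.mode & 0o7
    return bool(bits & _NEEDED_BIT[op])


def mac_allows(subj: Subject, obj: Obj, op: str, rules=TE_RULES) -> bool:
    """Type enforcement: no uid override, access needs an explicit allow rule."""
    return op in rules.get((subj.domain, obj.type_), set())


def access(subj: Subject, obj: Obj, op: str) -> bool:
    """Kernel-style decision: DAC first, then the mandatory hook; both must agree."""
    return dac_allows(subj, obj, op) and mac_allows(subj, obj, op)


def demo() -> dict:
    """Compare what a compromised server could do under DAC alone vs. DAC + MAC."""
    shadow = Obj("/etc/shadow", owner_uid=0, mode=0o600, type_="shadow_t")
    index = Obj("/var/www/index.html", owner_uid=48, mode=0o644, type_="httpd_content_t")
    log = Obj("/var/log/httpd/access_log", owner_uid=0, mode=0o644, type_="httpd_log_t")

    # Constructed scenario: a flawed web server has been exploited and now runs
    # as uid 0, but the kernel still confines it to the httpd_t domain.
    compromised_httpd = Subject(uid=0, domain="httpd_t")
    passwd_tool = Subject(uid=0, domain="passwd_t")

    return {
        # DAC alone: root reads the password hashes.
        "dac_only_root_reads_shadow": dac_allows(compromised_httpd, shadow, "read"),
        # MAC: httpd_t has no rule for shadow_t, so the read is refused (confidentiality).
        "mac_blocks_httpd_reading_shadow": access(compromised_httpd, shadow, "read"),
        # MAC: httpd_t may read web content but not modify it (integrity).
        "mac_blocks_httpd_writing_content": access(compromised_httpd, index, "write"),
        "httpd_can_still_serve_content": access(compromised_httpd, index, "read"),
        "httpd_can_append_log": access(compromised_httpd, log, "append"),
        # The legitimate password-changing domain keeps its access.
        "passwd_can_update_shadow": access(passwd_tool, shadow, "write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point of the model is the ordering and the default: the mandatory check runs after the discretionary one and denies unless a rule exists, so a compromised application that escalates to root gains nothing outside the operations its domain was already allowed, which is the "confinement of damage" the NSA statement refers to.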
The agency said it selected Linux for the platform because “its growing success and open development environment provided an
opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time,
contribute to the security of a widely used system. Additionally, the integration of these security research results into Linux may
encourage additional operating system security research that may lead to additional improvement in system security.”
U.S. agencies are not the only ones turning to Linux. On Monday, the German Ministry of the Interior forged a deal with IBM to
standardize the German government on Linux and open source IT. Military and intelligence agencies in North America, Europe and
Asia — including the U.S., Canada, Germany, France, England, Spain, China and Singapore — have invested in Linux systems. China’s
post office runs on the platform; so too do France’s culture, defense and education ministries.
But Ken Brown, author of ADTI’s forthcoming Opening the Open Source Debate white paper, argued the U.S. needs to slow down
and hold a national debate on the suitability of open source systems in vital areas that touch on national security.
“We’re recommending further study,” Brown said. “We’re not saying that one type of software, proprietary, is better than open
source.”
Brown, who characterized himself as pro-open source, noted that ADTI is not composed of open source experts or cryptographers,
though it interviewed many experts to create its report. He also noted that when it comes to security, ADTI is more concerned with
the terms of the GNU General Public License (GPL), which require that any changes to open source code licensed under the GPL, if
then distributed, must themselves be placed under the GPL and made freely available to all.
“There isn’t a software that cannot be cracked,” he said. “Our position is that if a platform is proprietary it is vulnerable
because not enough people can see it. We feel that a platform everyone can see may be even more vulnerable.”
Brown explained that while ADTI believes pooled talent is highly beneficial in software development, it is naive to allow “bad guys”
as well as “good guys” into that talent pool. “This volunteer community of people is as good as a group of people that’s been
screened for security? Screened for credibility? Screened for reliability?” he asked.
He also raised the specter of back doors and viruses woven into critical software patches.
“I don’t see any reason why we shouldn’t have a national debate, with in-depth discussion and rigorous testing on this topic,” he
said.
Brown neither confirmed nor denied that ADTI receives funding from Microsoft or firms representing the company, which has been at
pains to denounce open source software as insecure.
“We don’t discuss funding,” Brown said.