Defense Department failing to capitalize on open-source benefits

Editor's Note: This article originally appeared on

The Defense Department increasingly relies on software for everything from weapons systems to accounting, but it is failing to capitalize on the power of open-source software, according to a report from the Center for a New American Security.

In "Open Source Software and the Department of Defense," CNAS argues that a number of cultural factors, biases and regulatory barriers are keeping DOD from embracing open-source options.

"Unfortunately, software development is not currently a high-profile, high-priority topic in the discussion about diminishing U.S. military technical superiority," the report states. "It should be."

Industry relies heavily on open-source software with great success, and DOD's continued reliance on proprietary code is more expensive, slows innovation and puts America's warfighters at greater risk, according to CNAS.

The report states that using more open-source code would spur innovation, simplify accreditation, encourage interagency collaboration, increase competition and drive down costs.

A new federal policy released on Aug. 8 calls for greater use of open-source software across government, but DOD and other national security agencies are exempt from it.

CNAS said many of the arguments made by DOD and national security officials that open source is insecure and vulnerable have been debunked.

"Increased public scrutiny of code has led to identification and reconciliation of problems that were not discovered through 'closed' quality checks," the report states. "Further, closed-source [versions of] products like Microsoft have been riddled with security flaws and issues, some of which were significant zero-day exploits of widely used, commercially available products."

The authors further wrote that, "in spite of clear evidence to the contrary, many defense professionals continue to believe that the use of open-source software licenses means that adversaries will see and manipulate the code used in DOD systems."

However, "the United States does not derive its military technical superiority from source code, but from the effective integration and adaptation of its doctrine, organization, training, materiel, leadership and education, personnel, and facilities."

In addition, the report argues that DOD can create proprietary code based on open source "and can do so without sharing those changes back to the open-source community."

"Considering the DOD's top-down apathy toward and difficulty with using open-source methods, one glaring question remains: Why is there continued bottom-up support for open-source software and methods within the DOD?" the authors wrote.

The report does credit DOD for using open-source software successfully, though it does so "infrequently and on an ad hoc basis." It cites the Persistent Close Air Support system, which relies on Android devices, and General Atomics drones and ground stations that operate on Linux, "a switch that was made after Windows-based systems proved vulnerable to malware."

CNAS said the primary hurdle to greater implementation of open-source code is culture. "The DOD is a large bureaucracy, [and] open-source methods, though widely used in industry and even in the defense establishment, are not considered standard practice inside the Pentagon, and change is hard."

The report highlights additional barriers, such as management philosophies, a system that favors proprietary vendors and outdated acquisition protocols.

Addressing those challenges is among the recommendations in the report.

Other recommendations include having DOD's senior leaders set the tone by embracing open-source software, adopting the use of such software and platforms as their default position, and integrating open source into future innovation and acquisition reforms.

CNAS also urged DOD to create a task force to develop methodologies that would ease the sharing of open-source code.

DOD did not provide a response to the report by the time of publication.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

Reader Comments

Fri, Sep 2, 2016 Joe Mazzafro

Given my experience at a government-sponsored UARC (independent tech evaluator for DoD and the IC), Oracle (a large COTS software company) and now CSRA (the largest federal IT integrator), my view is that any decision on Open Source vs. COTS software needs to be based on at least the following:

1. What is best for the mission or task being addressed
2. Total cost of ownership (including migration, O&M, and tech support as well as contracts to integrators to make OSS work in the IC environment(s))
3. C&A issues/source code security from intrusion and disruption
4. Performance and reliability

Open Source Software (OSS) has much to offer DoD and the IC, but this CNAS report overlooks the costs associated with migrating from proprietary software the government already owns, along with the costs associated with training users on the new OSS and for security certification and accreditation (C&A) of adopted OSS. The biggest misconception about OSS is that it's "free" because there are no licensing or subscription fees. Beyond cost, two key points seem to get missed when looking at OSS vs. COTS software. First is that when we talk "OSS", there are few if any OSS "products" that are one-for-one substitutes for mission systems. There are plenty of OSS "components" that frankly are being used by COTS and GOTS providers alike. So the idea that DOD's industry base isn't using OSS is incorrect. Second, using OSS components to rebuild what commercial industry has already built is technically a violation of the Economy Act. Where there are requirements unmet by commercial software it makes sense for the government to roll their own with OSS and the requisite (custom) glue code. But if there is a commercial alternative, chances are its builders leveraged OSS heavily... and the govt should license it rather than carrying the recurring headcount cost to maintain mission-specific s/w baselines.

There is no one-size-fits-all answer as to whether COTS or Open Source is the correct software choice for a given situation, especially in an enterprise environment. What I would caution against is the siren song of "free" that usually accompanies OSS discussions; look at all the costs. I suspect all of us have had some experience over the years with "free kittens".
