Defense Department failing to capitalize on open-source benefits

In a new report, the Center for a New American Security makes the case that DOD is failing to capitalize on the power of open-source software.

Editor's Note: This article originally appeared on FCW.com

The Defense Department increasingly relies on software for everything from weapons systems to accounting, but it is failing to capitalize on the power of open-source software, according to a report from the Center for a New American Security.

In "Open Source Software and the Department of Defense," CNAS argues that a number of cultural factors, biases and regulatory barriers are keeping DOD from embracing open-source options.

"Unfortunately, software development is not currently a high-profile, high-priority topic in the discussion about diminishing U.S. military technical superiority," the report states. "It should be."

Industry relies heavily on open-source software with great success, and DOD's continued reliance on proprietary code is more expensive, slows innovation and puts America's warfighters at greater risk, according to CNAS.

The report states that using more open-source code would spur innovation, simplify accreditation, encourage interagency collaboration, increase competition and drive down costs.

A new federal policy released on Aug. 8 calls for greater use of open-source software across government, but DOD and other national security agencies are exempt from it.

CNAS said many of the arguments made by DOD and national security officials that open source is insecure and vulnerable have been debunked.

"Increased public scrutiny of code has led to identification and reconciliation of problems that were not discovered through 'closed' quality checks," the report states. "Further, closed-source [versions of] products like Microsoft have been riddled with security flaws and issues, some of which were significant zero-day exploits of widely used, commercially available products."

The authors further wrote that, "in spite of clear evidence to the contrary, many defense professionals continue to believe that the use of open-source software licenses means that adversaries will see and manipulate the code used in DOD systems."

However, "the United States does not derive its military technical superiority from source code, but from the effective integration and adaptation of its doctrine, organization, training, materiel, leadership and education, personnel, and facilities."

In addition, the report argues that DOD can create proprietary code based on open source "and can do so without sharing those changes back to the open-source community."

"Considering the DOD's top-down apathy toward and difficulty with using open-source methods, one glaring question remains: Why is there continued bottom-up support for open-source software and methods within the DOD?" the authors wrote.

The report does credit DOD for using open-source software successfully, though it does so "infrequently and on an ad hoc basis." It cites the Persistent Close Air Support system, which relies on Android devices, and General Atomics drones and ground stations that operate on Linux, "a switch that was made after Windows-based systems proved vulnerable to malware."

CNAS said the primary hurdle to greater implementation of open-source code is culture. "The DOD is a large bureaucracy, [and] open-source methods, though widely used in industry and even in the defense establishment, are not considered standard practice inside the Pentagon, and change is hard."

The report highlights additional barriers, such as management philosophies, a system that favors proprietary vendors and outdated acquisition protocols.

Addressing those challenges is among the recommendations in the report.

Other recommendations include having DOD's senior leaders set the tone by embracing open-source software, adopting the use of such software and platforms as their default position, and integrating open source into future innovation and acquisition reforms.

CNAS also urged DOD to create a task force to develop methodologies that would ease the sharing of open-source code.

DOD did not provide a response to the report by the time of publication.