Study: free software in the U.S. Department of Defense
[Posted October 30, 2002 by corbet]
The MITRE corporation has just released the results of a study it performed
on the use of free and open source software (which it calls "FOSS") within
the U.S. Department of Defense. It is an interesting look at how the DoD
uses free software, and what would happen if an anti-free-software policy
were to be adopted. The full study is available as
a 160-page PDF file; here
you'll find a rather shorter summary of what it says.
The question that this study was meant to answer seems to be "should the
military ban the use of free software?" The conclusion they came to is
clear:
Neither the survey nor the analysis supports the premise that
banning or seriously restricting FOSS would benefit DoD security or
defensive capabilities. To the contrary, the combination of an
ambiguous status and largely ungrounded fears that it cannot be
used with other types of software are keeping FOSS from reaching
optimal levels of use.
Looking at one area in particular, the report continues:
The main conclusion of the analysis was that FOSS software plays a
more critical role in the DoD than has generally been
recognized... One unexpected result was the degree to which
security depends on FOSS... Taken together, these factors imply
that banning FOSS would have immediate, broad, and strongly
negative impacts on the ability of many sensitive and
security-focused DoD groups to defend against cyberattacks.
The report looks at free software licenses in considerable detail in a
deliberate attempt to address a number of institutional fears about those
licenses. Worries about licensing, say the authors, have led to a
suboptimal level of free software usage. It is a reasonably
straightforward and accurate study; for added fun, they look at the EULA
for Microsoft's "Mobile Internet Toolkit" and compare its terms with those
of free licenses. "However, unlike the Microsoft MIT EULA, the GPL
places no constraints on software simply running on the same system, and
actually goes out of its way not to intrude on other licenses outside of
that context."
The report includes a survey of how free software is used within the DoD
now. They break that usage down into four categories:
- Infrastructure, using tools like sendmail and apache.
- Software development, especially with gcc and Perl.
- Security, including intrusion detection systems, security
analysis tools (e.g. SARA and Snort), and secured operating systems
like OpenBSD. "Yet another important way in which FOSS
contributes to security is by making it possible to change and fix
security holes quickly in the face of new modes of cyberattack. This
ability, which allows rapid response to new or innovative forms of
cyberattack, is intrinsic to the FOSS approach and generally
impractical in closed source products."
- Research, which benefits from Linux clusters and the general
culture of free software.
The report authors looked at costs, of course:
More often than not, the strongest deciding factors for choosing
FOSS products were capability and reliability, with cost being an
important but secondary factor.
They note one other important factor regarding free software and costs:
Without the constant pressure of low-cost, high-quality FOSS
products competing with the closed-source products, the
closed-source vendors could more easily fall into a cycle in which
their support costs balloon and costs are passed on to their
locked-in customers.
The report concludes with three recommendations that, they say, would help the
DoD make optimal use of free software. They are:
- Create a "generally recognized as safe" list of free software. 115
free applications found by the survey would be the starting point for
this list. Suggested "applications" include, however, Linux, OpenBSD,
NetBSD, and FreeBSD, so this list would be pretty general.
- Develop generic infrastructure, development, security, and research
policies. These policies would promote the use of free software in
situations where it is deemed appropriate.
- Encourage use of FOSS to promote product diversity.
"Acquisition diversity reduces the cost and security risks of
being fully dependent on a single software product, while
architectural diversity lowers the risk of catastrophic cyber attacks
based on automated exploitation of specific features or flaws of very
widely deployed products."
Finally, a set of appendices provides lists of free software applications
in use within the DoD, and the full text of a large number of free software
licenses.
If the DoD were seriously considering banning free software, one can only
hope that this report will put an end to such thoughts. Through a great
deal of detailed research, the report's authors have demonstrated that the
Department of Defense is already heavily dependent on free software, and
would be badly hurt if use of such software were forbidden. Increasingly,
free software is a crucial part of the systems we all use, and that, of
course, is a good thing.