Study: free software in the U.S. Department of Defense [LWN.net]

The MITRE corporation has just released the results of a study it performed on the use of free and open source software (which it calls "FOSS") within the U.S. Department of Defense. It is an interesting look at how the DoD uses free software, and what would happen if an anti-free-software policy were to be adopted. The full study is available as a 160-page PDF file; here you'll find a rather shorter summary of what it says.

The question that this study was meant to answer seems to be "should the military ban the use of free software?" The conclusion they came to is clear:

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use.

Looking at one area in particular, the report continues:

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized... One unexpected result was the degree to which security depends on FOSS... Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

The report looks at free software licenses in considerable detail in a deliberate attempt to address a number of institutional fears about those licenses. Worries about licensing, say the authors, have led to a suboptimal level of free software usage. It is a reasonably straightforward and accurate study; for added fun, they look at the EULA for Microsoft's "Mobile Internet Toolkit" and compare its terms with those of free licenses. "However, unlike the Microsoft MIT EULA, the GPL places no constraints on software simply running on the same system, and actually goes out of its way not to intrude on other licenses outside of that context."

The report includes a survey of how free software is used within the DoD now. They break that usage down into four categories:

Infrastructure, using tools like sendmail and apache.
Software development, especially with gcc and Perl.
Security, including intrusion detection systems, security analysis tools (i.e. SARA and Snort), and secured operating systems like OpenBSD. "Yet another important way in which FOSS contributes to security is by making it possible to change and fix security holes quickly in the face of new modes of cyberattack. This ability, which allows rapid response to new or innovative forms of cyberattack, is intrinsic to the FOSS approach and generally impractical in closed source products."
Research, which benefits from Linux clusters and the general culture of free software.

The report authors looked at costs, of course:

More often than not, the strongest deciding factors for choosing FOSS products were capability and reliability, with cost being an important but secondary factor.

They note one other important factor regarding free software and costs:

Without the constant pressure of low-cost, high-quality FOSS products competing with the closed-source products, the closed-source vendors could more easily fall into a cycle in which their support costs balloon and costs are passed on to their locked-in customers.

The report concludes with three recommendations that, they say, would help the DoD make optimal use of free software. They are:

Create a "generally recognized as safe" list of free software. 115 free applications found by the survey would be the starting point for this list. Suggested "applications" include, however, Linux, OpenBSD, NetBSD, and FreeBSD, so this list would be pretty general.
Develop generic infrastructure, development, security, and research policies. These policies would promote the use of free software in situations where it is deemed appropriate.
Encourage use of FOSS to promote product diversity. "Acquisition diversity reduces the cost and security risks of being fully dependent no a single software product, while architectural diversity lowers the risk of catastrophic cyber attacks based on automated exploitation of specific features for flaws of very widely deployed products."

Finally, a set of appendices provides lists of free software applications in use within the DoD, and the full text of a large number of free software licenses.

If the DoD was seriously considering banning free software, one can only hope that this report will put an end to such thoughts. Through a great deal of detailed research, the report's authors have demonstrated that the Department of Defense is already heavily dependent on free software, and would be badly hurt if use such software were forbidden. Increasingly, free software is crucial part of the systems we all use, and that, of course, is a good thing.

(Log in to post comments)

Links

Posted Oct 31, 2002 18:30 UTC (Thu) by gleef (guest, #1004) [Link]

Gady asks:
It would be really nice if articles which refer to not very generally known stuff would have links. I don't think a link to FreeBSD is really necessary... but one to the mentioned security packages (SARA and something) or maybe even to the Microsoft EULA mentioned, it on the web.

None were particularly hard to find, and its not as if Mitre was producing a webpage, it's a report to the DoD. Regardless, here they all are:

SARA is the Security Auditor's Research Assistant, and can be found at http://www-arc.com/sara/
"something" would be Snort, the other security package mentioned, which can be found at http://www.snort.org/
The Microsoft EULA mentioned would be the Mobile Internet Toolkit EULA, which can be found crammed into an annoying box at http://msdn.microsoft.com/Downloads/eula_mit.htm

Enjoy!

and me, as a pacifist...

Posted Oct 31, 2002 11:29 UTC (Thu) by slat (guest, #7147) [Link]

now heres a problem for me. As i don't belive in militant force as means to solve conflicts, and i try to work as hard as i can for openness and for peacefull, long lasting solutions to conflicts and conflicts to be. I still might end up with the military using my contributions to kill, or training to kill.
I work against a military intervention in Iraq, still, my contributions in GPL might end up helping the military carry through the assault. Now, this is mostly theoretically, I don't think they see much use in what i have done, still.. its disturbing.
As there are ethical funds, where the fund promises not to invest in companies that help produce arms (ericsson, saab, general electronics) maybe there should be an ethical gpl license alternative.. of cource, i have only to write it myself.
Argh, this is mostly distrubing anyway, i belive in the gpl as it is today, and i belive in non-violence. And I would be happier if ceratin scroupless companies wern't allowed to use the code.

and me, as a pacifist...

Posted Oct 31, 2002 12:27 UTC (Thu) by brugolsky (subscriber, #28) [Link]

A library full of licenses, all incompatible ...

Inevitably, one person thinks that nuclear power is abominable, and another thinks that it is the only way to prevent pollution.

One person thinks that the police of a particular state repress freedom; another thinks that they maintain order.

All that such licenses can do is dilute all efforts.

Face it, all technology can be used for good or ill, and there is a vast gray area which is neither or both.

Do you believe in militant force when you and your family are being held hostage in a theatre in Moscow? Should the Moscow police be allowed to use your software?

and me, as a pacifist...

Posted Oct 31, 2002 18:03 UTC (Thu) by rfunk (subscriber, #4054) [Link]

> Do you believe in militant force when you and your family are being held
> hostage in a theatre in Moscow? Should the Moscow police be allowed to use
> your software?

Not if they're going to gas me to death when they try to save me....

DOD and FOSS

Posted Nov 7, 2002 16:05 UTC (Thu) by whitleych (guest, #6866) [Link]

The results do not surprise me. Budgets are always tight for the military (at least at the local level). As for wondering if you want your software being used by the military, did you also ask yourself if you wished to use software improved by the military? Usually the path is in both directions. ARPA is a prime example..... I admit that it is a valid question however and one that only you can answer for yourself.

But try to remember things like the BSD license which precluded the use by South African police, circumstances change. Bad guys today may not be tomorrow. Some corporations may do more to damage the general population with less restriction than the U.S. military (environmental issues, unfair labor practices, etc). This is not indicating that the military is great, just that "any" large organization can have it's abuses and/or negative impact.
Regards
Cecil