Open source seeks growth in government market

Red Hat and Dell Tuesday teamed up as the sponsors of a conference here to “put some facts on the table” about open source software with the long-term goal of increasing its usage in the public sector.

Already the open-source Apache Web server software runs about 2,115 .gov Web sites, or about 36% of the total, and about 669, or about 22%, of the .mil Web sites, according to a survey by Web server information firm Netcraft Ltd. The Linux open source operating system is being rolled out on government supercomputers that will handle virtual nuclear weapons testing, speakers at the conference said.

While open source promoters can claim some territory in the public sector, they want more. One goal of Tuesday’s first-ever Open Source Security Summit was to spark the debate within the government over the scalability, affordability and other attributes of open source software, said Michael Tiemann, CTO of Linux supplier Red Hat.

“We are here to put on the table objective facts about security vulnerabilities, security solutions, security strengths, security architectures, policies which do or don’t achieve their objectives based on how they are composed,” Tiemann said in an interview. If at the end of the debate it becomes obvious that government agencies should use more open source software in “the way that it became obvious that seatbelts saves lives,” then the conference will have achieved its goal. “We are not there yet,” he said. “We are at the beginning.”

Citing the use of Linux to run mission-critical applications used by financial firms on Wall Street, Tiemann said, “generally speaking, I think that the federal government begins to pay attention once there have been private sector commercial successes.” Open source’s performance on Wall Street, he said, gives federal agencies a clear picture of how open source can save money and improve performance in large scale, mission-critical systems.

And he said government agencies are no different when it comes to the challenge of having to do more with less.

This year Linux scored a number of small gains among European government agencies when they chose open-source software for various purposes. Deals reached with German, French and Finnish agencies are examples. Tiemann said one reason those governments are adopting open source is they don’t like Microsoft’s End-User Licensing Agreements (EULA) that Tiemann says allow Microsoft to shut down their computers if it finds they are violating other agreements with Microsoft.

“If you are China and you are deploying Microsoft across the military … are you going to choose to deploy software that has an undocumented interface that allows systems to be shut down because you’ve got a dispute with an American company that has a monopoly?” Tiemann said.

National governments are coming up with the same answer, which is they don’t want to run software that demands they agree to “be hacked” by a single American company. Instead they want to run software they can audit and control, he said.

But a hurdle for greater acceptance of open source in the U.S. government is presented by the National Information Assurance Partnership (NIAP). The partnership between industry, the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) aims to promote the purchase of software and hardware that have been through the NIAP certification process at a federally approved laboratory.

If NIAP were operating perfectly, the government wouldn’t be buying or using software or hardware that had not been certified in the NIAP process, said Marcus Sachs, director of communication infrastructure protection in the National Security Council’s Office of Cyberspace Security. The government is trying to migrate toward buying only NIAP-certified products, but there are few that are, and none of them is open source.

Linux alone would be difficult to run through the NIAP process because as a collaborative creation, it lacks a sponsor to cover the cost of certification; however, Red Hat Linux, for example, would have a sponsor, he said.

“A bigger problem is those (products) that have no commercial wrapper on them like Apache. Who stands up to sponsor them?” said Sachs in an interview, noting that the NIAP process is expensive. “What we are facing is a recognition that there are very valid products that aren’t commercial that are (open), they have a home within the federal government.”

He said the Office of Cyberspace Security is looking at the problem with an eye toward open source products that the government is already using, but can’t get though NIAP because of the cost or because there’s no sponsor.

The NIAP process has to allow a way to certify those products and do so in a way that’s fair to proprietary products, he said. Currently, the only security certification process the government has is NIAP, but others are being considered, he said, adding that the government’s position on open source is neutral, but it has to be able to certify open source products.

“I hope the message is clear that what we want is security built into software whether it’s open or proprietary,” Sach said. “If you are writing software, regardless of which camp you are in, build security in it.”

Sachs also said there was some encouraging international news on computer security at the close of the recent meeting in Los Cabos, Mexico, of the leaders of the 21-member Asia-Pacific Economic Cooperation (APEC) group.

The APEC leaders’ statement calls on members to enact comprehensive laws on cybersecurity, establish high tech crime task forces and establish CERTs, by the time of the next summit in October 2003, Sachs said.

“It’s the first time we’ve seen something like that happen where a group of countries will all agree that within one year we are all going to raise the bar on computer security,” Sachs said.