A report published on Monday found that what it terms FOSS (free and open-source software) "plays a more critical role in the DoD than has been generally recognized," and noted that if open source were banned, the department's security would plummet and costs would rise sharply.
Mitre's report, called Use of Free and Open-Source Software in the US Department of Defense, addresses an increasingly urgent issue: what stance governments should take with regard to open-source software. Because it is freely distributable, open-source software has often come into wide use within governments without having to be officially endorsed.
Recently, proprietary software companies such as Microsoft have labeled open-source software a threat and have called its use into question. At the same time, some governments, such as those of France and Germany, have begun encouraging open-source procurement as a way of limiting their dependence on proprietary software makers and stimulating local software development.
Software distributed under open-source licenses can be freely modified and redistributed, as long as the modifications are returned to the community. This autonomy from the software vendor is useful for the Defense Department because it speeds the process of responding to threats, but it also creates ambiguities, Mitre said.
"The combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use," the report said.
To solve the problem, Mitre recommends that the department create a "Generally Recognized As Safe" list recognizing widely used, reliable software such as Apache, Linux and the GCC compiler. The department should also encourage the use of proprietary software that works well with open-source, the use of the GNU General Public License in some cases and the use of open-source generally to improve research efficiency and commercial innovation, said the report.
"Use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyberthreats," the report said.
Mitre also said that open-source software should be used to promote product diversity, an increasing concern as Microsoft's Windows software becomes more and more dominant. "Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyberattacks based on automated exploitation of specific features or flaws of very widely deployed products," the report said.
Mitre noted that some proprietary software licenses, such as Microsoft's MIT EULA (end user license agreement), would effectively ban open-source software if they were widely used, but said that this would be far from desirable for the US government. Besides the security implications, such a move would hurt the DoD's research and software development capabilities, and its ability to support Web and Internet-based applications.