Serving Our National Security on a Silver Platter: Open Source Code in NDAA 2018


Deep within the National Defense Authorization Act (NDAA) adopted by the Senate for fiscal year (FY) 2018, provisions were introduced that could harm the already vulnerable information technology (IT) systems of the Department of Defense (DOD) and put national security at risk.

NDAA Sections 881 to 886 pave the way for the DOD to use open source software for most of its systems. Open source code allows anyone to inspect, modify and improve a computer system, since the code is accessible to the general public. DOD generally uses proprietary or “closed source” software, which leaves the creator of the code in control and keeps management of the source code confidential between the partner organization and the DOD. In February 2017, however, the DOD began experimenting with open source code, although this practice has not been adopted department-wide.

The recent Equifax breach highlights the dangers of open source software. On September 7, 2017, Equifax announced that a cybersecurity breach had occurred on its open source system (Adobe Struts) between May and July 2017, in which the personally identifiable information of approximately 143 million people was extracted.

Making the source code public on a centralized software network not only opens the door for attackers, but also makes it very difficult for an organization to account for issues within complex systems, especially when there are thousands of open source components that developers need to sift through and integrate. Additionally, companies using open source products often have difficulty properly monitoring software changes and modifications, and are therefore ill-prepared to deflect a potential attack.

Hackers are constantly on the lookout for vulnerable computer systems, and open source code gives them a virtual key to the susceptibilities of a large-scale enterprise. Once weaknesses are detected, hackers can exploit them again and again on the dark web. Gitlinks CEO Ian Folau even predicted that “we are likely to see larger scale attacks on popular open source components against multiple companies at once.” Based on the unfortunate example provided by the Equifax breach, the open source provisions of the NDAA would be a target for any hacker wishing to break into defense computer systems.

In addition to national security risks, these provisions of the NDAA threaten intellectual property and have the potential to stifle innovation and competition.

As currently drafted, Section 881 violates U.S. copyright law, as well as trade secret law, by encouraging companies creating software for DOD to turn over the source code in its native electronic format. Such drastic measures could have serious consequences for the innovation economy. Asking tech companies to turn their source code over to the government decreases competition and gives them less reason to innovate. Additionally, Section 883 codifies the use of an Obama-era initiative, the General Services Administration’s (GSA) 18F office, to procure software for the DOD.

Launched in March 2014 by a group of Presidential Innovation Fellows, 18F has come under heavy criticism from GSA Inspector General reports published on October 24, 2016 and February 21, 2017. It just isn’t credible to believe that this fledgling operation with around 200 employees scattered across the United States can possibly deliver better software for DOD than long-established private sector companies with tens of thousands of employees. Congress should not close the DOD to any software options that might better serve taxpayers.

While most of these provisions are limited to DOD, Section 886 sets a precedent that could establish open source as the preferred method for purchasing software across government. This would overturn the Office of Management and Budget’s July 1, 2004 software acquisition memorandum, which requires federal software purchases to be technologically neutral. This potential snowball effect could put the government at risk of larger cybersecurity attacks and infringe on the intellectual property rights of technology companies that contract with the federal government.

The federal government should quickly learn from high-profile incidents like the Equifax breach, which demonstrates that even the private sector is struggling to manage and protect open source code. Beyond the government’s inherent problem with imposing technological solutions, requiring the DOD to adopt open source code as its preferred software solution is a national security and intellectual property risk that simply cannot be justified. The Citizens Council Against Government Waste, along with nine other organizations, urged NDAA speakers to remove these problematic provisions to avoid potentially disastrous results.
