Why can’t the Pentagon use more open source code?


The Defense Department failed to adequately implement a pilot program, mandated by Congress, that would increase the Pentagon’s reliance on open source code, according to a Sept. 10 report from the Government Accountability Office.

The Pentagon did not follow an August 2016 memorandum from the Office of Management and Budget, which called on agencies to create a pilot program that would release 20% of their newly developed code as open source, as well as establish a metric to measure success. The National Defense Authorization Act for Fiscal Year 2018 required the Pentagon to follow this policy. Open source programming allows users to modify, reuse, and share code. As a result, open source can reduce costs and improve efficiency, GAO wrote. According to the report, entitled “The DOD must fully implement the pilot program for open source software,” the heads of 11 components within the DoD said there would be efficiency and financial benefits.

“However, there were divergent views on how to manage the cybersecurity risk associated with the use of open source software,” GAO wrote. “Specifically, the makers of three components noted that security concerns could result in the sporadic use of [open source], while eight officials said potential cybersecurity risks were manageable [sic].”

According to the GAO, as of July 2019, the Pentagon had released less than 10% of its custom-developed code, well below the 20% target.

The Pentagon’s top IT official, Dana Deasy, is responsible for implementing the requirements. Under OMB guidance, agencies are to issue a government-wide code reuse policy, perform software solutions analysis by examining alternative software options, secure data rights and inventory custom code, and publish the code in a way that promotes communication between agencies. The DoD has not issued an open source policy, but has “partially implemented” the other three requirements.

The Pentagon rejected GAO’s first recommendation – that the DoD should implement the open source pilot program – by writing that the Pentagon “does not believe that the pilot program as described in the OMB memorandum is feasible as offered.” Department officials argued that “Much of the software custom developed by the DoD is created for weapon systems and the release of associated code is sensitive for national security reasons,” GAO reported.

Deasy’s office also said the size of the Department of Defense makes it difficult to inventory all of the code.

“The CIO reported that the size of the department makes it almost impossible to inventory all of its custom-developed source code since August 2016. As such, the CIO said it would be difficult to meet the goal of the OMB memorandum to release at least 20% of its new custom-developed code as OSS [open source software],” the GAO wrote.

According to the report, the Pentagon also failed to create a measure to assess the performance of the pilot program “due to a lack of consensus within the department on what data to collect.”

“According to the CIO, if the measure consists of ‘lines of code’ then it unfairly reduces projects that invest a large amount in research but are otherwise small,” the GAO wrote. “If the measure is ‘project hours’, then it does not take into account projects born out of sparks of innovation that took little time to develop. If the metric is ‘number of projects’, then it ignores the other two possible metrics.”

Some officials interviewed by GAO also expressed concerns about the cybersecurity risks posed by open source code. An official with the CIO’s office in the Navy said he was concerned about the insertion of malicious code by a disgruntled employee. Without a process to verify the integrity of open source code, the official told GAO, the Navy doesn’t have the risk assurance it needs, which the service has with commercial products. Another official feared problems due to the lack of a governance structure.

Other officials said the security concerns could be mitigated by building security into software, verifying code before deployment, and creating a repository of verified code.

“Until the DOD fully implements its pilot program and establishes milestones to meet OMB requirements, the department will not be able to take advantage of significant savings and efficiencies,” wrote the GAO.