Open Source Software Critical For U.S. Military, Says Mitre Corp.

Open source software plays a far more critical role in the U.S. military than has been generally recognized, according to a new report by the Mitre Corp.

Not surprisingly, many Web servers, domain name servers and email systems at the Defense Department run on open source software.

But open source is also a key component of the military’s software development efforts, and is found in Defense Department research labs, according to Terry Bollinger, an IT analyst at Mitre and the report’s author.

And one of the more unexpected results of the survey was the degree to which Defense Department security depends on open source applications and strategies, Bollinger says.

Mitre, which is based in McLean, Va., identified 115 different open source products currently in use at the Defense Department, including Linux, OpenBSD and other operating systems, the Apache Web server, the JBoss application server and scripting languages such as PHP and Perl.

The study, which was conducted over email, was intended to provide a representative look at open source usage in the Defense Department, and did not aim to be an exhaustive survey. Mitre, a non-profit think tank that does a large amount of military-related work, was well positioned to conduct the survey because of its extensive contacts in the Defense Department, according to Bollinger.

Limbo status

Commercial software still makes up the bulk of software used by the military, says Bollinger. That’s due in part to open source’s ambiguous status in the Defense Department, he says.

Open source “is neither approved nor disapproved in most parts of the Defense Department,” according to the report. This “limbo status” makes decisions regarding open source difficult. Developers are often aware of the benefits of open source products for certain types of applications, but are unwilling to share that knowledge with their commanding officers “for fear that they will be told that they are using ‘unapproved’ applications.”

Those policy issues are in the process of being addressed, says Bollinger. To ease the process, Mitre recommended that the military create a “Generally Recognized As Safe” list, consisting of open source products that are commercially supported, widely used, and have proven track records of security and reliability.

Open source’s ambiguous official status has not kept some groups within the military from coming to rely heavily on it. “The security community was particularly adamant about the importance of open source,” says Bollinger. “Some of them got really emotional about it. In a cyber warfare situation, they need to be able to respond almost instantly. They can’t afford to take the time to send out a request to a third party for a code change to plug a security hole.”