Sunday, January 9, 2011

Linux for DoD?

Prime Minister Vladimir Putin signed a 20-page executive order requiring all public institutions in Russia to replace proprietary software, developed by companies like Microsoft and Adobe, with free open-source alternatives by 2015. Such a move will save billions of dollars in licensing fees, but Mr. Putin's motives are not strictly economic. In all likelihood, his real fear is that Russia's growing dependence on proprietary software, especially programs sold by foreign vendors, has implications for the country's national security. Free open-source software, by its nature, is less likely to contain secret back doors.

There are also indications that China, Saudi Arabia, Turkey and Iran are attempting to switch from proprietary software made in the USA to open-source software, primarily Linux.

The prospect of substantial savings is not the primary incentive for decoupling from US vendors. The motivation is to contain, within security-defined boundaries, the vulnerability to Internet-conveyed attacks and to manage the exfiltration of information from internal sources.

The Russian government will now start managing its own open-source Linux software environment so that it can add security extensions to a private, restricted version of the operating system. This may also include control of additional software that provides security features.

Can DoD attempt standardization of operating systems by adopting a security-enhanced version of Linux? Can USCYBERCOM implement such a change as a way of improving network security while reducing costs? Will the DoD Components oppose such a move?

It turns out that over 40% of total DoD IT spending is already in the hands of the Agencies, not the Components. The Agencies control about twice as much IT money as remains with each of the Components.

By far the greatest share of Agency IT spending is in DISA, now controlled by USCYBERCOM, which is therefore in a position to dictate the formation of a DoD secure infrastructure. Such a move would have economic as well as security advantages, since DoD infrastructure costs are now over 50% of total IT spending and are increasingly diverting funds from innovation to security assurance. The reason DoD IT infrastructure spending is so high, and why little money is available for innovation, is that there are now hundreds of duplicate infrastructures within the Components, plus the additional cost of supporting the DISA infrastructure.

The role of the Components would then have to be restricted to the development and operation of applications, all riding on the shared DoD infrastructure that provides most of the required security features. The Components would have to stop funding projects in which each develops its own customized infrastructure and security protection.

The time has come for DoD to start considering the adoption of an open-source operating system, such as one of the versions of Linux. What would make a DoD Linux unique are the security add-ons that would remove most of the rapidly changing security features from the application servers and from client computers.

The responsibility for implementing such a change should rest with USCYBERCOM. Controlled versions of what would be a DoD-specific operating system are more likely to offer a much smaller "security risk surface" than generic software that is readily available for examination and exploitation by attackers.