Serving Our National Security on a Silver Platter: Open Source Code in the 2018 NDAA
The WasteWatcher
Deep in the depths of the Senate-passed National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018, provisions have been injected that could harm already vulnerable Department of Defense (DOD) information technology (IT) systems and place national security at risk.
Sections 881-886 of the NDAA pave the way for the DOD to use open source software for most of its systems. Open source code allows anyone to easily inspect, modify, and enhance an IT system since it is accessible to the general public. The DOD typically uses proprietary or “closed source” software, which allows only the creator of the code to maintain control over it and keeps private the management of source code between the partner organization and DOD. However, in February 2017, DOD began experimenting with open source code, although the practice has not been adopted department-wide.
The recent Equifax breach highlights the dangers of open source software. On September 7, 2017, Equifax announced that a cybersecurity breach of its open source system (Adobe Struts) had occurred between May and July 2017, in which the personal identification information of roughly 143 million people was extracted.
Making public the source code to a centralized software network not only unlocks the door for attackers, but also makes it very difficult for a company to account for problems within complex systems, especially when there are thousands of open source components developers must sift through and integrate. In addition, companies using open source products often have difficulty properly monitoring changes and modifications to the software, and therefore are ill-prepared to avert a potential attack.
Hackers are constantly seeking vulnerable IT systems, and open source code hands them a virtual key to a company’s susceptibilities on a wide scale. Once weaknesses are found, hackers can exploit them over and over again on the dark web. Gitlinks CEO Ian Folau has even predicted that “we are likely to see larger scale attacks on popular open source components against multiple companies at once.” Based on the unfortunate example provided by the Equifax breach, the NDAA open source provisions would provide a target for any hacker wanting to crack into defense IT systems.
In addition to the national security risks, these NDAA provisions threaten intellectual property and have the potential to stifle innovation and competition.
As currently written, Section 881 violates U.S. copyright laws, as well as the Trade Secrets Act, by encouraging companies creating software for the DOD to turn over source code in native electronic format. Such drastic steps could result in grave consequences for the innovation economy. Asking tech companies to turn over their source code to the government decreases competition and gives them less of a reason to innovate. In addition, Section 883 codifies the use of an Obama-era initiative, the General Services Administration’s (GSA) Office of 18F, to procure software for the DOD.
Started in March 2014 by a group of Presidential Innovation Fellows, 18F has been the recipient of harsh criticism in the GSA Inspector General’s reports issued on October 24, 2016 and February 21, 2017. It is simply not credible to believe that this fledgling operation, with approximately 200 employees scattered throughout the U.S., can possibly provide better software for the DOD than long-established private sector companies with tens of thousands of employees. Congress should not effectively close off DOD from any software option that might better serve taxpayers.
Although most of these provisions are limited to the DOD, Section 886 sets a precedent that could establish open source as the preferred method for software procurement throughout the government. That would reverse the July 1, 2004 Office of Management and Budget software acquisition memorandum which requires federal software purchases to be technology neutral. This potential snowball effect could expose the government to the risk of greater cybersecurity attacks and impinge on the intellectual property rights of technology companies that contract with the federal government.
The federal government should quickly learn from high-profile incidents like the Equifax breach, which demonstrates that even the private sector has difficulty managing and protecting open source code. Beyond the inherent issue of government mandating technology solutions, requiring the DOD to begin using open source code as its preferred software solution is a risk to national security and intellectual property that simply cannot be made. The Council for Citizens Against Government Waste, along with nine other organizations, has urged the NDAA conferees to remove these problematic provisions in order to prevent potentially disastrous results.