
Does Sourcefire investigation reflect lack of understanding of open source?

If Israeli CheckPoint buys Sourcefire, how does that affect the open source Snort program? Does who the inventor works for make the software less secure?
Written by ZDNet UK, Contributor

Yesterday, the Committee on Foreign Investments in the United States announced it was investigating the acquisition of a small American company - Sourcefire - by the Israeli company CheckPoint. The concern is nominally that Sourcefire has a number of sensitive defense and government contracts. But the real concern has to do with Snort, open source intrusion detection software invented by Sourcefire's founder Martin Roesch. While Sourcefire has commercialized Snort, the software is completely open source. In an article in today's Washington Post, Sourcefire CEO Wayne Jackson notes:

"What nobody's talking about is the fact that Snort, which is at the center of all this hubbub, is open source. . . . China could be using it. Iran could be using it. North Korea could be using it. Nothing's being transferred except control, and those are issues that could certainly be addressed with the committee."

While some defense executives are concerned because so many government computers run Snort, control of the software doesn't rest in Sourcefire's hands. If the concern is that Roesch, as a CheckPoint employee, would insert some backdoor into a future version of Snort, the fact that it is open source would quickly expose such a vulnerability. There is far less vulnerability because the source code is not secret and development is not limited to a single company.

The Post quotes Tony Fratto, a spokesman for the Treasury Department, which leads CFIUS, as saying, "Certain members of the committee have outstanding concerns that there's potential risks to national security were the transaction to proceed."

Jackson said he is "confident that measures can be put in place to mitigate whatever risks the federal government believes might exist." He also said the firm will continue to serve its federal customers throughout the investigation, which is expected to conclude this month with a report to the president.
