Mitre, a not-for-profit engineering and IT organisation that works with the US federal government, has recommended that the US Department of Defense take steps to encourage open-source software in the department's infrastructure.
A report published on Monday found that what it terms FOSS (free and open-source software) "plays a more critical role in the DoD than has been generally recognised," and noted that if open source were banned, the department's security would plummet and costs would rise sharply.
Mitre's report, called Use of Free and Open-Source Software in the US Department of Defense, addresses an increasingly urgent issue: what stance governments should take with regard to open-source software. Because it is freely distributable, open-source software has often come into wide use within governments without having to be officially endorsed.
Recently, proprietary software companies such as Microsoft have labelled open-source software a threat and have called its use into question. At the same time, some governments -- such as those of France and Germany -- have begun encouraging open-source procurement as a way of limiting their dependence on proprietary software makers and stimulating local software development.
Software distributed under open-source licences can be freely modified and redistributed, as long as the modifications are returned to the community. This autonomy from the software vendor is useful for the Defense Department because it speeds the process of responding to threats, but it also creates ambiguities, Mitre said.
"The combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use," the report said.
To solve the problem, Mitre recommends that the department create a "Generally Recognised As Safe" list recognising widely used, reliable software such as Apache, Linux and the GCC compiler. The department should also encourage the use of proprietary software that works well with open-source, the use of the GNU General Public Licence in some cases and the use of open-source generally to improve research efficiency and commercial innovation, said the report.
"Use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyberthreats," the report said.
Mitre also said that open-source software should be used to promote product diversity, an increasing concern as Microsoft's Windows software becomes more and more dominant. "Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyberattacks based on automated exploitation of specific features or flaws of very widely deployed products," the report said.
Mitre noted that some proprietary software licences, such as Microsoft's MIT EULA (end user licence agreement), would effectively ban open-source software if they were widely used, but said that this would be far from desirable for the US government. Besides the security implications, such a move would hurt the DoD's research and software development capabilities, and its ability to support Web and Internet-based applications.