The U.S. Department of Defense has been incrementally adopting open-source software and methodologies to improve efficiency and reduce costs. In a session at the Open Source Summit on Aug. 31, Jordan Kasper of the Defense Digital Service (DDS) outlined the steps the DoD has taken thus far and some of the lessons learned.
The DDS is part of the U.S. Digital Service (USDS), which embeds developers inside of U.S. government agencies as part of an effort to advance the state of technology development and usage. The USDS got started in 2014 under the Obama administration and has been continuing its work ever since.
“The U.S. Digital Service is a SWAT team of nerds,” Kasper said.
The USDS has been working to improve technology development within the government, with a particular focus on the use and development of open-source technology across multiple agencies, including the DoD, he said. Kasper outlined multiple reasons why open source is a model that has value for the DoD and other government agencies.
One of the greatest benefits of open source is the ability to easily reuse code, Kasper said. With open-source language frameworks in particular, developers can rapidly become productive by reusing code elements, he added.
“You don’t have to reinvent the wheel. You can just find something someone else has done and you can get up to speed very quickly,” he said.
At the DoD, finding solutions to complex problems rapidly is essential, according to Kasper. For example, there are times when the DoD has to come up with technology in a very short period of time to prevent loss of life. Building everything from scratch using custom code takes significantly longer than reusing existing open-source code elements.
Reusability at the DoD isn’t just about reusing publicly available code; it’s also about making use of code already available within the DoD. Additionally, open-source reusability helps to reduce the overall cost of ownership for software operated by the DoD.
“Open source enables us at the DoD to reuse our own things extremely easily,” he said. “The fact is the U.S. government spends hordes of money on tech and specifically on software development. Being able to reuse that is absolutely essential.”
Open source also enables collaboration and contribution, both with the general public and within the DoD. Kasper said that collaboration for the DoD is about bringing in a diversity of opinion and views on software development issues.
“Having a diverse group of individuals will help solve problems much faster,” he said.
Security can also benefit from the open-source model.
“Vulnerabilities are much easier to find in open source code and are much easier to patch,” he said. “Patches can come in at a speed that is much faster than with proprietary code.”
By open sourcing more of its code, the DoD can be more secure, Kasper said, though he noted that one of the things that he commonly hears from people is that open source is in fact insecure. The argument is that if the code is open source, then anyone will be able to see it and know how to hack it.
“The Defense Media Agency [DFA] runs approximately 800 web properties across the DoD, and in the first quarter of this year they were on the receiving end of 280 million malicious attacks,” he said. “Foreign actors know how to hack us. That is not the problem. The problem is we’re not fixing problems.”
DDS runs a bug bounty program along with HackerOne called Hack the Pentagon, which rewards security researchers for responsibly disclosing vulnerabilities to the DoD.
Kasper said that vulnerabilities exist whether code is open source or not. “It is critical that vulnerabilities are identified and patched quickly, and that is why it’s important to open-source code,” he said.
When it comes to open-sourcing code that has been developed by the DoD or its contractors, Kasper said that one question that comes up is about ownership. Some people will tell him that since the DoD paid for software development it belongs to the DoD and it is illegal to make it open-source.
Kasper noted there is lots of case law that indicates that it is not illegal for the U.S. government to open-source software. Additionally, he said the government has taken steps to adjust its contractual language with third-party developers to make it clear that the government prefers code that can be open-sourced. The effort to make more government code available as open-source was first required in August 2016 under the Federal Source Code Policy.
For the DoD, the effort to open-source code is tracked under the code.mil website, which includes guidelines, policies and project tracking features. Among the tools that the DoD has open-sourced is a malware detection tool for executable binaries. Across the U.S. government, the code.gov site also has an open “help wanted” listing of areas where help is needed to advance certain projects and add various features.
“The U.S. Digital Service is always looking for people that want to help make the situation better,” Kasper said. “We want to make tech not suck so bad in the federal government.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.