The department made a bid to adjust a White House draft policy that would encourage agencies to code in the open, and to share their code with each other.
Update: DHS now says these comments on the White House open source policy were incorrectly posted and do not serve as the department’s official stance on the policy. Click here for an update.
The Homeland Security Department is advising against a proposed policy that would force agencies to make public 20 percent of their software code.
Supporters of that policy think it could cut government spending by allowing agencies to share custom-developed code instead of getting third parties to redevelop it, and allow outside developers to spot-check it for security flaws.
But publishing source code could also let attackers “construct highly targeted attacks against the software,” or “build-in malware directly into the source code, compile, then replace key software components as 'doppelgangers' of the original,” DHS’ Office of the Chief Information Officer argued in comments posted on GitHub.
Gone wrong, open source code could be the equivalent of “Mafia having a copy of all FBI system code” or a “terrorist with access to air traffic control software,” according to the comments, which asked, “How will this be prevented?”
Such a policy could also discourage developers from writing code for the U.S. government, “knowing that their intellectual property could be poached by overseas competitors,” DHS officials said. It could also encourage some companies to “maintain proprietary code for which they could charge any undetermined amount.”
DHS comments suggested removing the “20 percent” requirement for newly developed code.
FCW first reported DHS' concerns with the open source policy.
The department's strongly worded stance against open source software is at odds with open source advocates, including some in the government, who think 20 percent isn't enough.
Earlier this month, members of General Services Administration's tech consultancy 18F commented code should be “open source by default,” which would “encourage good documentation and coding practices."
Nextgov has requested comment from DHS.