Update: This story has been updated with a statement from DHS.
The Homeland Security Department appears to be dialing back warnings it made last week about publishing federal source code, a practice it previously compared to giving the Mafia a “copy of all FBI system code.”
On Monday, a GitHub posting containing a “formal” comment from DHS’ Chief Information Officer Luke McCormack appeared to discredit those warnings. Releasing code to the public “can have extensive cybersecurity benefits” and DHS “strongly supports” the proposed policy, he wrote.
“Security through obscurity is not true security: we cannot depend on vulnerabilities not being exploited just because they have not been discovered yet,” McCormack said.
Last week, employees in that office had objected to parts of a White House draft policy that would require agencies to publish 20 percent of their custom-built software code, so other federal groups could share it. The Office of Management and Budget published those email comments and attributed them to the DHS Office of the CIO and components.
Such a policy would be the equivalent of a “terrorist with access to air traffic control software,” those comments said, noting later it could discourage developers from creating software for the U.S. government, “knowing that their intellectual property could be poached by overseas competitors.”
Those comments were "incorrectly posted" and do not represent DHS' position, agency spokesman Justin Greenberg told Nextgov in an email. McCormack's new comments "serve as the department’s official stance on the policy," the spokesman said. In his new comment, McCormack said the earlier comments reflected "a variety of individual positions across DHS components."
The previous DHS comments recommended removing the 20 percent requirement altogether. In his comments, McCormack said such a number would “encourage releasing code without thinking thoughtfully about how the government and community can get the most value from it.”
Instead, he suggested the policy be modified to require “significant portions of at least 20 [percent] of systems in an agency” be released as open source.
Still, some critics think OMB’s 20 percent requirement is too low, and that software should be open source by default. Vidya Spandana, vice president of the Presidential Innovation Fellows Foundation, which represents alumni of that program, told Nextgov that including the 20 percent rule in the policy could cause more confusion.
Developers can interpret 20 percent in various ways, she said. “Does it mean 20 percent of their technology needs to use open source technology that already exists?” Spandana asked.