Kundra advocates open source

Federal CIO Vivek Kundra includes open source as one of the key technologies to make government work better and more cheaply, but open-source evangelists still see major roadblocks ahead that will take more than lip service — even if it is from the White House — to overcome.

Open-source software advocates are feeling energized. With the first semi-geek president in power, one who wields a cudgel for the kind of transparency and accountability that the open-source community is based on, they see a golden opportunity to push their case for the type of software that allows anyone to contribute code subject to the scrutiny of their peers.

Know your open definitions

Open source: This type of software is developed and distributed under licenses that allow anyone to contribute code, though any additions or changes are open to the scrutiny of peers in the open-source community. That ensures transparency and, so the theory goes, better quality, reliability, flexibility and lower cost.

Open standards: Such standards are developed by a community of vendors, users, academic institutions and governments, and the standards are free for anyone to use. Extensible Markup Language is an example of a pervasive open standard. Applications and other software can be proprietary, and as long as they adhere to open standards, they can interoperate and data can pass freely among them.

Open architecture: Open architecture refers to hardware or software whose specifications are public so that anyone can design components that will work with them. Open-source software is just one example of an open architecture.

In February, a group of 15 open-source developers and industry executives sent a letter to President Barack Obama that asks him to require agencies to consider the source of software solutions when they compare acquisition options, thereby making sure that open source gets a fair evaluation alongside commercial products in all buying decisions.

The open-source community is changing the software development world in ways similar to how Obama has promised to change U.S. politics, the letter's authors wrote. “We sincerely hope that you will make the use of open-source software a key component of every new technology initiative the United States government enters into.”

The letter's writers wouldn’t have dared such a bold request 10 years ago. At that time, open-source software was an upstart and lacked credibility. It was free, sure, but it didn’t scale well for the big systems that government runs. In addition, reliable, long-term tech support for it was difficult to find, and its security was suspect at best, detractors said.

Now it’s a different story. Intelligence agencies are knee-deep in open-source software, research-based organizations such as NASA and Energy Department labs would be lost without it, and even the straight-laced Defense Department is becoming something of a poster child for the stuff.

So when Vivek Kundra, the federal government’s new chief information officer, includes open source as one of the technologies he supports using to make government work better and more cheaply, you would think open source is primed for a surge in support.

Apparently not. Even open-source evangelists still see major roadblocks ahead that will take more than lip service, even if it is from the White House, to overcome.

Bill Vass, president and chief operating officer at Sun Microsystems Federal, pointed out that open source is everywhere. Supposedly proprietary products such as Microsoft Windows and Oracle databases include open-source components. And yet he said he is amazed at the persistent lack of understanding in the federal government about whether it’s OK to use it.

“The acquisition process doesn’t support open source, and security people still don’t support it even though they know it’s now much more secure,” he said. “There’s mass confusion and misdirection.”

Others don’t see it in such stark terms. For example, John Weathersby, executive director of the Open Source Software Institute (OSSI), an organization formed to specifically promote the use of open source in government, said he thinks much of the battle has been won, at least in terms of convincing people about the value and effectiveness of the collaboratively created technology.

But he agrees that more education is needed on broader policy and acquisition issues. “We’ve come a long way in 10 years,” he said. “But there’s still a ways to go.”

No stranger to open source

Federal agencies first started using Linux, an open-source server operating system, in the 1990s. In 2000, the President’s Information Technology Advisory Committee recommended that the government allow the use of open-source software development at least for high-end computing.

Open-source software in government timeline

1991: Linus Torvalds writes the code for the first release of the Linux operating system.

2000: The President’s Information Technology Advisory Committee recommends support for open-source software development for high-end computing.

2001: The National Security Agency starts development of a security-enhanced version of Linux to share with the public.

2003: The Defense Department frees military agencies to use open-source software that meets certain security and validation conditions.

2004: NASA develops a license to release applications developed at the agency as open source.

2005: Sun Microsystems releases its previously proprietary Solaris operating system as open source.

2007: The National Institute of Standards and Technology validates the OpenSSL cryptographic module for government use under Federal Information Processing Standard 140-2.

2007: The Navy approves use of open-source software in all Navy and Marine Corps IT systems.

January 2009: DOD launches open-source community site Forge.mil, based on public Web site SourceForge.net, which hosts thousands of open-source projects.

April 2009: The federal government makes available for download and public use the software code that will connect organizations to the Nationwide Health Information Network.

June 2009: The Homeland Security Department, Navy and others launch the Homeland Open Security Technology program to push for the use of open-technology solutions in government.

Since then, a number of government organizations, most importantly DOD, have endorsed the use of open source. In 2003, DOD officials issued a memo to military agencies to approve the use of open source as long as the software met certain security standards.

Earlier this year, DOD launched Forge.mil, a Web site managed by the Defense Information Systems Agency through which developers can work on open-source projects specifically for the military. It’s based on a public Web site called SourceForge.net, which hosts thousands of open-source projects.

In March, DISA also announced a cooperative research and development agreement with OSSI to develop DISA’s internally developed Corporate Information Management System. The plan is to allow other federal agencies and private organizations to use the open-source software.

In early June, the Homeland Security Department’s Science and Technology Directorate is expected to announce the launch of the Homeland Open Security Technology (HOST) program, a collaborative venture to promote the use of open-technology solutions in government.

DHS and the Navy’s Space and Naval Warfare Systems Command are investing $1.5 million in the program, which the University of Southern Mississippi will administer and OSSI will coordinate.

The government offers many open-source success stories, and various agencies can provide a range of resources, Weathersby said. But until the HOST program, no strategy brings them together to make them available to all government users and contractors.

Old habits are still hard to break

Despite these initiatives, open-source use in government remains fragmented. Several factors have limited the spread of open source.

Security concerns have been a bugaboo for open-source software from the get-go. Critics argue that because open source means less direct ownership oversight and support, there's greater potential for compromise and therefore less secure software.

It’s one of the perceptions that Vass, for one, has been struggling to overcome. He said many intelligence agencies and DOD tactical systems moved to open source in the 1990s specifically to improve security.

Traditional ways of writing code, which typically involve small teams of developers, can produce security problems. By opening the source code, a community of many developers often can quickly identify security vulnerabilities.

As evidence, he cites Sun's move to open its Solaris operating system in 2005. At the time, it had — and it still does have — the highest security rating the government offers for enterprise operating systems. Before Sun opened the source code, the government's best experts reviewed the code.

Within a month of going open source, the open-source community identified 28 new vulnerabilities.

A misconception about open-source software's status as commercial software also drags down the rate of government adoption. Because acquisition regulations don't describe open source as commercial software, many agency buyers believe it doesn’t meet requirements that give preference to commercial software. Many agency employees think the use of open-source software is forbidden.

But that’s contrary to what the regulations state, said David Wheeler, an open-source software expert.

“Not only are there no regulations forbidding its use, there are formal letters saying its use is OK,” he said. DOD issued such guidance in 2003, the Office of Management and Budget did likewise in 2004, and a Navy memo in 2007 specifically states that open-source software is equivalent to commercial software. DOD reportedly has had another memo that uses even stronger language to support the use of open source ready since November, but it is awaiting a formal sign-off, Vass and others said.

Because open source is commercial software, Wheeler said, any agency that doesn’t consider open source is violating acquisition laws. However, he added that it’s hard to change ingrained government practices.

In addition, proprietary software vendors do their best to hide information about open source and its capabilities, he said. That’s hardly a new complaint in the open-source community. In government markets, so the story goes, large vendors with profitable stakes in agency technology operations go to enormous lengths to spread fear, uncertainty and doubt about open source among agency executives and lawmakers in Congress.

Many of those vendors have a different take. Susie Adams, Microsoft Federal’s chief technology officer, said vendors such as Microsoft are increasingly unlikely to oppose open-source software. These days, Microsoft developers post comments as often to open-source community boards as they do to those devoted to Microsoft software, she said.

“Proprietary software vendors do understand the value of open source in some situations,” Adams said, so it’s a question of what the best tool is for the job.

In the end, none of this might matter as much as it seems to now. With the move to more flexible fee-based computing architectures such as software as a service and cloud computing, support for open standards is the important thing, Adams said, “and none of that necessarily means opting for open source.”
