Is Linux secure enough?

Although proponents argue that Linux is at least as secure as, and perhaps more secure than, Unix, Microsoft Corp.'s Windows NT or Novell Corp.'s NetWare, there is still concern at many federal agencies about the operating system's safety.

The idea that Linux is more vulnerable than other systems, however, "is absolutely a misconception," said Terry Bollinger, principal information systems engineer for Mitre Corp., a think tank that performs federally funded research.

"But because the genesis of Linux comes out of the hacker community—hacker in the good sense, where there's this international global effort to develop a source code that is fully open, fully visible to everyone—that immediately brings up all sorts of concerns and worries about what that means. Can people break in? Can people plant Trojan horses? It's almost a reflex action."

Reflex or not, concerns about security have kept many agencies at bay, especially the Defense Department. Incidentally, the efforts of an agency famous for its suspicious nature may eventually help the rest of government put aside its fears. This spring, the National Security Agency released a prototype of a security-enhanced Linux system to the public.

The prototype boosts Linux with new, stronger protections against tampering and bypassing application security mechanisms and with greater limits on the damage that can be caused by malicious or flawed applications. Among the new features are much-needed access controls at the user level and within the software itself.

The fact that NSA is sharing the source code and technical documentation ensures benefits for industry and government, a spokesperson for NSA said. Some agencies, including a number of DOD service elements and their contractors, have expressed interest in using security-enhanced Linux. Commercial operating system providers are also looking at the prototype for ideas about how they can enhance their products.

"This is a big step toward enabling a really strong security infrastructure, and many organizations have never had such a thing, even with proprietary systems," said Michael Tiemann, chief technology officer for Red Hat Inc. "I would argue that security-enhanced Linux is taking Linux to a level that is comparable to what runs on IBM [Corp.] mainframes."

Still, the prototype has a long way to go before it reaches the status of a full-fledged security solution.

"We feel that this level of interest is appropriate [because] the current offering is a prototype that is complete and stable enough for testing and small pilot efforts," the NSA spokesperson said. "Additional work is needed to make it ready for widespread operational use."

