Open Source

DHS warns on cyber risks of open source

Shutterstock image for a line of faulty code.

The Department of Homeland Security has suggested striking significant passages from a draft White House policy on open software out of concern that baring too much source code will increase the government's vulnerability to hacking.

Many private security firms don't publish their source code because it allows attackers to "construct highly targeted attacks against the software" or "build-in malware directly into the source code," DHS said in comments posted to GitHub. The comments were attributed to DHS' CIO office.

The DHS feedback reflects an administration that is mapping out the benefits and potential drawbacks of making more government code public.

The draft policy, released for public comment in March, asked agencies to partake in a three-year pilot program requiring that at least 20 percent of custom code be published. The goal is to save money and spur innovation by making the software used by agencies more open, sharable and reusable.

For some open-source advocates, the 20 percent benchmark is too low.

"In a world increasingly dominated by the success of open source, requiring that the world's largest producer of code release only 20 percent of its software is a missed opportunity to modernize government," GitHub project manager Ben Balter wrote in an April 11 op-ed in FCW.

But the DHS comments were rife with concerns about source code-enabled vulnerabilities.

"Government-specific" examples of source code risks listed by DHS include the "mafia having a copy of all FBI system code" and terrorists accessing air traffic control software. "How will this be prevented?" the department asked. The department requested that those drafting the policy provide a rationale for the 20 percent baseline.

DHS, whose mission includes civilian cyber defense, also asked that the policy set clear guidelines for publishing source code used in "inherently government functions," such as law enforcement and security.

"The policy seems to rely on the CIO's best judgement [sic], but does not sufficiently address the procedures necessary for agencies to make proper determinations," the DHS comments said.

DHS also requested an analysis of how publishing source code affects government software development.

The comment period on the draft policy, originally slated to close April 11, has been extended to April 18.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/Shutterstock.com)

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected