Open Source

DHS warns on cyber risks of open source

Shutterstock image for a line of faulty code.

The Department of Homeland Security has suggested striking significant passages from a draft White House policy on open software out of concern that baring too much source code will increase the government's vulnerability to hacking.

Many private security firms don't publish their source code because it allows attackers to "construct highly targeted attacks against the software" or "build-in malware directly into the source code," DHS said in comments posted to GitHub. The comments were attributed to DHS' CIO office.

The DHS feedback reflects an administration that is mapping out the benefits and potential drawbacks of making more government code public.

The draft policy, released for public comment in March, asked agencies to partake in a three-year pilot program requiring that at least 20 percent of custom code be published. The goal is to save money and spur innovation by making the software used by agencies more open, sharable and reusable.

For some open-source advocates, the 20 percent benchmark is too low.

"In a world increasingly dominated by the success of open source, requiring that the world's largest producer of code release only 20 percent of its software is a missed opportunity to modernize government," GitHub project manager Ben Balter wrote in an April 11 op-ed in FCW.

But the DHS comments were rife with concerns about source code-enabled vulnerabilities.

"Government-specific" examples of source code risks listed by DHS include the "mafia having a copy of all FBI system code" and terrorists accessing air traffic control software. "How will this be prevented?" the department asked. The department requested that those drafting the policy provide a rationale for the 20 percent baseline.

DHS, whose mission includes civilian cyber defense, also asked that the policy set clear guidelines for publishing source code used in "inherently government functions," such as law enforcement and security.

"The policy seems to rely on the CIO's best judgement [sic], but does not sufficiently address the procedures necessary for agencies to make proper determinations," the DHS comments said.

DHS also requested an analysis of how publishing source code affects government software development.

The comment period on the draft policy, originally slated to close April 11, has been extended to April 18.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.