Open Source

DHS warns on cyber risks of open source

Shutterstock image for a line of faulty code.

The Department of Homeland Security has suggested striking significant passages from a draft White House policy on open software out of concern that baring too much source code will increase the government's vulnerability to hacking.

Many private security firms don't publish their source code because it allows attackers to "construct highly targeted attacks against the software" or "build-in malware directly into the source code," DHS said in comments posted to GitHub. The comments were attributed to DHS' CIO office.

The DHS feedback reflects an administration that is mapping out the benefits and potential drawbacks of making more government code public.

The draft policy, released for public comment in March, asked agencies to partake in a three-year pilot program requiring that at least 20 percent of custom code be published. The goal is to save money and spur innovation by making the software used by agencies more open, sharable and reusable.

For some open-source advocates, the 20 percent benchmark is too low.

"In a world increasingly dominated by the success of open source, requiring that the world's largest producer of code release only 20 percent of its software is a missed opportunity to modernize government," GitHub project manager Ben Balter wrote in an April 11 op-ed in FCW.

But the DHS comments were rife with concerns about source code-enabled vulnerabilities.

"Government-specific" examples of source code risks listed by DHS include the "mafia having a copy of all FBI system code" and terrorists accessing air traffic control software. "How will this be prevented?" the department asked. The department requested that those drafting the policy provide a rationale for the 20 percent baseline.

DHS, whose mission includes civilian cyber defense, also asked that the policy set clear guidelines for publishing source code used in "inherently government functions," such as law enforcement and security.

"The policy seems to rely on the CIO's best judgement [sic], but does not sufficiently address the procedures necessary for agencies to make proper determinations," the DHS comments said.

DHS also requested an analysis of how publishing source code affects government software development.

The comment period on the draft policy, originally slated to close April 11, has been extended to April 18.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.