If a proposed amendment to the U.S. National Defense Authorization Act for next year gets the nod, it will enable the Department of Defense to use open-source software for several of its digital activities.
Using open-source software will help the Pentagon plug security vulnerabilities and save money on licensing fees for proprietary software.
Security researchers across the world are viewing the amendment as a positive step for the Department of Defense. Not only will the adoption of open-source software bring countless benefits for the organisation’s cyber security, but it will also help it save costs on proprietary software that comes with complex agreements as well as additional costs for each security upgrade.
The main advantage of open-source software is that it is visible to everyone, including security researchers and cyber freelancers who burn the midnight oil to find security holes in such software and alert organisations as soon as they find any. As such, the constant vigilance ensures that hackers cannot exploit existing vulnerabilities for too long.
Another long-term benefit is the cost, or lack of it. Proprietary software, or closed-source software as some may term it, comes with complex agreements and, due to its secret nature, drills a big hole in an organisation’s cyber security budget. In contrast, open-source software is free to use, and organisations have the ability to customise such software for their respective needs.
However, even though open-source software is cheaper to use and easier to understand, it needs huge investments in terms of time and effort from organisations to fill in the gaps in enterprise deployment of such software.
‘While it might seem clear that open source is less expensive, it often comes with increased requirements for staff and skills. Filling in the gaps in enterprise deployment of open source is the founding principle behind successful companies like Red Hat and Sourcefire.
‘While the principle that open source is more secure because the code is transparent makes sense, it’s not always reality. In order to reap benefits from that transparency, someone has to actually spend the time and effort to examine the code. Popular open source projects have plenty of resources looking at the code, but less well known projects may not,’ says Tim Erlin, VP at Tripwire.
As such, adopting open-source software just to save costs may not be ideal for organisations who may not be willing to hire additional cyber security staff to help streamline the adoption and plug any existing gaps.
‘Neither open nor closed source software is a panacea. There are benefits and drawbacks to both approaches. A balanced, rational process for choosing between open and closed source solutions is the best strategy,’ Erlin adds.
Of course, the Department of Defense, many of whose communications and operations form the core of national security, cannot be expected to whole-heartedly embrace open-source software, as it may not be ideal for it to upload sensitive documents to such portals. As such, the department will, as Erlin says, need to streamline its cyber-security efforts in order to protect both open-source and closed-source software.
The National Defense Authorization bill has made it clear that existing closed-source software, for which the source code is unavailable, won’t be reverse-engineered to migrate the data it contains into open-source software. However, the Department of Defense will be free to run new projects on open-source software and test their viability before migrating existing data into such software.
Pentagon may soon embrace open-source software for its digital activities