U.S. Considers Open-Source Software for Cybersecurity
CREDIT: U.S. Department of Defense
Open-source software may not sound compatible with the idea of strong cybersecurity, but the U.S. Department of Homeland Security sees such software, which anyone can tinker with, as a possible tool for defending government networks from both online thieves and professional cyberspies.
A new five-year, $10 million program aims to survey existing open-source software to find those that could fill "open security" needs. Called the Homeland Open Security Technology program, or HOST, it also may plant seed investments where needed to inspire innovative solutions that can fill gaps in cybersecurity defenses.
"We're not pushing the perspective that open-source software is the silver bullet," said Joshua Davis, a research scientist at the Georgia Tech Research Institute and principal investigator for HOST. "But it can help to raise the nation's security posture."
Open-source software often gives users the right to change its code to suit their purposes, as well as to share or give away copies. That means the U.S. government could modify such software to suit its cybersecurity needs.
It also means that a federal agency could distribute software copies to all of its 10,000 employees without paying extra licensing fees, said John Weathersby, executive director of the Open Source Software Institute. That institute is another participant in HOST.
"Our ultimate goal is for open source and open security to be considered whenever there's a tech solution needed," Weathersby said. "We don't want it mandated for the government; we just want a level playing field."
The security of open-source software
Open-source software allows anyone to tinker with its guts, so to speak, but that doesn't make for bad security. On the contrary, having such transparent innards means that a big open-source community of savvy programmers can root out any weaknesses.
"People can put a backdoor or Trojan horse in anything," Weathersby told InnovationNewsDaily. "The open-source model's ability to include transparency in development and maintenance can make it as secure, if not more secure than existing processes."
In fact, more than half of all Internet websites rely upon a popular open-source software product called Apache. That software runs the Web servers that serve as the "heart pumps of the Internet."
"If someone says they've never used open-source, ask them if they've been on the Internet," Weathersby said.
The open-source perk also means that the U.S. government is not at the mercy of companies that hold the license for proprietary cybersecurity software. If bugs crop up or an exploiter penetrates the cybersecurity defenses, programmers can dive right into open-source software to fix it.
Opening the doors for innovation
Many government employees who purchase security software simply don't realize that open-source choices exist, according to Davis at the Georgia Tech Research Institute, based in Atlanta. The HOST program aims to change that.
The Homeland Security effort has already begun comparing existing open-source products with the needs of government users, so that it can decide where to invest seed capital to encourage innovative solutions to meet those needs. But any open-source solutions for cybersecurity must ultimately stand on their own commercial success or they will die, Davis said.
Open-source software may have a competitive edge when it comes to lower costs for taxpayers. That matters during a time when the U.S. government has focused on cutting its budget even as cybersecurity threats have increased.
"Right now, security is extremely expensive and it's only going to increase," Davis said. "The government is not in a position to absorb growing costs, so we're exploring open security to find more affordable and effective ways to combat cybersecurity problems."
This story was provided by InnovationNewsDaily, a sister site to TechNewsDaily. You can follow InnovationNewsDaily senior writer Jeremy Hsu on Twitter @ScienceHsu. Follow InnovationNewsDaily on Twitter @News_Innovation, or on Facebook.