The Department of Defense has not adequately implemented a pilot program, mandated by Congress, that would increase the Penatgon’s reliance on open source code, according to a Sept. 10 report from Government Accountability Office.
The Pentagon failed to follow an August 2016 memorandum from the Office of Management and Budget, which directed agencies to create a pilot program that released 20 percent of their new developed code as open source, as well as establishing a metric for measuring success. The fiscal year 2018 National Defense Authorization Act required the Pentagon to follow that policy. Open source programming allows users to modify, reuse and share code. As a result, open source can reduce costs and improve efficiency, the GAO wrote. According to the report, titled “DOD Needs to Fully Implement Program for Piloting Open Source Software,” officials from 11 components within the DoD said there would be efficiency and financial benefits.
“However, there were disparate views on how to manage the cybersecurity risk of using open source software," the GAO wrote. "Specifically, officials from three components noted that security concerns could result in the sporadic use of [open source], whereas eight officials stated that the potential cybersecurity risks were managable [sic].”
According to the GAO, as of July 2019, the Pentagon had released less than 10 percent of its custom developed code, well short of the 20 percent goal.
The Pentagon’s top IT official, Dana Deasy, is responsible for implementing the requirements. Under the OMB guidance, agencies have to issue a policy for government-wide reuse of code, conduct software solutions analysis looking at alternative software options, secure data rights and inventory custom code, and release code in a way that fosters communication between agencies. The DoD has not issued a policy for open source code, but has “partially implemented” the other three requirements.
The Pentagon pushed back on the GAO’s first recommendation - that the DoD should implement the open source pilot program - writing that the Pentagon “does not believe that the pilot program as described in the OMB memorandum is implementable as proposed.” Department leaders argued "most of DoD’s custom developed software is created for weapons systems and releasing the associated code is sensitive for national security reasons,” the GAO reported.
Deasy’s office also said the size of the Defense Department makes it difficult to inventory all the code.
“The CIO reported that the size of the department makes it nearly impossible to inventory all of its source code custom developed since August 2016. As such, the CIO stated that it would be difficult to meet the OMB memorandum’s goal of releasing at least 20 percent of its new custom code as OSS [open source software],” the GAO wrote.
According to the report, the Pentagon also didn’t create a metric to gauge the pilot program’s performance “due to a lack of consensus in the department about what data should be collected.”
“According to the CIO, if the measure is ‘lines of code,’ then it unfairly discounts projects that invest a significant amount on research, but are small otherwise,” the GAO wrote. “If the measure is ‘project hours,’ then it discounts those projects that came about from sparks of innovation that took little time to develop. If the measure is ‘project count,’ then it ignores the other two possible measures.”
Some officials interviewed by the GAO also expressed concerns about cybersecurity risks posed by open source code. An official in the Navy CIO’s office said they worried about malicious code being inserted by a disgruntled employee. Without a process to verify the integrity of open source code, the official told the GAO, the Navy lacks the risk assurance it needs, something the service has with commercial-of-the-shelf products. Another official feared problems due to the lack of governance structure.
Other officials said that security concerns could be mitigated by building security into software, verifying code before its deployed, and creating a repository for verified code could mitigate risks.
“Until DOD fully implements its pilot program and establishes milestones for completing the OMB requirements, the department will not be positioned to take advantage of significant cost savings and efficiencies,” the GAO wrote.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.