Remember when governments were gung ho about mandating open source adoption? That was bad policy back in 2009 when I railed against it, and it’s equally bad policy now. It sounds great that governments want to reclaim their sovereignty from private corporations (wielding software licenses), as the City of Barcelona recently announced it would do, but problems arise when good intentions (more open source!) run up against the reality of an organization’s actual requirements.
Just ask the US Department of Defense (DoD).
SEE: Open source champion Munich heads back to Windows (free PDF) (TechRepublic)
More and faster
The DoD has been a long-time advocate for open source. A decade ago, the DoD instituted guidelines that observed open source would be superior to proprietary software in some use cases. Perhaps in response, open source spread throughout the DoD. Even so, by 2016 one analyst declared it wasn’t enough, and that “The DoD must overcome bureaucratic hurdles and embrace open source software as a critical element of its efforts to maintain military technical superiority in the 21st century.”
In 2017, it heeded the call.
Two years ago the DoD put its feel-good advocacy into serious motion with a plan (under section 886 of the National Defense Authorization Act for Fiscal Year 2018) that required any unclassified, custom-developed software created six months after the section was passed be open sourced. There were ways to get around the requirement, but it mostly stuck.
Fast forward to 2019 and FCW, which covers federal technology trends, offered this headline: “DoD pushes back on open source.” What? The DoD, so long an advocate for more open source adoption, is now pushing back?
As described in a September 10 report from the Government Accountability Office (PDF), the DoD hasn’t been living up to the requirements under section 886: No open source policy has been issued, and only half-measures have been attempted on other commitments (e.g., analyzing its use of open source). Why? Well, according to DoD CIO Dana Deasy (quoted in the FCW article), it’s not clear the open source pilot program “is implementable…as proposed.” More fundamentally, Deasy stressed that most of the DoD’s custom software (that would need to be open sourced under section 886) “is created for weapons systems like the F-35 and the F-22, and as such, release of such source code is sensitive for national security reasons.”
The punchline? “It’s unclear that 20% of the Department’s custom code is releasable at all.”
SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (free PDF) (TechRepublic)
In other words, the DoD is exercising common sense, rather than being forced into a knee-jerk open source policy fueled by happy thoughts about sharing. As analyst Simon Wardley has noted, “I cannot emphasize enough the importance of ‘open by thinking’ over ‘open by default’ …open is a weapon, look before you fire.”
Open source, in other words, should be at the heart of thoughtful IT strategy, not treated like some magical, moral imperative. Should government have a preference for open source? This seems reasonable. Should it have a mandate for open source? That seems less so.