
Open Source Software and the Long Road to Sustainability within U.S. DoD IT System

By John M. Weathersby, Executive Director, Open Source Software Institute

DoD Information Technology: The Dilemma of Success

The United States military is the most technically advanced fighting force the world has ever known. The key to success is our ability to continually develop and support an amazing array of computer-based information technology (IT) systems.

From the warfighter in a dusty Humvee, to the quartermaster managing distribution of essential supplies, to strategic command coordinating troop movement and intelligence gathering: all rely on countless software applications and vast, complex networks of IT systems.

But by its very nature, IT is vulnerable. IT is vulnerable to external adversarial attack. And it is vulnerable to internal threats, such as faulty design, incompatibility and exhaustive expense.

In order to realize the benefits of technological superiority we must balance the inherent risk of complexity with the pragmatism of system sustainability. In short, people’s lives depend on IT systems that work. And we must be able to not only afford the initial development costs, but also the support and maintenance expense to keep these systems up and running.

From Challenge to Opportunity

In 2006, the Office of the Secretary of Defense for Advanced Systems and Concepts (AS&C) published a strategic initiative called the Open Technology Development (OTD) roadmap. The document provides an initial overview of potential technical and economic opportunities available to DoD through the adoption of more open and transparent software development and acquisition practices.

The report states that AS&C is tasked “with evaluating new trends, capabilities, and practices for maintaining DoD superiority while responding to new challenges.” However, the document continues by saying, “DoD’s design and acquisition methods are ill-suited to keep pace with accelerating shifts in technology, particularly software and information technology.”

In essence, existing development and support methods will soon outstrip the government’s ability to fund and staff the myriad of proprietary and non-interoperable programs which constitute the majority of DoD IT systems.

The overwhelming challenge of feeding DoD’s insatiable appetite for IT requires a change in the way DoD and its suppliers are building and supporting IT systems. A paradigm shift is at hand for both the technical and business aspects of IT development within DoD.

An Idea Whose Time Has Come

“There is one thing stronger than all the armies in the world, and that is an idea whose time has come.” -- Victor Hugo (Open Technology Development roadmap: page 7)

The opportunity presented within the OTD report relies on the acceptance and adoption of more openness, transparency and interoperability within DoD IT systems, acquisition policies and business practices. The report defines “Open Technology” in broad and inclusive terms that include open standards, open interfaces, open source software, service oriented architectures and other collaborative and interoperable development and production methods.

The report also addresses economic and business model issues which ultimately drive all development and support activities.

Noted examples of early open systems adoption within DoD include the 2003 Mitre Corporation study, Use of Free and Open Source Software within the U.S. Department of Defense, which identified more than 100 different open source programs and more than 250 instances of their usage within DoD systems.

The importance of this early survey was that it demonstrated that a wide variety of open source programs were being used within DoD systems without the formal structure or recognition usually undertaken in DoD IT acquisition and deployment practices.

Another example of early open source adoption within DoD systems was documented through a series of Cooperative Research and Development Agreements (CRADA) between the Naval Meteorology and Oceanography Command and the Open Source Software Institute (Navy CRADA-08-001 and Navy CRADA-05-11).

The goal of the initial joint study (NCRADA-08-001) was to assess the current (2001 - 2003) use of open source software at the Naval Oceanographic Office (NAVOCEANO) and to identify additional opportunities for further implementation of open source software within NAVOCEANO’s computing environment.

The CRADA’s findings reported extensive use of open source within NAVOCEANO’s existing infrastructure, particularly as mission critical applications within the ISS60, UNISIPS, Network Attached Storage Servers and QA/Monitoring workstations.

Findings also reported that as legacy systems reached end-of-life, they were increasingly being replaced with open source solutions. “This trend,” the report stated, “coupled with growing interest and enthusiasm for open source in most departments, along with open source’s increasing maturity and suitability in enterprise environments, indicate it is likely that substantial portions of NAVOCEANO’s computing infrastructure will use open source operating systems and applications in the future.”

In addition to the technical system audit, the report evaluated the costs, financial metrics and net savings projected for two of the most critical deployed systems which had adopted open source solutions, the ISS60 and UNISIPS systems. The return on investment (ROI) for switching these programs from proprietary systems to open source solutions was 833% for the ISS60 system and 721% for the UNISIPS system.

For the study, net savings were defined in hard (USD) dollars and financial returns (Internal Rate of Return (IRR) and ROI) were calculated on an immediate (2002) one-year basis using the U.S. Treasury 5-year real discount rate of 1.9%.

Presentation of these findings at the Southeast Region Naval CIO Conference in August 2003 led the then Department of the Navy Chief Information Officer (DONCIO) David Wennergren to initiate an effort to draft a formal policy for the adoption and usage of open source for the Department of the Navy. The final version of the Navy’s Open Source User Policy is currently under review and is set for signature by the acting DONCIO by Summer 2007.

Rapid Growth in Fertile Ground

At the time these initial studies were being conducted, open source and other open technology solutions were quietly proliferating throughout DoD IT systems. The adoption scenarios were generally attributed to situations where technical solutions were in critical need and project funding was limited or non-existent. In many cases, system administrators would pull an open source variant of the IT application required, configure and implement it into the IT system and move on to the next problem.

Since most open source software solutions are licensed under non-restrictive licensing terms, which grant the user the right to adopt and/or change the code at will, and no royalty fees are required, many open source solutions ran quietly under the radar. As more systems adopted open source components, the comfort level for system administrators and program managers to adopt open source solutions began to grow.

As more open source systems were being acknowledged, certain proprietary vendors started applying pressure to policy makers for open source to be rejected as a legitimate option within DoD environments. The issue was not the technical proficiency of the solution, but a threat to the existing economic model which relied all but exclusively on proprietary software development and vendor-specific service and support agreements.

A core tenet of the argument against the continued adoption of open source within DoD revolved around the issue of whether or not open source software could be considered “secure” by DoD standards. Certain proprietary vendors argued that since an open source program’s code could be changed by a developer, then in general the software’s integrity could not be ensured. This flawed argument assumed that, since anyone is granted access to the software’s code through the open source license associated with the software, a malicious coder could easily insert a virus or “back-door” into the code and pass it on into a DoD system.

This alarmist argument also assumed that any open source program in question would have no formal governance structure to manage commit rights or be subject to review or quality control by either the rest of the development community or the implementing client. These types of inflammatory statements became known as “FUD” as they were designed to spread and instill “Fear, Uncertainty and Doubt” about open source in general.

As these types of protests were being issued by vendors who did not wish to see open source become a viable competitive option within DoD systems, the DoD itself stepped in and issued a mandate that open source solutions would simply have to be judged on the same level playing field as any other software program considered for acquisition or use within DoD systems.

In a May 2003 memo* titled “Open Source Software (OSS) in the Department of Defense (DoD),” then DoD CIO John P. Stenbit stated, “DoD Components acquiring, using or developing OSS must ensure that the OSS complies with the same DoD policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software. This includes, but is not limited to, the requirements that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DoD information systems, whether acquired or originated within DoD: 1) comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11 (NSTISSP No. 11) and; 2) be configured in accordance with the DoD-approved security configuration guidelines available at http://iase.disa.mil/ and http://www.nsa.gov/.”

The memo also stated that any DoD entity employing an open source solution must comply with all lawful licensing requirements. It encouraged anyone using or considering the adoption of an open source program to consult their legal counsel in order to understand any new or different obligations assumed through an open source license.

This Train Has Left the Station

In the short time since DoD began seriously wrestling with the concept of open source adoption, commercial open source market interests have flourished.

From a technical perspective, practically every IT application niche now has multiple open source offerings readily available. From operating systems, web services, middleware, databases, security and office suites to business applications, it is now difficult to think of a general IT category which does not have a viable open source alternative to existing proprietary offerings.

Of course, within DoD settings there are always specialty development needs when dealing with weapon systems or programs which manage different levels of classified information. But even these very specialized areas are finding that open source can meet their most stringent technical requirements as well as provide the extra levels of security and reliability essential to such a system.

From the business perspective, the wholesale incorporation of open source as part of the mainstream product, service and support offerings by the major IT vendors such as IBM, Hewlett-Packard, Intel, Oracle, Red Hat and Novell clearly demonstrates that open source is now thoroughly considered a mature, mainstream component in the IT marketplace.

While traditional commercial vendors have now committed to the open source bandwagon, the system integrator community is just now trying to figure out what role open source will play as part of their offering to their DoD clientele.

During a recent conference hosted in Washington by the Association for Enterprise Integration (AFEI),** Ted Davies of Unisys’ Federal Division stated that open source was now a core element in Unisys’ strategic business platform and they were going to aggressively promote it to their government clients. As he put it, “open source has changed the rules of the game just as the three-point shot changed forever the way basketball was played. Teams could only ignore it for a while, but as soon as someone started capitalizing on the new strategy, then everyone else had no choice but to join in.”

I believe this is a poignant and appropriate analogy for where open source and open technologies are in the adoption curve within DoD IT environments. And this is also what shall secure the sustainability of open source within government and particularly DoD systems for the long-run.

Open source has proven itself as a viable technical solution even under the most rigorous and demanding conditions. And it has secured the financial backing and strategic confidence of the industry IT juggernauts, a feat which does not come lightly. This momentum ensures a continual supply of resources and functional development talent as well as product and service support for open source.

In addition, a major DoD system integrator has publicly cast down the open source chalice and stated that they are going to take full advantage of “the new three-point shot.” Therefore, I think it’s safe to say the game is on. Open source is here to stay.

*http://iase.disa.mil/policy-guidance/oss-in-dodmemo.pdf

**http://www.afei.org/brochure/7a03/hidden.cfm

About the Author

John M. Weathersby, Jr. is the founder and executive director of the Open Source Software Institute (www.oss-institute.org). The Open Source Software Institute is a U.S.-based non-profit organization founded in 2001 whose mission is to promote development and implementation of open source software solutions within U.S. federal, state and municipal government agencies. He currently serves as an adviser on open source software issues to a number of federal government entities including the Office of the Secretary of Defense (OSD), the Assistant Secretary of the Air Force, the Defense Information Systems Agency (DISA), and the U.S. Department of the Navy, Office of the Chief Information Officer (DONCIO). He is the founder of the National Center for Open Source Policy and Research and a founding executive board member of the National Association of Call Centers. Weathersby also serves as a technology and policy adviser to The University of Southern Mississippi’s Office of Technology and Economic Development and is a member of the International Advisory Panel for Enterprise Open Source Magazine. He received his undergraduate degree in Journalism and Political Science from the University of Mississippi.

Author Contact Information

Email: jmw@oss-institute.org

Phone: 601.427.0152

June 2007
Vol. 10, Number 2

Open Source - The future is open
 
