Listening to some Linux critics, you might think that the open-source operating system is more of a threat to U.S. national security than a gaggle of Islamic jihadis lugging rocket-propelled grenade launchers around Fallujah, or mad Pakistani nuclear scientists selling secrets to rogue states.
At yesterday’s Net-Centric Operations Industry Forum in McLean, Virginia, near Washington D.C., the CEO of Green Hills Software, Dan O’Dowd, generated national publicity when he opined that the “proliferation of the Linux open-source operating systems poses a serious and urgent security threat.”
O’Dowd said that the open-source coding movement — a cooperative endeavor by loosely affiliated programmers around the globe — was inherently insecure. “The very nature of the open-source process should rule Linux out of defense applications,” said O’Dowd, whose company is headquartered in Santa Barbara, California, and has international operations in the UK.
“The open-source process violates every principle of [information] security,” he said. “It welcomes everyone to contribute to Linux.”
The risk to national security posed by Linux is grave, he said: now that foreign terrorists and foreign intelligence agencies know that the software is being used in advanced U.S. defense applications, these subversives will “use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems.”
Although O’Dowd was clearly trying to be provocative with his remarks, it’s not as if the Pentagon hasn’t considered the risks of Linux before. As far back as last spring, the chief information officer of the Pentagon was issuing public policy statements on the use of open-source software.
The Pentagon produced a memo on open-source computing last May, stating that open-source deployments comply with the Department of Defense’s computer-security regulations. The military has more than 200 open-source projects underway, according to a report by the military think tank and consultancy, Mitre Group. This has grown substantially over the last year.
The report noted that open-source computing is becoming a “critical component” of the IT infrastructure at the Pentagon and that everything from Linux firewalls to the Emacs text editor and Linux encryption tools were being used by the warriors.
The Pentagon also has noted, separately, that it customizes much of the Linux used for its projects.
Fear, Uncertainty, Doubt
Are O’Dowd’s remarks credible? To the trained ear, his rhetorical tactics are reminiscent of the old strategy of sowing “fear, uncertainty, or doubt,” or FUD, used by IBM in decades gone by to dissuade upstarts from buying into the concept of personal computers.
O’Dowd provided no evidence that subversives had actually developed malicious Linux software products that have been used by the Pentagon with adverse consequences. But he raised the possibility of this happening in the future.
“Developers in Russia and China are also contributing to Linux software,” said O’Dowd. “Recently, the CEO of MontaVista Software, the world’s leading embedded Linux company, said that his ‘company has two-and-a-half offshore development centers. A big one in Moscow, and we just opened one in Beijing.’”
Fears About Russia
Apparently not knowing or caring that Moscow, along with the United States, is part of NATO’s extended alliance, called the Partnership for Peace, O’Dowd also cautioned that another embedded Linux supplier, LinuxWorks, has a development center in Russia.
Noting that the developer of Unix installed a back door on the operating system, O’Dowd fears that a similar vulnerability could be hidden in the Linux code contributed by international Linux developers.
“If Linux is compromised, our defenses could be disabled, spied upon, or commandeered,” said O’Dowd.