US CIO Vivek Kundra Advocates Open Source Software

According to a feature article in Federal Computer Weekly, the Obama Administration’s new CIO Vivek Kundra has specifically called out open source as one of the key technology initiatives he will support to make the government work better at a lower cost (and with greater transparency). But the article continues to point out what seem to be persistent talking points of the FUD spinner, and this is where we need to make some real progress.

The first bit of FUD is the notion that ten years ago, open source software didn’t scale. The fact is, ten years ago Linux and Perl (and a whole bunch of AMD-based PCs) were on pace to solve one the grand-challenge science problems, the sequencing of the Human Genome, outpacing a venture-backed startup that had hundreds of millions of capital invested in proprietary software, hardware, and a plan to “own” every human’s genetic code. If humans were the product of “intelligent design”, the proprietary play was to claim ownership on the Designer’s original work. That didn’t happen, and today, the Human Genome is part of the basic science that all may share and that any may safely invest in.

The next bit of FUD (coming from Sun Microsystems) is to confuse open source as a mix-in ingredient into proprietary software (whereupon many of its benefits are lost) with open source as an observable, and improvable first-class entity. If you cannot read, modify, and share the source code, it’s not open source to you.

On the other hand, and to be fair, kudos to Sun Microsystems for making Open Solaris finally available to the open source community and proving this part of the open source story:

Traditional ways of writing code, which typically involve small teams of developers, can produce security problems. By opening the source code, a community of many developers often can quickly identify security vulnerabilities.

As evidence, [Bill Vass] cites Sun’s move to open its Solaris operating system in 2005. At the time, it had – and it still does have – the highest security rating the government offers for enterprise operating systems. Before Sun opened the source code, the government’s best experts reviewed the code.

Within a month of going open source, the open-source community identified 28 new vulnerabilities.

For as long as I can remember, the lede of the story about security in open source always starts with the critics, who have an agenda. I think the right way to tell this story is from the beginning, which is:

[Sun Microsystems’ Bill Vass] said many intelligence agencies and DOD tactical systems moved to open source in the 1990s specifically to improve security.

Traditional ways of writing code, which typically involve small teams of developers, can produce security problems. By opening the source code, a community of many developers often can quickly identify security vulnerabilities.

There’s no reason to start the discussion about open source security with a quote from critics, who have an obvious anti-open source agenda, and whose own security records are so dismal as to not really rank any authority in a discussion about what makes systems secure.

And then there’s this, which states a misconception (which is FUD-y, but not actual FUD) and then it asserts as fact the premise of the misconception (which is FUD itself). Read the following (emphasis mine):

A misconception about open-source software’s status as commercial software also drags the rate of government adoption. Because acquisition relations don’t describe open source as commercial software, many agency buyers believe it doesn’t meet requirements that give preference to commercial software. Many agency employees think the use of open-source software is forbidden.

But that’s contrary to what the regulations state, said David Wheeler, an open-source software expert. “Not only are there no regulations forbidding its use, there are formal letters saying its use is OK,” he said. DOD issued such guidance in 2003, the Office of Management and Budget did likewise in 2004, and a Navy memo in 2007 specifically states that open-source software is equivalent to commercial software. DOD reportedly has had another memo that uses even stronger language to support the use of open source ready since November, but it is awaiting a formal sign-off, Vass and others said.

Because open source is commercial software, Wheeler said, any agency that doesn’t consider open source is violating acquisition laws. However, he added that it’s hard to change ingrained government practices.

It is equally difficult to change ingrained reporting practices when it comes to open source, as this quote demonstrates:

In addition, proprietary software vendors do their best to hide information about open source and its capabilities, he said. That’s hardly a new complaint in the open-source community. In government markets, so the story goes, large vendors with profitable stakes in agency technology operations go to enormous lengths to spread fear, uncertainty and doubt about open source among agency executives and lawmakers in Congress.

Some have gone to such great lengths for so long that even a good news story, like open source finding support from the highest technology executive in the country, can inadvertently beat the same FUD-FUD-FUD drumbeat we’ve been hearing these past ten years, just by trying to follow the standard formula of any story told about open source over the past 10 years in the trade press. As an antidote, I propose more talk about the specifics of what people are actually doing and less time talking with those who, contrary to all evidence, claim it cannot be done.