Linux makes a run for government

The Cyberspace Policy Institute, established a decade ago at George Washington University, plans to push for Linux to be certified under the Common Criteria, a standard grading of technology required by the United States and other countries before products can be sold into sensitive government applications.

If successful, the initiative would lead to a single, standard version of Linux acceptable to the government, and hence make it easier for Linux companies to compete against Microsoft and other large software makers. Certification costs anywhere from $100,000 to millions of dollars and takes up to five years--Microsoft is just finishing the certification of Windows 2000--but the effort could be a boon for Linux companies.

"The government wants to get open-source certified, but they don't want to certify for any specific vendor," Tony Stanco, senior policy analyst for open-source and e-government at the Cyberspace Policy Institute, said at a panel discussion on promoting Linux to the government.

A single agency administering the certification process for Linux is a must, Stanco said. Otherwise, only a few companies would be able to offer products and the entire community wouldn't benefit from the effort.

"Only one company (Red Hat) has enough money to get certified," he said. "I don't think even United Linux has enough money to get Linux-certified."

The initiative would also add the United States to the list of national governments that are supporting open-source efforts to offer a second option, along with Microsoft software, within federal agencies. On Monday, the British government confirmed that it would consider open-source software alternatives to buying Microsoft applications. And, in June, the German government signed a deal with IBM and Linux vendor SuSE to provide an open-source alternative to Microsoft operating systems. Both China and Taiwan, two nations often at loggerheads, have also dipped their toes into Linux.

A better Linux
Strong support for the open-source operating system within the government came from a surprising quarter in early 2001 with the release of Security-Enhanced Linux from the National Security Agency, which for decades stymied researchers' and technology companies' efforts to create broadly available strong encryption.

SE Linux adds military-strength architecture improvements to Linux, the most obvious security improvement being mandatory access controls, or MACs, based on technology developed by Secure Computing Corp. The Cyberspace Policy Institute plans to also add authentication and key management features to the operating system.

Such technologies make computers much less susceptible to attacks. Mark Westerman, managing partner with network consultant Westcam, installed the SE Linux access controls on a critical server for one of his customers after a common security flaw, known as a buffer overflow, allowed a hacker to take control of the company's server. Westerman configured the access rules but left the buffer overflow unpatched on the server as a test.

When the hacker came back a second time to the server and attempted to gain control of the process, the access controls limited what the attacker could do. Instead of taking control of the computer, the hacker could only crash the service that had the buffer overflow, but did no other damage.

"With the access controls, the customer doesn't have to worry about the next buffer overflow that comes along," said Westerman at a panel discussion at this week's LinuxWorld Conference and Expo. "SE Linux gives you military grade security at open-source cost."

Microsoft vs. the NSA
SE Linux may be the NSA's last direct contribution to open-source security, however. Because of loud criticism, the NSA will have a far less direct role in the creation of more secure versions of open-source software.

"We didn't fully understand the consequences of releasing software under the GPL (General Public License)," said Dick Schafer, deputy director of the NSA. "We received a lot of loud complaints regarding our efforts with SE Linux."

Many complaints criticized the agency for providing the fruits of research to everyone, not just U.S. companies, and thus hurting American business.

While stressing that the agency received a loud chorus of support as well, the chagrined Schafer said that the issue was contentious enough that "we won't be doing anything like that again."

Sources familiar with events said that aggressive Microsoft lobbying efforts have contributed to a halt on any further work. "Microsoft was worried that the NSA's releasing open-source software would compete with American proprietary software," said a source familiar with the complaints against the NSA who asked not to be identified.

Microsoft would not comment directly on its lobbying efforts, but did stress that it wanted to ensure the government continued to fund commercial ventures. "The federal government plays an important role in funding basic software research," said a Microsoft representative. "Our interest is in helping to ensure that the government licenses its research in ways that take into account a stated goal of the U.S. government: to promote commercialization of public research."

The debate over whether the government should fund open source projects has been raging for some time. In July, MITRE, a defense contractor and think tank, released a much-awaited report sponsored by the Department of Defense endorsing the use of open-source software in the government.

"Open source methods and products are well worth considering seriously in a wide range of government applications," the report concluded.

After news of the favorable report leaked out in May, a second report appeared in early June from the Alexis de Tocqueville Institution, a newcomer to the open-source debate, calling such software insecure. A press release preceding the report breathlessly announced "open-source software may offer target for terrorists."

Many critics have claimed that Microsoft funded the report, but a Microsoft representative denied that charge, saying that while the software giant does fund the institution, it doesn't fund any specific research.

Despite the intense battle surrounding the open source, the NSA will still fund research on secure operating systems based on Linux as well as work with U.S. companies to create better security in their own operating systems.

Both Red Hat's CEO Matthew Szulik and Chief Technology Officer Michael Tiemann said the company is working with the NSA on security projects, but neither would give details about the initiatives. On Tuesday morning, Tiemann and other technologists from companies including Intel, IBM and Oracle met to discuss the future of Linux in the government, said a source familiar with the meeting.

Through the Composable High Assurance Trusted Systems (CHATS) fund, the Defense Advanced Research Projects Agency, an arm of the Department of Defense, funds open-source initiatives that improve security. A year ago, Network Associates received $1.2 million from the CHATS program to create a common set of security features for open-source operating systems.

Apple Computer also will push its own operating system, the Mac OS X, which is based on the open-source Unix variant, FreeBSD, for government certification. Apple and a coalition of 40 government agencies have formed the Secure Trusted Operating System (STOS) consortium to create security features for the base FreeBSD operating system known as Darwin.

Welcome to certification
The road to certification will not be easy, however.

For one, the co-developer of SE Linux, Secure Computing, has indicated that it plans to enforce patent claims on part of the access control technology based on its research and development.

In addition, the Common Criteria process, run jointly by the NSA and the National Institute of Standards and Technology under the National Information Assurance Partnership (NIAP), is better suited to certify proprietary software coming from a single company. It's ill suited to deal with the myriad updates that the open-source community produces on a regular basis.

"The big issue is how you fit this wild community into the all the little boxes that the government bureaucracy wants," said CPI's Stanco.

NIAP Common Criteria certifications run from Evaluation Assurance Level 1 (EAL), the lowest level, to EAL 7, the highest. The first four levels can be obtained through commercial labs, but the levels 5 through 7 require certification from the NSA themselves.

Because it is Linux's first time through the process, the Cyberspace Policy Institute has modest aims: EAL 2.

"That way we get some validation of open-source security," said Stanco. "Going straight to EAL 4 would be tough."

Shooting for a modest target gives the open-source community time to work out some kinks--not in Linux, but in the government's certification process.