Navy Now Mandated To Consider FOSS As an Option

lisah writes "In a memorandum handed down from Department of the Navy CIO John Carey this week, the Navy is now mandated to consider open source solutions when making new software acquisitions. According John Weathersby, executive director of the Open Source Software Institute, this is the first in a series of documents that will also address 'development and distribution issues regarding open source within Navy IT environments.'"

Re:Is the tide turning?

[zappepcs]

Ahem... excuse me, but I disagree with you. I've been in the Navy, yes the same one, and Training is a regular process, not something that happens only when new systems are installed. Training is part of the job. The cost of adoption will be less of a problem than you think it might be. Porting applications to *nix from Windows will be the big cost as a portion of it is purchased from military contractors. Unless those apps are ready to run on Linux, it will cost. Training a sailor on a new system is a regular part of the job, no big sweat.

In short, I think you are wrong.

No surprise

[GovCheese]

No surprise here. The Navy has a history of being very ahead of the curve with their IT compared to many government counterparts, including cabinet level agencies. When other agencies were begging for connectivity with handhelds, the Navy had already had long rolled them out aboard their ships for connectity with the server operations of different onboard departments. Navy IT has been forward thinking for quite some time now. They'll consider FOSS very seriously and hopefully it'll have a ripple effect in other USG areas.

More paperwork?

[pcraven]

While I heartily support and use FOSS, I wonder if this adds yet more red tape?

A long while back I worked for USGS. We were hampered with hiring people, getting new software, hardware, etc because of all the paperwork. If we made a decision we had to consider 50 different laws and regulations. Individually, they were great ideas. Put together they were paralyzing. This is the reason we were stuck with Data General for so long, because no one wanted to do the paperwork to change vendors.

Re:Cool!!

[Anonymous Coward]

I worked at NRL for many years, and M$'s share of things was *tiny*. Linux workstations ruled to roost, followed by old Solaris machines. All new purchases ran Linux. Nearly 100% of the codes, applications, etc were written using open, platform independent languages and technologies. I'd venture to say that M$ is only the rule for office and administrative applications - any semi-serious technical person used some sort of *nix. This was 5 years ago.

N M C I (No More Computing Inhouse)

[Anonymous Coward]

I work in a Navy research IT environment and have used OSS for years in variety of environments.

In the last few years the Navy has straddled us with the hideous NMCI IT contract that dictates operating systems, software applications, and hardware. When NMCI was conceived, in the womb of ignorance and shortsightedness, they were thinking of providing a common monocultural solution that might work if the only thing the Navy did was to send email and make PowerPoint presentations.

In a research environment you need flexibility in order to match solutions to problems. NMCI forbids the installation "unapproved" software or hardware. This includes software drivers and communication applications for special purpose hardware such as serial/USB/PCI devices. You cannot connect any web enabled devices like cameras, 1-wire control, power control devices, UPS devices, weather stations, data acquisitions, etc.

So what happens at the Navy Labs is there are two networks - the NMCI network and the "Legacy Network" where the work gets down.

In the spirit of reducing cost we have have to maintain two networks and two computers on each desktop and have two exposed flanks to the outside world! It is wasteful, dangerous and inefficient.

Oh did I mention NMCI is inefficient and near useless. I have a NMCI laptop. I would rather have a 286 with two floppy drives and a sharp stick. The other day I needed to access a jpeg image that was on the NMCI network and edit it with Coral Draw (the application they felt I should be using instead of the more useful, efficient and cheaper PSP). I timed the process from pushing the "On" button and loading the remote desktop, mapping the network file system, logging on, clicking thru all the various dialog windows, loading the bloated application and load the file - it took over 27 minutes.

Re:Cool!!

[Registered Coward v2]

Actually, all it says is that OSS can be considered COTS; so a DON entity can now classify OSS as COTS for procurement purposes. Nothing in it says they must consider OSS during procurement; and the requirement to talk to the lawyers when considering it will probably result in it being ignored anyway.

Of interest would be the clause about internal use - if one government agency modifies it can any other use it without requiring a broader release of the source? On theory the DON, as longs the program stays within the US Government, would be under no obligation to release any modifications since they have not distributed it; all they have done is install and run it on machines owned by them.

FOSS in the Navy

[BigPenguin]

As a Navy IT whose responsibilities include administrating one of the largest afloat networks in the world I can tell you two things: Linux and FOSS are already present onboard, but only in a quasi embedded role because the contractors who supplied the system (ala SPAWAR or similar) based the platform on Linux. These systems typically do not exist as a network asset. That is they are a ship's system and not a part of the "network" as user services are concerned. And two: It is a Microsoft shop from top to bottom and will have to remain that way. The Navy simply does not train it's personal to administer a Linux or Unix based network. Finding a few IT's with the requisite Windows admin knowledge is hard enough, but making the fleet utilize Linux? The IT workforce simply does not have the experience or training to make that jump at this time. I don't think it ever will. This is why advancement for the IT rating is so high. IT's with skill sets in Network Administration get out and join the civilian ranks after their first or second enlistment and open the ranks up for new IT's to advance.

Believe me I HATE the Windows 2003 enviorment I am forced to administer. And the SPAWAR forced enviorment on top of that which increases the issues. I'd thank God for reliable servers and workstations, but I don't for see this ever occuring. Alas I have to do my time and move to a sector that does. Nothing to see here. *shews away readers in MiB suit*

COTS =

[Shipwack]

COTS stands for "Commercial, Off The Shelf"... Items that can be found in the civilian world. For example, instead of spending millions of dollars developing a navigation radar, they might just buy a commercial model from Furuno. This is the first step of undoing the stupidity that ensued when they mandated that all official documents be written in the proprietary format of Microsoft Word, a couple of decades ago.

Re:Great! This is what you have to do

[jd]

It was rated C2, which means that it's got the real basic protections but that's about it. C-class operating systems were the lowest that could be used in any Government role, so when the early Windows 2000 failed one of the tests, it was technically unlawful to use Windows 2000 for any Government work, even when totally standalone. (The Orange Book only measured internal security, not network security, so failing on the Orange Book tests was a big deal.)

Although NT4 was certainly used for secret material, I am pretty sure that only B-rated operating systems were entitled to hold secret and some top secret information. A-rated systems could be used for anything. Only one truly general-purpose A-rated OS (Genesis) was ever developed and officially rated - many other A-rated OS' existed, but they were all special-purpose. C-rated systems were only supposed to be used for unclassified and commercially sensitive material, if I remember the system correctly.

Trusted Solaris was rated B1, which meant it was as good as you could get without some very stringent formal proofs of correctness and formal design methodologies. The big difference between B1 and A1 is that a B1 system is bulletproof only according to any tests and evaluations performed on it, but the tests aren't guaranteed comprehensive. With an A1 system, you also know that the implementation exactly matches the design and that there is no obvious flaw in the design.

However, the criteria have shifted over time. Under the Common Criteria, Trusted Solaris and Solaris 9 "only" rate EAL-4+ (out of a maximum of 7), with PR/SM and XTS-400 being the only ones to rate 5. Bear in mind that RHEL4 update 1 is also classed as 4+, as are Windows Server 2003 and Windows XP. The difference in security between Windows 2003 and Trusted Solaris is so vast as to be laughable, and the idea that a highly specialized, highly secure system like XTS-400 is less than a single unit of trustworthiness better than XP is a complete joke. Clearly the method used in the Common Criteria is flawed to the point of not being useful as a measure of trust.

Mind you, the Orange Book was not perfect. Trusted Irix was rated B3, MULTIX was rated B2. The Multicians (a group of surviving kernel developers for MULTICS) let me know that there was no API, but you can't test if the API works if there is no API to test against. This makes testing for code safety difficult at best - you've nothing to tell you what's meant by safe. I'm prepared to believe MULTIX was brilliant, in fact I do believe that, but I have a hard time believing that the level of trust you could place in it was somewhere between that of Trusted Irix and Trusted Solaris. That may well be the case, but it feels more likely somehow that the evaluation criteria are too narrow and too minimalistic.

(I'd develop my own criteria, but having friends and karma on Slashdot doesn't equate to being taken more seriously by industrial leaders on security issues than defense industry specialists. In fact, even being on Slashdot is probably a big minus in the eyes of places like BAE or Sun Microsystems. Which, of course, is stupid - everyone here knows Slashdot readers are the creme a-la creme of the industry.)

Re:FOSS in the Navy

[ChronoFish]

For the several years that I was a Defense Contractor (mid 90's), our shop and the NOCs that we supported were almost 100% Sun Solaris. We did not support the Navy (that I know of) but we did support the Air Force and a few Spook clients.

Later (late 90's) I worked for a company that specializes in Air Traffic Control Systems. Development environment was Linux and production environment was AIX.

Government agencies have accepted *nix flavors for a long time. "Never going to happen" is an incredibly strong term, and the fact that you've already got Linux boxes poking their head in leads me to believe that "Never say Never" is an appropriate response.

-CF

Same thing in Canada

[PhysicsPhil]

I just attended a (non-classified) talk from a department of the Canadian government about the role of FOSS in our military. A few interesting points:

* On average, commercial, off the shelf software (COTS) tended to be slightly cheaper for life cycles in the mid-term range, which seemed to be 5-12 years or so. Shorter than that FOSS was best because of the low up-front costs, while on the longer term the lack of vendor support for COTS was a concern. The number that was thrown out was COTS being about 15% cheaper for the mid-term, although there were cases where FOSS was still better.

* To avoid finger pointing between the OS and application manufacturers during bug hunts, it was desirable for a single company/consultant group to take responsibility for all software. They weren't inclined to wait in a war zone while tech guys played telephone tag while repairing a bug. The ideal would be to purchase hardware from a given supplier, and having one contact point for all software.

* Long-term software support was a concern for both COTS and FOSS, but the ability to either maintain the software yourself (least desirable) or form a consortium with other like-minded entities was an advantage for FOSS.

* Licensing was identified as a major hassle. The speaker identified that computer types are very highly trained from a technical perspective, but not trained from a legal standpoint, so navigating through licensing conditions was a problem. They were hoping our Treasury Board could handle government-wide licensing issues.

* There was definite interest in shifting the computer systems on-board our latest warships from HP-UNIX to Linux-based systems to avoid the vendor end-of-lifing the systems.

The talk continued on to discuss issues related to hardening systems from attacks, but I didn't stay for the whole thing. Just before I left, the speaker was bemoaning that while FOSS gave great tools for the good guys, they also empowered the foreign script-kiddies as well, so it was a two-edged sword.

Re:First OPSEC gets the axe...

[JustNiz]

Well the point is that you don't need the source code to be able to find exploits. See the fiasco that is Windows.

Also having source-code to secure systems in the public domain doesn't hurt. In fact it actively can be of benfit as the more people look at it, the more loopholes get found and fixed. PGP source code has been freely available for decades but the algorithm that the code implements is still widely understood to be one of the most secure encryption methods out there.

Re:Inconceivable!

[ozmanjusri]

With a commercial app they go to the vendor, with FOSS they go to whom?

Sun, IBM, Novell, Oracle, Red Hat, UTS, SCO, HP, etc, etc, etc...

Re:Great! This is what you have to do

[jd]

Ok, here's a rundown on what I'd consider to be the criteria for measuring the trust of an OS:

• Privileges should be defined on a gross level using role-based access controls and then on a fine level using hierarchical access controls:
  • Privileges should be universal. In other words, they should not just apply to applications or system calls, but also to address ranges, network ports, network types of service, disk directories, memory regions, shared memory regions, login and authentication methods, swap space quota and rights, run queues available - everything.
  • Privileges can never increase, but they can decrease. If a thread loses the right to run, any time to run in, or any ability to do anything if running, then it can be used for denial of service but nothing else and should therefore be eliminated.
• The OS should not allow a user to escalate their privileges, even if a flaw is found within an application or Operating System:
  • Programs either run or accessed by a "local" user (or remotely by an identified "local" user) should never have greater rights than that subset of rights that exists for both program and user.
  • Programs either run or accessed by any other remote user should always be run with minimal rights.
  • The same is true for all other communication between any combination of users, processes, activities and resources.
• The OS should not allow a user to escalate anyone else's privileges either (a major requirement of systems on classified networks):
  • If any resource of any kind is placed somewhere another user can access it, that resource must have privileges that are no greater than the subset of it's own privileges, that of the source user/process and that of the destination user/process.
  • The source and destination must be of a compatible nature - some roles cannot transfer resources to other roles, transfers that would result in the elimination of a mandated right would not be permitted, etc.
  • Where the transfer is of a pipe or other communications mechanism, nothing coming through the pipe can have greater rights than the pipe itself.
• There should be no bypass mechanism:
  • This means no superuser, no special kernel components and no supervisory element. Everything that runs, including all kernel threads, should run with relative not absolute rights. When bugs are found - and they will be - the damage should be restricted to within a smaller scope than could have been inflicted without the bug.
• The overall design of the software should be structurally correct.
  • In other words, if you draw out how the data flows, there should be no arc that would invalidate the security model by running out of rights or by having too many.
• Those components for which a mathematical model can both exist and be verified should have such a model that has been verified.
  • Formal Methods are extremely hard to use well for giant projects, but there are many subsets for which they are ideal. An example of a formal method would be the Z Specification language, which is now an ISO standard. Tedious in the extreme for anything that's long and complex, it would be very usable for privilege management, key functions such as kmalloc/kfree, and other fundamental components on which the OS depends.
• All components and combinations of components should be fully specified in some form and tested to that specification.
  • A specification needn't be formal in the mathematical sense, but it should be possible to derive valid cases, extreme (ie: corner) cases, and invalid cases. Both component-level and integrated test harnesses should then validate that all identified cases produce the expected results. Integrated testing should include both shotgun and continuous tests.
  • Distributed and massively parallel algorithms can be extremely difficult to prove, but it is essential for any level of confidence that they be pr

NSA trusted computing

[DragonHawk]

so when the early Windows 2000 failed one of the tests, it was technically unlawful to use Windows 2000 for any Government work

What law require(s|ed) evaluation according to the NSA "rainbow books" before a system can be used for government work? Where I work, even systems which process Classified information are not required to have trusted system software. You have to protect the system, but that's most often accomplished by far less sophisticated means. It is what is called "system high" or "dedicated" operation -- you treat everything as classified, lock everything up, and only let cleared people near it. The OS is not part of the safeguarding. Hell, eight years ago, there were plenty of Windows 95 and Windows 98 systems processing Classified information.

The more sophisticated measures -- an OS supporting multi-level security -- is only required if you want to let people who are not cleared to the information access some other part of the system. In other words, if you want to have Joe Blow without a clearance store his order for janitorial supplies on the same system that has SECRET data.