NSA: Open source provides extreme security at lower cost
In one of the biggest testaments yet of open source's security credentials, and of its ability to deliver security at lower cost, the US National Security Agency (NSA) has turned to open source to create part of the Tokeneer System. The Tokeneer System is a biometric security software system, but that isn't why it's significant.
No, open sourcing part of the Tokeneer System is significant because it "shows that highly dependable software can be developed cost-effectively," as noted by Martyn Thomas of Oxford University. The same or better security than proprietary approaches, for much less.
For those who continue to cling to the principle that security is best achieved through obscurity, the US' most secretive agency has a response: open source is better.
The unprecedented release of the project into the open source community aims to demonstrate how highly secure software can be developed cost-effectively, improving industrial practice and providing a starting point for teaching and academic research. Originally showcased in a conference paper in 2006, it has the long-term aim of improving the development practices of NSA's contractors. Tokeneer was created as a fixed-price project, taking just 260 person days to create nearly 10,000 lines of high-assurance code, achieving lower development costs than traditional methods per line of code.
This result should not be underestimated. As Professor Daniel Jackson of MIT Computer Science Lab suggests, "Finally, we have a full and open example of a development from a world leader in high integrity systems." In other words, this is a significant proofpoint from an established security leader that open source can deliver industry-leading security at lower cost than standard procedures.
In a booming market, perhaps this wouldn't matter. But the market is not booming. If anything, it's headed to a bust. As such, open-source principles are critical to ensuring that governments and enterprises can stretch budgets to the maximum.
Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay. 
Seriously. Is it not the case that NSA didn't quite 'turn to open source', but commissioned the software and then open sourced it? Are US gov agencies not obliged to do that? Anyway, it seems non-obvious exactly what is open source - the software commissioned by the NSA is released under an 'agreement' not specified.
No. Given the amount of software commissioned by such a sizeable government this announcement should be a hint of just how little is released even as freeware.
Also, 10 minutes with Google found http://www.adacore.com/home/gnatpro/tokeneer/downloads/ with the NSA/Praxis Technology Transfer Agreement included in the main download. The short form is that the NSA is under no obligation to help with your use of the code, there is no warranty (as standard with every license ever) and there's a copyright notice (within redistributed code) requirement. It's not that different from BSD, although more wordy.
So no they didn't have to do this and the license is both specified and very liberal. With any luck someone'll convert it from Ada at some stage.
by RamboTribble October 9, 2008 10:46 AM PDT
Now I am worried. It looks like they may know what they're doing, after all.
Let's not forget that SE Linux was an NSA development. Spooks and other informed paranoiacs have long recognized the superiority of Unix and its derivatives.