SE Linux Advocates Affirm Momentum Among Feds

Open-source software fans cheered when the code for Security-Enhanced Linux was released, arguing that when the most secretive federal agency conducting highly classified operations was using open-source software, nagging doubts about Linux's security might finally be laid to rest.

In developing SE Linux, the NSA was "looking for an answer to a problem," said John Weathersby, chairman of the Open Source Software Institute, an Oxford, Miss.-based nonprofit agency focused on promoting the use of open-source technologies. "The NSA does not endorse products, and that's the beauty of it," he said. "If someone says Linux is not secure, then I ask, 'Why would the NSA be [developing on it [if it wasn't?' "

The OSSI this month inked a partnership with the National Technology Alliance, a unit of the National Imagery and Mapping Agency, Bethesda, Md. Together, the NTA and OSSI will seek to educate government agencies on the development and implementation of open-source technology under the nascent NTA Open Source Program.

With a new urgency in government to fight terrorism with technological superiority and other means, the NSA's tacit support of SE Linux bodes well for the acceptance of open-source products at all levels of government, observers said.

"The NSA needs SE Linux for a number of technical reasons," said Larry Loeb, principal at pvc enterprises, a Wallingford, Conn.-based IT consulting firm. "They have a whole bunch of air-gap computer systems that are physically separate from each other, in logical and physical ways, and they want to replace them with [fewer machines but still keep the security advantages of an air-gap system."

Loeb said few commercial clients would require the stringent level of security that SE Linux provides. "I would think the market for SE Linux is primarily the feds," he said.

Dow Williamson doesn't necessarily agree. As vice president of marketing at Trusted Computer Solutions (TCS), a Herndon, Va.-based solution provider that caters to the needs of federal agencies, Williamson said SE Linux has broad appeal for a number of constituencies.

"If we can get SE Linux to the point that it's commercially viable, I think banks, telcos and health-care and even manufacturing [companies will find this kind of technology very interesting," he said.

TCS works extensively with SE Linux as well as Sun Microsystems' Trusted Solaris. "Over the last 10 years, Sun really is the only vendor to go through the hoops that the government demands" in terms of security testing and certification, Williamson said. "Our customers have been limited to Trusted Solaris. Having an SE Linux option opens up a huge new customer base."

Yet some vendors that profit from the sale of software licenses are balking at the spread of open-source software. Microsoft, for one, objected loudly in 2001 when the NSA made its SE Linux code available for download.

"Proprietary software vendors do not want to lose business, so they put up a fight," said one open-source advocate who requested anonymity. "They will use any excuse that they think sounds plausible. But many people feel that a government of the people should be utilizing products that benefit the people instead of products that benefit a few corporations."

For its part, Microsoft contends that broad adoption of GPL-covered software could harm innovation. The General Public License dictates that open-source applications can be viewed, modified and redistributed. If the software is redistributed, the source code must be made available. Yet GPL-licensed software can, in fact, either be sold for a fee or given away.

Many IT experts believe that it is only a matter of time before SE Linux is as common in federal deployments as other flavors of Unix or Windows.

"The intention of the [NSA SE Linux project was to work on using SE Linux to service the NSA's secret and unclassified networks," said Kevin Robinson, a systems engineer at the Defense Supply Center, Richmond, Va. "It is a promising endeavor that, if followed through, will result in amazing advancements in Linux and systems security."