Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense
Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense is a 2003 report by The MITRE Corporation that documented widespread use of and reliance on free software (termed "FOSS") within the United States Department of Defense (DoD). The report helped end a debate about whether FOSS should be banned from U.S. DoD systems, and helped redirect the discussion towards the current official U.S. DoD policy of treating FOSS and proprietary software as equals.

Version 1.0

The FOSS report began in early 2002 as a request relayed to Terry Bollinger of The MITRE Corporation to collect data on how FOSS was being used in U.S. DoD systems. The driver for the request was an ongoing debate within the U.S. DoD about whether to ban the use of FOSS in its systems, and in particular whether to ban GNU General Public License (GPL) software. The U.S. Defense Information Systems Agency (DISA) was also interested, and agreed to sponsor the report. The first draft was completed two weeks later, and version 1.0 was released a few weeks after that. It quickly gained notoriety for its documentation of widespread use of FOSS in the U.S. Department of Defense, and consequently was mentioned in an article about free software in the Washington Post.

The attention resulted in a new round of reviews and edits. Microsoft Corporation requested that Ira Rubinstein, their legal counsel and liaison for DoD software policy issues, be permitted to participate. Rubinstein, who is listed in the preface as the first reviewer, produced the most detailed critique of the report. His recommendations resulted in a massive expansion of the coverage and analysis of free software licenses.

Version 1.2

The final report, version 1.2.04, was completed on January 2, 2003. It was first published on the DISA web site, and is now available on the DoD CIO web site on open source software resources.

Impact

Prior to this report, very little data had been available about how—and even whether—FOSS was used widely in U.S. DoD systems. The report changed this aspect of the discussion immediately, proving beyond any reasonable doubt that the U.S. DoD was already a major user of FOSS. More importantly, the report documented that FOSS was being used in important and even mission-critical situations. One of the more surprising findings documented in the report is that the cyber security community was the most upset of any group at the prospect of FOSS being banned. From their perspective, FOSS provides high code visibility and the ability to fix security flaws quickly and quietly. As a result of the findings, any serious consideration of banning FOSS was dropped. The effort to develop a policy on using FOSS instead moved towards a much more even-handed policy, initiated with the Stenbit open source software policy, which requires U.S. DoD groups to treat FOSS in the same fashion as proprietary software, and subsequently made even more explicit in the 2009 Wennergren clarification of the Stenbit policy.

The broader impact can be realized by recognizing that if the security-conscious U.S. DoD had banned FOSS, it is likely many other federal components, state and local governments, corporations, and international groups would have followed suit. The result would have been a world much less friendly both to FOSS and to FOSS-like efforts such as Wikipedia.

Findings

Below is the executive summary of the report. The full report was published in multiple formats, which can be found along with related open source software resources on Bollinger's personal website.

This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD). FOSS is distinctive because it gives users the right to run, copy, distribute, study, change, and improve it as they see fit, without having to ask permission from or make fiscal payments to any external group or person. The autonomy properties of FOSS make it useful for DoD applications such as rapid responses to cyberattacks, for which slow, low-security external update processes are neither practical nor advisable, and for applications where rapid, open, and community-wide sharing of software components is desirable. On the other hand, the same autonomy properties complicate the interactions of FOSS with non-FOSS software, leading to concerns—some valid and some not—about how and where FOSS should be used in complex DoD systems.

The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is "freeware.") The phrase open source emphasizes the right of users to study, change, and improve the source code—that is, the detailed design—of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation.

The goals of the MITRE study were to develop as complete a listing of FOSS applications used in the DoD as possible, and to collect representative examples of how those applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 examples of their use.

To help analyze the resulting data, the hypothetical question was posed of what would happen if FOSS software were banned in the DoD. Surprisingly, over the course of the analysis it was discovered that this hypothetical question has a real-world analog in the form of proprietary licenses that if widely used would effectively ban most forms of FOSS. For the purpose of the analysis, the effects of the hypothetical ban were evaluated based on how FOSS is currently being used in survey examples. In the case of niche-dominating FOSS products such as Sendmail (ubiquitous for Internet email) and GCC (a similarly ubiquitous compiler), a large amplification factor must also be taken into account when estimating such impacts. The actual levels of DoD use of such ubiquitous applications are likely to be hundreds, thousands, or even tens of thousands of times larger than the number of examples identified in the brief survey.

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

For Infrastructure Support, the strong historical link between FOSS and the advent of the Internet means that removing FOSS applications would result in a strongly negative impact on the ability of the DoD to support web and Internet-based applications. Software Development would be hit especially hard for languages such as Perl that are direct outgrowths of the Internet, and would also suffer serious setbacks for development in traditional languages such as C and Ada. Finally, Research would be impacted by a large to very large increase in support costs, and by loss of the unique ability of FOSS to support sharing of research results in the form of executable software.

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use. MITRE therefore recommends that the DoD take three policy-level actions to help promote optimum DoD use of FOSS:

  1. Create a "Generally Recognized As Safe" FOSS list. This list would provide quick official recognition of FOSS applications that are (a) commercially supported, (b) widely used, and (c) have proven track records of security and reliability—e.g., as measured by speed of closures of CERT reports in comparison to closed-source alternatives. Initial applications for consideration would include, but not be limited to, the set of 115 already-used applications identified by the survey in Table 2, plus other widely used tools such as Python (http://www.python.org) that did not appear in this first set of results. In formulating the list, quick consideration should be given in particular to high value, heavily used infrastructure and development tools such as Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, BIND, and sendmail.
  2. Develop Generic, Infrastructure, Development, Security, & Research Policies. The DoD should develop generic policies both to promote broader and more effective use of FOSS, and to encourage the use of commercial products that work well with FOSS. A good example of the latter is the Microsoft Windows Services for UNIX product, which relies on FOSS (GPL) software to reduce development costs and dramatically increase its power. A second layer of customized policies should be created to deal with major use areas. For Infrastructure and Development, these policies should focus on enabling easier use of GRAS products such as Apache, Linux, and GCC that are already in wide use, but which often suffer from an ambiguous approval status. For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats. Finally, for Research the policies should encourage appropriate use of FOSS both to share and publish basic research, and to encourage faster commercial innovation.
  3. Encourage use of FOSS to promote product diversity. FOSS applications tend to be much lower in cost than their proprietary equivalents, yet they often provide high levels of functionality with good user acceptance. This makes them good candidates to provide product diversity in both the acquisition and architecture of DoD systems. Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyber attacks based on automated exploitation of specific features or flaws of very widely deployed products.
The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.