DHS Claims Open Source Software Is Like Giving The Mafia A Copy Of FBI Code; Hastily Walks Back Statement
from the psst...-your-ignorance-is-showing dept
Late last week, the DHS's Chief Information Officer Luke McCormack (or someone from his office) posted comments to GitHub arguing against the proposed federal policy of releasing 20% of agencies' custom-developed code (however that is to be measured) as open source, in the interest of better sharing between agencies. The rationale is that shared code could save tax dollars by not paying developers at different agencies to write the same thing twice. The DHS felt strongly about this and said as much using an Excel-based parade of horrors.
Many private companies (especially security companies) do not publish their source code because it allows attackers to (a) construct highly targeted attacks against the software, or (b) build malware directly into the source code, compile, then replace key software components as 'doppelgangers' of the original. How will this be prevented? Government-specific examples: citizenship anti-fraud rules that are coded into software, identification of special codes used to flag law enforcement actions, APT threat indicator scripts, Mafia having a copy of all FBI system code, terrorist with access to air traffic control software, etc. How will this be prevented?

Contrary to the CIO's statements, open source software can be as safe as or safer than closed source options. More eyes on the source means more people finding flaws and holes and working toward fixes (provided someone actually does the looking), rather than a vendor compiling internal discoveries and deciding for itself which holes get repaired and in which order. Nor is a secret source tree much of a barrier: attackers routinely reverse-engineer shipped binaries, so hiding the source mostly inconveniences defenders. And the "doppelganger" scenario, swapping a backdoored build for the real one, requires write access to the build or deployment pipeline. That is a code-signing and artifact-integrity problem, and it is the same problem whether or not the source is public.
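To make the last point concrete, here is an added example (not from the article, and not DHS or federal code) of the integrity check that actually stops a "doppelganger" component: a release manifest of SHA-256 hashes, authenticated with a release key the attacker does not hold. The component contents, the key and the component name are all constructed stand-ins; a real pipeline would use asymmetric signatures (Sigstore, GPG, or similar) with the key held in a KMS or HSM, but the logic is the same. Note that the attacker is assumed to have the complete source and to have rebuilt the component from it; publishing the source changes nothing about the outcome.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed sample artifacts standing in for compiled components.
LEGIT_COMPONENT = b"original build: validate_citizenship() { return rules.check(applicant); }"
DOPPELGANGER = b"rebuilt from public source with backdoor: validate_citizenship() { return true; }"

# Hypothetical release key. In practice this lives in an HSM or KMS, never in the repo.
RELEASE_KEY = b"example-release-signing-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Canonical JSON so the MAC covers exactly one byte sequence per manifest.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(components: Dict[str, bytes], key: bytes) -> dict:
    """Hash every component and authenticate the hash list with the release key."""
    entries = {name: sha256_hex(blob) for name, blob in components.items()}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_component(name: str, blob: bytes, manifest: dict, key: bytes) -> bool:
    """Accept a component only if the manifest is authentic and the blob matches its pinned hash."""
    expected_mac = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False  # manifest forged or altered: reject before trusting any hash in it
    pinned = manifest["entries"].get(name)
    if pinned is None:
        return False  # component not part of the release
    return hmac.compare_digest(pinned, sha256_hex(blob))


def demo() -> Tuple[bool, bool, bool]:
    """Returns (legit accepted, doppelganger rejected under real manifest, forged manifest rejected)."""
    manifest = sign_manifest({"validate_citizenship": LEGIT_COMPONENT}, RELEASE_KEY)
    legit_ok = verify_component("validate_citizenship", LEGIT_COMPONENT, manifest, RELEASE_KEY)
    fake_ok = verify_component("validate_citizenship", DOPPELGANGER, manifest, RELEASE_KEY)
    # Attacker has the full source and ships their own manifest, but lacks the release key.
    forged = sign_manifest({"validate_citizenship": DOPPELGANGER}, b"attacker-guess")
    forged_ok = verify_component("validate_citizenship", DOPPELGANGER, forged, RELEASE_KEY)
    return legit_ok, fake_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The only secret in play is the release key. Hand the attacker every line of source and they can still produce nothing that passes `verify_component`, which is the point: the control that prevents component substitution is key management and enforced verification at install time, not obscurity of the code.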
The DHS has now walked back this unfortunate comment, claiming it was just one of those mysterious things that somehow materialized out of the ether.
Those comments were "incorrectly posted" and do not represent DHS' position, agency spokesman Justin Greenberg told Nextgov in an email. McCormack's new comments "serve as the department's official stance on the policy," the spokesman said. In his new comment, McCormack said the earlier comments reflected "a variety of individual positions across DHS components."

This explains next to nothing and leaves readers with the impression that the DHS has been publicly embarrassed by the "source code sky is falling [pending proposal approval]" comment posted under its CIO's name.
The DHS has a history of walking back things after they've received public criticism. This is good, but the walkbacks seem to be accompanied by obfuscatory statements that give everyone involved a pass on their misguided actions. Back in 2014, DHS component ICE started soliciting bids for a national license plate database (built from the hundreds of automatic license plate readers in use around the nation). Backlash ensued and DHS Secretary Jeh Johnson quickly issued a statement claiming the posting was done without the approval of "ICE leadership." In other words, the issuance was just a governmental glitch, and the hasty retreat being beaten was entirely unrelated to the public outcry.
Here, the same thing seems to be happening. The DHS CIO posts comments full of alarmism, is called out for it, and a spokesperson appears on the scene to say that comments released by a DHS official are not the official comments of the agency he represents. To borrow the blame-shifting parlance of law enforcement, a misguided comment "discharged" and no one should have to own up to actually pulling the trigger. Yes, mistakes were made. But apparently no government official should need to acknowledge they were just flat-out wrong.