September 21, 2016

The Department of Software?



Well-developed software can make or break modern weapons systems. Software problems initially hindered F-35 production, for example. The Department of Defense (DOD) set up a Digital Service team last year to help the military solve its information technology problems. Future work on autonomous systems will heavily rely on software development. Most importantly, the DOD will have to protect its own data. To improve the DOD’s use of software, the Center for a New American Security (CNAS) looked at how the Pentagon could better use “open source software.” While the DOD uses some open source software, its full utilization for military software development will require deeper changes to how the DOD approaches code.

What is Open Source Software?

First, what is open source software? In essence, it is software that anyone can modify or share because its design is widely accessible. If the design of a system can be viewed by developers outside the original programmers, it can be considered open source.

In terms of benefits, open source software can provide more flexible, cheaper software. Updates, bug fixes, and innovation tend to occur at a quicker pace because a wider range of programmers and experts can experiment with the code. Private companies that have seen successes from using open source software, even in a limited sense, include Microsoft, Apple, Google, Mozilla, and IBM, among others. The list reads like a who’s-who of technology companies, but open source software’s presence goes beyond them. Seventy-eight percent of private companies use some form of open source software.

Open Source in DOD

But using open source software by itself is no guarantee of innovation or success. In fact, the DOD already uses open source software for several of its databases and projects, including a tool that helps automate aviation mission planning. Open source software is not used throughout the DOD, however, and many critical systems rely on proprietary systems. If using open source software promotes flexibility, upgradability, and innovation, why not push hard to promote it in every critical piece of military software?

Open source software’s value rests as much on the community involved as the availability of the design. Open source software “leverages the work of the community, often at little to no expense.” If a productive and collaborative community does not exist, open software development is not likely to provide the expected benefits.

Within the DOD, this community may be restricted by several factors. These include security, lack of market incentives for industry, and internal turf wars.

Open Source Security

Security is one of the larger issues in play. The CNAS report does discuss this issue, and makes the case that open source software is more secure than generally considered within defense circles. This is true, but security is still an issue for open source software within the DOD for two reasons.

In the private sector, open source software can be useful for both data security and for non-secure applications. With data security, the benefits of having a flaw pointed out quickly by a third party can outweigh the possible risks of one being exploited by a malicious actor. But that cost-benefit calculus is underpinned by the relatively innocuous nature of the data and apathy of the private sector customer. For example, Apple’s stock has not been hit massively in the long run by disclosures over security weaknesses. Of course, it also helps that the private sector can use large awards to incentivize software-savvy third parties that find flaws to give them directly to the company.

Security for the military is different. It is not just access to data that needs to be controlled, but the data itself. While leaked details about a credit card number are inconvenient, information on troop locations or future acquisition plans can imperil national security. Just look at the fallout from the leak about the new Australian submarines, or the hacking of information about the F-35. In the defense world, countries also pit national resources against each other to gather as much information as possible about rival capabilities.

This security environment means that use of open source software will result in different outcomes for the DOD than it does for the private sector. This is not to say that there will not be benefits from using open source software, but that the benefits may not be as high as they are in the private sector. The DOD will have to protect exactly how it uses software to make sure capabilities are secure. This will restrict the ‘community’ to those already cleared to work on military projects. That restricted community cannot, because of its much smaller size, produce the same innovations that the larger private sector can.

Lack of Market Incentives

This then ties into the market incentives of the defense industry. In the private sector, individuals can earn a large payoff by pointing out security flaws in a system. Private companies can move quickly to fix problems and are restricted in the markets mostly by their product quality and brand. In the defense community, getting a specific contract with the government may be the only way to stay in business. While defense companies will have to work with the rules provided to them by Congress and the DOD, they are likely to see open source software as a threat to long-term viability.

Open source software could bring a reduction in overly optimistic contract bids used to secure these long-term contracts because, if the company does not deliver, competitors would be able to step in at another stage of the contract. This would make bids more realistic, and perhaps cut down on cost overruns in acquiring new software tools. At the same time, an already small market could see consolidations if some defense companies do not have the skill sets needed to implement competitive open software development. This would reduce competition, which would lessen the benefits that could be expected from using open source software. Such consolidations, and the ramifications of them, have been seen previously in the wider defense industry. There were 33 large defense firms in the 1990s, but only five by 2000.

Internal Turf Wars

Another factor that separates the DOD’s use of open software from the private sector is internal competition within the military and defense agencies. The benefits of using open source software only work if changes are implemented willingly and effectively. Outside reforms can fail in the DOD without internal buy-in, and this may be particularly true if the changes are coming from rival agencies.

Different agencies will also have different requirements from software for different missions. While some software tools will be easily transferable, others will not. There may be little potential for cross-team software development if specific tools or adaptations are kept secret to maintain an interagency edge. It may not be easy for successful software to be spread to different agencies that have different bureaucratic processes, rules, and regulations. Finally, differing hiring authorities may pool talent into specific agencies. The special hiring authority at the National Security Agency (NSA), for example, allows the agency to ramp up cybersecurity personnel. This could allow talent to pool in specific agencies because they can attract highly-skilled people with quicker hiring practices and more competitive wages. But this could skew the community needed for open source software development towards solving NSA-like problems, and perhaps away from solving cyber issues for the Defense Logistics Agency.

Since the benefits of using open source software come out of the competition and collaboration of the community, these internal dynamics make the defense community a very different place from the wider technology industry.

What the DOD Would Need to Implement Open Source Software

What would the DOD have to do to beneficially implement open source software? An amenable environment would require changes that, while possible, would be against how the defense community currently operates.

In terms of security, the DOD and defense agencies would have to shift from a culture of default secrecy to one of default openness. Sharing source code won’t necessarily throw a database or program open to intrusion, but the government’s current approach to national security information incentivizes opaqueness. Current drafted policies to encourage the use of open source software include exemptions for national security systems. This seems similar to classification standards, in which vague language drives personnel to classify when in doubt. Without explicit rules about when to share source code or not, the defense community will likely claim national security exemptions by default.

The problematic market incentives would most easily be addressed by drawing new actors into the defense market. Complex intellectual property rules and abundant federal regulations make this difficult for individuals or small startups. Strengthening intellectual property rights would help draw in more companies to work with the DOD. At the same time, using open source software to reduce systems could also reduce incentives for new companies to work with the DOD, as companies would be unsure about maintaining contracts long-term. Balancing these two market forces will be important. Policymakers were aware of this issue, at least, when considering the 2017 National Defense Authorization Act. The bill included attempts to clarify intellectual property (IP) protections within defense contracts, separating the larger platform from sub-systems that could be awarded strong IP rights. This could have helped allow companies protection for their innovations while allowing the platform itself to be upgradeable.

Competitive turf wars and the internal culture of the DOD will be harder to handle. Because overarching competition among defense agencies and the military services may not be completely removable (and can have its own benefits), opportunities exist to use that competition for better software development. Hiring authorities for software engineers should be as balanced as possible across the services and agencies. Competition among these agencies and services would help provide the environment in which open source software thrives. While systems could be used across the defense community to reduce redundancies, the ‘we could do this better than them’ competitive nature can be harnessed to provoke innovations. Services, agencies, and individuals could be rewarded for producing better code and systems, and then those improvements could be expanded as necessary throughout the wider community. But innovative thinking may be reduced if talent is constrained into one place with one cultural approach towards problems.

Open Source Useful, Not Panacea

Open source software can be better implemented within the defense community, leveraging its history of innovation and cost savings in the private sector. It’s important to remember, however, that the defense community is a very different market from the wider technology industry. Bureaucratic incentives, different consumer/producer dynamics, and wider national security needs all change how outside processes and tools can be used. As long as these differences are remembered, and expectations are managed, using open source software could solve some of the DOD’s IT problems.