In August, the U.S. government released its long-awaited open-source software policy, and on Nov. 3 it unveiled Code.gov, a portal—itself open source—aimed at helping government agencies share code in order to save taxpayer money and make IT projects nimbler. Tony Scott, CIO of the U.S., made the announcement in a White House blog post:
“Built in the open, the newly launched Code.gov already boasts access to nearly 50 open-source projects from over 10 agencies—and we expect this number to grow over the coming months as agencies work to implement the Federal Source Code Policy. Further, Code.gov will provide useful tools and best practices to help agencies implement the new policy. For example, starting today agencies can begin populating their enterprise code inventories using the metadata schema on Code.gov, discover various methods on how to build successful open-source projects, and much more.”
National security-related agencies are exempt from the policy—a very wise choice, I feel. There are obvious security concerns around releasing software that governments use for essential activities. I, for one, don’t really want the code for critical infrastructure and defense systems under a blanket open-source mandate.
Further, the government needs to be extremely mindful of systems that manage the personal information of employees and taxpayers. Initially, agencies are obligated to open-source 20% of the custom code built by or for them, and officials should ensure that projects shared through Code.gov have gone through a rigorous review and validation process before release. However, much of the software that manages non-critical data could clearly be useful, in whole or in part, to the private sector. If managed properly, sharing open-source code across federal agencies and with the public makes sense for a number of reasons.
More open source
Development teams are embracing open source for good reasons. Open source accelerates development while lowering costs. The more open source that becomes available, the more we all benefit. Assuming the code released by the government has genuine utility, it will attract attention from the open-source community. Independent developers will build enhancements that will be available to both public and private enterprises.
I’m not arguing for the “many eyes make all bugs shallow” Linus’s Law in general. But eyes focused on open-source security are still undoubtedly useful, and they are the source of virtually all open-source vulnerability disclosures in the NVD. As Scott noted in his blog post, “We will enable the brightest minds inside and outside of government to review and improve our code, and work together to ensure that the code is secure, reliable, and effective in furthering our national objectives.”
Understanding what is being “custom built” can shed light on inside deals where commercial solutions may already exist.
Taxpayer funds were used to create the code, and making that code available to other federal agencies can reduce waste. Assuming the software meets the needs of several agencies, maintaining a single codebase should simplify code maintenance as well.
NASA pioneered efforts to make public the technologies it developed in the space program. Anti-icing systems, infrared ear thermometers, firefighting gear, and memory foam mattresses all resulted from that technology transfer. In a world where software is integrated into almost everything, access to the government’s building blocks should spur more advances.
Given the results of the election, it’s too early to know if the government’s policy toward open source will remain the same, as the new president may appoint a new U.S. CIO who may have a completely different perspective on open-sourcing governmental code. However, the cost efficiencies that can be realized from such a program should cross party lines. And in closing, I’ll reiterate that if the policies do remain in place, the programs must be managed carefully from a security standpoint. But overall, open-sourcing software from some of the largest consumers of custom code—governmental agencies—could benefit us all.