Open Government and Open Source at the Department of Defense - Part 2

June 26, 1:05 PM | DC Technology Examiner | Tanya Gupta

(AP Photo/Musadeq Sadeq)

Continued from Part 1

Do you see any synergies between Web 2.0 and open source for the Government?

Web 2.0 is about mass collaboration and open source is about collaboration also. There absolutely are some synergies there in both directions. The collaborative techniques of Web 2.0 and mass collaboration are the same things that have driven open source to be successful. The most successful open source projects are the ones that provide value to people, which then encourages those people to become developers, and then they add enhancements, and so that same virtual cycle that powers things like Wikipedia is also powering open source software. In the opposite direction you can say that a lot of the Web 2.0 applications are being done on top of open source software. The same collaboration that makes Wikipedia useful as an information resource makes open source software good. I can also say that, look, open source software like MediaWiki and Apache and PHP and MySQL and Squid are the underlying technologies behind Web 2.0. They share the idea of collaboration as in having many eyes on the same products.

 

What is the balance between Open Source and proprietary software, is there a place for both? In your perfect scenario do you see only OS?

No, at least within Defense world we look for the best solution to achieve mission objectives, and most organizations are that way.  If this is a social movement where I am looking for social goals, and advocating individual liberty in software engineering, then you can take the idealistic position that this should be 100% open source.  But if you take a more pragmatic perspective, you are looking for mission benefits associated with open source software, then those are balanced with the business case. 

When Karen Evans (Office of Management and Budget’s former administrator for e-government and information technology) said you need to consider the Total Cost of Ownership – TCO – she was absolutely right. I suspect that this argument is made by companies on both sides. Microsoft argues 100% TCO is lower for their products, while open source is free upfront but then it costs you to do the integration and support. I think you have to do that analysis and you need to factor in the value of sovereignty, and the ability to control your destiny and take your software in a different direction if you need to. In the OS world that is called forking and it is sort of frowned upon, because you know, it’s a big deal to fork something and because we know that often the forks don’t survive and it fragments the community, and now that mass collaboration that helps improve it is divided and you don’t get the same amount of synergy. However sometimes you have to go do that. For management reasons, the people working on it are not accepting changes, or you need new features, whatever the reasons are, you want to have that option if you so needed it.

With proprietary software there is a clear owner of who owns the software, the proprietor of it, and they’ll do what they want to do with it. You can influence them with dollars, but ultimately it’s their software and their right to handle it. We have to balance agility of being able to adapt software, security, potential quality and cost benefits where those are applicable with the value – and proprietary software may have better features, and may have just what you want and the TCO may tell you to buy proprietary rather than OS.

It’s hard to pick one over the other. You could say that open source has lower licensing costs, but then even with proprietary software, there are products that are free, as the owners, for business reasons, have made it free. 100% OS is not desired, for any given purchase, there are trade-offs. What is important to note though is that we have fallen down in evaluating the benefits of open source, if we had factored in all those things we might have made different decisions.

 What are the three things that *have* to happen for open source to become more widespread?

A lot of education for the federal workforce – conquer fear, uncertainty and doubt (FUD). There are some set of processes, we need to look at how do we adapt those, and what are the rules for acquisitions. Often you just need to answer the question that at the end of the day I have to get a contract for a product and what do I do when I don’t have to have a contract, when the license is freely available for me to use? Typically in these cases all I have to do is internally abide with the terms of the license, which is what I get with most open source – software is there, to use and modify, with certain conditions. For example with GNU – if I distribute the software, I have to make source code available also and pass on the same right. If I am the government if I have to acquire something, the solution is already out there and I just have to download that, but then I have to go out and make sure that everybody understands what the conditions of those licenses are. The biggest thing, from my perspective, is education that open source is commercial software and we should be following mostly the same processes. In the certification and security realm, people have the misconceptions about how it is less secure because it is open (when academia has told us that the reverse is true), the other issue is foreign involvement and where the software is written – at least in Defense – with respect to influence and control. In most cases we have no idea where proprietary software was written either, buying from a US company does not mean that it was written here, and should this even be an issue if I have the source code and can review it – there are some policy issues there and definitely some education and process issues.

 I think that the acquisition rules and processes are not broken, in the sense that they are adequate but they could be better.  It’s not so much an issue that the rules are problematic in terms of acquiring things, but the processes that have been created around the rules, and the people who are executing those rules.  For instance the contracting officials, if you tell them “have you considered open source software” they often don’t know what OS is, the idea that I can just go out and get this capability that I am paying so many dollars for, that I can just go out and download that and get that for free – that is bewildering to people sometimes, they would say “that can’t be allowed”.  I am not a lawyer but I have had this discussion with government lawyers too.  One issue was that only a contracting officer can obligate the Government and agree to a contract so you get into case law issues such as agreeing to an open source license.  There is a lack of clarity about do I need a contracting officer to accept an open source license, it’s not a contract, it’s a license and there is a subtle legal difference between the two.  When I talked to the DOD lawyers the first time they didn’t get it the first time, and then they acknowledged that I was right.  But I think that that interpretation depends on a lot of things, we can’t say this is true for all OS licenses (that they are all licenses not contracts). 

 

In the proprietary software world – people talk about end user license agreements – that is a bilateral agreement, if I am a user I have to agree to it, whereas in the open source world, they will talk about software licenses, a license is a permission to go do something, it is actually a one-way street, that says I give you permission maybe subject to some conditions. You don’t have to accept the conditions but if you fail to do so, that permission goes away. So you don’t *have* to accept that and it’s not like you signed on the dotted line. So there is that fairly subtle distinction that is important for people to understand.

So the barriers are – education for people on what those differences are, clarification of acquisition regulations for contracting officers and acquisition officials on this issue. I made the point that as defined by law and regulation, OS is commercial software, ok but what’s the difference, if I acquire at zero cost does it mean that the rules change, and I think the answer is that in some ways they do and some ways they don’t. To do your job you need to do a complete TCO analysis and do your research on the options you have, as there is a legitimate interest on the part of the government to make sure you do those trade-offs, that is where the existing processes need a few footnotes here and there and maybe the next couple of years we will see something come out of it. Some areas are out of the CIO control such as acquisitions, CIO can’t do that much – I suspect reforming defense acquisitions would be much harder.

 What is the role of standardization?

Standardization continues to be a real issue for the government as consumers of software of any kind. Typical market pressures and market differentiation make you want to be different from the rest of the market so people will buy your product. This is true whether you are a software vendor or a newspaper. On the other hand, you want standardization, you don’t want, for instance, newspapers to come in many different shapes and sizes – in the newsstand they have to fit in the rack and so they have to be so many inches for pragmatic reasons.

Standardization helps you drive interoperability and commonality, where you have achieved a certain amount of commoditization. This is as true of OS as it is anywhere else. The existence of OS has two impacts on those sorts of standardization processes – one is that the existence of OS competitor in any given market niche can help drive standardization, and as people now have to compete with the lowest common denominator – the lowest bidder becomes the OS product. You now have people who don’t want to diverge too much as there are always going to be people who go for the free product – browser or actually web server market – for instance, standardization efforts for the web are at least partly driven by Apache, which dominates the market.

Second, not just driving standardization but when you have standards organizations IEEE, OASIS, IETF, that process is facilitated greatly by having a standard with a reference implementation, if I have a standard of this is how things should work, everyone does their own implementation, they spend their time arguing about who did the implementation correctly. If you have a real reference implementation that here is a standard, and here is a reference implementation of that standard. And you can point out examples with reference implementation, X Windows, standard graphics environment of UNIX systems, browser market, Apache, web server, you can now compare, say look if you are going to build a competitor, that Apache is accepted as a reference implementation. X Windows had the official reference implementation MIT X11 R6, later R7 reference implementations. If your software did not work like that it was wrong. The W3C had a reference browser, Amaya, they maintained it, not many people used it, its whole purpose was to render web pages according to the HTML stack. If your web page was funky on Amaya it was not compliant with the stack, and that was maintained in conjunction with the same people who were writing the standard. OS facilitates dialogue in the standards process – here is what the code does, you can poke the code, forces the standards process to be implementable, a lot of standards bodies will go out and develop standards for how things should work, but in the absence of reality, these standards will be difficult to implement if not impossible. What we are saying if you develop a standard with a reference implementation that we can all look at the code for, and that is the OS part, allows the standards group to really focus (on what is needed).
IETF actually has a standards body – they do not require OS implementation, I believe, but they do require, before they bless something as a recommended standard, at least two different independent implementations of it. So you get to this idea that the standards that I am promulgating really need to be interoperable and the standards have to be implementable. So I think OS facilitates that.
