The Department of Defense's proposed use of Linux, an open-source operating system, in critical defense systems could pose a significant security risk, warned Dan O'Dowd, founder and president of Green Hills Software.
"If Linux is compromised, our defenses could be disabled, spied on or commandeered," O'Dowd said at an April 8 panel during the NetCentric Operations 2004 conference sponsored by the Association of Enterprise Integration and held in McLean, Va. "Every day, new code is added to Linux in Russia, China and elsewhere throughout the world. Every day, that code is incorporated into our command, control, communications and weapons system. This must stop."
O'Dowd said that software that runs on the Linux system is spreading rapidly through the DoD because it can be freely downloaded from the Internet without a license or up-front fees, which bypasses legal purchasing and security procedures.
The DoD is considering using Linux to control the functionality, security and communications of critical defense systems such as Future Combat Systems (FCS), Joint Tactical Radio System (JTRS) and the Global Information Grid (GIG), he said. The operating system is being developed by a cooperative effort of software developers from around the world. This raises inherent security concerns, he added.
"The very nature of the open source process should rule Linux out of defense applications," O'Dowd said. "The open-source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems."
A senior official in the DoD's Defense Information Assurance Program told NetDefense that O'Dowd's claim that using an open-source operating system such as Linux could threaten U.S. national security "isn't necessarily true. He is exercising a little bit of literary license in [his remarks]," said the senior official, who did not want to be identified.
"Obviously, he doesn't know how we use software in DoD. If he thinks we are hiding our head on this, or don't know what we're doing, then he's mistaken. To make a blanket statement that says that open-source software is less secure than any other software isn't an accurate statement. To say that some open-source software is less secure than others, that could be [true]."
The official said that the individual project developers for systems such as FCS and JTRS would make the final call on whether or not to use Linux. "I'm sure that [using Linux in next-generation defense systems] is being looked at," the official said. "Whether or not it will be used, will be up to the developer when he looks at risk analysis and other things. That is what they are charged to do."
O'Dowd said Linux serves several useful purposes in the computing world. It is currently used in application servers, database servers, workstations, network servers, cluster computing, and embedded and university systems. "I'm not against Linux," O'Dowd said. "Linux has its place, where security failures do not threaten national security and is easy to update where security failures are not ... [Linux] does not belong in national defense systems. We do not need cheaper security. We need better security. We can't abandon truly provable solutions for some illusion that Linux is going to save money. We can't trust national security to Linux."
O'Dowd's proposed solution to the Linux vulnerability problem is for the DoD to buy "real-time operating systems that have been designed for defense systems," such as his company's INTEGRITY operating system and systems supplied by LynuxWorks and other software companies. He told NetDefense in an April 14 interview that DoD needs proprietary operating systems that have been tested to U.S. government reliability and security standards. "People's lives depend on [the operating system] not failing and not getting hacked," he said.