As Open Source has become increasingly mainstream and widely accepted for its numerous benefits, the use of Linux as a flexible, transparent and highly secure operating system has also increasingly become a prominent choice among corporations, educational institutions and government sectors alike. With national security concerns at an all time high heading into 2020, it appears that the implementation of Linux could effectively meet the United States government’s critical security needs for application development and installations.
Because of its open-source roots, Linux is foundationally secure, highly reliable, and incredibly adaptable. Linux incorporates a "defense-in-depth" approach to security, meaning robust security measures are implemented at every level of development and deployment. Unlike obscure closed-source counterparts, Linux has a fundamental focus on security through transparency.
In order to be approved for use in critical government functions, software and applications must be certified to ensure that they meet certain security standards. Common Criteria, FIPS 140-2 and Secure Technical Implementation Guidelines (STIG) are three security certifications required by the United States Department of Defense. These certifications indicate that technology meets standardized security protocols and cryptographic tools implement their algorithms properly. Linux has been certified to meet all of these criteria, a rare and notable achievement.
For these reasons, Linux is not only an ideal operating system for the development of critically secure government applications, but the inherent openness and flexibility of Linux also make it a great operating system for installations that demand the highest level of security and precision. However, it should be noted that as with any operating system, Linux must first undergo additional stringent testing and development before being further incorporated into the US government’s IT infrastructure.
SELinux: Enhanced Security through Access Controls
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. SELinux embodies concepts that can be traced back to United States National Security Agency projects, including research on mandatory access control (MAC) architecture based on Type Enforcement, which gave rise to the Flask. A reference implementation of this architecture was initially integrated into a SELinux prototype system to demonstrate the value of flexible mandatory access controls and how such controls could be added to an operating system. The architecture was recognized for its security benefits and has since been incorporated into the mainstream Linux operating system.
SELinux enforces the separation of information based on confidentiality and integrity requirements, which allows threats to be addressed and damage that could potentially be caused by malicious or flawed applications to be confined. The majority of mainstream operating systems lack this critical ability to enforce separation, and are vulnerable to tampering and bypassing of application security mechanisms as a result.
Initially SELinux was highly controversial. Many people were concerned about the NSA inserting code into Linux, despite its transparency. Rumors of the NSA incorporating backdoors and technology capable of compromising users’ privacy proliferated for many years. Thankfully, these misconceptions have been dispelled and SELinux is now recognized for improving the overall security of Linux.
An Open Source Revolution is Underway
The United States government’s respect for and acceptance of open-source development has steadily grown stronger over the past decade, and the US government is increasingly using open-source software as a way to rollout advanced, highly secure technology in an economical manner. On August 8, 2016, the White House CIO released a Federal Source Code Policy that calls for new software to be built, shared, and adapted using open-source methods to capitalize on code that is “secure, reliable, and effective in furthering our national objectives."
The United States Department of Defense recognizes the key benefits associated with open-source development and trusts Linux as its operating system. In fact, the US Army is the single largest installed base for RedHat Linux and the US Navy nuclear submarine fleet runs on Linux, including their sonar systems. Moreover, the Department of Defense just recently enlisted Red Hat, Inc., the world’s largest provider of open-source solutions, to help improve squadron operations and flight training.
Open Source Freedom
Proprietary software advocates have been stirring an ongoing debate on whether using Linux in matters of national defense is appropriate. It is their opinion that the availability of the source code for open-source applications and the unknown origins of the code can lead to subversive content being deliberately placed into critical codes, putting the security of our entire country at risk.
What makes this debate illogical is the fact that there is not a single mainstream operating system, proprietary or open-source, that in its current state should be used to run critical national security applications. This is because any chosen system would have to be adjusted and re-worked to be a proper fit for the government's unique and critical IT needs. However, assuming that the government is turning to Linux for national defense applications, the availability of the source code is exactly what makes Linux the obvious choice. Linux and other open-source applications provide the freedom to customize programs to suit specific requirements, a liberty unfounded in proprietary systems. If the security provided by a particular installation is insufficient it can be modified to ensure the highest levels of protection.
Additionally, the United States government, especially the Department of Defense, has brutally high standards when it comes to security and confidentiality. As a result, any code chosen for government or military systems must be certified under Common Criteria, FIPS 140-2, and Secure Technical Implementation Guidelines (STIG) and undergo countless hours of analysis and vulnerability assessment before it can even be considered for testing. To imply that our government has not considered the risks of Linux and other operating systems alike and is using insecure infrastructures of any kind is to insult the intelligence and capability of our government and military to protect its citizens.
Linux is not an invitation for IT terrorism, but quite possibly a first step towards preventing it. The flexibility, transparency and unmatched security that open-source development has instilled in the operating system make Linux better suited for government use than any proprietary alternative.
We’d love to hear your thoughts. Please comment below!