No Defense for Linux

Linux is being designed into future U.S. defense system, including the Army's Future Combat System (FCS), the Land Warrior, and the Global Information Grid, which will connect all future military systems into a single network. This spread of Linux into defense systems is cause for serious concern. Linux security is inadequate for defense use. If the systems now under development are deployed with Linux, U.S. national security will be at risk.

The operating system used in a defense system is the foundation of its overall integrity. The operating system controls all a system's functions, communications, and security. If the operating system is compromised, an enemy can spy on, disable, or commandeer the entire system.

The Linux operating system is developed by an open source process-a cooperative effort by a loose association of software developers from all over the world. With the knowledge that Linux is going to control our most advanced defense systems, foreign intelligence agencies and terrorists can easily infiltrate the Linux community to contribute subversive software. The risk is particularly acute since many Linux contributors are based in countries from which the U.S. would never purchase commercial defense software. Some embedded Linux providers even outsource their development to China and Russia.

Who would intentionally introduce malicious code into software that they knew was going to be used in military and critical infrastructure systems? In the early 1980's, the U.S. Central Intelligence Agency (CIA) subverted software that was acquired by the Soviet Union. A CIA Trojan horse in the software that controlled the trans-Siberia gas pipeline caused a massive explosion. It would be incredibly naive to believe that other countries and terrorist organizations would not exploit an easy opportunity to sabotage our military or critical infrastructure systems when we have been doing the same thing to them for over twenty years!

Linux in the defense environment is the classic Trojan horse scenario-a gift of "free" software is being brought inside our critical defenses. If we proceed with plans to allow Linux to run these defense systems without demanding proof that it contains no subversive or dangerous code waiting to emerge after we bring it inside, then we invite the fate of Troy.

One of the greatest misconceptions about Linux is that the free availability of its source code ensures that the "many eyes" with access to it will surely find any attempt at sabotage. Yet, despite the "many eyes," new security vulnerabilities are found in Linux every week in addition to dozens of other bugs. Many of these flaws have eluded detection for years. It is ridiculous to claim that the open source process can eradicate all of the cleverly hidden intentional bugs when it can't find thousands of unintentional bugs left lying around in the source code.

Furthermore, source code inspection will never detect vulnerabilities that are only manifest in a system's executable binary code. Ken Thompson, the original developer of the Unix operating system-which heavily influenced Linux-demonstrated how malicious code could be architected to be undetectable at the source code level. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, "No amount of source-level verification or scrutiny will protect you from using untrusted code."

Linux is being selected for defense systems because of the perception that it is more secure than Windows. However, this conventional wisdom is unsupported by quantitative data. In fact, the U.S. National Institute of Standards and Technology (NIST) security vulnerabilities database lists more vulnerabilities for Linux than Windows in every one of the last ten years. In addition, under the internationally recognized Common Criteria for IT Security Evaluation (ISO standard 15408), Windows has been certified to Evaluation Assurance Level 4 (EAL 4), a higher level of security than the EAL 2 that Linux has achieved.

Even if Linux were as secure as Windows, Windows is the wrong benchmark. Defense systems should be held to a higher standard.

The Federal Aviation Administration (FAA) requires software that runs commercial (and many military) aircraft be approved as part of a DO-178B certification. DO-178B Level A is the highest safety standard for software design, development, documentation, and testing. It is required for any software whose failure could cause or contribute to a failure resulting in the catastrophic loss of an aircraft.

DO-178B Level A is the appropriate level of assurance for software upon which many lives depend. Several operating systems have been DO-178B Level A certified. Until Linux is certified to DO-178B Level A, our soldiers, sailors, airmen and marines should not be asked to trust their lives with it.

Linux is being used in defense applications even though there are operating systems available that meet the FAA's highest level of safety certification and that are designed to meet the National Security Agency's most stringent security level, Common Criteria EAL 7. We must not abandon provably secure solutions for the illusion that Linux will save money. One "back door" in Linux, one infiltration, one virus, one worm, one Trojan horse and all of our most sophisticated defenses could crumble. We must not entrust national security to Linux.