Is Linux the Key to Securing Cyberspace?

WASHINGTON -- The debate over securing cyberspace collided with the rivalry between open source and proprietary technologies Tuesday--but the government still says it's not getting involved.

A security summit here Tuesday explored how open source technologies can secure networks and computer systems, particularly in government agencies and offices. It was sponsored by Red Hat, the largest distributor of open source software, and Dell.

Their goal was to raise awareness of open source technology and its security capabilities, said Michael Tiemann, chief technical officer of Red Hat. The forum also aimed to get users to recognize their common issues, he said.

Open Opportunities

Because users can more readily customize open source code, software like Linux offers security options not always or easily available in proprietary technology, several attendees noted.

"For security in an Internet world, I have to have control of my server," said Bill Caelli, a professor of software engineering in Queensland, Australia. "Gone are the days of where I know where my software is coming from."

In an open source system, one can repair and improve systems as needed, Caelli said. With a closed system like Microsoft's proprietary operating systems, "we cannot make incremental changes in security infrastructure."

Caelli stopped short of saying open source always provides greater security, and noted that neither option is perfect. However, he said it may be easier to secure open source code quickly because glitches in the system can be fixed right away--and that is an increasing priority.

The federal government is not taking a position on the debate between open and closed software, said Marcus Sachs, a White House cybersecurity official. It wants to leave the battle to market forces. However, federal agencies can choose to implement Linux or other open source technologies, and some have done so.

Attendee Dwight Gibbs, who is taking a new job as director of technology acceleration for a large financial institution, said he is specifically charged with considering open source technology as a potential solution for greater security. He personally converted from Microsoft Windows NT to Linux four years ago. A mixed environment may be best, he noted.

Who Locks the Door?

Still, terrorist threats, proliferation of worms and viruses, and the recent attack on the Internet are convincing government and corporations that cyberspace is uncomfortably vulnerable. Some say the federal government should step in to secure the Internet.

It took a while for the administration to admit there was a cybersecurity problem, but the White House recognizes that the country's critical infrastructures are vulnerable, Sachs said.

The Bush administration's National Strategy to Secure Cyberspace was released as a draft document in September. It calls on individuals, corporations, universities, and government agencies to each implement appropriate security practices. Richard Clarke, special adviser to the president for cyberspace security, is asking for feedback on the plan.

The administration recognizes that we are a nation fully dependent on cyberspace, Sachs said. The strategy calls on agencies and companies to focus on the vulnerabilities, not the threats.

"Our role is to show leadership," he said, urging companies to secure their own corner of cyberspace.

But leaving the issue to the market has "left us with lousy software," said James Griffin, an Internet security expert. He contends that behavior--by organizations or individuals--will change only if they're motivated.

Griffin advocates regulation, saying there is no accountability in the software industry. If tech companies have to report their products' vulnerabilities publicly, they may become more responsible, he said. "People don't do what you expect them to do, people do what you inspect them to do," Griffin said.