Washington, D.C. — Security was a hot topic at Monday’s first-ever federal Linux users’ conference.
The news that Microsoft Corp.’s network had been breached and that hackers had gained access to source code underscores the need for effective security systems to protect large institutions – like the government – from such attacks, said speakers and delegates alike at the conference here.
While many people view the Linux operating system with suspicion, believing it to be even more vulnerable to security breaches and attacks than other systems, this is not the case, said Piers McMahon, a senior security business manager at Computer Associates International Inc. in Islandia, N.Y.
“The view that all open-source software is vulnerable and that the open-source movement can only benefit by paying more attention to security is incorrect,” McMahon said.
Security for any system is only as strong as the weakest link, he said. As the Microsoft attack showed, it took just one computer to compromise the entire security system.
What Linux needs is a successful intrusion detection system that meets the requirements of the federal government, McMahon observed. The industry has so far not addressed this issue.
Mark Norton, principal technical adviser for the Office of the Assistant Secretary of Defense/Command, Control, Communications and Intelligence, said Linux is not officially approved for use by the department. It has also not been security tested or validated against the department’s security standards.
In spite of that, Linux has been included in many early-level research and development programs. But program managers have been reluctant to use it at more advanced levels as security issues remain a concern, he said.
“What we need are programs that guide and reduce the risk of open-source use, such as making Linux compliant with our Common Operating Environment,” Norton said. “The community also needs to be doing far more to promote and document its ease of use, and they should be looking at establishing a set of standards for easier application installations.”
Stephen Ryan, an Internet program analyst for the Bureau of Public Debt, said the adoption of Linux has been slow in the government. One of the main reasons for this is the perceived lack of security around the system.
James Craft, who chairs the Federal CIO Council Security Practices Subcommittee, said no Linux best security practices are included in the Federal best security repository.
“We really need the Linux community to demonstrate and share its best practices with us, which will result in a greater acceptance of open-source software in the government,” Craft said.