Give Linux security clearance, US told UK

The British intelligence services pushed the open source Linux operating system through security clearance in order to meet a US request for operational interoperability of computer systems.

GCHQ, the signals intelligence arm of the Ministry of Defence, fast-tracked a version of Linux through computer security checks that must be passed by any software to be used in government communications. The procedure is usually off-limits for open source software because there aren’t single large corporate backers prepared to sponsor it.

Kevin Wallis, lead architect at the Ministry of Defence, told an open meeting of the British Computer Society’s Open Source Specialist Group last week that it was the only instance he knew where CESG, the information assurance arm of GCHQ, had vetted and approved genuine open source software.

“This one came about because it was an interoperability issue with a partner nation,” Wallis told the meeting. “This was an operating system,” he said.

“A Linux variant,” he told Computer Weekly after the meeting.

“It was certified by NSA (the signals intelligence arm of the US Department of Defence) in the US.

“And then CESG, because there was a government use for it, were prepared to put it through the accreditation and accept it accordingly.

“We needed it. It got through. It’s now in the catalogue. It may now be built upon,” said Wallis.

Wallis joined a chorus of leading public sector figures who said at the meeting that government departments should sponsor open source software through the CESG approval process. If they didn’t do it, no-one else would, and government open source policy would fall at the first hurdle.

Wallis said it was a “vicious circle”.

The fact that open source software didn’t get sponsored for CESG approval had impeded government policy to increase the public sector’s use of open source software.

Ravi Vitankar, chief technology officer in Fujitsu Services Government Division, told the same meeting that open source software “needs sponsorship from a government department”. CESG could not be expected to get open source through security clearance without help.

“It can be done but it still needs the sponsorship from the government department. Otherwise, CESG is so over-stretched that you put it there and it will probably sit there for a couple of years because they won’t get around to touching it,” he said.

Tariq Rashid, Home Office lead architect, called the meeting to ask why open source software was not being used in government despite a two-year-old policy that said it would be.

There are a number of Linux variants on CESG’s list of security assured products. The list does not specify which are proprietary and which are open source versions. Linux variants on the CESG list of approved products include those carried by Red Hat, Oracle, MIRACLE LINUX, and SUSE.