Department of Defense open source software policy
5 Questions with David A. Wheeler
Meet David A. Wheeler. He's a Research Staff Member for the Institute for Defense Analyses (IDA) and a well-known speaker, author, and expert on open source software and security. He helped develop the Department of Defense's open source software policy and FAQ and has written other guidance materials to help people understand how to use and collaboratively develop open source software in government. He has a Ph.D. in Information Technology, an M.S. in Computer Science, and a B.S. in Electronics Engineering. We hope you enjoy getting to know David.
- Name: David A. Wheeler
- Location: Northern Virginia, USA
- Occupation/Employer/Position: Institute for Defense Analyses (IDA), Research Staff Member
- Open source connection:
  - Author of various OSS works like "Why OSS/FLOSS? Look at the Numbers" and "Publicly Releasing Open Source Software Developed for the U.S. Government"
  - Winner of Open Source for America (OSFA) 2011 Open Source Award - Individual Award
  - Developer of sloccount and flawfinder
- Favorite open source tool or application: "The one that helps me now" - including Linux, vim, Python, LibreOffice, Firefox
- Blog: http://www.dwheeler.com/blog
- Website: http://www.dwheeler.com
Questions and Answers
Open up to us.
I'm passionate about making software development better, and I particularly focus on developing secure software and on open source software (OSS aka FLOSS). On the secure software side, I give away a book on how to develop secure software, and I teach the topic at George Mason University. My goal is to help solve the government's (and the people's) problems.
My background is technical, but I am an extremely practical person, and most problems can't be solved just through technology. So when there's an important problem, I try to find whatever approaches will fix it, technological or not. That mindset fits nicely with my work at the not-for-profit Institute for Defense Analyses (IDA).
Which leads me to the usual disclaimer: I'm speaking just for myself in this interview, not for my employer or the government.
An oddity about me is that I usually write my name as "David A. Wheeler." There are lots of "David Wheelers" and using my middle initial reduces confusion.
In 2001, you wrote an oft-cited paper of the "Most Important Software Innovations." What do you think has been the biggest technological innovation (of any type) in your lifetime?
The Internet is the most important technological innovation, of any type, in my lifetime. It's not even a contest; I think the Internet is at the same level of importance as fire, the wheel, and movable type. Information can now be collaboratively developed, shared, and found by people around the world, essentially instantaneously. Of course, many later innovations have made the Internet much easier to use, in particular the World Wide Web and great search engines. But these later innovations required the Internet first, just like wagons and cars required the wheel first.
Although the origins of the Internet go back to the 1960s and 1970s, we are only just beginning to see the Internet's social impact. Open source software and open government existed before the Internet, but they became far more powerful movements once the Internet became widely available. Encyclopedias existed before... but not Wikipedia. As people become more and more connected, with better tools to help them work together, we are going to see even more social impacts from the Internet.
You have written and spoken quite a bit in recent years about intellectual property in software. Any thoughts on going to law school?
I have thought about going to law school; I enjoy learning new things. But I've already spent a lot of time in school – I have a PhD – and I'm more interested in changing the world than just learning about it. So instead, when there are legal issues, I work with people who are already lawyers. They know the law, and I know software; by collaborating, we can take advantage of each other's strengths. I think of myself as a translator on legal issues; I can bring questions to legal experts, and then translate their answers so that non-lawyers (like software developers and program managers) can understand them.
Oh, and please let me bring up a pet peeve of mine. I really hate the phrase "intellectual property" – it's a terribly misleading phrase. When most people hear the word "property" they think of physical property like cars. If I take your car, you have no car. But intellectual works, like software, don't work that way at all – if I have a copy of your software, you still have the software. That word "property" misleads non-lawyers, and even many lawyers, in a fundamental way. The Constitution requires that any exclusive rights to intellectual works have a limited time; it's difficult for people to understand why this is so when they think of intellectual works as "property" in the usual sense. It also makes people ask the wrong questions – they often try to find out who the copyright holder is, instead of trying to find out what rights they've received, and usually only the latter answer matters. So I think people should avoid using the terms "intellectual property" or "intellectual property rights." Instead use terms such as "intellectual rights" or "data rights" (to replace "intellectual property rights"), and use terms like "intellectual works" (to replace "intellectual property"). I'll gladly talk to people who use the misleading term, and many lawyers do understand the difference. But using that term with non-lawyers is a recipe for misguided thinking. Even if people won't change their terminology, making people aware that the term is misleading reduces its sting. For more, see: http://www.dwheeler.com/essays/intellectual-rights-not-intellectual-property.html
Several years ago, the biggest barriers to uptake of FLOSS (free/libre/open source software) by government agencies were lack of familiarity with open source and concerns about security. What do you think the biggest barriers are today?
Those issues still exist, as well as the fear of doing something different, fear of low-quality FLOSS, misplaced concerns about support, and procurement processes that incorrectly assume that commercial software is always proprietary. The good news at this point is that there is so much FLOSS use by the government that it's too late to universally prevent it. Increasingly, FLOSS is being examined for its actual merits, instead of being simply ignored because "it's not the way we've always done it." This is getting accelerated by budget woes; FLOSS isn't free of costs, but it's often the less expensive approach, and that by itself is forcing people to consider it.
The big issue in government today is moving the government, and its contractors, from being merely a consumer into being a partner. There are many advantages to being a collaborator, and many agree in principle about the benefits of public/private partnerships, but it is currently difficult to really make it happen. One government employee put it nicely: "Delay means death" in FLOSS, and when you have to go through extensive export control review, or classification review, to release a change to the public, you can't have effective collaboration. These are not easy problems to solve, but I believe they are solvable. We already have leaders who have managed to make it work; we now need to make it happen widely.
I think a lot of those barriers would disappear if the US government had a simple policy: If the government pays for development of software, it should be released as FLOSS by default. If people had to justify why software should not be released, and it were released otherwise, it would tear down many barriers. Classified software should not be released to the public, but most government-developed software isn't classified. The current system doesn't make much sense; if we the people paid for it, then we the people should normally get it. I'm not the only person to think so; the U.S. Consumer Finance Protection Bureau recently announced such a policy, and others have started the site "freethecode.org" promoting this idea.
So what do you think of the Senate ordering the National Security Agency to stop using Accumulo in the 2013 Defense Authorization bill?
First of all, again, I'm speaking here as a private citizen of the US. I'm not speaking for my employer or any government department.
Congress has every right to make specific requirements, but I hope that this text will be removed from the final language. Extremely specific requirements like this, which forbid the use of a specific product unless it meets additional requirements not imposed on others, should almost never be in legislative language. Congress should be establishing the goals and broad requirements, not micro-managing exactly which products the executive branch must not use. In particular, Congress should be encouraging competition; telling the executive branch that it can't use one specific commercial product (Accumulo) without special additional requirements is noticeably anti-competitive. And information technology changes too quickly; it's better to give general rules that can be quickly applied as the situation changes. It can probably be argued that Accumulo easily meets the additional Senate conditions anyway; for example, Accumulo became an Apache top-level project in March, and several companies are offering Accumulo support. But the precedent of the Senate picking and choosing specific software programs is disconcerting. Accumulo did begin as government-developed software, but that's irrelevant; it is now a commercial product, and it should be judged fairly on its own merits.
Now I agree that the government shouldn't be developing software when there are better alternative approaches for meeting its needs. But there are already rules that enforce this. What's more, I believe that when Accumulo development started, HBase (one of the main competing products) didn't exist. In any case, Accumulo has capabilities that other products like HBase just don't have. For example, Accumulo has per-cell visibility labels, so that users who don't have access can't even tell that the data exists. This capability can be really useful when handling classified information, and I'm pretty sure that HBase cannot currently do this. But my point isn't a blow-by-blow feature comparison; I'm sure that competition will make various products get better. The executive branch needs to be able to choose the best tool for the job, and not have its options artificially limited. Let competition do its job.
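The per-cell visibility labels mentioned in the answer above are worth seeing in code. The following is an added illustration, not Accumulo's own implementation and not part of the interview: a simplified model in which each cell carries a boolean expression over labels (labels joined by `&` and `|`, grouped with parentheses, with an empty expression meaning "visible to everyone"), and a scan returns only the cells whose expression is satisfied by the reader's authorizations. The grammar follows the shape of Accumulo's visibility expressions, including the rule that `&` and `|` cannot be mixed at one level without parentheses, but the parser, the `Cell` record, the `scan` function, the `granted` authorization check and the sample data are all constructed here.

```python
"""Simplified model of per-cell visibility labels (added example, not Accumulo code).

A cell is returned to a reader only if the reader's authorizations satisfy the
cell's visibility expression. Cells that fail the check are dropped from the
result entirely, so a reader without access cannot tell that the data exists.
"""
import re
from dataclasses import dataclass

# One label token, or one of the structural characters & | ( ).
_TOKEN_RE = re.compile(r"\s*(?:([A-Za-z0-9_\-:./]+)|([&|()]))")


class VisibilityError(ValueError):
    """Raised for a malformed visibility expression."""


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise VisibilityError(f"bad character at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser producing ('label', name) or (op, [children])."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_expr(self):
        # expr := term (op term)*  with a single operator kind per level
        terms, op = [self.parse_term()], None
        while self.peek() in ("&", "|"):
            tok = self.take()
            if op is None:
                op = tok
            elif tok != op:
                raise VisibilityError("mixing & and | requires parentheses")
            terms.append(self.parse_term())
        return terms[0] if op is None else (op, terms)

    def parse_term(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_expr()
            if self.take() != ")":
                raise VisibilityError("missing ')'")
            return node
        if tok is None or tok in ("&", "|", ")"):
            raise VisibilityError(f"unexpected token {tok!r}")
        return ("label", tok)


def parse_visibility(expr):
    """Return a parse tree, or None for the empty expression (visible to all)."""
    expr = expr.strip()
    if not expr:
        return None
    parser = _Parser(tokenize(expr))
    node = parser.parse_expr()
    if parser.peek() is not None:
        raise VisibilityError(f"trailing token {parser.peek()!r}")
    return node


def evaluate(node, auths):
    """True if the authorization set satisfies the parsed expression."""
    if node is None:
        return True
    if node[0] == "label":
        return node[1] in auths
    op, children = node
    results = (evaluate(child, auths) for child in children)
    return all(results) if op == "&" else any(results)


@dataclass(frozen=True)
class Cell:
    row: str
    column: str
    visibility: str  # the cell's visibility expression
    value: str


def scan(cells, auths, granted=None):
    """Return the cells visible under `auths`.

    `granted` models the server-side check that a reader may only scan with
    authorizations it has actually been given; requesting more is refused
    rather than silently trimmed.
    """
    auths = frozenset(auths)
    if granted is not None and not auths <= frozenset(granted):
        raise PermissionError("requested authorizations exceed those granted")
    return [c for c in cells if evaluate(parse_visibility(c.visibility), auths)]


# Constructed sample data: one employee row with columns of differing sensitivity.
SAMPLE_CELLS = [
    Cell("emp-1001", "name", "", "A. Example"),
    Cell("emp-1001", "salary", "hr&finance", "91000"),
    Cell("emp-1001", "review", "hr|(manager&eng)", "exceeds"),
    Cell("emp-1001", "clearance", "secret", "TS-eligible"),
]


if __name__ == "__main__":
    for auths in ({"hr"}, {"manager", "eng"}, set()):
        print(sorted(auths), [c.column for c in scan(SAMPLE_CELLS, auths)])
```

The design point is that filtering happens on every cell before anything is returned, and a reader holding only `manager` sees just the `name` column: the `salary`, `review` and `clearance` cells are absent from the result rather than present-but-redacted, which is what keeps their existence hidden.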