Earlier this year, the Georgia Tech Research Institute’s Cyber Technology and Information Security Laboratory was tapped by the U.S. Department of Homeland Security to head up a five-year, $10 million initiative to investigate and identify open-source security models and technologies to be used in support of the United States’ national cybersecurity efforts.
Led by GTRI, the Homeland Open Security Technology (HOST) program will balance investigatory research with real-world outreach, sharing and collecting information across government agencies and with members of industry and academic communities to better grasp where open-source security technology stands now and how it might evolve.
Impressive, sure. But Joshua Davis, MBA 07, GTRI’s Cyber Technology and Information Security Laboratory associate division head and the HOST program’s principal investigator, knows you may have a lingering concern.
“‘Open security’? It sounds like an oxymoron,” he affirms.
But it’s far less counterintuitive than the name might suggest.
Rather than one company holding tight to a program’s source code, doling out updates and charging users for each new iteration, opens source software makes its code readily available for any programmer or developer to tweak and publish their own version, usually for free.
Software fixes and updates can be executed within hours, rather than weeks or months—important in any industry, but especially crucial in the cybersecurity world, where threats can shift by the day.
The Alumni Magazine talked to Davis about the wonders of open source, his work with HOST and the nebulous but potent threats the program seeks to eliminate.
I think now people associate the Department of Homeland Security with things like border patrol and immigration. But it also involves Internet security, which is way behind the scenes and also intangible.
There is a cyber war going on right now. This is me talking on an unclassified level. The power distribution of what folks can do with the Internet, it’s scary. And the reason it’s scary is economic systems are built upon the Internet. You and I communicate with friends and family, stay abreast of the news, everything—it’s on the internet. Small organizations of people that have problems with us can cause disruption. If someone wanted to monitor you and I and wreak havoc on our personal lives, they can find ways to get into our systems of communications, track us, and create problems. It’s really scary what an individual—let alone an organization, let alone a nation-state—can do to us on the Internet. If you look at [organizations] like Anonymous or 4chan and where they come from, they’re able to elicit power with limited consequences and limited attribution, so what do government agencies do? How can you go kill something that doesn’t have a head and that’s distributed throughout the globe?
How do you maintain the security of open-source security software?
Just because it’s open doesn’t make it more vulnerable. You should never trust, really, any software. The supply chain is going to dictate how safe you are. A piece of software written by Microsoft [involves] individuals all over the globe, and what are the motivations of those individuals? Could organizations pay them to come in and get within the supply chain to [tamper with] part of the software? … [Someone] could get [the software] box from, say, Fed Ex, open it up and put a different DVD in there that has an exploit on the DVD and you get it thinking its safe. And that’s closed source. With open source software, if I can get the source code, I can look at the source code and see what I’m going to go build. And, honestly, that’s what the government does a lot of times. The government wants to review the source before it builds it, because then it can control the supply chain.
It’s like buying processed food versus growing your own in your backyard.
I never thought of it that way, but yeah. … There’s an analogy we draw: Imagine if we give a guy that’s going to go on the front lines a gun that he cannot add a scope to, that he cannot clean, cannot fix it, cannot do anything to it. Imagine if I gave him that weapon. That’s what we’re doing with software. Right now, if I give the warfighters software, the vendors are the only one that can change it, and it’s scary because a for-profit entity has, in some ways, a little bit of control of the business practices of our government defending us. As a citizen, if that vendor is not doing what the government needs it to do to solve its problem for us, I feel they should be able to give it to any other vendor who can. And when you have the source code in hand you can do that.
Tell me about your background.
I did undergrad up the street at Southern Poly. I got a job at GTRI doing IT stuff in 1997. I started full-time as a researcher in 1999 at GTRI. I also graduated from Tech’s MBA program in 2007. I started doing a lot of test and evaluation work with the Marine Corps and the Army. … For many, many years I would get in a vehicle, in 29 Palms in the desert, wearing flac and a helmet, with a laptop, shooting these little text messages through a system to emulate a war to guys in a vehicle. … Being in that environment, doing that work, let me see the waste in our government and how we use software and it gave me this personal mission, which led me to start this open-source software community called Mil-OSS. … We had the first working group in Atlanta [and] we brought about 100 people together who were military folks, who were civilian government employees, citizens, and contractors like myself, coming together, who get these models, and are trying to help learn how to use them. It was a nerd conference.
Has there been any resistance to the open-source model?
Take the proprietary business model: I’m going to go take risk up front and build some software, or take a little bit of my money and some of the government’s money and I’m going to make something that’s proprietary, that’s mine. And I’m going to say, “OK, government, I’m going to sell you a license to use what I’ve built. You’re going to pay me for it. You’ll pay me whenever there’s a new version, etc.” And there are a lot of businesses that make money that way. And what the open-source software model brings is, “OK, instead of this thing here that I own and I control, I’m now putting it out there that I’m licensing, and I still hold the copyright, but you and anyone else or any vendor who wants to pay me can make money of this too, and also contribute to it.” … It’s almost like what researchers do on campus with publishing and sharing ideas. It’s the same thing—except when I publish, that knowledge is now in software, and if it’s really good knowledge it’s going to stay, and if it’s not someone’s going to come in and remove it. The best sort of analogy is that it’s like the roads. The roads are built for you and I to go make money off of. And there’s probably different competitions for how you innovate a road, but a lot of it’s probably shared knowledge.
You’re not reinventing the wheel every time.
Right, and if you look at security—security’s not a luxury. Right now, though, in places, to get real network security, it costs a lot of money. … The cyber security problem is not just the United States. It’s everybody.
Are you pulling talent from the Tech campus, recruiting for the cyber war?
There is a dearth of talent in security. … Right now, if you go to Georgia Tech and get a security focus, you probably won’t have a problem finding a job. If you want to go back to school ever, go security. Because, oh my gosh, if you have any knowledge, there’s somebody willing to pay you.
Twitter