SASC Accumulo language pro-open source, say proponents

Language in a Senate bill that would require the Defense Department chief information officer to certify that a National Security Agency-developed open source database is either unique or a successful open source project--and prohibit DoD components from utilizing it if neither condition is met--has caused concern in the federal open source community. But it should be viewed as a pro-open source measure, say congressional sources.

The Senate Armed Services Committee version of the fiscal 2013 national defense authorization act (S. 3254) would require DoD agencies to forswear the Accumulo NoSQL database after Sept. 30, 2013, unless the DoD CIO certifies that there exists either no viable commercial open source database with security features comparable to it (such as the HBase or Cassandra databases), or that Accumulo is a successful open source project.

Some in the open source community feel the report is "a big gun being pointed at Accumulo," said Benson Margulies, who was a member of the Apache Foundation Accumulo Project management committee (and chief technology officer of Cambridge, Mass.-based Basis Technology).

Accumulo has been in development since approximately 2008 by the NSA; the spy agency contributed the code to the Apache Foundation in September 2011 and it graduated from status as an incubator project to a top-level project in March.

"Being an approved, fully fledged Apache top level project is many people's definition of a successful outside world open source project," Margulies said.

"It's arguable that the criteria set out in the report have already been met," he added. Unlike other open source projects, he added, Accumulo is a genuine multilevel security database since data can be tagged with classification levels at the level of an individual cell. Proponents also tout its speed and ability to avoid batch processing, saying that it allows users to update analyses in near-real time.

Congressional sources, who spoke on condition of anonymity, acknowledged that graduation to top-level project status is a milestone, but said the intent of the language is to ensure defense agencies aren't locked into a commercially unviable solution that would cut them off from solutions being developed in the private sector for HBase or Cassandra. The fact of Accumulo code now being available as open source isn't by itself sufficient, they said, adding that unless supported by an outside community of users, it would remain specialized, and therefore expensive, government-developed software.

The cell-level security tagging could have become--and could still become--a part of the HBase code, congressional sources noted, adding that in any case if that feature isn't adopted by HBase or Cassandra, then the DoD CIO need only certify that state of affairs for DoD components to continue using Accumulo.

The ideal outcome would be DoD utilization of an open source NoSQL database that has a vibrant community of users, congressional sources added. The defense authorization act language would task the DoD CIO with making that determination because Congress wouldn't want the NSA assessing open source community support of its own creation, they added.

The bill doesn't specify criteria that the DoD CIO should use, they said, since that should be left to the DoD CIO to develop. However, some measures could be how many nongovernmental users contribute code to Accumulo or whether companies have emerged to support it.

Still, the very fact of the Senate committee crafting legislation directly about software utilization isn't favored by some. "Whatever DoD programs might be looking at using Accumulo, they need to make the decision" based on their own technical assessment, said John Scott, a senior systems engineer at Colorado Springs, Colo.-based RadiantBlue and a proponent of military open source software. "I don't think the Congress should be in the business of telling the executive branch what software to use or not to use," Scott added.

For more:
go to the THOMAS page for the Senate Armed Services Committee version of the fiscal 2013 national defense authorization act
