The biggest threat to Linux becoming the software of choice in government circles is that there is no third-party verification, certification or evaluation of it, according to Linda Walsh, a speaker at the UKUUG Linux 2000 Developers' Conference held July 7-9 in London.
Walsh, a member of Silicon Graphics Inc.' Trust Technology group, told LinuxWorld that the OS also fails to meet the Common Criteria (CC) requirements. The CC is an international agreement and protocol regarding security criteria.
It is the result of a 1993 agreement among the governments of France, Germany, the Netherlands, the United Kingdom, Canada, and the United States that specifies both functional and assurance requirements. Its authors say CC is needed to develop trusted IT products that can be used to "help protect important information of the government and private sectors. IT security criteria common to Europe and North America will help broaden the market for these products and further lead to economies of scale."
"Functionally, Linux lacks the ability to audit the necessary events [all security-relevant events] to meet the functional requirements of the Common Criteria Controlled Access Protection Profile (CAPP)," said Walsh. Linux lacks security procedures -- called Mandatory Access Control (MAC) or Labeled Security Protection Profile (LSPP) -- to specify which users are allowed to send or receive information from others, she said.
On the assurance end, "Linux lacks trust and assurance. The assurance requirements are fairly rigorous and tedious -- not something most kernel hackers want to get involved in to any great depth," Walsh added.
The CC requires "source control, production control [guarantees about what sources made what binaries and how they were built] and reproducibility," she said. "Also needed is a definition of what programs and modules are included in the Trusted Computing Base and some security analysis of those components."
To make Linux secure enough for government agencies and major multinationals, Walsh said the US Department of Defense has demanded evaluated systems only by Jan. 1, 2002. It has also recommended the same for other government agencies.
"Specifically, they want systems meeting the CAPP and LSPP," she said.
"Assurance Levels [measured on a scale from a low of 1 to a high of 7] up to Evaluated Assurance Level (EAL) 4 are commonly recognized between member nations of the Common Criteria agreement. Governments require assurance and third party evaluation of trusted systems before they will consider them safe to store or process government data."
When reminded that the French government is reportedly close to passing a law making open source code (and specifically Linux) obligatory for applications used by all its computer systems, Walsh told LinuxWorld, "My impression is the US government shares some of those feelings about Microsoft. The fact that it is closed source and they are at the mercy of such a large and dominant vendor such as Microsoft would seem to be a national security risk."