
NSA Mimics Google, Angers Senate

Posted by Soulskill
from the don't-be-evil-just-doesn't-work-for-us dept.
An anonymous reader writes "In a bizarre turn of events, the Senate would prefer that the DoD use software not written by the government for the government. Quoting: 'Like Google, the agency needed a way of storing and retrieving massive amounts of data across an army of servers, but it also needed extra tools for protecting all that data from prying eyes. They added 'cell level' software controls that could separate various classifications of data, ensuring that each user could only access the information they were authorized to access. It was a key part of the NSA’s effort to improve the security of its own networks. But the NSA also saw the database as something that could improve security across the federal government — and beyond. Last September, the agency open sourced its Google mimic, releasing the code as the Accumulo project. It's a common open source story — except that the Senate Armed Services Committee wants to put the brakes on the project. In a bill recently introduced on Capitol Hill, the committee questions whether Accumulo runs afoul of a government policy that prevents federal agencies from building their own software when they have access to commercial alternatives. The bill could ban the Department of Defense from using the NSA's database — and it could force the NSA to meld the project's security tools with other open source projects that mimic Google's BigTable.'"
  • Re:Huh. (Score:5, Informative)

    by Chrisq (894406) on Wednesday July 18, 2012 @08:42AM (#40684685)

    I think the point from TFA was "why create a new Open Source project when you could add a new feature to an existing project?"

    That is exactly what they did; Accumulo is an extension of Hadoop [apache.org].

  • by CrimsonAvenger (580665) on Wednesday July 18, 2012 @08:58AM (#40684837)

    This seems like a result of the conservative cry to shrink the size of the federal gubmint. "Gubmint shouldn't be allowed to do internally what they can outsource to some private company" possibly owned by China. This is sad.

    Considering that this is the Democrat-controlled Senate we're talking about, instead of the Republican-controlled House, I suspect you're mistaken....

    *sighs* don't know what I did to my HTML tags that time....

  • Re:Nah... (Score:5, Informative)

    by ozmanjusri (601766) on Wednesday July 18, 2012 @09:08AM (#40684933)

    In Australia, we're being gouged by just about every private company that can sink its hooks into our wallets. We should be asking for more regulation, not less.

    Check this out!

    'Mr Levey said in its research Choice [magazine] discovered one Microsoft software development product that was more than $8500 cheaper in the US.

    "It would be cheaper to pay someone's wage and fly them to the US and back twice, getting them to buy the software while they're there," he said.'

    http://www.theage.com.au/technology/technology-news/downloads-its-cheaper-to-pay-a-wage-fly-to-the-us-and-back-twice-20120718-229in.html [theage.com.au]

  • Posting anon. (Score:5, Informative)

    by Anonymous Coward on Wednesday July 18, 2012 @09:28AM (#40685113)

    In a bill recently introduced on Capitol Hill, the committee questions whether Accumulo runs afoul of a government policy that prevents federal agencies from building their own software when they have access to commercial alternatives.

    I work at a large defense contractor, so obviously I'm posting anon. My thoughts on this are as follows: indeed there are requirements to use as much COTS and/or FOSS as possible for things that already exist (and so long as the use of any does not/cannot cause any future licensing issues that can be reasonably foreseen.)

    It is in an effort to avoid the "not invented here" syndrome that plagues commercial and government enterprises alike. But the operative idea is that we should use a COTS if it provides the functionality that we need. If there is some type of deviation in the type of functionality that a project needs, it is perfectly reasonable to add new logic around it (or build one from scratch altogether.)

    The NSA requirements for retrieving and storing massive amounts of data, when taken as is, do sound like something that Google already does. However, there are other requirements a Google-like COTS might or might not meet, or might not meet efficiently (i.e. "tweaking the COTS will cause substantial operational costs down the road", just as a hypothetical example.)

    There are needs to attach security label classifiers (TS, S, R, C, SBU, U) and compartments/silos to meet "need-to-know" requirements. There can be security-related non-functional requirements that say the mechanisms for storing/retrieving information above a certain security label also be labeled with a classifier as strict as the data being handled. Part of the software system might be required to exist within Type 1 cryptography products, with physical shielding and all. It might be required to provide interfaces and protocols aware of sneakernet and airwalls.

    Things like that do not get solved by deployment schemes and configuration alone. So "mimicking Google" might not be descriptive of what's really going on here.

    Furthermore, it looks incredibly stupid for Congress to be telling the NSA to shelve their own FOSS and to look for a COTS alternative. Sometimes, for some types of operations, you simply do not want a COTS. Fine for building government-owned systems that handle, say, tax or immigration/naturalization records. Not so fine for TS-level material.

    The NSA has been guilty of some major pork-barrel mishaps, and needs fiscal supervision. Hell, the whole defense sector is plagued by inefficiencies. However, this particular action by Congress is not a solution.
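
The cell-level labels described in the summary and in the comment above work roughly like this. What follows is an added illustration, not Accumulo's own code: a toy evaluator for Accumulo-style visibility expressions (labels joined by & and |, grouped with parentheses) run over constructed sample cells; the simplified grammar, the function names and the classification/compartment labels are all assumptions.

```python
import re
# Toy evaluator for Accumulo-style visibility labels (simplified grammar assumed):
# '&' = all labels required, '|' = any suffices, parentheses group, no mixed ops.
_TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")

def parse_visibility(expr: str):
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != expr:          # whitespace or an illegal character
        raise ValueError(f"malformed visibility {expr!r}")
    if not tokens:                       # empty visibility: readable by anyone
        return lambda auths: True
    pred, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r} in {expr!r}")
    return pred

def _parse_expr(tokens, pos):
    pred, pos = _parse_term(tokens, pos)
    preds, op = [pred], None
    while pos < len(tokens) and tokens[pos] in ("&", "|"):
        if op not in (None, tokens[pos]):
            raise ValueError("mixing '&' and '|' requires parentheses")
        op = tokens[pos]
        pred, pos = _parse_term(tokens, pos + 1)
        preds.append(pred)
    combine = all if op == "&" else any  # a single term: any([p]) == p
    return (lambda auths: combine(p(auths) for p in preds)), pos

def _parse_term(tokens, pos):
    tok = tokens[pos] if pos < len(tokens) else None
    if tok == "(":
        pred, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return pred, pos + 1
    if tok is None or tok in ("&", "|", ")"):
        raise ValueError(f"expected a label, got {tok!r}")
    return (lambda auths, label=tok: label in auths), pos + 1

def visible_cells(cells, auths):
    # cells are (row, visibility, value); keep the (row, value) the user may read
    auths = frozenset(auths)
    return [(row, val) for row, vis, val in cells if parse_visibility(vis)(auths)]
SAMPLE_CELLS = [  # constructed; classification and compartment names invented
    ("doc1", "U", "unclassified summary"),
    ("doc2", "S&PROJECT_A", "secret, compartment A only"),
    ("doc3", "TS&(PROJECT_A|PROJECT_B)", "top secret, either compartment"),
    ("doc4", "", "unlabelled cell, readable by anyone"),
]
```

A user holding only U sees doc1 and doc4; a user holding TS, S, U and PROJECT_B sees doc3 as well but still not doc2, since the PROJECT_A compartment is missing.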

  • Re:Nah... (Score:5, Informative)

    by RaceProUK (1137575) on Wednesday July 18, 2012 @09:30AM (#40685143) Homepage

    It is the result of private corporations lobbying for more privatisation. "Shrink the Government" is the voter-friendly PR spin on it. We have the same in the UK...fortunately the privatised "security" company G4S has just screwed up so massively that the agenda must have been put back a year or so. Personally, I think that any and all national security functions, whether physical or cyber, shouldn't be provided by anybody whose managers I cannot vote out of office.

    As a fellow Brit I have been following the G4S Olympic security blunder in the news too. I will be very surprised if it actually makes any difference in the long run to privatisation though.

    We have already let G4S run several prisons as part of a pilot scheme; once the pilot is over in a year or two we will outsource more to them, I'm sure. Even before this G4S had a piss-poor record when it came to prisoner transport, yet they were still given more contracts in a similar vein.

    The simple fact is that government loves privatising stuff as it means they can push costs of large infrastructure projects down the line to the next generation. It also means they can make lots of friends in business and those friends will repay them with a nice cushy non-executive director role later on.

    Not to forget the Tories' attempt to privatise the NHS. Also, the railways were privatised under a Tory government. Look how well that's turned out (for non-UK /.ers: the UK railway network is overpriced, severely limited in capacity, and slowly falling apart).

  • by Dr_Barnowl (709838) on Wednesday July 18, 2012 @09:32AM (#40685159)

    Indeed. Support contracts give the private contractors a disproportionate amount of power.

    I work for the UK National Health Service; back when I was defining interoperability standards for medical records communication, I was revising the standard for GP (General, or Family, Practitioner) health record communications. The messages were declared in terms of a common standard for interoperability. Somewhat naively, I specified that the messages should use the standard means to convey unknown information (the absence, and the reason for its absence), rather than the "magic numbers" that were being used at the time. I was promptly told that I couldn't actually make things consistent with the standard, because to change those bits of the vendor system would, under the terms of the contract, result in a full system test, which was a chargeable item costing millions of pounds.

    So they had nicely arranged things such that you couldn't promote interoperability (by using a well-defined standard available to all vendors), because you couldn't afford the work they would have to do in order to fix their system to follow the government-dictated standard which they had known they would have to use all along ....

    And we actually help them. I think the system testing clause is in there at the insistence of the government side; when I was on the other side of the divide, working for a private sector company supplying an NHS hospital, I was told I couldn't fix bugs in our system because it would necessitate a full system test - even though I point-blank told them that this was NOT necessary because the component concerned was covered by rigorous unit tests. Instead, they rolled back the changes in their system that had broken ours (having been told not to change that aspect of the configuration in the first place).

    Accumulo is an Apache 2.0 licensed extension of other OSS components - so there is no downside from the commercial side, apart from not being able to justify charging for its cost of development. Which is what I suspect the problem is.

    First rule in government spending: why build one when you can have two at twice the price? S R Hadden - Contact

  • Who benefits? (Score:4, Informative)

    by time961 (618278) on Wednesday July 18, 2012 @09:52AM (#40685399)

    Clearly, someone must have paid for this charming little legislative tidbit. But who?

    I mean, I could understand if Lockheed-Martin had a proprietary solution that they were offering (with just a few change orders needed to satisfy NSA's requirements, of course), but the beneficiaries here seem to be the Cassandra and HBase projects, neither of which seems likely to have much of a lobbying budget. Was it their forebears at Facebook? Could they possibly care enough?

    And blaming it on "conservatives-want-smaller-government" seems pretty silly, too. Sure, turfing Accumulo might conceivably further that goal in some tiny, tiny way, but it's not like some senator was likely to have figured this out by himself. No, clearly someone put them on to it, but who and why?

    It's an intriguing mystery. Any ideas?
