Drafting Software Policy at DoD

We have been focusing in recent months on the expansion of the IT revolution from the digital industries, such as entertainment and communication, to the physical industries such as manufacturing, construction, and transportation.

But in some sense, the ultimate physical industry is the Department of Defense, and that’s why we found the latest National Defense Authorization Act, now moving through Congress, to be so interesting, and well, puzzling.

First, the bill *appears* to require companies to turn over the software source code for any products purchased by the Department of Defense. Second, the bill as written takes a strong position in the long-running debate between open source and proprietary software.

 § 2320a. Use of open source software

“(a) Software Development.—All unclassified custom-developed computer software and related technical data that is not a defense article regulated pursuant to section 38 of the Arms Export Control Act (22 U.S.C. 2778) and that is developed under a contract or other transaction awarded by the Department of Defense on or after the date that is 180 days after the date of the enactment of this section shall be managed as open source software unless specifically waived by the service acquisition executive.

“(b) Release Of Software In Public Repository.—The Secretary of Defense shall require the contractor to release source code and related technical data described under subsection (a) in a public repository approved by the Department of Defense, subject to a license through which the copyright holder provides the rights to use, study, reuse, modify, enhance, and distribute the software to anyone and for any purpose.

“(c) Applicability To Existing Software.—The Secretary of Defense shall, where appropriate—

“(1) apply open source licenses to existing custom-developed computer software; and

“(2) release related source code and technical data in a public repository location approved by the Department of Defense.

By itself the requirement that all existing and future custom-developed software be treated as open source is odd, because most everyone acknowledges that open source and proprietary software both have their pros and cons. Indeed, the Internet seems to be living happily integrating a mixture of open source and proprietary software.  Sometimes proprietary software has problems, sometimes open source software does.  The Equifax hack, for example, was due to a problem in an open source component.  Shouldn’t any policy promote competition among all models, rather than pre-determine one outcome?

But I’m primarily concerned with the impact of these provisions on leading edge technologies such as the Internet of Things. The old model of a software program that runs on a single computer no longer holds.  Instead, more and more software development is focused on physical objects such as connected cars and trucks, smart watches, 3D printers and IT-intensive medical equipment, which all contain millions of lines of carefully-developed code.

This cutting-edge code is what gives American companies their advantage against foreign competitors, and what will power the next wave of the information revolution in the United States and around the world.

Does it really make sense to force these companies to make their software open-source if they make any changes requested by the Department of Defense? Does configuring a car’s software for DOD requirements trigger the “open-source” requirement? If a leading 3D printer company wrote altered its operating software to DOD specs, is that operating software now going to be open source?

As the Internet of Things moves forward, the Department of Defense needs the best applications of IT to the physical world that it can get.  Moreover, the best American companies need to be able to modify their technology to fit DOD requirements without worrying that foreign companies will lift their best ideas.

Related Articles & Press