Slashdot Mirror


NSA Mimics Google, Angers Senate

An anonymous reader writes "In a bizarre turn of events, the Senate would prefer that the DoD use software not written by the government for the government. Quoting: 'Like Google, the agency needed a way of storing and retrieving massive amounts of data across an army of servers, but it also needed extra tools for protecting all that data from prying eyes. They added 'cell level' software controls that could separate various classifications of data, ensuring that each user could only access the information they were authorized to access. It was a key part of the NSA’s effort to improve the security of its own networks. But the NSA also saw the database as something that could improve security across the federal government — and beyond. Last September, the agency open sourced its Google mimic, releasing the code as the Accumulo project. It's a common open source story — except that the Senate Armed Services Committee wants to put the brakes on the project. In a bill recently introduced on Capitol Hill, the committee questions whether Accumulo runs afoul of a government policy that prevents federal agencies from building their own software when they have access to commercial alternatives. The bill could ban the Department of Defense from using the NSA's database — and it could force the NSA to meld the project's security tools with other open source projects that mimic Google's BigTable.'"

5 of 193 comments

  1. Sell it to Google by Maximum+Prophet · Score: 5, Insightful

    Accumulo runs afoul of a government policy that prevents federal agencies from building their own software when they have access to commercial alternatives

    Just arrange to sell it to Google, make them the maintainers, and buy it back for $1.

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  2. Nah... by Kupfernigk · Score: 5, Insightful

    It is the result of private corporations lobbying for more privatisation. "Shrink the Government" is the voter-friendly PR spin on it. We have the same in the UK...fortunately the privatised "security" company G4S has just screwed up so massively that the agenda must have been put back a year or so. Personally, I think that any and all national security functions, whether physical or cyber, shouldn't be provided by anybody whose managers I cannot vote out of office.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
    1. Re:Nah... by sortius_nod · Score: 5, Insightful

      Personally, I think that any and all national security functions, whether physical or cyber, shouldn't be provided by anybody whose managers I cannot vote out of office.

      This highlights the problem with the "small government" argument. In Australia we've seen private companies run rail, road, telecommunications, electricity & water infrastructure into the ground because of conservative "small government" agendas. All that seems to happen is the companies stick their hands out for "aid" or the like to help them make bigger profits while neglecting what they are responsible for.

  3. Re:Huh. by Chrisq · Score: 5, Informative

    I think the point from TFA was "why create a new Open Source project when you could add a new feature to an existing project?"

    That is exactly what they did; Accumulo is an extension of Hadoop.

  4. Posting anon. by Anonymous Coward · Score: 5, Informative

    In a bill recently introduced on Capitol Hill, the committee questions whether Accumulo runs afoul of a government policy that prevents federal agencies from building their own software when they have access to commercial alternatives

    I work at a large defense contractor, so obviously I'm posting anon. My thoughts on this are as follows: indeed there are requirements to use as much COTS and/or FOSS as possible for things that already exist (and so long as the use of any does not/cannot cause any future licensing issues that can be reasonably foreseen.)

    This is in an effort to avoid the "not invented here" syndrome that plagues commercial and government enterprises alike. But the operative idea is that we should use a COTS if it provides the functionality that we need. If there is some type of deviation in the type of functionality that a project needs, it is perfectly reasonable to add new logic around it (or build one from scratch altogether.)

    The NSA requirements for retrieving and storing massive amounts of data, when taken as is, do sound like something that Google already does. However, there are other requirements a Google-like COTS might or might not meet or might not meet efficiently (i.e., "tweaking the COTS will cause substantial operational costs down the road", just as a hypothetical example.)

    There are needs to attach security label classifiers (TS, S, R, C, SBU, U), and compartment/silos to meet "need-to-know" requirements. There can be security-related non-functional requirements that say the mechanisms for storing/retrieving information above a certain security label also be labeled with a classifier as strict as the data being handled. Part of the software system might be required to exist within Type 1 cryptography products, with physical shielding and all. It might be required to provide interfaces and protocols aware of sneakernet and airwalls.

    Things like that do not get solved by deployment schemes and configuration alone. So "mimicking google" might not be descriptive of what's really going on here.

    Furthermore, it looks incredibly stupid for Congress to be telling the NSA to shelve their own FOSS and to look for a COTS alternative. Sometimes, for some types of operations, you simply do not want a COTS. Fine for building government owned systems that handle, say, tax or immigration/nationalization records. Not so fine for TS-level material.

    The NSA has been guilty of some major pork-barrel mishaps, and needs fiscal supervision. Hell, the whole defense sector is plagued by inefficiencies. However, this particular action by Congress, it's not a solution.
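
The level-plus-compartment labeling this comment describes, enforced per cell as in the summary, sketched as an added example that is not part of the original thread and is not Accumulo's own code. The label ordering, the names `Label`, `dominates` and `scan`, and the sample table are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed ordering, lowest to highest, of the labels named in the comment.
LEVELS = ["U", "SBU", "R", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(clearance, label):
    """True when a reader holding `clearance` may read data marked `label`."""
    try:
        high_enough = RANK[clearance.level] >= RANK[label.level]
    except KeyError:
        return False  # unknown level on either side: fail closed
    # Need-to-know: the reader must hold every compartment on the data.
    return high_enough and label.compartments <= clearance.compartments


def scan(table, clearance):
    """Return each row reduced to the cells the clearance may read."""
    view = {}
    for row_id, cells in table.items():
        visible = {col: value for col, (value, label) in cells.items()
                   if dominates(clearance, label)}
        if visible:  # a row with no readable cell is not revealed at all
            view[row_id] = visible
    return view


# Constructed sample data: one row whose cells carry different labels.
TABLE = {
    "site-17": {
        "name": ("Depot North", Label("U")),
        "inventory": ("412 units", Label("C")),
        "source": ("report 9", Label("S", frozenset({"ALPHA"}))),
        "assessment": ("pending", Label("TS", frozenset({"ALPHA", "BRAVO"}))),
    },
}

ANALYST = Label("S", frozenset({"ALPHA"}))
CLERK = Label("C")
AUDITOR = Label("TS")  # highest level, but no compartments
```

`scan(TABLE, AUDITOR)` returns the same two cells as `scan(TABLE, CLERK)`: a higher level alone does not satisfy need-to-know, which is why the check has to run on every cell, not once per table or row.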