Not Your Average OS

Linux has been around just long enough to make believers out of some government agencies.

September 7, 2006
It's an anniversary of sorts for Linux. The penguin-toting operating system (OS), with roots in Finland and the United States, turns 15 this year.

Much like any teenager, Linux has been eager to find its place, and with governments increasingly turning to it to run heavy-duty projects involving thousands of users, Linux looks to have done reasonably well for itself.

Linux and its worldwide community of supporters are constantly seeking further efficiencies and increasing security measures, leaving only one question for governments who haven't at least tried it yet: What are you waiting for?

Back at the Tiller
Bill Welty, CIO of California's Air Resources Board (ARB), started using open source in 1994, and hasn't looked back since.

In a well-documented case, the ARB turned to Linux for a wide-scale project involving more than 700 users and the creation of an interactive Web site. By using open source code, the ARB reduced the project's cost from $27,000 to $59, and over the years, examples of such savings have become commonplace for the ARB.

Today the ARB has more than 80 applications running on Linux -- nearly 65 percent of its total applications -- and hopes to keep adding to its open source platform.

For Welty, however, a key benefit to implementing Linux -- beyond cost advantages -- is that it puts the government back in control of IT spending.

"Taxpayers should almost demand it," he said, adding that when California was going through budget crises, license fees and software upgrades often put agencies in uncomfortable situations. "They had issues trying to afford the ongoing licensing for products they were using. And in some cases, they were going to lay people off to cover the cost."

In addition to renewing license fees, some software upgrades also put unexpected burdens on agencies' finances. "Oftentimes you don't know why they're upgrading their product," Welty said of proprietary software vendors, "but it forces you to change your hardware, in which case you have to buy new hardware, just to deal with the new upgrade."

With Linux, however, agencies not only can install software applications on multiple servers -- for instance on a primary server and on its backup -- but they can also share these applications with other agencies without having to pay licensing fees.

"If I build an application for air monitoring, and I use open source for that, I could theoretically give that application to any air pollution control district in the state," Welty said, adding that as long as the other agency had the staff necessary to run the application, there would be no cost-prohibiting restrictions to interagency sharing.

Moreover, Linux lets agencies control procurement issues.

Because open source software is written to open standards, and is therefore more flexible, if an agency decides to update its computers, it doesn't have to be concerned with hardware-software compatibility, as it would with proprietary software. For instance, as Ed Hammersla, chief operating officer of Virginia-based Trusted Computer Solutions (TCS), pointed out, the IBM AIX operating system cannot run on a Sun piece of hardware, and vice versa.

"But with Linux, whether it's the Red Hat distribution or the Novell distribution -- or whether it's any of them -- you really can run those on all the popular hardware platforms," Hammersla said. "Some are tuned better, and perhaps perform better, but generally you can run them on all hardware."

Flexibility is also an important aspect of Linux as it lets agencies customize software to department needs.

"If you've got an organization that's got 200,000 people, do they all need all the bells and all the whistles all the time?" Welty said. "To some degree, you can stratify your procurements based on what people really do for a living."

Agencies can use free or low-cost open source code to deploy e-mail services or word processing software for departments needing bread-and-butter technology; and with the savings, agencies can afford to purchase more expensive software for highly technical areas that may require specialized applications.

Though the cost savings are obvious in these various scenarios, Welty said, it's the sense of empowerment that sets Linux apart from other operating systems.

"If you can get to a position where you control the rate of change for your own environment, then you basically can control your budget," he said. "Flexibility, lower cost -- you can make decisions about when to upgrade, how long to hold on to hardware versus not ... I think those are the important things, but it all stems from the sense that you own, you're not owned."

A Safe Ride
"The Linux story isn't so much about Linux as it is open source collaboration, taking advantage of worldwide talent, personal pride of authorship and community recognition," said Hammersla. "It's really less about technology than it is about those things."

However utopian it may sound, this sense of community is a recurring theme in the Linux world -- one that yields some very tangible results in the security realm.

"It turns out the fact that Linux is open source doesn't by itself make it more secure or less secure," Hammersla explained. "Where you get the security benefits is the rate at which bugs are found and fixed."

Hammersla said in the proprietary software vendors' world, threats are handled with a finite amount of brainpower. "If you have a bug in a piece of software, and you find it, you send it to the company that built the software and it goes on one of their bug lists," he explained. "They have a finite number of people who fix the software, and so they just go down the list and fix one thing at a time.

"In the Linux world, when you find a bug -- and it's found usually much more rapidly -- you have a worldwide community of literally tens of thousands of people who are just on it and try to fix it," he added, saying that the desire to be the "hero who fixed the bug" is an effective incentive.

This worldwide safety net has proven itself to Welty and his IT shop, who in 12 years of using Linux have not had any security problems.

But Linux is not just guarded by scattered groups of open source enthusiasts worldwide; big software companies have also jumped on the bandwagon.

IBM, for instance, has hundreds of employees solely dedicated to Linux, Hammersla said. "All 600 of those people are paid by IBM -- their salary, their benefits and their office -- and none of them work on IBM products. They work on Linux."

Other companies sell commercial versions of Linux, and while the notion of selling free software sounds counterintuitive, Welty explained that what these companies really sell is their expertise and support services.

Yet agencies nationwide are still slow to get onboard. According to Hammersla, a recent study by Shawn McCarthy, a senior analyst at the research firm IDC, shows that only 12 percent of government agencies are using Linux, and the projected increase for 2009 is a mere 3 percent. These statistics seem to indicate a lingering hesitation to try open source.

Some recent news on the Linux front may ease some die-hard concerns.

TCS partnered with IBM and Red Hat to build on the National Security Agency's Security-Enhanced Linux to create a "trusted" Linux operating system. A trusted operating system, Hammersla explained, is one that has gone through the Common Criteria -- an international standard for computer security evaluation.

"When you pass through Common Criteria, you come out with a rating, and if you get a rating of EAL 4 [Evaluation Assurance Level 4], then you're allowed to call yourself a trusted OS," Hammersla said. "Right now the only other popular mainstream trusted OS is Trusted Solaris, but of course that runs only on Sun."

Making Linux a trusted OS is a highly collaborative process, and TCS and its partners hold weekly meetings with other members of the open source community, which often involve more than 50 people and several organizations.

"It's quite a powerful collaboration effort anytime you do something with Linux, but in this particular case, [it's] making it a trusted Linux," Hammersla said. "If you talked to the head of the Linux security at IBM, he'll tell you that when they started the project a few years ago, nobody thought you could make an open source system that trusted or that secure. It is culturally interesting, and many people have to get over the fact that it's open source at first, but it's quite a helpful thing when you get to know it."

TCS's Trusted Linux is scheduled to go through the Common Criteria at the end of 2006, and the outcome may encourage agencies nationwide to give further thought to Linux.

Remembering Where We're Going
In California, state CIO J. Clark Kelso said he is doing more than just encouraging agencies to try Linux. His office created an IT Council composed of several state department CIOs who advise him on policy matters.

"We have established within the IT Council a series of committees and working groups to study various issues," Kelso said. "Some of the groups we have established deal with forward-looking technologies we know we want to adopt and we need to learn more about."

One of these groups is the Open Source Software Working Group (OSWG).

"I've been working with Bill Welty, who is the chair of this group, to figure out how we can establish a good training and educational program for people [interested in open source]," Kelso said. "Two years ago, we said, 'Everybody should be looking at open source as an alternative.' What we realized is that for many of our CIOs, this is a different enough approach to developing IT programs that we needed to actually provide some additional training and additional opportunities for departments to learn about open source," he added, mentioning that in the proprietary world, there is no shortage of information from vendors, whereas with open source, the flow of information is less organized.

Participants in the OSWG include the Department of Motor Vehicles, the Department of Justice, the Treasurer's Office and several others.

Kelso stressed, however, that open source isn't an end but rather a means.

"What I am asking departments to do is examine open source solutions as an alternative for their IT systems," Kelso explained. "This all has to link back to well defined business objectives. One of the business objectives, of course, is running a cost-effective and efficient IT shop."
Corine Stofle, Staff Writer