The National Geospatial Intelligence Agency is taking a leap of faith that many in the intelligence community would not dare to attempt.
NGA is taking advantage of open source and crowdsourcing through the GitHub platform to help it develop apps across 16 different topics, ranging from an anti-piracy app to a request-for-information generator for geospatial analysts. GitHub is an open source collaboration platform that lets registered users suggest changes to software in a collaborative process.
“We have this capability outside of our normal IT infrastructure, protected behind appropriate next generation firewalls. By doing that, we are able to tap into the robust talent source that is available across the broader community even though we continue to make great strides in our hiring of multigenerational employees,” said Dave White, NGA’s chief information officer. “The talent that is out there across the broader community in industry and across the government really provides a really impressive opportunity. While there are some security concerns, I believe the way we deployed this architecture really addresses those security concerns and gives us the balance of benefitting from the GitHub capability versus the cyber risk.”
White said the benefits of using open source and GitHub far outweigh the risks.
“What we’ve seen today is that the risk is very manageable but what we are getting in return is innovation,” he said. “It’s innovation, it’s out of the box thinking and it’s really advancing our mission. Yes, there are some cost savings associated with using open source, but the most impressive thing that I’ve noticed is the innovation.”
White credited Chris Rasmussen, NGA’s public software development lead, for taking the use of GitHub from an idea to reality.
In fact, NGA became the first intelligence agency to put its GitHub-developed apps in Apple’s iTunes store. Rasmussen said NGA will expand to Google Play in the coming weeks.
The use of GitHub is new to the Defense Department and the intelligence community mainly because of the size of the open source community of users, more than 6 million in all.
Other DoD and intelligence agencies have looked to open source previously. The Defense Information Systems Agency hosts some internal government open source platforms, and the National Security Agency has roots in the open source community as well by developing and donating a software product to the Apache Software Foundation.
“What makes this different is NGA has an organization account within GitHub. We aren’t doing it through any go-betweens. We are going right out in an organization manner and people can see all the offerings we have for ease of discovery,” Rasmussen said. “There are some open source projects DoD has out there, but they’ve named them after the project, which is kind of esoteric and makes it harder to find.”
Rasmussen said NGA is using GitHub to continually update and add features to current software, but also develop apps for new mission needs.
And the use of the crowd brings innovation to a project where it may not have existed before.
“You can’t crowdsource something without a crowd,” Rasmussen said. “I’m a big fan of going to places where there already are huge network effects, and when you have 6 million users that’s where the most eyeballs will be. People’s default is to go to these small communities and those are appropriate and they will never go away. But sometimes you need to go out and go to these huge platforms to try to catch the largest pool of talent.”
The decision to put code or a project on GitHub comes from a board of cybersecurity, development and legal experts who ensure it is appropriate for public release.
“We have a GitHub governance board and it has to pass the ‘cool functionality’ factor. What we don’t want is our property to be up there and we have a bunch of dumpy scripts. It has to be pretty decent and we think there will be decent value up there. It’s Alpha,” he said. “We will not put up there anything that is really buggy or of low value. It has to be of some value and not be crude to make the cut and get out there because we don’t want to dump a bunch of scripts that have marginal value.”
White said getting to the point where leadership felt comfortable using GitHub wasn’t an easy task. He said the security and cybersecurity concerns were among the biggest obstacles NGA had to overcome.
“It was hard all the way around,” he said. “We spent considerable time addressing the security and cybersecurity concerns. We worked with NSA and we also worked across other agencies in the IC.”
Rasmussen said security of the code is a major concern for NGA, which is why the agency is taking a risk management approach.
“You can’t guarantee that any software, whether it be proprietary or open, is completely free of malicious code. It’s a matter of managing risk. But with the open source ethos, the idea is there is constant revision and more eyeballs on it,” he said. “One of the things when I was socializing this through the agency to get approval for this, I spent a lot of time about myths. That these random people will show up and do this. Well, it’s not really random. You have to be a developer. You have to be able to speak that language. A lot of the people who show up are former employees or run in similar circles. It’s a pretty tightly controlled group. In addition to that, everything works in a trusted repository model. No one can just randomly inject anything. They have to make a suggestion and then it’s approved. So you have total control over what is brought in.”
NGA also has internal procedures to scan code, conduct two-team reviews of the code and run a software assurance process to look for potential problems.
Rasmussen said other agencies or CIOs should consider open source and platforms such as GitHub if they are comfortable with the transparency this approach brings and if they understand the need to debunk myths and convince leadership about the value of open source platforms.
“U.S. Geological Survey reached out and we had a teleconference with them,” he said. “We sent them our forms on the sign-off procedures to document the intellectual property, to make suggestions for licenses and the language to craft in the Read Me files.”