NSA Steps Out of the Shadows with Open Source Software

February 5, 2019


If you’re a software developer, the highly classified environment of the National Security Agency is a cool place to work, but until recently, it wasn’t a place where public sharing was actively encouraged (to say the least).

Enter Jacob DePriest and his band of open source evangelists.

“We want to share and publish what we’re doing, we want to partner, we want to learn what other big organizations are doing to see if we can improve things,” DePriest told a crowd of open source enthusiasts at the 2018 OSCON conference in Portland, Oregon.

He and others at the agency are off to a good start. Visit code.nsa.gov and you’ll find more than 40 NSA contributions to open source, including work in data distribution, orchestration frameworks, the cloud and software-defined radio. You can jump from there to NSA’s GitHub site and dig into the fine-grained details of projects that used to live only in the shadows.

It hasn’t been easy to ease the world’s most secretive signals intelligence agency into the bright lights of open source. National security, of course, relies on the power of classification to keep important software innovations away from the peeping eyes of foreign adversaries.

But the truth is, some of the innovations behind the fortified gates of NSA can also benefit the OSS community and private sector, and NSA can benefit from the sharp eyes of private industry developers. Many of the biggest technical innovations of the past few years have evolved as OSS projects, and NSA developers not only want to be a part of that, they have a lot to offer.

“Our big goal is to create a paved road,” DePriest said. “We want to make open source participation a straightforward process so our developers can fully engage the open source community.”

One of the first challenges was how to let NSA developers contribute to the open source work of others. Traditionally, any code written at NSA went through a lengthy approval process before it could be viewed by outside eyes. But DePriest and his colleagues were able to reduce the length of the approval process from weeks to hours in the simple cases.

Next was developing a model that lets NSA developers share NSA projects and engage with outside developers to move the work forward.

“One of the things we’re encouraging our people to think about is, don’t just post code out there and walk away from it, don’t dump and run. We want them to answer questions on Stack Exchange, through email, in GitHub tickets, and we don’t want them to go through a lengthy process to get every response approved. Being a part of the OSS community is more than posting code. It’s about collaboration, community and helping others.”

One of the reasons DePriest champions open source so passionately is that he knows many serious developers love open source work, and he wants those developers to join NSA, contribute to national security AND engage with the open source community.

One example that set the course for NSA’s entry into open source several years ago was Security Enhanced (SE) Linux, which helps to mitigate the risk posed by flawed and malicious applications.

NSA released SE Linux in 2000; it was accepted into the Linux kernel in 2003 and included in Red Hat Enterprise Linux in 2005. NSA released SE for Android in 2012, and it was adopted by Android in 2013. As of this year, DePriest said, more than 84 percent of Android devices benefit from SE Linux.

“It’s really benefited the government and the general public,” he said. “That was a pathfinder for us to say, ‘hey, this is great, and we should do more of it.’”

Moving forward, DePriest is creating an internal OSS Center to further enable developers to collaborate with the OSS community. This enduring team will be responsible for streamlining processes, providing tools and managing the resources needed to be an active participant in the OSS world.

Check out NSA’s code on GitHub and jump over to our application page to learn how you can write code for national security that might just make its way into the commercial market.