The MIT Technology Review published a different spying “story” challenging open source:
"A lot of people are realizing that literally everything we do is underpinned by Linux," says Dave Aitel, a cybersecurity researcher and former NSA security scientist.
“It is a key technology for our society. Not understanding kernel security means we can't secure critical infrastructure.”
DARPA, the research arm of the US military, wants to understand the relationship between the code and community that writes these open source projects, to identify potential risks.
The goal is to be able to identify malicious developers to prevent them from disrupting or destroying vital code before it's too late.
The DARPA's “SocialCyber” program is an 18-month, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these vast open source communities and the code they create. It is quite different from most previous research because it combines the automated analysis of both the code and the social dimensions of the developer community.
Are you confused? Let's explain it….
With the SocialCyber program, DARPA contracts with several groups it calls "performers." In them there are various cyber security companies that deal with deep technical problems. One such performer is New York-based Margin Research, which assembled a team of serious researchers for the project.
Margin Research focuses on the Linux kernel because it is so critical. The company's plan is to analyze the code as well as the community to visualize and ultimately understand the entire ecosystem.
Margin's project maps who is working and on what specific parts of open source projects.
For example, Huawei is currently the largest company with a large number of developers contributing to the Linux kernel. Another partner works for Positive Technologies, a Russian cybersecurity company that – like Huawei – has been deemed dangerous by the US government, Aitel reports.
Margin has also mapped code written by NSA employees, many of whom are involved in many different open-source projects.
Sophia d'Antoine founder of Margin Research says:
"The government is just realizing that every critical infrastructure is running open source code that could literally be written by sanctioned entities."
This type of research also aims to find critical software written by one or two volunteers. The risk is the "bus factor": Does the whole project collapse if just one person is hit by a bus?
SocialCyber will also review other open-source projects, such as Python, which is "used in a huge number of artificial intelligence and machine learning projects."
"Our hope is that greater understanding will make it easier to prevent a future disaster, whether it is caused by malicious activity or not."