United States Releases Draft National Open Source Software Policy

On September 23, 2014, the White House announced that the United States would create an official policy for open source software. Today, the nation took a big step towards making more software built for the people available to the people.

“We believe the policies released for public comment today will fuel innovation, lower costs, and better serve the public,” wrote U.S. chief information officer Tony Scott in a blog post at WhiteHouse.gov, announcing that the Obama administration had published a draft open source policy and would now take public comments on it online.

This policy will require new software developed specifically for or by the Federal Government to be made available for sharing and re-use across Federal agencies. It also includes a pilot program that will result in a portion of that new federally-funded custom code being released to the public.

Through this policy and pilot program, we can save taxpayer dollars by avoiding duplicative custom software purchases and promote innovation and collaboration across Federal agencies. We will also enable the brightest minds inside and outside of government to review and improve our code, and work together to ensure that the code is secure, reliable, and effective in furthering our national objectives. This policy is consistent with the Federal Government’s long-standing policy of technology neutrality through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our Government, and create value for the American people.

Scott highlighted several open source software projects that the federal government has deployed in recent years, including a tool to find nearby housing counselors, NotAlone.gov, the College Scorecard, data.gov, and an online traffic dashboard. platform, and the work of 18F, which publishes all of its work as free and open software by default.

The draft policy is more limited than it might be: as noted by Greg Otto at Fedscoop, federal agencies will be required to release 20 percent of newly developed code as open source.

As Jack Moore reports at NextGov, the policy won’t apply to software developed for national security systems, a development that might prove disappointing to members of the military open source community that has pioneered policy and deployment in this area.

The draft policy sensibly instructs federal agencies to prioritize releasing code that could have broader use outside of government.

The federal government is now soliciting feedback on the following considerations regarding its use of open source software.

Considerations Regarding Releasing Custom Code as Open Source Software

  • To what extent is the proposed pilot an effective means to fuel innovation, lower costs, benefit the public, and meet the operational and mission needs of covered agencies?
    • Would a different minimum percentage be more or less effective in achieving the goals above?
    • Would an “open source by default” approach that required all new Federal custom code to be released as OSS, subject to exceptions for things like national security, be more or less effective in achieving the goals above?
    • Is there an alternative approach that OMB should consider?
  • What are the advantages and disadvantages associated with implementing this type of pilot program? To what extent could this policy have an effect on the software development market? For example, could such a policy increase or decrease competition among vendors, dollar amounts bid on Federal contracts, or total life-cycle cost to the Federal Government? How could it impact new products developed or transparency in quality of vendor-produced code?
  • What metrics should be used to determine the impact and effectiveness of the pilot proposed in this draft policy, and of an open source policy more generally?
  • What opportunities and challenges exist in Government-wide adoption of an open source policy?
  • How broadly should an open source policy apply across the Government? Would a focus on particular agencies be more or less effective?
  • This policy addresses custom code that is created by Federal Government employees as well as custom code that is Federally-procured. To what extent would it be appropriate and desirable for aspects of this draft policy to be applied in the context of Federal grants and cooperative agreements?
  • How can the policy achieve its objectives for code that is developed with Government funds while at the same time enabling Federal agencies to select suitable software solutions on a case-by-case basis to meet the particular operational and mission needs of the agency? How should agencies consider factors such as performance, total life-cycle cost of ownership, security and privacy protections, interoperability, ability to share or reuse, resources required to later switch vendors, and availability of support?

If you have thoughts on any of these questions, you can email sourcecode@omb.eop.gov, participate in discussions on existing issues on GitHub, start a new one, or make a pull request to the draft policy on GitHub. You can see existing pull requests here and view all comments received here.

With this policy, the White House has fulfilled one of the commitments added to the second National Action Plan for open government in the fall of 2014. While there has been limited progress (or worse) on the dozens of other new and old commitments made in the three action plans published to date, this draft open source policy is a historic recognition of the principle that the source code for software developed by government agencies or contractors working for them can and should be released to other agencies and the general public for use or re-use.

Obama Administration Secretly Lobbied Against FOIA Reform In Congress

A Freedom of Information Act lawsuit showed that the Obama administration vigorously lobbied against Freedom of Information Act reform in Congress.  The documents and correspondence, which were obtained through the Freedom of the Press Foundation’s lawsuit against the Justice Department and reported out by Jason Leopold at Vice Media, showed that the administration was literally lobbying against its own policy becoming law.

The Department of Justice’s six page memorandum shows that the agency opposed Congress making the exact language in Attorney General Eric Holder and President Obama’s 2009 memorandums on FOIA law.

The Justice Department opposing FOIA reform directly conflicts with commitments made in the U.S. National Action Plan on Open Government required as part of its participation in the Open Government Partnership.

I asked Ambassador Power how the United States can be a credible leader on open government if the White House and DoJ do this. In an alternate universe, she and the administration would respond publicly.

Unfortunately, it’s easy to predict the outcome of this news: publicly committing to open government reforms and then undermining them privately will erode abysmal levels of trust in government even more.

In the face of hypocrisy from the Justice Department on this count, the public should call on their Senators to make the Freedom of Information Act reform legislation the House of Representatives passed in January into law.

Obama names top Facebook engineer director of White House IT, creates Presidential IT Committee

In its search for technology talent, the White House has been recruiting heavily from Google of late, including U.S. chief technology officer Megan Smith. Today, President Barack Obama showed that his administration also likes Facebook, announcing that engineer David Recordon would upgrade the White House’s technology infrastructure. The news was first reported by Yahoo.

“In our continued efforts to serve our citizens better, we’re bringing in top tech leaders to support our teams across the federal government,” said President Obama, in a statement. “Today, I’m pleased to welcome David Recordon as the Director of White House Information Technology. His considerable private sector experience and ability to deploy the latest collaborative and communication technologies will be a great asset to our work on behalf of the American people.”

On the one hand, it’s terrific to see The White House attract top tech talent. Getting David Recordon into public service should be a win for the American people. Based upon a somewhat cryptic hint he posted on Facebook last August, it appeared that he was involved in helping to fix Healthcare.gov and another unnamed important project. The blog post that went up at WhiteHouse.gov confirmed that Recordon was “one of those engineers.” Bringing the best engineers the administration can find into the U.S. Digital Service will help the nation avoid more IT catastrophes, and Recordon, a notable open standards advocate who helped develop OpenID, is clearly one of them. That’s good news.

On the other hand, while being the first “Director of White House Information Technology” is clearly great copy for the tech press, working to “ensure that the technology utilized by the White House is efficient, effective, and secure” sounds more or less like what the White House chief information officer should be, and has been, doing for years.

Just look at the responsibilities for the Office of the CIO. Per Federal News Radio, the White House CIO for the past two years, Karen Britton, stepped down in January 2015, without any announced replacement since. Michael Hornsby, the director of engineering and operations within OCIO, served as acting CIO. This all leads me to hypothesize that Recordon has effectively been named the new White House CIO but doesn’t have that title.

Regardless, here’s hoping Recordon’s considerable expertise leads to improvements in an information technology infrastructure that has come a long way since 2009 (read this) but still lags the private sector.

President Obama signed an official presidential memorandum today creating the role and establishing an “Executive Committee for Presidential Information Technology” made up of the “Assistant to the president for Management and Administration, the Executive Secretary of the National Security Council, the Director of the Office of Administration, the Director of the United States Secret Service, and the Director of the White House Military Office.”

According to the memorandum, which is embedded beneath and reproduced in plaintext below (it’s not online at WhiteHouse.gov yet), this committee “shall advise and make policy recommendations to the Deputy Chief of Staff for Operations and the Director with respect to operational and procurement decisions necessary to achieve secure, seamless, reliable, and integrated information resources and information systems for the President, Vice President, and EOP.”

In other words, these folks will advise the director on how to buy, build and run tech for the White House.

Presidential Memorandum White House IT:

[Photo Credit: Brian Solis]

THE WHITE HOUSE
Office of the Press Secretary

For Immediate Release March 19, 2015
March 19, 2015
MEMORANDUM FOR THE SECRETARY OF DEFENSE
THE SECRETARY OF HOMELAND SECURITY
THE DIRECTOR OF THE OFFICE OF MANAGEMENT AND
BUDGET
THE NATIONAL SECURITY ADVISOR
THE DIRECTOR OF THE OFFICE OF ADMINISTRATION
SUBJECT: Establishing the Director of White House
Information Technology and the Executive
Committee for Presidential Information Technology
By the authority vested in me as President by the Constitution
and the laws of the United States of America, and in order to
improve the information resources and information systems
provided to the President, Vice President, and Executive Office
of the President (EOP), I hereby direct the following:
Section 1. Policy. The purposes of this memorandum are to
ensure that the information resources and information systems
provided to the President, Vice President, and EOP are
efficient, secure, and resilient; establish a model for
Government information technology management efforts; reduce
operating costs through the elimination of duplication and
overlapping services; and accomplish the goal of converging
disparate information resources and information systems for the
EOP.
This memorandum is intended to maintain the President’s
exclusive control of the information resources and information
systems provided to the President, Vice President, and EOP.
High-quality, efficient, interoperable, and safe information
systems and information resources are required in order for the
President to discharge the duties of his office with the support
of those who advise and assist him, and with the additional
assistance of all EOP components. The responsibilities that
this memorandum vests in the Director of White House Information
Technology, as described below, have been performed historically
within the EOP, and it is the intent of this memorandum to
continue this practice.
The Director of White House Information Technology, on
behalf of the President, shall have the primary authority to
establish and coordinate the necessary policies and procedures
for operating and maintaining the information resources and
information systems provided to the President, Vice President,
and EOP. Nothing in this memorandum may be construed to
delegate the ownership, or any rights associated with ownership,
of any information resources or information systems, nor of any
record, to any entity outside of the EOP.
Sec. 2. Director of White House Information Technology.
(a) There is hereby established the Director of White House
Information Technology (Director). The Director shall be the
senior officer responsible for the information resources and
information systems provided to the President, Vice President,
and EOP by the Presidential Information Technology Community
(Community). The Director shall:
(i) be designated by the President;
(ii) have the rank and status of a commissioned
officer in the White House Office; and
(iii) have sufficient seniority, education, training,
and expertise to provide the necessary advice,
coordination, and guidance to the Community.
(b) The Deputy Chief of Staff for Operations shall provide
the Director with necessary direction and supervision.
(c) The Director shall ensure the effective use of
information resources and information systems provided to the
President, Vice President, and EOP in order to improve mission
performance, and shall have the appropriate authority to
promulgate all necessary procedures and rules governing these
resources and systems. The Director shall provide policy
coordination and guidance for, and periodically review, all
activities relating to the information resources and information
systems provided to the President, Vice President, and EOP by
the Community, including expenditures for, and procurement of,
information resources and information systems by the Community.
Such activities shall be subject to the Director’s coordination,
guidance, and review in order to ensure consistency with the
Director’s strategy and to strengthen the quality of the
Community’s decisions through integrated analysis, planning,
budgeting, and evaluation processes.
(d) The Director may advise and confer with appropriate
executive departments and agencies, individuals, and other
entities as necessary to perform the Director’s duties under
this memorandum.
Sec. 3. Executive Committee for Presidential Information
Technology. There is hereby established an Executive Committee
for Presidential Information Technology (Committee). The
Committee consists of the following officials or their
designees: the Assistant to the President for Management and
Administration; the Executive Secretary of the National Security
Council; the Director of the Office of Administration; the
Director of the United States Secret Service; and the Director
of the White House Military Office.
Sec. 4. Administration. (a) The President or the Deputy
Chief of Staff for Operations may assign the Director and the
Committee any additional functions necessary to advance the
mission set forth in this memorandum.
(b) The Committee shall advise and make policy
recommendations to the Deputy Chief of Staff for Operations and
the Director with respect to operational and procurement
decisions necessary to achieve secure, seamless, reliable, and
integrated information resources and information systems for the
President, Vice President, and EOP. The Director shall update
the Committee on both strategy and execution, as requested,
including collaboration efforts with the Federal Chief
Information Officer, with other government agencies, and by
participating in the Chief Information Officers Council.
(c) The Secretary of Defense shall designate or appoint a
White House Technology Liaison for the White House
Communications Agency and the Secretary of Homeland Security
shall designate or appoint a White House Technology Liaison for
the United States Secret Service. Any entity that becomes a
part of the Community after the issuance of this memorandum
shall designate or appoint a White House Technology Liaison for
that entity. The designation or appointment of a White House
Technology Liaison is subject to the review of, and shall be
made in consultation with, the President or his designee. The
Chief Information Officer of the Office of Administration and
the Chief Information Officer of the National Security Council,
and their successors in function, are designated as White House
Technology Liaisons for their respective components. In
coordination with the Director, the White House Technology
Liaisons shall ensure that the day-to-day operation of and
long-term strategy for information resources and information
systems provided to the President, Vice President, and EOP are
interoperable and effectively function as a single, modern, and
high-quality enterprise that reduces duplication, inefficiency,
and waste.
(d) The President or his designee shall retain the
authority to specify the application of operating policies and
procedures, including security measures, which are used in the
construction, operation, and maintenance of any information
resources or information system provided to the President, Vice
President, and EOP.
(e) Presidential Information Technology Community entities
shall:
(i) assist and provide information to the Deputy
Chief of Staff for Operations and the Director,
consistent with applicable law, as may be necessary to
implement this memorandum; and
(ii) as soon as practicable after the issuance of
this memorandum, enter into any memoranda of
understanding as necessary to give effect to the
provisions of this memorandum.
(f) As soon as practicable after the issuance of this
memorandum, EOP components shall take all necessary steps,
either individually or collectively, to ensure the proper
creation, storage, and transmission of EOP information on any
information systems and information resources provided to the
President, Vice President, and EOP.
Sec. 5. Definitions. As used in this memorandum:
(a) “Information resources,” “information systems,”
and “information technology” have the meanings assigned by
section 3502 of title 44, United States Code.
(b) “Presidential Information Technology Community” means
the entities that provide information resources and information
systems to the President, Vice President, and EOP, including:
(i) the National Security Council;
(ii) the Office of Administration;
(iii) the United States Secret Service;
(iv) the White House Military Office; and
(v) the White House Communications Agency.
(c) “Executive Office of the President” means:
(i) each component of the EOP as is or may
hereafter be established;
(ii) any successor in function to an EOP component
that has been abolished and of which the function is
retained in the EOP; and
(iii) the President’s Commission on White House
Fellowships, the President’s Intelligence Advisory
Board, the Residence of the Vice President, and such
other entities as the President from time to time may
determine.
Sec. 6. General Provisions. (a) Nothing in this
memorandum shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive
department, agency, entity, office, or the head
thereof; or
(ii) the functions of the Director of the Office of
Management and Budget relating to budgetary,
administrative, or legislative proposals.
(b) This memorandum shall be implemented consistent with
applicable law and appropriate protections for privacy and civil
liberties, and subject to the availability of appropriations.
(c) This memorandum is not intended to, and does not,
create any right or benefit, substantive or procedural,
enforceable at law or in equity by any party against the
United States, its departments, agencies, or entities, its
officers, employees, or agents, or any other person.
BARACK OBAMA
# # #

White House moves WhiteHouse.gov to HTTPS by default, tying privacy to security

A .gov website that uses HTTPS encryption by default for its visitors is a superb example of “privacy by design.” On March 6th, the Federal Trade Commission enabled encryption for FTC.gov. When I visited whitehouse.gov tonight, I found that the White House digital team had flipped the site for what’s likely the most prominent government website in the world. The White House Web team confirmed the change just after midnight.

According to Leigh Heyman, director of new media technologies at the White House, over the next few days, the team will be migrating other domains, like the bare domain name, whitehouse.gov, and m.whitehouse.gov, over to HTTPS as well, joining http://www.whitehouse.gov.

“Americans care about their privacy, and that’s what the White House’s move to HTTPS by default is about,” said Eric Mill, an open government software engineer at 18F. “The White House’s use of HTTPS protects visitors’ personal information and browsing activity when they connect to whitehouse.gov across the vast, unpredictable network of computers that is the internet.”

If you’re unfamiliar with HTTPS, it’s a way of encrypting the way you connect to a Web server online. Specifically, HTTPS refers to layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS). What that means in practice is that your requests to the Web server and the pages returned from it are encrypted and decrypted. Why does that matter? Consider, for instance, if someone is looking up sensitive health information online and visits a government website without HTTPS that also has data collection.

“Use of https is generally considered to be good practice, however, as opposed to unencrypted, regular http, although it adds a small amount of extra processing and delay to do the encryption,” commented Eugene Spafford, a Purdue University computer science professor and founder and executive director of the Center for Education and Research in Information Assurance and Security.

“HTTPS primarily provides three things: greater authentication, stream privacy, and message integrity. A quick look at the site doesn’t reveal (to me) anything that would likely require privacy or heightened message integrity. The most immediate consequence is that parties connecting to the website can have increased confidence of the site’s authenticity because a signed certificate will be employed. Of course, most people don’t actually verify certificates and their roots (cf. Superfish), so this isn’t an ironclad identification.”

Why does this matter?

“This immediately creates a strong baseline of privacy and security for anyone in the world, American or otherwise, who visits the White House website — whether to read their blog, learn more about the President, download official policies, or anything else inside whitehouse.gov,” said Mill.

“At a basic level, what a person sees and does on whitehouse.gov should be between them and the White House. When someone reads official policies published on whitehouse.gov, they should be confident that policy is real and authentic. The White House’s use of HTTPS by default means those promises just got a lot stronger.”

Ashkan Soltani, the FTC’s chief technologist, explained why that federal agency shifted at the Tech@FTC blog:

As a quick primer, HTTPS encryption secures your communications while in transit with websites so that only you and the website are able to view the content. The lock icon now appearing in your browser represents that the communication is encrypted and eavesdroppers are unable to look in. At this time, secure browsing is generally not a requirement for federal websites, but it is considered an industry best practice. Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information. It’s an important step when websites or apps collect personal information, and is a great best practice even if they don’t.

What broader trends does this tap into?

The White House moving to HTTPS is part of a larger move to lead by example in promoting privacy and security best practices, related Soltani, over email.

“I believe we’ll see a slow shift over the next few years of websites and services moving to HTTPS by default,” he said, “something a number of standards bodies including ISOC, IETF, and IAB have also called for.”

Along with FTC.gov, Mill highlighted the move of the Privacy and Civil Liberties Oversight Board (PCLOB), the independent agency charged with balancing the rights of American citizens against the security steps taken in the wake of the terrorist attacks of 9/11, to HTTPS.

They’re far from alone: “Last month, 18F worked with 19 other .gov domains to go the distance to ensure browsers would always connect to them over HTTPS,” said Mill.

“It’s important to understand that what’s happening now in the federal government is what the broader internet has been working on for a while: making privacy the default.

The standards bodies that guide the internet’s development are recommending that the internet be encrypted by default, instructing their working groups to prioritize encryption in new protocol development, and declaring a more secure future for the web. The fastest versions of HTTP today already require encryption in major browsers, and it’s becoming easier to imagine a future where web browsers proactively warn users about unencrypted websites.

This is also why every .gov that 18F builds with its partner agencies uses HTTPS, full stop. We work hard to demonstrate that HTTPS can be fast, inexpensive, and easy. It’s a better future, and a practical one.”

“The kind of privacy and security the White House is offering its visitors is what we should come to expect from the entire web, not just websites someone thinks are “sensitive”. All Web browsing is sensitive, and the White House’s leadership here reinforces that.”

It looks like Chris Soghoian, the principal technologist at the Speech, Privacy and Technology Project in the American Civil Liberties Union, is going to have a good day tomorrow.

While the Obama administration has taken its lumps on digital privacy after revelations of bulk surveillance of the Internet backbone by the National Security Agency, this is undeniably an important step towards securing the traffic of millions of people who visit whitehouse.gov every month.

Now that the White House is leading by example, hopefully other federal, state and local government entities will also adopt the standard.

“Everyone should want a simple feeling of privacy as they use the web, and confidence that they’re at the real and exact website they meant to visit,” said Mill. “While not everyone is highly attuned to watching for that padlock in their browser, the more websites that add it — especially high profile ones like the White House — the more that people can depend on that promise being met.”
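
For readers who want to check what "HTTPS by default" means for the www, bare and mobile hostnames mentioned above, the following Python is an added example, not code from the White House, 18F or anyone quoted in this post. It audits captured responses for two things: that a plain-HTTP request is redirected to an https:// URL, and that the HTTPS response sets a usable Strict-Transport-Security header (RFC 6797), the standard way to tell browsers to keep using HTTPS. The hostnames under the reserved .example domain and the response data are constructed for the illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data: (status, headers) observed for a plain-HTTP GET and
# an HTTPS GET of "/" on three hypothetical hosts (www, bare domain, mobile).
SAMPLE = {
    "www.agency.example": {
        "http": (301, {"Location": "https://www.agency.example/"}),
        "https": (200, {"Strict-Transport-Security":
                        "max-age=31536000; includeSubDomains; preload"}),
    },
    "agency.example": {
        "http": (200, {"Content-Type": "text/html"}),
        "https": (200, {"Content-Type": "text/html"}),
    },
    "m.agency.example": {
        "http": (302, {"location": "http://m.agency.example/home"}),
        "https": (200, {"strict-transport-security": "max-age=0"}),
    },
}


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')          # max-age may be a quoted string
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":               # not in the RFC; preload-list token
            policy["preload"] = True
    return policy


def audit_host(http_resp, https_resp):
    """Return a list of findings; an empty list means HTTPS is the default."""
    findings = []
    status, headers = http_resp
    location = get_header(headers, "Location")
    if status not in REDIRECT_CODES or location is None:
        findings.append("plain HTTP request is answered without a redirect")
    elif urlsplit(location).scheme.lower() != "https":
        # Relative or http:// targets keep the visitor on an unencrypted page.
        findings.append("redirect from plain HTTP does not go to an https:// URL")

    _, headers = https_resp
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HTTPS response sets no Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age == 0:
            findings.append("Strict-Transport-Security max-age=0 clears the policy")
    return findings


def audit(sample):
    """Audit every host in a {host: {"http": resp, "https": resp}} mapping."""
    return {host: audit_host(r["http"], r["https"]) for host, r in sample.items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else findings)
```
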