When is GOTS not in the national interest?
The modern open-source software (OSS) movement can be traced back to the early 1980s with the birth of Richard Stallman’s GNU Project and the Free Software Foundation.
This revolution ushered in a new era of egalitarian software development, untethered from corporate interests. At the time, it would have been impossible to fathom what is now a truism— that OSS is one of the best things that has happened to commercial, for-profit software makers.
Although paradoxical, the success of open source software is principally the result of market forces — specifically, the desire to commoditize complementary products to increase demand for one’s own products. In every organization, software operates as an ecosystem with many interconnected software products. If an enabling technology for a particular software product is made cheaper (commoditized), that increases demand for the product because the overall ecosystem has become less expensive. The idea can be summed up in a quote from Joel Spolsky’s wonderful essay on the topic: “Smart companies try to commoditize their products’ complements.”
This drive for complementary commoditization turns out to be a dramatic forcing function for innovation. Companies are required to develop more value-added capabilities if they want to win and maintain business. Customers see a world with reduced costs and more interoperability. This pressure is maintained because of the depth and breadth of the open-source community. OpenHub.net, an online community and directory of free and open-source software (FOSS) tracks almost 500,000 OSS projects, nearly 30 billion lines of code, and over 5 million contributors. Interestingly, one study found that the average commercial application was more than 35% OSS with internal development projects pushing the needle at 75% open-source. OSS is huge. And it is everywhere.
This leads us to examine GOTS or “Government-off-the-Shelf” software. The idea behind GOTS is that the government builds the software itself (or, more likely, contracts with an external firm). The government then owns and maintains the source code and any government agency can apply to use the GOTS software for free. This model is problematic for a number of reasons.
First, we must recognize that GOTS is not a good deal. A representative analysis performed by the U.S. Geospatial Intelligence Foundation (USGIF) found that GOTS programs cost the government 70% more than similar commercial-off-the-shelf (COTS) solutions.
However, cost is a red herring for the real challenge presented by GOTS software solutions. On the surface, GOTS seems very similar to OSS which implies that it has the larger structural advantages of OSS. If handled cautiously, it can have those advantages, but care needs to be taken about what sort of existing software is being commoditized. The U.S. has a national interest in maintaining a strong software development capability. We are fortunate to be the dominant software-building country in the world. According to the Forbes 2000 list, the total market capitalization of U.S. internet, software, and computer services companies is close to $4.7 trillion — more than twice the rest of the world combined. Software tech is an enormous comparative advantage for the U.S. As a result, it is clearly in the national interest to have the government avoid directly competing against and potentially weakening the U.S. private sector.
In the modern era, power struggles between nation-states were the norm. In contrast, most 21st century conflict takes place among a variety of diverse actors, not limited to nation-states, and on the non-kinetic battlegrounds of economic and industrial competition (in addition to diplomatic and military arenas). One of the supreme commitments of the U.S. government is to protect the security of the nation; central to this is recognizing that security is tightly linked to prosperity. Maintaining technological superiority is at the heart of this. Specifically, we need to identify how and where the government is spending money that may unintentionally harm American industry leading to compromised national security.
It is important to note that governments around the world, including our adversaries, are actively depriving U.S. software companies of opportunities in key sectors because they seek to create a protected domestic industry — a movement called digital sovereignty. Although inadvertent, the U.S. government is helping them by reducing market access and directly competing with its economic base. Examples of this misapplied competition are unfortunately common. SIMDIS is a GOTS software suite developed by the U.S. Naval Research Laboratory for use in 2D and 3D geospatial analysis. As a program, SIMDIS has its roots in the late 1980s and has been under development ever since. SIMDIS promotional materials boast that it has provided cost savings and avoidance “for the DOD over similar COTS products” directly admitting that the existence of the program is in competition with the U.S. private sector.
Another example would be Ghidra which is a “software reverse engineering” (SRE) toolset developed as GOTS and subsequently open-sourced by the NSA. It also directly competes with privately developed disassemblers and decompilers, effectively commoditizing these products. In neither case, should we assume ill-will or malice on the part of these programs or their contributors. However, what we should expect is that when programs like this are executed, the effect on U.S. national security will be complex and multi-faceted and it may be the case that commoditizing a private-sector product is not in the best long-term interest of the United States. Our own experience is colored by the fact that many government agencies have tried to rebuild our products (not successfully so far) at great expense to the American taxpayer. These failures are unsurprising given the intrinsic risk in developing enterprise software, where the expected outcome is delay and failure: 98% of OSS projects fail — so we should expect similar success rates for its U.S. government cousin, GOTS.
The U.S. government should use successful OSS — as should commercial organizations. It fuels innovation, controls costs, and not doing so puts our nation at risk. But the government should also recognize that competitor countries are deliberately investing in OSS to compete against and commoditize U.S. dominance in software as part of their security strategy. Fortunately for the U.S., the rest of the world is a long way from taking on America’s commanding position in software; instead they must fight a proxy war to commoditizing piece-by-piece to. Github, the premier OSS code repository hosting platform, bears out this economic trend: Since 2014, OSS contributions from developers outside the U.S. have surpassed those of U.S. contributors. In 2019, fully 80% of Github contributions came from non-U.S. developers. Chinese developers have created 48% more source repositories in 2019 than they did 2018, and the trend will likely continue. Iranian developers had the second-highest rate of growth in open source projects created in public repositories. These trends continue to accelerate, as we are now experiencing a new Moore’s Law in which the number of OSS projects is doubling every 14 months. Given this competitive landscape, we must ensure that U.S. procurement policy does not exacerbate these trends.
What is required is a highly nuanced approach to GOTS software. As previously stated, GOTS software is more expensive than both COTS and OSS, since the cost to develop and maintain is born entirely by the government and not the broader market. Leaving cost aside, there is a critically important national interest question. There are good reasons to build GOTS software — e.g. when the software itself will be classified. However, where GOTS software may compete with U.S. companies, we should consider that we are likely harming the very interests we aim to protect. When GOTS software is strategically leveraged to commoditize innovations from adversarial nations or to provide a capability that does not exist commercially, it is advancing the national interest. Creating a more rigorous process to review and re-consider the national interest in this context will improve U.S. competitiveness and bolster national security.
Shyam Sankar is president of Palantir Technologies.