Comment by AnthonyMouse

3 months ago

The general problem here is that we need to do something about the government contracting process. It has been thoroughly captured by large government contractors who do mediocre work for enormous sums of money while excluding anyone who could do better from the process through corruption and red tape.

Which in turn means that important systems become frozen in time because upgrade attempts become boondoggles that can't meet requirements until they're so far over budget they get canceled, or never attempted.

One of the major problems that should be fixed immediately is that the government pays for code to be written but then doesn't own it, which makes them dependent on the contractor for maintenance. Instead they should be using open source software and, when custom code is necessary, requiring it to be released into the public domain, both for the benefit of the public (who might then be able to submit improvements to the code they're required to use!) and so that maintenance can be done by someone other than the original contractor.

You touch on an interesting idea. Imagine if there were a "USA ATC Github" open-source repo. As a consultant, you bid on maintenance of the repo and get repo ownership privilege in exchange for your contract. Now you are paid to contribute to the repo for the duration of the contract. The public gets to see if you are worth your fee. If your contract ends, ownership is revoked and handed to the next consultant.

The obvious downside to this is that hardening code becomes a potentially large amount of effort/overhead that could normally be concealed behind binaries and proprietary code.

  • > The obvious downside to this is that hardening code becomes a potentially large amount of effort/overhead that could normally be concealed behind binaries and proprietary code.

    This is not a downside, it's a benefit.

    Suppose an adversarial country eventually gets access to the proprietary code. Do you want members of the public to have found and patched any obvious vulnerabilities before this point? Yes, you do.

A lot of this is also driven by the government insisting on every modernization effort covering every issue, and then changing their mind when they learn that it will take 10 years to upgrade, so they spend 2 years of requirements gathering to get ~6 months of upgrades, which is basically enough to keep things barely maintained...