Open Source with the Home Office and the British Computing Society

Recently there has been far more interest from the government in Open Source software than we have ever seen before, at Cabinet Office level, at departmental level and in Local Authorities. Last night was the first of two sessions hosted by the British Computing Society’s Open Source Specialist Group to help the Home Office IT team gain a better understanding of why they are not taking advantage of as much Open Source software as they feel they should be, and to examine some of the issues and obstacles that have led to them being locked in to solutions that don’t give them the freedom and cost benefits they are seeking.

The format of the evening was a panel debate, with Mark Elkins of the BCS chairing and Tariq Rashid of the Home Office proposing the topics for discussion. On the panel were representatives from a number of large system integrators (SIs) who work on large scale government projects. The panel was:

  • Darren Austin, UK Chief Engineer, Atos Origin.
  • Adam Jollans, Program Director – Open Source and Linux Strategy, IBM Systems & Technology Group.
  • Mike Robertson, Head of Public Sector Business, Savvis.
  • Gurpritpal Singh, CTO, UK Technology Consulting, Hewlett Packard.

Each round ran the same way: Tariq would pose a question, the panel members gave their responses, and then the floor was opened for questions and comments from the audience. This format worked quite well, although some members of the audience were clearly unused to requesting to speak and then waiting to be called, and rather disrespectfully interrupted the proceedings on a number of occasions to voice their opinions during the panel responses. Please, if you go to an event with a set format, don’t disrupt it; that just makes the community seem unprofessional.

I won’t break down the responses question by question (I believe audio will be published at some point, and I didn’t take good notes), but some of the key points raised were:

The System Integrators are perfectly happy to work with Open Source; the customer just has to ask for it. All the SIs on the panel said this. They already provide Open Source solutions to other countries, and they already use Open Source software where they are providing just a service (it cuts their costs and gives them more control). They pitch proprietary software at procurement contracts simply because that is what wins them here.

When the customer asks for a service to be performed to open standards (yes, there was a discussion of the definition of an open standard, the problems of FRAND licensing and the need for Free standards), the integrator will generally use Open Source software because it reduces their costs (a little) but, much more importantly, gives them the freedom to commercialise the overall solution in the way they want, without complicated negotiations with a third party supplier. The implication of this seemed to me to be that the government still gets screwed over, but only by the SI, and possibly not so badly.

Purchasers of smaller solutions, rather than multi-million pound services projects, buy from a catalogue, the G-Cat or something like that. This is a list of approved, vetted, commercial off the shelf (COTS) solutions that are safe to use (“safe” in this context meaning you won’t get fired if the thing you bought was on the catalogue). This catalogue is hard to get on to. Suppliers of proprietary software have to jump through hoops to prove that they are good enough as a company to supply the licences, and there may be some technical appraisal; I don’t really know the details. The point is that the process is hard, it takes time, and it probably costs money. Suppliers go through that process and write it all off as cost of sales, because they know that if they get on the list then the gravy train is on its way into town. Open Source projects, with great code and a solid, active community but no real concept of “financial stability” (and equally no concept of “financial instability”), often have no budget to jump through hoops and fill out documents as a presales exercise, because they get, and want, no financial reward at the end of the process when someone in local government downloads and uses the software for free. If the government wants Free Software in the catalogue, it is going to have to pick up the tab in the short term for the presales activity and engage some knowledgeable consultants (yes, we will do that kind of thing) on a project to go through the evaluation process and fill out all the forms, so that in the longer term better value selections can be made from the catalogue.

There was quite a discussion about the ownership of risk. This is important to government purchasers, but more as a concept than as a reality. Large projects have big penalty clauses, which means that the government likes to work with suppliers who have the financial wherewithal to live up to those clauses. I don’t think I am revealing much about my company’s finances by saying that we would struggle to demonstrate that we could pay up on a penalty clause running into tens of millions of pounds. Does the government exercise these penalties on a regular basis? No. As one of the panelists mentioned, they would swiftly end up owning all the SIs if they did, and whilst the UK government nationalising IBM is a fun thing to contemplate, it really isn’t going to happen. I made the point at this stage that the government seems to get a lot of comfort from knowing “who to sue” if things break. What they need to do is learn how to gain comfort from knowing “how to fix it”, and from knowing that they can engage any other supplier to fix broken things. Having open code, and the legal right to modify it to your requirements and to have other people modify it to your requirements, actually reduces risk. Financial penalties do not reduce risk at all; they just mitigate your liability when things go wrong.

Next week there will be another debate covering slightly different topics. I believe the format and panel will stay the same, which I think works very well (subject to a well behaved audience, of course). The topics are listed below; feel free to discuss them in the comments and I will try to pass on some of the most insightful at the event.

Evening Debate 2 – Tuesday 1st March

1. Security. OSS is insecure compared to commercial software?

  • By what criteria can we select software to minimise security risks?
  • Does OSS need a different approach to patching?
  • Can we simply use empirical evidence when comparing OSS with closed software? Statistics for internet browsers are common: published vulnerabilities, known exploits, time to fix.
  • Key question for HMG is: all things being equal, does open code mean vulnerabilities can be discovered and exploited before there is time to fix them?

2. Buy-not-Build. Can OSS actually benefit HMG because HMG doesn’t want custom or re-engineered software?

  • HMG generally asks IT suppliers to build systems from COTS components and minimise customisation and re-engineering – it doesn’t want to maintain special code because of cost and risk. So does a significant benefit of OSS not apply to HMG?

3. Legal advice for OSS

  • OSS has some unique legal aspects compared with commercial software – where to get advice? Myths around legal obstacles and obligations are going unchallenged.
  • Patents and liability issues are often raised – resolved by major OSS suppliers who will shield customers?

4. Long Term Strategy

  • OSS won’t happen overnight.
  • Should we work backwards from insisting on open information formats for HMG interactions with the public and other sectors? This way the use of open standards compliant software filters back into HMG organisations.

5. Other Ideas

4 Comments

  • Charlie Hull says:

    Sad to see the panel consisting entirely of large suppliers and not a single SME; lots of the innovators in open source work for smaller organisations. The updated Government Action Plan doesn’t mention this either. We’ve also noticed a lot more activity in both national and local government sectors with regard to OSS.

    • Alan Bell says:

      Actually I don’t think an SME representative on the panel would have been a particular improvement. There were lots of comments from SMEs in the audience, including myself. The panelists were a very good selection.

  • I love the bit about reduction of risk. This is such monumental nonsense that I can’t believe anybody still buys this. Almost everybody gets under-served by an ICT provider from time to time (commercial or FOSS), but nobody ever seeks legal redress because of the cost (except in cases of fraud). They either continue with a substandard product or go somewhere else. If anybody claims different, ask them to provide a list of 10 lawsuits in which medium-sized projects sued the provider.

    I suggest that the perfect case for open software and security is HBGary – a security company whose custom built website got hacked through SQL injection. If they had used (properly maintained and patched) Drupal, this would have been much less likely to happen. Obscurity (in code) never means security. Another example is Adobe, whose proprietary software is now the prime vector for security attacks. But as Steve Gibson says, OS code isn’t more secure by definition. It is tried and tested code. And OS code is much easier to patch by the development community. Just see how quickly Firefox squashes bugs compared to IE. Or the power of TrueCrypt.

    Finally, why doesn’t the government require that any code written for a tax-payer funded project be released under an open licence? Wouldn’t that automatically reduce the number of proprietary bidders or change their behaviour?

    Another option is to evaluate whether interface changes in an existing platform aren’t as much of an issue as switching to a free one. For instance, why not go from Win XP to Ubuntu rather than Win 7? The interface change is less and the long-term cost savings are enormous. (But now I’m dreaming.)

    But perhaps the most important message. There is no intrinsic difference in usability or functionality between open source and closed source. They are just as likely to be bad or insecure as each other. With OS, it’s just less difficult to change or customise. And taxpayers’ money goes to projects that benefit everyone.
