Open Source Software and Security

Back in December the UK Government published their Open Source procurement toolkit (in PDF and ODF formats). It is mostly aimed at public sector procurement officials, but is of general interest too. One document in particular I would like to pick out and quote verbatim (which I can do under the Creative Commons-inspired Open Government Licence) relates to the myth that the government can’t use Free Software because of security concerns. This is completely and utterly false. Free Software can be put through the certification processes just like closed software, but for most normal applications formal certification makes little difference one way or another, as this is not how solutions are accredited. So here it is, in their own words:

Open Source Software and Security

December 2011

This note, developed in consultation with CESG, highlights some of the key security considerations for the use of open source software in Government, and their implications for procurement practice. It focuses on dispelling common security myths about open source software which prevent a level playing field for its evaluation and use in Government. It is published in recognition that a wider audience wish to understand the UK Government’s position on open source software and security. Public sector customers can obtain further information from CESG in GPG38.

1. Open source, as a category, is no more or less secure than closed proprietary software.

All software, including open source and closed proprietary, will have vulnerabilities. Individual software products, regardless of category, will have strengths and weaknesses in security characteristics such as provenance, quality, support, and vulnerability management. Given the range of vulnerabilities and diversity of exploits, on balance, neither category is considered more or less secure than the other.

2. Therefore, open source software cannot be excluded from an options analysis for Government IT.

Given that no one type of software is inherently more secure than another, neither open source nor closed proprietary software should be excluded from an options analysis for security reasons. It is Government policy for open source software to be evaluated in an options analysis, and for suppliers to provide appropriately detailed evidence of the reasoning behind their selection. It is entirely possible that an open source option is not selected for valid reasons, such as insufficient functional fit, inability to meet performance requirements, or higher cost of ownership due to more expensive security controls. It is important that the same selection criteria are applied to all options. It is also important that requirements are not exaggerated, unnecessarily inflating costs.

3. CESG does not accredit software products. Departments accredit their own ICT solutions.

It is a myth that some software products are “accredited” for use in Government. This is a misunderstanding of the security framework and accreditation process. Departmental accreditation of their own IT solutions is a sophisticated and rigorous process encompassing business benefit, threat and risk assessment, hardware, software, communications, and human factors. CESG does operate assurance schemes through which security enforcing products, both open source and closed proprietary, can be evaluated and certified. Such certification assures the public sector that security enforcing products, such as firewalls and cryptography tools, can mitigate various risks to its information. The large majority of software used to build Government IT solutions does not fall into this category. Furthermore, the risk managed decision whether or not to use such software remains with the Department’s information risk owner.

Open Standards Open Opportunities

Flexibility and efficiency are perhaps not two words that have traditionally been associated with the public sector in general, and certainly not with government IT. This might change though, and you can help nudge it in the right direction. Last week, just before the budget was announced in front of a packed House of Commons, there was this little exchange:

John Pugh (Southport, Liberal Democrat)

To ask the Minister for the Cabinet Office what recent assessment he has made of Government policy on open source software and open standards; and if he will make a statement.

Francis Maude (Minister for the Cabinet Office; Horsham, Conservative)

We have always made clear that, where appropriate, Government will procure open source solutions.

Open source products are used in the delivery of huge database programmes—such as the Indian Identity card scheme—at a greater scale and for much less cost than we have experienced in the past.

Gov.uk, the new platform for publishing in UK Government, employs the same open source technologies.

It’s being delivered for a fraction of the cost of previous Government web schemes.

So not a big long speech, but there it is, said in the House and recorded for posterity, with the transcript of the oral answers in Hansard and on theyworkforyou.com.

The government is moving on Free Software: there is a very high-level understanding of the need to avoid lock-in, promote re-use and remove the barriers to adoption for Open Source software. They have been taken for a ride by a bunch of proprietary suppliers who have sold them the same old stuff over and over again, with contracts that tie the government down and keep the gravy train rolling. There is no massive appetite for the government to contribute directly to free software projects, but they are very willing to have more open software from their existing and new suppliers, and to have those suppliers be good citizens in the open source community.

There appears to be a general alignment of (and indeed confusion between) open source and open standards. What the government really appears to want is open standards, with open source software as a means to get to an environment where open standards are prevalent. This will give them the re-use and interoperability that they really want.

To this end the Cabinet Office is running a public consultation at the moment, asking you to comment on their thinking in the area of open standards. Don’t be misled though, this is all about open source really, and they really, really want a bunch more responses to their consultation. You can view the consultation website here:

http://consultation.cabinetoffice.gov.uk/openstandards/

It is a bit of an epic read: there is a 31-page PDF describing the consultation, then you can go on to provide your responses on the website, where your answers will be published along with those of everyone else. I don’t think I have ever filled in a form where my answers were broken down into chapters before, but there is a first time for everything. Chapter 1 is all about how they should define what an open standard actually is; kind of like art, you know it when you see it. Chapter 2 discusses whether open standards should be mandatory (expect some detailed answers from proprietary suppliers in this section explaining why the world would end if openness was not optional). Chapter 3 is all about international alignment and would be a great place for comments from people who are not UK based but for whatever reason think we should be more interoperable at a government level.

Please do have a read of it and browse the questions and answer any you feel like giving your opinion on. Don’t feel you have to answer them all, or give long answers. I am assured that this consultation will make a difference.

Westminster eForum Speech

Today I had the pleasure of addressing the Westminster eForum event on Free and open source software in business, in government. I had a five minute slot following the excellent Karsten Gerloff of the Free Software Foundation Europe, then after speeches from Paul Holt, Andrew Katz and Christopher Roberts we had a panel Q&A with questions from the audience. Here are the notes from my speech, transcripts of the whole event will be distributed around Westminster. The seminar was sponsored by our friends at Sirius.

Hello & Good Morning Ladies & Gentlemen.

My name is Alan Lord and I am co-owner of The Open Learning Centre; an Open Source Software Consulting and Services business based in Surrey.

In the few minutes I have I would like to briefly discuss a few of the themes that were suggested for this session.

So, starting with the first one then:

The challenges faced by small, medium and large organisations implementing Free & Open Source Software?

For me, one of the key challenges is Procurement:

Procurement practices have not kept pace with changing times. Existing policies and procedures often struggle with the idea of acquiring something that is “free”. In addition, in our Free Software marketplace, many suppliers do not have the budgets or resources to participate in lengthy tendering processes and, frankly, often have better and less costly opportunities to pursue elsewhere.

Another challenge is lack of familiarity and knowledge: there is still a significant proportion of the population who haven’t really heard of, or don’t understand, what Free & Open Source Software is, even though they may use it every day. The Open Source community has made tremendous inroads and awareness is definitely increasing, but bear in mind, we are competing against companies with multi-billion dollar marketing budgets.

Now I’d like to move on to mention something about:

The costs of deploying Free and Open Source software?

Firstly, it’s important to recognise that the “free” in Free Software generally refers to freedom and not necessarily the price; although Open Source Software is frequently zero cost too. It should be recognised that implementing any software solution has costs, whether or not the software itself is freely available.

Time, of course, is not free; training, consulting and other professional services require people and knowledge, all of which have a cost whether they be internally or externally sourced. Although I feel fairly confident in saying that Open Source providers tend to charge comparatively less, I would recommend you use your experience to estimate and budget for the financial costs of the professional services you will need to acquire. Typically, the work required will be similar, in volume at least, for any given project whether Free or proprietary.

The financial benefits of Open Source really make an impact once you start using it: There are no ongoing licensing fees; you may copy and replicate what you have as many times as you wish. Product development, bug fixes and new features can generally be introduced at your discretion, and not that of your software vendor.

Another question that is often discussed is:

Is Open Source Software vulnerable?

Open Source Software is widely regarded as being inherently more secure than comparable proprietary software. Generally I would concur with this; particularly with regard to Operating Systems such as Linux and BSD. However, no software is ever infallible or 100% secure, so as an IT manager one must take all available precautions.

Many of the stories of Open Source vulnerabilities are, in the end, down to lack of skill or knowledge in setting up and maintaining these systems; this is just the same as with the proprietary alternatives. Again, skills and good education are the key to minimising these risks.

Free and Open Source Software is created in a very different way to legacy software. The ‘source code’, or instructions, is public; anyone can look at it. In a well managed Open Source project this visibility actually helps to improve the security of the end product. The benefit of this code transparency was famously described by Eric S. Raymond, a well known Open Source author and advocate:

“Given enough eyeballs, all bugs are shallow.”

And finally I’d like to touch upon the question:

Who is responsible if Open Source Software is compromised or malfunctions?

Well – to be blunt. You are.

But then how is this different to proprietary solutions? If you’ve ever read a License Agreement for proprietary software then I’m sure you will have noticed that they start by disclaiming all liabilities, warranties and risks. Here’s one sentence taken from a very famous proprietary software vendor’s license agreement:

“The entire risk arising out of use or performance of the OS Components AND ANY SUPPORT SERVICES remains with you.”

If your chosen proprietary software is compromised or malfunctions what happens? Basically, you await the benevolence of the manufacturer, who is hopefully still in business and has a copy of the version of your product. With Free and Open Source Software, you will ALWAYS have a copy of the source code available.

A key feature of Open Source licensing, and something that is specifically NOT offered in the proprietary world, is the empowerment to improve and change it yourself. This doesn’t mean that you have to write the code though, there are lots of developers who will do that for a fair price.

Thank you.

Update on UK Gov’s Institutional Profligacy

As you may recall, a couple of weeks ago I used Write to Them to contact my MP, Jeremy Hunt, regarding the comments of the new CIO of HMRC and how it seemed that saving money was not being encouraged by our civil servants. I discussed it in this blog post:

Phil Pavitt, recently-appointed CIO for HM Revenue and Customs, has revealed that attempts to cut government budget are positively discouraged. In a telling anecdote, he says “In my first few weeks of the job I was visited by leading members of the Cabinet Office. In that conversation with me they mentioned I am in the top purchasing club… That means you have tremendous influence on buying power, buying ideas and management and so on. I said ‘If I reduce costs by 50 per cent what happens?’ ‘Well, you leave the club,’ I was told.”

A couple of days ago I got a follow up from Jeremy after he received a reply from the Rt. Hon Angela Smith MP, Minister of State at the Cabinet Office. He didn’t seem that impressed…

Dear Alan,

Further to my email of 16th February 2010, I have now received the attached response from the Rt Hon Angela Smith MP, Minister of State at the Cabinet Office.

Given the worrying content of your email, the Minister has responded with little more than a standard response about how they always try to obtain good value for money.

Sadly we will never know what was said amongst the Minister and her civil servants about your email. However, I think we can be confident that it bore no resemblance to the final response I received!

Whilst Ms Smith’s comments are not a surprise, I am sorry to have to pass on such a disappointing reply. If there is anything further I can take up with the Minister in the future on this issue, please feel free to let me know.

Best wishes

Jeremy

Jeremy Hunt
Member of Parliament
South West Surrey

I’ve attached the reply* so everyone can read it. Here is page 1, and here is page 2.

As you will see, the response is just a stock reply and gives almost no comment whatsoever to the main thrust of the question.

* The Minister’s response was emailed to me as a scanned PDF and it contained my home address and her email and phone numbers. I imported it into Inkscape and obfuscated those details which ended up creating 2 separate files.

Open Source, UK Gov. & Institutional Profligacy

I got a tad annoyed after reading this article by an old journalist friend and colleague Maxwell Cooter. In the story the new CIO of HMRC is reported as saying that there is basically institutional profligacy within the Cabinet Office:

Phil Pavitt, recently-appointed CIO for HM Revenue and Customs, has revealed that attempts to cut government budget are positively discouraged. In a telling anecdote, he says “In my first few weeks of the job I was visited by leading members of the Cabinet Office. In that conversation with me they mentioned I am in the top purchasing club… That means you have tremendous influence on buying power, buying ideas and management and so on. I said ‘If I reduce costs by 50 per cent what happens?’ ‘Well, you leave the club,’ I was told.”

As you will probably know, I have a vested interest in seeing the Cabinet Office’s Open Source, Open Standards and Re-Use Action Plan [PDF] implemented in full and as quickly as possible. The comment above however, coming from deep within the halls of power, is a clear indication that there seems to be little appetite to drive this Action Plan into, ahem, action. I used the excellent Write to Them service to write to my MP, Jeremy Hunt:

Dear Jeremy Hunt,

I run an independent consulting company specialising in an area of software technology called Open Source.

We help organisations of all sizes get best-value by using technologies that are developed for the benefit of the user rather than of the producer.

We have been following the Cabinet Office’s recent Action Plan called “Open Source, Open Standards Re-Use” with some interest and have commented positively on the quality of the document, but found there to be little in the way of energy to implement or monitor its adoption.

Today, I read an article by a journalist whom I have known for many years which seems to corroborate our opinion that there is little motivation for the status quo to change.

The link to the article is here:

http://blogs.techworld.com/the-blue-screen/2010/02/letting-the-cat-out-of-the-bag/index.htm

“Phil Pavitt, recently-appointed CIO for HM Revenue and Customs, has revealed that attempts to cut government budget are positively discouraged. In a telling anecdote, he says ‘In my first few weeks of the job I was visited by leading members of the Cabinet Office. In that conversation with me they mentioned I am in the top purchasing club… That means you have tremendous influence on buying power, buying ideas and management and so on. I said “If I reduce costs by 50 per cent what happens?” “Well, you leave the club,” I was told.’”

As I understand it, these are civil servants and as such are non-political.

Could you please comment on how a Conservative Government would try to change this apparently appalling attitude towards public expenditure?

Yours sincerely,

Alan Lord


The Open Learning Centre
Web: www.theopenlearningcentre.com

A couple of days ago I got an initial reply and, although the response itself isn’t exactly exuberant, Jeremy does indicate one thing I have heard something about before: the Tories’ policy of splitting massive IT projects into much smaller component parts by using Open Standards. This shows me they have a decent understanding of the power of Open Standards to break the stranglehold a few monopolies currently have, although of course the proof will be in the delivery… He has also written to the Minister of State at the Cabinet Office to get the Government’s response to my enquiry too.

Here’s his reply in full.

Dear Alan,

Thank you for your email in which you kindly included your own experiences of the Cabinet Office’s Action Plan called “Open Source, Open Standards Re-Use”.

Whilst I was pleased to hear you are complimentary about the quality of the document, I was sorry to learn that there seems little in the way of follow-up.

I was also most concerned to read the contents of the article by Maxwell Cooter.

Having spoken to the appropriate Shadow Cabinet Member as you requested, they have assured me that the Conservatives will create a level playing field for open source software by introducing open standards across government that enable large ICT projects to be split into smaller modular components. This will cut licensing costs, reduce risk and enable more small companies to bid for government ICT contracts.

I hope this is helpful and in order to get the Government’s response to the issues you have raised, I have also written to the Rt Hon Angela Smith MP, Minister of State at the Cabinet Office seeking her comments.

As soon as I have received the Minister’s reply, I will of course let you know straight away.

Thank you once again for bringing this important matter to my attention and if I can be of any further assistance in the meantime, please do let me know.

Best wishes

Jeremy

Jeremy Hunt
Member of Parliament
South West Surrey

If you want your MP (or future MP), whatever party they represent, to at least be aware of issues that concern you, please write to them. It is an easy way to voice your opinion. I have found MPs and MEPs to be generally quick to reply, to have understood the points I made and to follow up on issues when they said they would.

PS: Once I have the Minister’s reply I will of course let you know straight away too.
PPS: Can I please be recorded as the first to come up with the phrase “Institutional Profligacy” :-)

UK Gov Updates Open Source Policy

Remember the Cabinet Office Open Source, Open Standards Re-Use: Action Plan that came out last February?

Well, they’ve updated it. And the bits that they have changed are most welcome:

4. This Strategy does not represent a wholesale change to the Open Source Open Standards Reuse Strategy published in February 2009. It has been updated to take account of comments posted on www.writetoreply.org. The key changes to policy are:

  • We will require our suppliers to provide evidence of consideration of open source solutions during procurement exercises – if this evidence is not provided, bidders are likely to be disqualified from the procurement.
  • Where a ‘perpetual licence’ has been purchased from a proprietary supplier (which gives the appearance of zero cost to that project), we will require procurement teams to apply a ‘shadow’ licence price to ensure a fair price comparison of total cost of ownership. We have also defined the shadow licence cost as either:
      1. the list price of that licence from the supplier with no discounts applied, or
      2. the public sector price that has been agreed through a ‘Crown’ agreement.
  • We have clarified that we expect all software licences to be purchased on the basis of reuse across the public sector, regardless of the service environment it is operating within. This means that when we launch the Government Cloud, there will be no additional cost to the public sector of transferring licences into the Cloud.

Which is nice :-)

But unfortunately, as has been said widely before and again with this update, this is an action plan without any teeth. There is no enforcement, there is no monitoring and there are no penalties for not implementing the plan.

It’s all been said already so this is a short post. Until the Cabinet Office can get this implemented at a departmental level across the government and enforced, it remains essentially a "nice-to-have" objective but not much more.

The Cabinet Office have an Open Source aggregation service that collects various commentary from around the world based on various tags. This one needs the #ukgovOSS tag if you want to write your own piece or even tweet/dent about it.

PS: We have also made a remark or two about this update on our recently started (admittedly rather quietly) and more business-centric Open Source blog that’s on our main web site. We’ve called the blog The Way Out. Please feel free to drop by or add to your feed readers.
