Open Source Software and Security

Back in December the UK Government published its Open Source procurement toolkit (in PDF and ODF formats). It is mostly aimed at public sector procurement officials, but it is of general interest too. One document in particular, which I would like to pick out and quote verbatim (as I can under the Creative Commons-inspired Open Government Licence), addresses the myth that the government can’t use Free Software because of security concerns. This is completely and utterly false. Free Software can be put through the certification processes just like closed software, but for most normal applications formal certification makes little difference one way or another, because certifying individual products is not how solutions get accredited. So here it is, in their own words:

Open Source Software and Security

December 2011
This note, developed in consultation with CESG, highlights some of the key security considerations for the use of open source software in Government, and their implications for procurement practice. It focuses on dispelling common security myths about open source software which prevent a level playing field for its evaluation and use in Government. It is published in recognition that a wider audience wish to understand the UK Government’s position on open source software and security. Public sector customers can obtain further information from CESG in GPG38.

1. Open source, as a category, is no more or less secure than closed proprietary software.

All software, including open source and closed proprietary, will have vulnerabilities. Individual software products, regardless of category, will have strengths and weaknesses in security characteristics such as provenance, quality, support, and vulnerability management. Given the range of vulnerabilities and diversity of exploits, on balance, neither category is considered more or less secure than the other.

2. Therefore, open source software cannot be excluded from an options analysis for Government IT.

Given that no one type of software is inherently more secure than another, neither open source nor closed proprietary software should be excluded from an options analysis for security reasons. It is Government policy for open source software to be evaluated in an options analysis, and for suppliers to provide appropriately detailed evidence of the reasoning behind their selection. It is entirely possible that an open source option is not selected for valid reasons, such as insufficient functional fit, inability to meet performance requirements, or higher cost of ownership due to more expensive security controls. It is important that the same selection criteria are applied to all options. It is also important that requirements are not exaggerated, unnecessarily inflating costs.

3. CESG does not accredit software products. Departments accredit their own ICT solutions.

It is a myth that some software products are “accredited” for use in Government. This is a misunderstanding of the security framework and accreditation process. Departmental accreditation of their own IT solutions is a sophisticated and rigorous process encompassing business benefit, threat and risk assessment, hardware, software, communications, and human factors. CESG does operate assurance schemes through which security enforcing products, both open source and closed proprietary, can be evaluated and certified. Such certification assures the public sector that security enforcing products, such as firewalls and cryptography tools, can mitigate various risks to its information. The large majority of software used to build Government IT solutions does not fall into this category. Furthermore, the risk-managed decision whether or not to use such software remains with the Department’s information risk owner.

Open Standards Open Opportunities

Flexibility and efficiency are perhaps not two words that have traditionally been associated with the public sector in general, and certainly not with government IT. This might change though, and you can help nudge it in the right direction. Last week, just before the Budget was announced in front of a packed House of Commons, there was this little exchange:

John Pugh (Southport, Liberal Democrat)

To ask the Minister for the Cabinet Office what recent assessment he has made of Government policy on open source software and open standards; and if he will make a statement.

Francis Maude (Minister for the Cabinet Office; Horsham, Conservative)

We have always made clear that, where appropriate, Government will procure open source solutions.

Open source products are used in the delivery of huge database programmes—such as the Indian Identity card scheme—at a greater scale and for much less cost than we have experienced in the past.

Gov.uk, the new platform for publishing in UK Government, employs the same open source technologies.

It’s being delivered for a fraction of the cost of previous Government web schemes.

So not a big long speech, but there it is, said in the House and recorded for posterity in the transcript of the oral answers in Hansard and on theyworkforyou.com.

The government is moving on Free Software: there is a very high-level understanding of the need to avoid lock-in, promote re-use and remove the barriers to adoption of Open Source software. They have been taken for a ride by a bunch of proprietary suppliers who have sold them the same old stuff over and over again, with contracts that tie the government down and keep the gravy train rolling. There is no massive appetite for the government to contribute directly to Free Software projects, but they are very willing to have more open software from their existing and new suppliers, and to have those suppliers be good citizens in the Open Source community.

There appears to be a general alignment of (and indeed confusion between) open source and open standards. What the government really appears to want is open standards, with open source software as a means to get to an environment where open standards are prevalent. This will give them the re-use and interoperability that they really want.

To this end the Cabinet Office is running a public consultation at the moment, asking you to comment on their thinking in the area of open standards. Don’t be misled though, this is all about open source really, and they really do want a bunch more responses to their consultation. You can view the consultation website here:

http://consultation.cabinetoffice.gov.uk/openstandards/

It is a bit of an epic read: there is a 31-page PDF describing the consultation, then you go on to provide your responses on the website, where your answers will be published along with those of everyone else. I don’t think I have ever filled in a form where my answers were broken down into chapters before, but there is a first time for everything. Chapter 1 is all about how they should define what an open standard actually is; kind of like art, you know it when you see it. Chapter 2 discusses whether open standards should be mandatory (expect some detailed answers from proprietary suppliers in this section explaining why the world would end if openness was not optional). Chapter 3 is all about international alignment and would be a great place for comments from people who are not UK-based but for whatever reason think we should be more interoperable at a government level.

Please do have a read of it and browse the questions and answer any you feel like giving your opinion on. Don’t feel you have to answer them all, or give long answers. I am assured that this consultation will make a difference.

Open Source with the Home Office and the British Computer Society

Recently there has been more interest from the government in Open Source software than we have ever seen before, at Cabinet Office level, at departmental level and in local authorities. Last night was the first of two sessions hosted by the British Computer Society’s Open Source Specialist Group to help the Home Office IT team gain a better understanding of why they are not taking advantage of as much Open Source software as they feel they should be, and to examine some of the issues and obstacles that have led to them being locked in to solutions that don’t give them the freedom and cost benefits they are seeking.

The format of the evening was a panel debate, with Mark Elkins of the BCS chairing and Tariq Rashid of the Home Office proposing the topics for discussion. On the panel were representatives from a number of large system integrators (SIs) who work on large-scale government projects. The panel was:

  • Darren Austin, UK Chief Engineer, Atos Origin.
  • Adam Jollans, Program Director – Open Source and Linux Strategy, IBM Systems & Technology Group.
  • Mike Robertson, Head of Public Sector Business, Savvis.
  • Gurpritpal Singh, CTO, UK Technology Consulting, Hewlett Packard.

For each topic, Tariq would pose a question and the panel members gave their responses before it was opened to the floor for questions and comments from the audience. This format worked quite well, although some members of the audience were clearly unused to requesting, and then waiting, to be called to speak, and rather disrespectfully interrupted the proceedings on a number of occasions to spout their opinion during the panel responses. Please, if you go to an event with a set format, don’t disrupt it; that just makes the community seem unprofessional.

I won’t break down the responses question by question (I believe audio will be published at some point, and I didn’t take good notes), but some of the key points raised were:

The system integrators are perfectly happy to work with Open Source; the customer just has to ask for it. All the SIs on the panel said this. They already provide Open Source solutions to other countries, and they already use Open Source software where they are providing just a service (it cuts their costs and gives them more control). They pitch proprietary stuff at procurement contracts here simply because that is what wins them.

When the customer asks for a service to be performed to open standards (yes, there was a discussion of the definition of an open standard, the problems with FRAND licensing and the need for Free standards), the integrator will generally use Open Source software because it reduces their costs (a little) but, much more importantly, gives them the freedom to commercialise the overall solution in the way they want, without complicated negotiations with a third-party supplier. The implication of this seemed to me to be that the government still gets screwed over, but only by the SI, and possibly not so badly.

Purchasers of smaller solutions, rather than multi-million pound services projects, buy from a catalogue, the G-Cat or something like that. This is a list of approved, vetted, commercial off the shelf (COTS) solutions that are safe to use (“safe” in this context meaning you won’t get fired if the thing you bought was on the catalogue). This catalogue is hard to get on to. Suppliers of proprietary software have to jump through hoops to prove that they are good enough as a company to supply the licences, and there may be some technical appraisal; I don’t really know the details. The point is that the process is hard, it takes time, and it probably costs money. Suppliers go through that process and write it all off as cost of sales, because they know that if they get on the list then the gravy train is on its way into town.

Open Source projects, with great code, a solid and active community, but no real concept of “financial stability” (and equally no concept of “financial instability”), often have no budget to jump through hoops and fill out documents as a presales exercise, because they get, and want, no financial reward at the end of the process when someone in local government downloads and uses the software for free. If the government wants Free Software in the catalogue, they are going to have to pick up the tab in the short term for the presales activity and engage some knowledgeable consultants (yes, we will do that kind of thing) on a project to go through the evaluation process and fill out all the forms, so that in the longer term better value selections can be made from the catalogue.

There was quite a discussion about the ownership of risk. This is important to government purchasers, but more as a concept than as a reality. Large projects have big penalty clauses, which means that the government likes to work with suppliers who have the financial wherewithal to live up to those clauses. I don’t think I am revealing that much about my company’s finances to say that we would struggle to demonstrate that we could pay up on a penalty clause running into tens of millions of pounds. Does the government exercise these penalties on a regular basis? No. As one of the panellists mentioned, they would swiftly end up owning all the SIs if they did, and whilst the UK government nationalising IBM is a fun thing to contemplate, it really isn’t going to happen. I made the point at this stage that the government seems to get a lot of comfort from knowing “who to sue” if things break. What they need to do is learn how to gain comfort from knowing “how to fix it”, and knowing that they can engage any other supplier to fix broken things. Having open code and the legal right to modify it to your requirements, and to have other people modify it to your requirements, actually reduces risk. Having financial penalties does not in fact reduce risk at all; it just gives you someone to recover money from when things go wrong.

Next week there will be another debate covering slightly different topics. I believe the format and panel will stay the same, which I think works very well (subject to a well-behaved audience, of course). The topics are listed below; feel free to discuss them in the comments and I will try to pass on some of the most insightful at the event.

Evening Debate 2 – Tuesday 1st March

1. Security. OSS is insecure compared to commercial software?

  • By what criteria can we select software to minimise security risks?
  • Does OSS need a different approach to patching?
  • Can we simply use empirical evidence when comparing OSS with closed software? Statistics for internet browsers are common: published vulnerabilities, known exploits, time to fix.
  • Key question for HMG is: all things being equal, open code means vulnerabilities can be discovered and exploited before there is time to fix.

2. Buy-not-Build. Can OSS actually benefit HMG because HMG doesn’t want custom or re-engineered software?

  • HMG generally asks IT suppliers to build systems from COTS components and minimise customisation and re-engineering – it doesn’t want to maintain special code because of cost and risk. So does a significant benefit of OSS not apply to HMG?

3. Legal advice for OSS

  • OSS has some unique legal aspects compared with commercial software. Where to get advice? Myths around legal obstacles and obligations are going unchallenged.
  • Patents and liability issues are often raised. Are these resolved by major OSS suppliers who will shield customers?

4. Long Term Strategy

  • OSS won’t happen overnight.
  • Should we work backwards from insisting on open information formats for HMG interactions with the public and other sectors? This way the use of open standards compliant software filters back into HMG organisations.

5. Other Ideas