Open Source Software: Providing Greater Security and Innovation in the Delivery of E-Government Services

Open Source Software Conference
Sydney
11 September 2003

Thankyou for the invitation to speak here today.  I am going to start by taking a big picture view.

The Information Age in which we all now live has brought with it two rules:

1. That influence and power accrue to those who can control information flows; and
2. That those information flows are harder to control than ever before.

The awkward resolution of these two diametrically opposed precepts can be seen almost daily; usually undertaken as court battles over the new territory that defines this Information Age – intellectual property.

The conflicts are fought between the old information empires – the copyright holders: record labels; proprietary software firms, and so on – and the new challengers, those empowered with digital technology – a PC, an internet connection – and a healthy disrespect for, or a lack of awareness of, intellectual property boundary markers.

From these border skirmishes over intellectual property I get the impression that, despite the technology of the challengers, it is the old landlords who are winning.

We all know the fate of Napster, and I read just yesterday that a 12 year old girl was forced to settle with a record label, after she had unlawfully, so it was implied, appropriated music that did not belong to her.

And this is only one of hundreds of lawsuits being thrown at those people the digital landlords consider “trespassers”.  Others include children copying games and businesses using proprietary software outside the licensing conditions.  So, what does this have to do with open source software?  Although far from a new phenomenon, open source software represents a new way of managing intellectual property.

It defies the traditional method of distributing software through a system of proprietary licenses, and instead says “I know I can’t stop you from redistributing me, so I’m not going to insult you by demanding that you don’t.”  It is a system that renders these conflicts over IP nonsensical.

Up until recently, the landlords did not really notice open source software.  It was a haven of the techies, computing professionals, academics and internet devotees.

I remember reading an article in 2001 which said that open source software would never secure a significant chunk of the software market.  It might hold its own as a server technology, the article said, but it was simply too user unfriendly to threaten and dislodge Microsoft from the PC software environment.

That’s not the case any more.  The open source movement has poked its head above the radar, and is now posing a serious challenge to the old empires of the proprietary software firms, as businesses and Governments around the world start taking notice.

Open source has entered the mainstream, to such an extent that the Butler Group predicts that Linux will be the dominant operating system by 2009.

The headline on last week’s Australian IT pages: “Telstra’s open-source push hurts Microsoft” pressed home the reality of this claim. The article beneath it stated that Telstra would be switching to open source right across the company – desktops, web servers and applications servers and believe me, you cannot get more mainstream than Telstra.

So, why has this occurred?  To put it simply, open source software products have become more user friendly to the wider market and now appeals to people beyond computing professionals and academics.

The arrival of for-profit open source businesses, which started with enterprises like Red Hat and now include IBM and Sun Microsystems, has meant that the products have become more commercially orientated.

This includes aesthetics.  From what I have seen, the days when Linux desktops were ugly, although undoubtedly very functional, grey screened monstrosities, are gone.

If anything, Linux desktops look slicker than Windows, and are replete with a whole raft of applications which, importantly, look and feel like the proprietary products that most of us were raised on.

A hard-core techie may scoff at such cosmetic features but they make a difference to regular users, who think that if something looks cheap, and it’s free, it must be inferior.

From my perspective, the next big question is – and this is the question I will be addressing today – how can the open source sector be more effectively utilised by Federal Government Departments and agencies?

On the face of it shouldn’t be difficult.  Open source software can effectively serve the needs of Government in many ways:

In addition to these points, the adoption of open source software by Governments would also have positive impact on industry development.

Despite the obvious benefits, there are a number of challenges which stand in the way of open source.  These are chiefly owing to the fact the market incumbents – proprietary software vendors – have built whole business strategies around client lock-in.  In this sense, open source providers are the new challengers.

For the dominance of proprietary software to be challenged, a change of attitude from the Government is required.  Government must have the will to remove the bias, but the open source industry itself will need to make sure its interests are represented.

Open Source and value for money

It scarcely needs to be said that Governments have to watch what they spend.

Around the world, Governments are exploring open source with the aim of cutting ICT costs.  France, Germany, and the UK have all expressed this aim as one reason for adopting of open source.

Telstra is hoping to cut its annual $1.5 Billion IT budget by half with open source. The irony of this Telstra decision is that they led the way in Australia with the now defunct whole-of-enterprise IT outsourcing model through IBMGSA – formerly a Telstra, IBM and Lendlease company.

The Howard Government made many false claims regarding the cost savings generated by their failed IT Outsourcing program. I am not convinced that IT changes, and this includes the implementation of open source software, will necessarily lead to cost savings.

The economic benefits lie in getting “more bang for the buck”. With less emphasis on licensing fees, and increased competition coming from a reduced likelihood of vendor lock-in, open source software can provide far greater value for money to Governments.

The prospects of continuing innovation leading to better solutions alone holds great appeal.

So, although there may not be cost reductions in money terms, innovative solutions and better implementation will mean that you get a better system for the same budget.

Open Source and Security

Security is an important consideration for Governments, both in terms of national security, and for the protection of the huge amounts of personal information they hold.  Maintaining the integrity of Government information systems is always a high priority.

Not so long ago, open source software had a down-payment on security.  The “many eyes” approach was winning over the sceptics, who could see the benefits of many talented people evaluating code for security flaws, rather than relying on the assurances of a proprietary company.

The best analogy I came across was of a car engine: where proprietary software resembles a car with its bonnet welded shut, while open source is a car with the bonnet open and thousands of mechanics taking a look.

Open source systems have also proved their value in the field.  According to the Symantec Online Virus Encyclopaedia, Symantec has released over 1,600 security responses for viruses targeting Microsoft products, compared to only 12 for viruses targeting Linux.

Open source has been adopted in US Departments, such as the NSA, the White House, the CIA, and the Department of Defense.  In fact, in response to suggestions that open source should be removed from Defense, the Department said:

“Banning open source would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DOD groups to protect themselves against cyber-attacks.”

That’s quite a rap.

At the time proprietary software providers seemed to place a lower profile on security.  In some cases it may have been felt that spending money on revamping software security would not be good business sense.  As Michael Paddon, the immediate past President of the AUUG put it to me in the Joint House Committee hearing on the Management and integrity of electronic information in the Commonwealth,

“How many people would go out and spend another $500 on a new version of Windows just because it was a bit more secure?”

Additionally, Bill Caelli, an E-Security expert and last years’ winner of the Pearcey Medal, makes an even stronger point:  he argues that improved security is never vendor led.  However, the situation is changing, and proprietary software companies have started focusing on the security of their products.

Microsoft, for example is demonstrating that it is willing to spend big money on security.  It has spent $176 million dollars taking off 8,500 developers from the Windows platform to review existing code for security flaws.  Microsoft boasts about this, but I think it shows the depth of their problem.

I don’t know if that is a sustainable way to secure one’s code in the long term, but it demonstrates that big proprietary firms are taking security seriously.  They are actively trying to prove to the Federal Government that proprietary security is better than the “many eyes” that open source offers.

The real challenge for Government is to know more than the software sales team.  This is a huge challenge and means that the Government must be a smart buyer.

This is a point that I will be returning to later.

Open source and reliability

One of the theories of having software that everyone can poke around with is that bugs get squashed quite quickly.  Open source advocates sometimes boast that their patches are often released in a matter of hours, unlike proprietary software patches which may take months.

I’m a little sceptical about this – I’m sure there are fast and slow examples in both cases.  Nonetheless, over the years the statistics have demonstrated that peer review is a successful method of building reliable software.

There have been very few independent reliability studies conducted recently, but of those done in the past, open source software consistently came out on top.  One experiment, conducted by Bloor Research found that over one year, a machine equipped with a GNU/Linux operating system crashed once – taking four hours to fix.

In contrast, a similar machine equipped with Windows NT crashed 68 times, taking 65 hours to fix in total.  A 10 month long server test in 1999, conducted by ZDNet found that while NT crashed only once every six weeks, the two Linux machines tested never went down.

Windows technology no doubt has improved since 1999, but undoubtedly so has Linux.

I am also intrigued by the ongoing Netcraft Survey of the 50 most requested internet sites with the longest uptimes.  Last time I looked, which was yesterday, 47 of these (or 94%) were running Apache server software.

Open Source and principles of Open Government

I am also reminded, as I’m sure are so many of you, of the points about open source and open government, so fluently raised by Peruvian Congressman, Edgar Villanueva Nunez in his now famous open letter to Microsoft.

Democratic, and accountable, governments must have their processes – even their IT processes – available to public scrutiny.  To this end Labor has advocated that IT contracts should be made public to allow more scrutiny.  However, Dr Nunez goes further.

To quote Dr Nunez,

“the citizen has a legitimate right to know how his vote is computed or his taxes calculated. And for that he must have free access to the source code and be able to prove to his satisfaction the programs used for electoral computations or the calculation of his taxes.”

For this, open source software is clearly well suited.  Furthermore, through the use of open file formats, Governments can ensure that public documents are also available to everyone – now or twenty years from now. 

This is not possible under proprietary file formats, which may not be accessible if a document format is lost over time.  This issue of archiving and ensuring access in the future without the need for an ongoing commercial relationship is essential.

Currently XML is being adopted, and this is a positive step, but vendor extensions to XML could defeat the purpose.

These four attributes of open source software – value for money, security, reliability, and support for open government all can potentially benefit the Government as a procurer of software.

Open Source and Industry Development

However, open source software also promotes industry development because it encourages innovation.  This should be an important consideration for the Federal Government.

Open source licenses allow any small-to-medium sized software firm to work on pre-existing state-of-the-art technology, without having to start from scratch.  This maximises the capacity for innovation, as business resources wouldn’t have to be expended re-inventing or re-modelling the wheel.

Depending on the license that the software is issued under – for example the BSD license – an SME could even use existing code in proprietary software it released.

By adopting open source software solutions for projects, a Federal Government department would potentially be more open to local enterprises, rather than simply the big foreign multinationals

This is an important consideration.  It would promote local industry development, and would act to slow the growth of our enormous ICT foreign debt – $14.4 billion in 2001-02 alone.

Another good reason why open source software should be a part of Government information systems is that it also reduces technological dependence on companies, and potentially other countries.

Other countries have realised this, especially in our region.  Earlier this month Japan, South Korea and China were reported to be planning their own alternative operating system to Windows, in order to reduce their dependency on a foreign-owned product, and to boost their own local industry.

China of course has famously developed its own Linux brand, Red Flag, partly as a measure to improve its own local industry, as well as removing its reliance on foreign software.  I am also aware that Governments in Taiwan, Thailand and the Philippines are considering establishing local open source development initiatives to build their own industries.

Unfortunately, the Australian Government hasn’t been so innovative, and I would like to conclude by highlighting some of the hurdles that the open source community is facing in selling their technology to the Federal Government.

The first hurdle is Federal Government resistance.  When it comes to purchasing ICT, the public service is a risk averse, conservative place.  In IT purchasing it does not have a great deal of corporate memory, thanks to the defunct IT outsourcing program, which stripped the public sector of experience.

With the exception of a few notable examples – Centrelink, and the Department of Veterans’ Affairs – the default position for ICT purchasers is to go with big vendor proprietary software, combined with vendor lock in.  Being the familiar option, it is felt to be less risky.

My impression is that this is compounded by a lack of understanding of open source software.  It seems to me that at least some potential purchasing officers are not smart buyers, and are somewhat led astray to the fear, uncertainty and doubt that they receive from the multinational proprietary firms which come knocking at their doors.

The open source movement hasn’t been helped in this regard by the SCO lawsuit against IBM.  Even if it is unsuccessful, the effect of this tactic will be to scare people – including public servants – off from open source solutions.

The Howard Government, beholden to the big multinational ICT firms, such as CSC, EDS and Microsoft, has shown no real interest in changing this situation.  So far all that they have produced was a single open source seminar in February this year.  Some would call it a good start, but there has been nothing since.

It is my opinion that the Howard Government should be showing more leadership in this area.  This is not to say open source should be mandated for Government contracts, but just that the institutionalised bias in favour of proprietary software should be actively challenged.  A fair deal for every potential vendor, if you like.

However, if Government resistance is to be broken down, the open source community needs to better lobby the Federal Government at an Industry level.

This is not to say that there is not lobbying being done at the moment, but more needs to be done, if only to balance the renewed effort being put forward by proprietary software firms.

The proprietary software lobby was caught napping by the rise of open source, but they are now making up for it.

Microsoft has started its own lobby group, the quaintly named Initiative for Software Choice, which seems dedicated to going after open source software developers.

Security is a classic example.  I mentioned earlier that Microsoft had taken steps to improve its credentials in this area.

Another Microsoft initiative is its “Government Security Program”.  This is a scheme to partially recreate a feature of open source software for its proprietary code by letting Government agencies “look under the bonnet” of its software.

It’s an acknowledgement of the “many eyes” advantage of open source software, and Microsoft has been quick to learn from it.

I am not saying this to praise Microsoft, but as a warning to the open source community – if you want to be attractive to Government purchasers then you must confront these competitive threats.

Without doubt we need to see very big steps from Government to make sure that the marketplace is fair.  But the reality of the situation is – and I’ve not spoken to a single open source advocate who doesn’t agree – the open source software industry must compete for its market space.

And I don’t think this is an impossible task.  The open source industry, almost by definition is an innovative and creative.  You must give the government no choice but to acknowledge this.

The bias towards proprietary software must be removed and it’s the Government’s responsibility to do this.

This creates the grounds for greater intervention in the procurement process.  At the barest minimum, meaningful market testing of open source solutions for government enterprises needs to occur now.

Government can also review vendor lock-in and assess new proposals to ensure this is not perpetuated,

Finally, to return to the theme of digital landlords, Government must be a smart enough buyer to prove it is not merely favouring one standard of software over another.