How Governments Open Sourcing Code Helps Us Be More Secure
|Rami Sass in Open Source Friday, August 12, 2016|
The idea of governments releasing their proprietary code isn't a pipe dream; it is slowly becoming a reality in some countries and starting a much-needed public discussion in others. Governments around the world are beginning to understand that software they fund is paid for by the public, belongs to the public, and should be available for the public to use. Bulgaria has just passed a law mandating that custom code written for the government be released as open source. Similarly, the United States is starting a three-year pilot that requires federal agencies to release at least 20% of their new, federally funded custom code as open source. France, Norway, Brazil and other countries have initiated their own government open source programs so that more government-funded code will be released as open source.
Governments are among the largest producers of code in any country. In 2015, the U.S. federal government spent several billion dollars on software development. Because of that funding and the strict security requirements that come with it, software developed by and for government agencies is often at the cutting edge, and this is especially true for security, since governments operate massive databases of very sensitive information.
With taxpayers funding budgets and technology of this scale, we need to ask why all government-funded code isn't released as open source.
Many assume that governments have held back from sharing this work with the public until now because of homeland security concerns. In practice, the bigger obstacle has been bureaucratic: establishing a process for open sourcing code. The US government's open source policy got off the ground because it was made part of an initiative to reduce spending on software development by sharing code between US agencies.
There are opponents of government open source initiatives, including the U.S. Department of Homeland Security's Office of the CIO, which stated that publishing the government's source code could let attackers “construct highly targeted attacks against the software,” or “build-in malware directly into the source code, compile, then replace key software components as 'doppelgangers' of the original”. This position is an outlier. Most security practitioners would answer that the fix for these risks is to make the software secure rather than to hide it: withholding source only slows down an attacker who can still disassemble the shipped binary, and the “doppelganger” scenario is a software-integrity problem, addressed by signing build artifacts and verifying those signatures at deployment, not by keeping the source private.
If developers know their software will be released as open source rather than shrouded in secrecy, they will invest more effort in making it secure and of high quality. This kind of public crucible motivates programmers, both vendors and in-house staff, along with the government teams responsible for oversight, because everyone's work is open to constant evaluation. There is also the added benefit of review and improvement from the community. Add to the mix the fact that governments do not need to protect intellectual property to fend off competitors, which is a primary reason software companies do not release their code, and it becomes puzzling that they have refrained from going open source until now.
Where governments produce innovative, secure, high-quality software, open sourcing it can drive the software industry forward. It can help not only companies in niche verticals looking for tailored solutions but software vendors in every vertical looking to obtain the most advanced technology available. Small and medium-sized businesses have realized that they are specific targets, with 74% in the UK reporting a breach, yet exactly those businesses are least able to afford secure proprietary solutions, and government open source has the potential to change that. Large enterprises, which face the same challenge as many government agencies of running massive databases of sensitive information, often prioritize connectivity and features over security because of market forces, and could also benefit from access to these solutions.
The cost of security breaches is enormous. According to McKinsey Global Institute (MGI) data, “the economic costs of cybercrimes could run into the trillions of dollars.” By giving enterprises access to government code, we would not just be protecting people's privacy; we would be protecting economic innovation and the data that can be used to carry out costly fraud. When the cost of cybercrime is projected in the trillions, governments going open source should be viewed as a significant boost to economies and a safeguard for innovation.
Still worried about defense secrets ending up in the wrong hands? Code can and should be scrupulously reviewed before release, as it is when a private company open sources its code; in particular, credentials, keys, internal hostnames and other secrets must be scrubbed from the code and its version history before publication. Furthermore, sensitive material is excluded from open source release under both the Bulgarian and U.S. initiatives. Even in systems where some code is genuinely sensitive, that portion likely accounts for less than 20% of the total, and the other 80% can be released to the open source community.
Governments and enterprises alike will continue to face a vast array of security threats, and although some enterprises are quite secure, far too many are not. By open sourcing their code, governments would be releasing advanced, high-quality code that is free of market forces, meaning that security, not profit, is the priority. The result would be more secure businesses; less money, time and valuable information lost to vulnerabilities; and improvements to the released code thanks to the community.
Government adoption of open source isn't merely “forward thinking”; it is about encouraging innovation, promoting transparency, saving money and, especially, improving security: age-old benefits that every government should be keen to embrace.
Read more: http://www.whitesourcesoftware.com
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.