EC Questions Security Of Open Source Software

The vice president of the European Commission has warned that any progress in using open source and open standards in the region will have to be weighed against the possibility that the software could have downsides in terms of security.

Speaking ahead of the launch of a European declaration on approaches to e-government in Europe up to 2015 in Malmo, Sweden, vice president of the European Commission Siim Kallas stated in a webcast that although the commission was behind the idea of adopting open source and open standards, such approaches to IT have implications for security and business continuity that governments must consider.

“You must understand that these open standard issues include an important element of sustainability and also security, so we must have a balance between the openness and the business continuity and security which is quite important,” he said when asked about the importance of open source. “There should be a good balance between open standards and open source and business continuity – and we are open to discuss all possible solutions.”

Although slightly faltering, Kallas’ comments appear to reflect the view – championed by proprietary software makers – that open approaches to software development are somehow more insecure than closed-source techniques and as a result more exposed to hacking or other attacks.

Kallas’ comments may surprise some in the open source community, timed as they are just before the official announcement of the Malmo EC declaration, which includes a commitment to put open-source solutions on an equal footing when it comes to awarding government contracts. The UK government made a similar declaration earlier this year but, according to some experts in the open source community, little has changed when it comes to adoption of open source in the public sector.

“The UK has one of the best-written policies out there — the problem is policing it,” said Steve Shine, vice president of worldwide operations at open source specialist Ingres at a discussion in September. The problem is that large procurements simply ignore it, and this is not being picked up, he added.

In February, the UK government said it intended to use open source to save £600 million a year and published guidelines to that effect but, despite this, the UK lags badly at open source, using it less than countries like Mali, open source activists said at a meeting in September.

Elsewhere in Europe, other countries including Switzerland and Hungary have seen action taken by open source backers to force governments to break down barriers to the use of non-proprietary software in the public sector. In an open letter earlier this month to the Hungarian government’s procurement agency, the Directorate General for Central Services (KSZF), the Open Document Format Alliance (ODFA) stated that last year the government spent around 9.5bn Hungarian forints (£32 million) on Microsoft software and has already spent 6.3 million euros (£5.6 million) on educational licenses and millions more on consultation and services from the software giant.

“Please make your calculations known to the public which will prove that open source will not be a viable low cost alternative,” the letter states.

The UK government is also involved in the drafting of the new Malmo regulations and has pledged support for extending its existing commitment to open source across Europe, despite the concerns over whether it has even been able to apply the policy in its own country. “This meeting gives me the opportunity to share our successes with my European counterparts and also learn from their experiences,” said cabinet office Minister Angela Smith, who is attending the meeting in Malmo.

Smith also stated that the UK is leading the way in Europe when it comes to using the internet to improve public services – another facet of the e-government directive being announced on Thursday. “With a huge range of public services available online, pioneering work taking place to free-up data and the world’s first plan to systematically cut the carbon emissions of government IT systems, Britain is leading the way in e-Government.”

The Conservative opposition party in the UK recently appointed an open source enthusiast as an adviser on the use of the internet in public services. In early October, Tom Steinberg, co-founder of mySociety, the site behind online tools such as TheyWorkForYou.com, agreed to help the Conservative party with internet policy. mySociety developed much of its software under the Affero GPL – a version of the GNU General Public License that actually goes further than the standard GPL. In an interview with Heise UK, Steinberg admitted that applications developed by mySociety such as TheyWorkForYou.com, WriteToThem.com, and PledgeBank.com would have been difficult to create without open source tools.

In September, the Hungarian government did approve a scheme that allows open source companies to compete for a share of public sector contracts but admitted at the time that half the IT budget is still reserved for Microsoft.

Speaking at a conference in Budapest earlier this year Florian Schiessl, deputy manager of the Munich LiMux project – one of Europe’s most high-profile Linux migrations – said there has to be political will to push through change. “Our politicians decided to have independence – we have the political backing. If there is no political backing – I know from many, many projects in the principalities and in the federal government and so on – then you have a real problem,” he said.

Andrew Donoghue

Comments

  • Is an interesting question, as it requires only logic, not software development expertise, to examine.

    What ways are there to test security? Black box approach (probe blindly, looking for attack vectors) and reviewing how the thing, software, building, bank vault or whatever, is constructed; therefore it is *easier* to explore security issues of something that is open than of something that is closed.

    If you find a security flaw, how to rectify it? Well, for a building or a bank vault it might be difficult to retro-fit fixes, so maybe the method of construction, the plans, is best hidden; but some things, like software, can be easily patched and updated, so the finding of flaws through review of code, the programming equivalent of the building plans, will tend to result in improved security.

    Ergo, open is more secure than closed.

    Then sustainability: open source cannot be taken away, a company cannot choose to stop supporting a product in a way that leaves the user without support; it is more sustainable, not less.

    I don't even get where the use of standards is a bad thing...

  • Why should anybody be concerned about the security of Open Source software? People have been using Windows for years, constantly being infected with viruses, trojans, and all manner of security issues.

    If the EC is questioning the security of Open Source software, why has it never questioned the obvious lack of security in Microsoft software?
