Governments, Beyond the Open Source Hype

An anonymous reader writes "ForeignPolicy.com takes a look at Open Source as it applies to governments and some of the reasons that a governing body may or may not like OSS. From the article: 'Governments around the world are enchanted by open-source software. Unlike proprietary software, for which the code is kept secret, the open-source variety can be copied, modified, and shared. [...] Trouble is, the benefits of open source are not always so clear-cut. Software is too complicated a creation to be captured in rhetoric, and assertions about some of the technical benefits of open source fail to tell the whole story.'"

Its the money, first and foremost

[rob_squared]

Tell your citizens that its cheaper and they'll thank you for it. The details about where the saved monegy goes usually become obfuscated however.

Re:Its the money, first and foremost

[Bogtha]

More importantly, not only is it cheaper, but the money that is spent on it goes back into the local economy rather than straight into the pockets of a foreign company, because the government have the option of hiring any local firms willing to do the work instead of simply whoever holds the copyright.

Re:Its the money, first and foremost

[jesterzog]

Tell your citizens that its cheaper and they'll thank you for it. The details about where the saved monegy goes usually become obfuscated however.

I work in a non-US government department. Our government has its own policy on Open Source (developed by another dept), which is non-committal but non-inhibiting, and little more than a document that describes the main issues with using open source. The public and politicians don't know whether we use OSS or not, and I doubt they care. (Except for one politician who released a press release on OSS once, but it didn't get noticed by anyone.)

When it comes to using OSS, we simply use it when it makes sense to do so. There's no iron fist reaching down dictating to us what to do, and I hope there never is. We give our users Windows desktops because that's what they tend to be most comfortable with, we run predominantly Windows servers administered by people who know what they're doing, and also have a few Linux boxes thrown in where it makes sense to do so. Any or all of this may change in the future, but I like to think that it'll change because we've decided it's appropriate to change. We use open source in all sorts of places for support systems. Usually it's because the open source apps available for those particular tasks do a better job, or are more reliably supported. We use a lot of closed source software, too, because sometimes there just aren't the OSS apps for the specialist needs that certain people in the department have.

Amusingly it's often easier to get help from an interested community than it is from a closed source distributor who's charging a large support contract. Personally I think that the main purpose of support contracts is to be able to attribute blame to someone else not having fixed a problem, but they're still needed with closed source because it's impossible for anyone else to fix the problem. It's probably every month or so that we come across Outlook or some other similar app displaying a weird behaviour, the company (Microsoft in this case) ignores it, and all that people in the community can say is that 'it happens for me too, maybe try this'. Open source is completely different. eg. I'm currently writing an in-house CA software, and the two projects we've found that are easiest to use for building this (OpenSSL and CryptLib), are both Open Source. They both have active communities, and I'm quite confident that if/when I have problems or find bugs with either, there would be an immediate response, whether it's fixing them, or telling me what I should be doing differently.

Open source and closed source both have their place, and I think it's great when governments develop an official awareness of them. In my own government, though, I really hope we never get forced to use one or the other for political reasons.

Written by an ex-Microsoft employee.

This article is written by a Ms. Caroline Benner.

And if we look her up, we find...

Caroline Benner previously worked as policy researcher for Microsoft's Geopolitical Policy and Strategy Group

...as her only listed non-media job on at least one version of her bio.

Just saying.

Re:Written by an ex-Microsoft employee.

[jmorris42]

> Caroline Benner previously worked as policy researcher for Microsoft's Geopolitical
> Policy and Strategy Group

Ya know, I knew something like that was coming before I clicked into this article. The summary alone smelled of astroturf. But they do it because they realize while we will spot the paid 'independent scholarship' almost instantly the intended audience either won't.

Re:Written by an ex-Microsoft employee.

Absolutely. This is horseshit.

I write proprietary software; and I write it primarily for government organizations (and maybe some private companies, but they have yet to express an interest). No, I'm not willing to ID myself here, hence the coward bit.

Here's some more FUD for you: the article author makes an association between For-Profit Corporations and proprietary software, on the one hand, and no-corporation amateurs and F/OSS on the other.

I see this association all the time, and it annoys the hell out of me. Yes, it's convenient for the F/OSS evangelists, and for the proprietary reactionaries. But for people who want to see the free exchange of ideas (and thus the rapid improvement of software) and who want to see everyone, especially their clients, get the best software possible, this association is lethal.

It's quite simple: if big clients, such as governments and corporations, make "open source" a requirement, and pay more for the software (or pool as groups to commission it), more companies will produce open source software. If more companies do that, those big clients will find themselves paying for fewer titles outright, and instead commissioning customizations that make that software work well for them.

Yes, it's a stretch. But, at heart, "Open Source" is not anti-commercial; it is simply a different way of doing business. Incidentally, it is a form of doing business that predates the notion of proprietary intellectual property and is far easier to support legally.

Microsoft wants Office to be usable around the world. But Microsoft could still make money on Office customization and make it open-source.

Yes, I am insane.

Re:Written by an ex-Microsoft employee.

[cp.tar]

Good one.

Governments could very well profit from Open source software, as well as the programmers hired to make it.

Just because it is Open Source, it doesn't mean that the work the programmers put in is free.

What it does mean is that:

1. Governments pay a single fee for a piece of software.
2. The source code of said software is also available, which makes the government vendor-independent.
3. The money goes to the local economy instead of a company which could buy the country I live in.
4. When you need something, you have someone do it. You don't wait for the next update & bugfix cycle.

But because of the omnipresent FUD, very few people in governments worldwide have any idea whatsoever about these things.

P.S.
5. ???
6. Profit!

If I were a foreign government

[MarkEst1973]

Why the hell would I want to entrust all my gov't operations, all my military, all my businesses' computing needs to a closed source, foreign (from my point of view) vendor... like, say, MS?

Ok, so your military doesn't run windows. Our military runs (or at least used to) Solaris and HP-UX... but those are closed source, too, and owned by a foreign entity.

In the end, open source provides me -- as a sovereign nation -- the ability to control the critical pieces of my own infrastructure.

That's how I (as a person) see it, anyway. Whether or not foreign governments agree, I don't know.

OSS isn't everything

[linvir]

In practical terms OSS is only relevant as a part of a wider policy. Brazil's Digital Inclusion (Google translation) is a good example. OSS barely even figures in the rhetoric for this. It's just one enabling factor.

This is how it's always going to be as well. Example: People don't move to Firefox because it's open source. They move to it because they're told it's better than IE, and they then stick with it because it's demonstrably better.

At the end of the day ideology is irrelevant to most people.

Re:Your average computer user

[AuMatar]

THen they should be coming to Linux in droves. My last Windows install took 4 hours and required me to hunt for drivers all over the web, and reboot a dozen times. My last Linux install worked smoothly with all hardware recognized.

Curiously contradictory article summary?

[Angostura]

On the one hand the article summary claims:

"Trouble is, the benefits of open source are not always so clear-cut. Software is too complicated a creation to be captured in rhetoric"

While at the same time giving us a splendidly succinct piece of rhetoric:

Unlike proprietary software, for which the code is kept secret, the open-source variety can be copied, modified, and shared. [...]

Poorer Countries

[runlevel+5]

I think poorer nations have the most to gain from employing open source software. The lower real cost of obtaining and updating computer systems (when using open source options) enables them to build infrastructures that would cost many times more to operate with closed source OS's and apps.

The sweet smell of plastic grass

[Bimo_Dude]

FTA:

Software, with its millions of lines of code, is so complicated that experts don't know for sure that open source has fewer bugs, nor can they say with certainty that having fewer bugs makes open source more secure.

It seems to me that this may be all the evidence we need of astroturfing. While I don't really know for sure if this statement is true, there is a glaring omission in the article where the author neglected to compare the time-to-patch for bugs between FOSS and closed software.

Re:The sweet smell of plastic grass

[Ithika]

nor can they say with certainty that having fewer bugs makes open source more secure

Well, that's a good one. "There's no evidence that our product, having more flaws than their product, is actually any worse."

Oh puh-lease.

Open Source is Really a Threat

[burningion]

Open Source is really a threat to most governments. Open source software gives everyone equal access to the same tools, regardless of social class. It threatens the entire model of top-down hiearchy, as open source is a means for equalizing all access to information and exchange of information. Anyone can put together an Apache webserver and begin experimenting with having their own website, for free. No need for expensive schooling, as information is freely available to teach yourself. This will become a "problem" for places like the US, where we utilize the leverage of patents and trade secrets to maintain our superiority in the global marketplace. As places like India and China quickly become more technologically saavy, our economic model becomes threatened. One of the biggest keys in the future will be the regulation of the internet, and the censoring of information. I believe the best thing for the global society is free and anonymous access to all (public) information on the net.

Make your own DemocraKey, and help spread the technology for free and anonymous access to all information.

...And the FUD-spreading site runs on what?

[orzetto]

Running a nmap -P0 -O foreignpolicy.com, you get among other things:

Device type: general purpose|media device
Running: Linux 2.4.X, Pace embedded
OS details: Linux 2.4.18 - 2.4.27, Pace digital cable TV receiver
Uptime 175.187 days (since Tue Dec 6 19:18:51 2005)

So it's open source, Linux, and running continuosly for 6 months. Ahh, the coherence.

Heh. Take a look at the source.

[dbarclay10]

Caroline Benner is a fellow at the University of Washington's Institute for International Policy. From 2001 to 2003, Ms. Benner was a consultant with the geopolitical policy and strategy group at Microsoft.

Yeah. Take a look at the source. I wonder if maybe she's still freelancing for them.

Really all the article does is point out that there's no silver bullet. She does so by pointing out that there are "claims" about open source. That's it. She doesn't dispute the claims. She just says they're claims. Unsurprisingly, she also doesn't point to the evidence of the claims.

FUD stands for "fear, uncertainty, and doubt." This may very well be a simple, subtle form of doubt-sewing. Nothing actually inaccurate in the article, that I saw, but also called into question some faily well-proven FOSS benefits (such as a lower cost of ownership).

About the worst I saw was:

For example, they believe that the total cost of ownership of open-source software is lower than that of proprietary software because they avoid the expensive licensing fees that companies like Microsoft charge.

Actually, most people I know don't consider "Total Cost of Ownership." That's a term made up by Microsoft in an attempt to make FOSS proponents look like they're narrow-minded and that their conclusions were incomplete and "irrelevant to business." Everybody I know looks at "cost" - period. "Cost", by definition, without any modifiers, *must* mean total cost. "Partial cost" or "license cost" may mean something other than Cost, capital C.

Likewise, relatively few people I know think Microsoft licensing is the main cost in a Microsoft shop; the legions of sysadmins and helpdesk staff, as well as the lost productivity and downtime cost quickly outweight the (relatively benign) up-front cost of Microsoft software. Take a look at Red Hat's licensing - it's actually more expensive than Microsoft on most fronts. You make it up tenfold in reduced operating expenses, however, and you can save even more in operating expenses if you go with a more technologically advanced flavour such as Debian GNU/Linux (you also reduce the up-front procurement costs as well).

Bah. I can't believe I wasted five minutes debunking this Microsoft-shill fluff piece.

Hire your own people.

[khasim]

This isn't just about control. This is about jobs.

With any closed source software not written in your country, you're importing it and sending your money to another country.

If you pour some cash into your education system and train up your own programmers to modify the Open Source code to suit your needs, you're investing in your own people. The money stays in your country. Those programmers pay taxes to you on that money.

And you've got to realize that this is going to be a very important field in the future. Do you really want your people left behind?

Re:FUD, FUDDER, FUDDEST

[rewinn]

From the Article... it is misleading to say that open source empowers people in ways proprietary software does not. Both open source and proprietary software allow you to change the behavior of a software program in significant ways without touching the program's source code

Those two sentences go beyond mere FUD to outright deception.

• It equates empowerment to changing program behavior without changing the source code, as if source code inspection for security flaws were of no significance; +1 FUD
• It ignores the possibility that modifying source code can be far more empowering more than tweakiing program behavior; +1 FUD
• It accuses OSS proponents of being misleading. +1 FUD

Bad doggie! No cookie for you!

The Article is NOT true (Linux excepted)

[i+am+kman]

No, No, No! The headline and much of the article is extremely misleading).

Sure, governments are starting to use Linux as the ONLY viable alternative to the hated Microsoft.

But that's it. While Linux is open source, open source is not defined by using Linux.

Much of the US government explicitly bans open source and I've supported 2 foreign government contracts that also had explicit anti-open source requirements. And they ban open source specifically because it is a potential security risk. In fact, it seems quite reasonable to question why the US (or European) countries would want to use open source code that may have been developed in China or even France (or others countries well known for their industrial espionage).

In any case, who the hell actually believes open source is MORE secure simply because they publish their millions of lines of code? Like ANY customer is actually going to look at the code.

Ok, before flaming, I agree some, well tested, well accepted, and well controlled open source with blessed versioning is more secure (probably MUCH more secure) because of exhaustive testing and support by real companies, but that's VERY different than arguing it's more secure governments can peek at the source code.

As a side note, open STANDARDS are a completely different topic and all governments want, love, and support open standards. Unfortunately, Open Source and Open Standards are very often confused by governments and government contracts.

That said, some countries like open source because it providesa competative advantage. For instance, China is rapidly excelling in HW production so open source acts to undermine the competative advantages more developed countries have built up in their commercial software industries. (That, and open source allows the Chinese government to insert all sorts of filters in place, but that's a different story).

Penny-wise and future foolish.

[jbn-o]

Proprietors agree with you, which is why they're interested in cutting their prices or giving away gratis copies of their software to large-seat clients in exchange for locking government users into something that will pay off (both monetarily and in terms of control) in the future. Money is not and should not be the chief rationale by which these decisions are made or else more valuable points that pay off now and in the future will be lost.

A response for the non-techie

[grcumb]

Benner's article states:

'In a 2002 letter to Microsoft, Peruvian Congressman Edgar David Villanueva Núñez noted that, "Relative to the security of the software itself, it is well known that all software (whether proprietary or free) contains 'errors' or 'bugs' (in programmers' slang). But it is also well-known that the bugs in free software are fewer." Yet, ask computer security experts and they'll tell you that's not necessarily true. Software, with its millions of lines of code, is so complicated that experts don't know for sure that open source has fewer bugs, nor can they say with certainty that having fewer bugs makes open source more secure.'

This statement is true, as far as it goes. But it ignores something that's far more important than the opinion of a computer scientist: empirical evidence. No matter how you measure it, FOSS software is successfully exploited far less often than proprietary software. In many cases, the differences are striking. There are, for example, effectively no Linux viruses in the wild.

Even in cases where FOSS is the dominant application (like the Apache web server, for example) the number of successful attacks are so much lower that there is no effective competition from the alternatives.

So the key here is not whether software is provably secure (i.e. auditable) but that it's effectively secure. The difference here is subtle, especially to those who don't understand software. It's something crucially important, however.

There's another issue here that's at the core of the Free Software philosophy: process. The FOSS software development process is based entirely delivering quality software. In fact, development cycles and processes often sacrifice convenience for IT folks in favour of solid code. Proprietary software is almost always driven by business priorities which sometimes - but not always - put a low priority on software quality.

Another quotation from the article:

'There are really two reasons that it is very difficult to know whether software is secure [....] The first reason is that even the simplest software program consists of hundreds of thousands to millions of parts, and potentially all of these have to be correct, or the system may have security vulnerabilities. The second reason is that we have no technology for systematically checking that the parts are correct and fit together in a way that ensures security."'

Both of these points (that even simple software is hopelessly complex, and that there is no systematic way to test intereactions between software) are inaccurate. It's like saying that human bodies are composed of billions of cells, so we'll never be able to measure a person's health.

Unix-inspired systems usually use a 'toolkit' approach, in which a number of small, special-purpose tools are brought together to perform complex tasks. The result is that each individual part is very well understood and performs its task(s) in a clear fashion. So, while it may be true that it's hard to document every possible interaction between software elememts, that's not nearly the problem the writer makes it out to be.

The article concludes:

'Software becomes more interesting--indeed, rhetoric-worthy--when it promises a better future. Open source may well deliver that promise, but computer science is too young a discipline, and there is too much we do not yet know about software to be so sure.'

This is a silly argument, especially in an article that claims to compare two alternative approaches to software. Computer science is not a young discipline, even if you compare it to physics and mathematics. The fundamentals of computing were understood even before we had computers to test with. The assertion that we just don't know enough is just plain wrong-headed.

Furthermore, even if it is true that we don't know enough, shouldn't that be an argument in favour of open source, where at least nothing is deliberately hidden?

Most big "foreign" software vendors are US

[rmerry72]

... as are most of the body shops that install and implement these projects. There only foreign if you live outside the US. Following that logic shouldn't the US governments be supporting their own US economy and buying more software from the big boys?

Re:Most big "foreign" software vendors are US

[Bogtha]

There only foreign if you live outside the US.

Erm, yes. What's your point? You do realise that most people live outside the USA? And that when the article talks about governments around the world, they aren't just referring to the USA?

Following that logic shouldn't the US governments be supporting their own US economy and buying more software from the big boys?

I don't see why. I identified an advantage that open-source has for most governments. If the advantage does not apply to a particular government, that doesn't mean the proprietary alternative is automatically better, it just means that they are equal in this respect. Think about it - it would be reduced to a choice between local companies (open-source) and local companies (proprietary).

PS: To make yourself appear more intelligent.

Re:Most big "foreign" software vendors are US

[Bogtha]

So you're point is about foreign and national companies.

Let's clear the terminology up. I understand "national" companies to be companies that are partly controlled by the state. Given that we are talking about trade between countries, I used the word "local" to talk about companies owned by citizens of the country in question. I am not differentiating between different areas of the same country.

I'm saying that, all other things being equal, open-source software allows governments to get software work done in such a way that the profit is earned by people residing in that particular country. Proprietary software, on the other hand, forces at least some part of that profit to go to the shareholders of the company that holds the copyright to the software, which - for most governments of the world - means that the government is giving money away to other countries.

You see, if a government spends money in such a way that the money goes to the people in that country, the country doesn't get any poorer. But if it spends money in such a way that the money goes to the people in another country, it does get poorer. Buying proprietary software services makes a country poorer if that software is imported. Buying open-source software services does not make a country poorer because there's no need to use foreign companies.

for products from foreign companies "control" of the code is an issue and should be considered above and beyond money.

Well yes, I should hope that software required for a country's infrastructure should come with buildable source code, but that's not at all what I was saying, and it's unrelated to open-source. Open source doesn't just mean access to the source code..

Are you worried about your state or city govenment "giving control" of some vital infrastructure software to Redmond or Silicon Valley?

Certainly. Why wouldn't I? Are you assuming I'm from the USA?

PS: To make yourself appear more intelligent.

Because it works

[porkThreeWays]

I work in municipal gov't in Florida. We use a lot of open source software in our organization. Why? Because it works. It has little to do with money. I've never been denied money for software if I can justify it.

"Enterprise" software has never really impressed me. A great deal of the time, the guy on the other end of support is no more knowledgable than me of the product. That is when you are lucky enough to get someone who speaks english natively. So what's the point for lackluster support? (Hardware is the exception. Many service plans can guarantee you a new server in less than 4 hours).

Highly specialized software generally has an unreasonable amount of bugs. We have one dept that has "enterprise level software", that I'm in the process of rewriting its so buggy. It's almost as if this company has no regression testing procedures in place.

And it's always a lot of fun paying 2,000k a pop for marginal glue code between applications. God-forbid that gluecode break one side. You'll get thorwn into a fun blame game of each company blaming the other. You need complex glue code? That'll be $10,000 and 6 months. You'll also recieve a windows front end in tk with extremely complex install directions. Minor versions are incompatible. You can never patch that box because xp sp2 will break the very customized non-standard registry settings.

People can spread all the FUD they want about open source, but I use it on a daily basis whenever I can. I have control over it and things just work. It's comical to see some of the rediculous things that go on in the closed source community. I like being able to change the ip address of a server if I have to. I don't need a license holding me back from doing that.

Re:Not necessarily. Decide for *yourselves*

[Russ+Nelson]

Are we really so insecure in our convictions that the slightest whiff of Microsoft makes us cry 'shill'?

It's not insecurity. It's not wanting people to be misled by non-facts.

Get the Facts, She's a Shill.

[twitter]

From the fine Article:

Caroline Benner is a fellow at the University of Washingtons Institute for International Policy. From 2001 to 2003, Ms. Benner was a consultant with the geopolitical policy and strategy group at Microsoft.

Just what does a software company need a Geopolitical Policy and Strategy Group for anyway? Gobal FUD? Creepy, and she's got a long history of M$ apologies and FUD to her name. Let's review,

• Not embarrassed by M$ virus penetration of Pentagon systems or disruption of NASA communications endagering the Space Shuttle and five months before the 9/11 attacks she tells us not to worry about cyber terrorists because the mighty M$ can deal with such unskilled attackers through patches., " time and access one needs to create a devastating attack, like crashing an airplane. In "Six Nightmares," Lake doesn't consider the checks that protect infrastructure from such threats. He also fails to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake's count), why have their attacks been, by and large, fairly innocuous?" M$ forsight. Let's review what happened next:
  • 9/11 demonstrated to the world that there were indeed many well organized terrorists wanting to harm US citizens and how venerable rescue efforts were to disruption of communications.
  • US Government drafts defense plan
  • Chinese attack plans are revealed by the CIA
  • Still M$ languishes and languishes working on DRM and other lock out crap.
  • M$ incompetence contributes to the biggest US blackout ever by disrupting critical company communications and overloading network. The whole thing could have been prevented.
  • North Korea launches cracker schools.
  • The US Air force Mission is updated to include net dominance
  • US Government turns to superior Free Software
  • Home and business users lag, causing havoc in hospitals, threatening medical and accounting records and creating a hotbed of exploitable computers for spam and spam and spam and denial of service attacks used against EVERYONE.
• 2004 apologies, security is too hard! Duhhhhh, if M$ is not up to task no one is, right? Wrong.
• The FUD rolls on to this day check out Her new Blog! as she spews forth Pressing Questions.
  • Get the facts about how expensive and non free software is helping India and other developing coun

It is *not* the money, at least not at first

[Per+Abrahamsen]

It is the freedom to choose future vendors that follows with free software. You don't have a single vendor who is the only one who can inspect, modify and redistribute the code. Anyone can do that, which ensures competition, which ensures the lowest cost in the long run.

The initial cost of free software is usually higher, as a vendor of proprietary software can sell the product below production cost, with the expectation of making the money back later in support and manitanence.

Which again is why we should work to make it official policy to require all software to be covered by a free software license in *any* organization where we are members (including the temptation), as there will be a temptation for decision makers to make the purchase that is cheapest in this budget year, and ignore the expenses later on.