Government open source plan hindered by lack of security clearance

Open source software is effectively banned from government IT because products cannot get official clearance from GCHQ security experts

Open source software is effectively banned from government IT because products cannot get official clearance from GCHQ security experts, a meeting of the BCS was told this week.

Tariq Rashid, lead architect for the Home Office, raised the issue with the BCS Open Source Specialist Group on Tuesday as part of an investigation into the reasons why government doesn't make more use of open source software.

Rashid was told open source software couldn't get security clearance because it lacked single, powerful sponsors with the resources to put it through the stringent security vetting required by CESG, the information assurance arm of GCHQ. CESG's list of approved products is populated almost entirely with proprietary software. This discourages systems integrators and government departments from building open source software into their systems.

Kevin Wallis, applications architect at the Ministry of Defence, told the meeting how open source software had little hope of being approved unless it had powerful backers.

"The big problem with the certification process is unless you have a government project prepared to sponsor it, CESG is so stretched with the number of projects it has to deal with you will never see the light of day until you've got a government programme," he said.

Dr Chris Francis, head of government programmes at IBM, says any software approved by CESG typically has backing from a conventional vendor.

"If I've got a proprietary product, it should be profitable enough to take it through CESG clearance as part of your marketing programme," he said.

Open source software encountered a problem, however, because any organisation that sought to give it backing would have to face the prospect that it wouldn't gain any direct financial return for its efforts.

The discussion dwelt on the disconnect between government processes designed to work with an industry populated by organisations with the clout to champion their software products, and the collaborative open source model in which the cost and responsibility for a system are distributed across many organisations and individuals. The BCS heard last week how similar problems put government IT procurement out of the reach of open source systems and small IT suppliers - only large organisations could cover the cost of participating.

CESG charges vendors to have their software accredited and the process is said to be taxing. CESG was unavailable for comment on this story, but it has previously revealed how reliant it is on vendors pushing their software through the process - for example, the reason ministers cannot use iPhones instead of Blackberrys is that Apple is unwilling to go through CESG accreditation.

"CESG evaluation of a product requires a vendor who is willing to engage in the full evaluation process, such as providing access to product engineering staff, and allowing CESG's evaluators to perform a detailed examination and review of the product's design and implementation," said CESG.

BCS members say the government should sponsor open source software through the CESG evaluation.

Darren Austin, technical architect at Atos Origin, says systems integrators are discouraged from sponsoring open source packages through CESG evaluations by the time and cost involved. They are more inclined to use products that are already on the approved list.

"I'm not aware of any open source products in this space," he said.

However, Austin told Computer Weekly after the BCS meeting that CESG certification was usually only required for products used in settings where system security was an issue. In other instances where an integrator was helping develop a system for a government customer, there were cases where it had more leeway to use open source software.

Integrated systems require accreditation from the project's senior responsible owner in Whitehall, which is given after careful evaluation by security consultants working with both organisations.

Atos has made use of the JBoss open source middleware platform in government accounts, he says, whereas using Vyatta's open source routing software would require CESG evaluation. Using something like the Apache open source web server would depend on its setting, he says.

The only open source products on the CESG directory of security assured products are various versions of Linux and the Ingres database. Oracle secured certification for its HTTP Server, a product based on Apache and the open source web application firewall ModSecurity.