Bristol City Council has been cleared to build an IT infrastructure using open source software after a visit from CESG, the cyber security arm of the UK intelligence services.
Complaints about CESG's obstruction of open source software were branded "folk-law" at a meeting the security body held in Bristol yesterday with council leader Barbara Jenke and others including Bristol IT chiefs Paul Arrigoni and Gavin Beckett, and executives from the Cabinet Office.
The security body, an arm of GCHQ, denied its Code of Connection (CoCo) and guidance on information assurance prevented public bodies using open source software.
The meeting heard how CESG rules, by which public bodies determine what systems they should use, were being interpreted incorrectly.
Liam Maxwell and Bill McCluggage, Cabinet Office directors of ICT futures and ICT policy respectively, joined the meeting to tackle what they believed was a misperception that had been thwarting their policy to increase the use of open source software in government.
Bristol became symbolic of this misperception after complaining it could not fulfil its own open source policy because open systems did not have security clearance from CESG. Microsoft reseller Computacenter, which Bristol contracted to assess the policy, had advised the council it could not use open source systems without falling foul of security rules.
Computer Weekly understands from talking to people close to the matter that the network of people responsible for meeting CESG's required levels of assurance have come to rely on conventions that disfavour open source software. Senior Information Risk Owners (SIROs) in public bodies have concluded on advice from systems integrators and CESG-accredited security consultants that only known proprietary software systems and business models would win CESG approval.
It was also feared systems integrators had been using old CESG guidance to formulate their advice and confusing rules on software at the boundaries of public networks, such as firewall and other security software, which must be certified by CESG.
A CESG spokeswoman said: "CESG does not impose rules on the use of software on any public authority, local government or other."
She admitted it "bound" councils by security measures set out in CoCo, but insisted, "these do not prescribe which software authorities must use."
"The final risk management decision on whether or not to use a software product rests with the information risk owner within the department rather than with CESG," she said.
Mark Taylor, who as chief executive of open source supplier Sirius helped Bristol formulate its IT policy last year, said: "If you look at the actual rules, there aren't the inhibitors to open source adoption some people claim there are. Some people are not playing with a straight bat. Of course councils are risk averse. They play it safe, so they accept what is actually FUD [fear, uncertainy and doubt]."
Gerry Gavigan, chair of the Open Source Consortium, an industry body, said: "This has got almost nothing to do with open source software. It's a question of governance, risk and responsibility.
"A systems integrator or a proprietary software company can set up a stack, demonstrate they have met the tests, issue a certificate of conformance for this particular hardware and software and then the local authority can pass that to CESG and meet the requirements."
The current arrangement involved CESG issuing guidance rather than proscriptive rules and that passed responsibility to the local authority. The council relied on the assurance of systems integrators who in turn relied on the sureties they got from their relationships with proprietary software vendors.
Bristol City Council Leader Barbara Janke said in a statement the council was committed to lead the adoption of open standards and open source in public systems for the sake of its own economy, in which creative and high-tech industries were a notable constituent, as well as for other councils.
"Our aim is to do all we can to see a higher proportion of money from our IT procurement ending up in the local economy and supporting the city's innovative software companies," she said.
A spokesman for the council said Thursday's meeting had determined CESG did not impose restrictions on its use of open source plans. But it had yet to decide whether to actually go ahead with them.
Computacenter was not present at the meeting and was unavailable for comment. LinuxIT, an open source supplier contracted by Computacenter to work on the Bristol project, attended the meeting and said in a statement afterwards Bristol had become the "flagship" for government open source policy.
Bristol "allegedly suffered from flawed advice provided by its previous open-source advisers," said the firm.
The council has also published the minutes from the meeting with CESG.
Read more on Bristol City Council's open source plans:
Give Linux security clearance, US told UK