The case for using open source in government
In April, it was discovered that the personal data of over 21 million US citizens was stolen from the Office of Personnel Management. I'm one of those people, and I'm pissed off.
There were lots of systemic lapses in security that led to the break-in at OPM (I won't go into detail, for sake of brevity and blood pressure), but this is an opportunity to reevaluate how we approach public-sector computing. There's no better kind of software for public institutions than free and open-source software (FOSS) when it comes to civic engagement, security, and sovereignty.
Oh, did I mention it can save money?
Regardless of political affiliation, too many people feel that the government is separate from themselves. They feel they have no voice, no way to make things work better. Call me crazy, but I believe government and public life is what we make of it.
Code for America recruits coders and assigns them to cities or states to help develop applications. Think of them like AmeriCorps for programmers. CFA faces the problem of trying to convince a coder to work on a fellowship for half or less than what they'd make at some startup. That's a lot to ask of someone with a San Francisco apartment and a Tesla payment. (Look up rents in the Bay Area, I'll wait.)
As much as I love what they do, Code for America can't do everything themselves. Governments don't know how to, and sure as hell can't afford to do it on their own either.
With FOSS, citizens would have an opportunity to directly improve their communities by contributing code. Governments could draw upon the idle talents of the citizenry to create more effective (and less costly) services. It's civic engagement for geeks.
But what about security? Open-source projects can be quite nimble when it comes to vulnerabilities. As the saying goes, security through obscurity is not security at all.
When the Heartbleed bug was announced in April, a patch for OpenSSL was available the very same day. It's no secret how public key cryptography works, and anyone can get the source code for PGP or ciphers like Twofish or AES. But magically, nobody has broken OpenPGP. How can that be?
Anybody can audit or fix FOSS projects because (duh) the source is available to everyone. Everyone can see the bugs, and anyone can fix them. The fear of contributors introducing backdoors is mitigated by auditing and reviewing code before it is merged into the main branch of a program.
Free projects protect sovereignty too, by removing the need for license payments and allowing modification by a government to suit its needs. There's no need to pay a vendor for extended support of an obsolete system. (The OPM still has machines running XP.)
Despite this, several governments may undermine their own best interests. After Wikileaks published the text of the Trade in Services Agreement (TISA), the Free Software Foundation (FSF) affirmed that FOSS is the best way for governments to preserve sovereignty in a statement condemning Article 6 of the proposed agreement's electronic services annex.
"Ensuring that government-used and -purchased software is free for anyone to review, share, and modify promotes the safety and security of the people," the FSF said.
Any government that uses proprietary software is subject to the whims of a non-state actor and those of its home government. That is not acceptable for any self-respecting sovereign state. On the other hand, a government that uses FOSS for workstations and back ends will not be crippled by an unaddressed vulnerability, company failure, or corporate whim. It will be more secure, healthier, and more free.