Chief Illogical Officer?

Sometimes you have to wonder whether logic totally escapes CIOs. In an article commenting on The Australian Open Source Industry and Community Report 2008 prepared by Waugh Partners, ZDNet put out a piece entitled “Open source barred from Australian government”. What I found particularly curious was a comment from the CIO of the Australian Tax Office, Bill Gibson. In it, he says that he “is concerned that open source software could not be as easily scrutinised as proprietary software”. This is probably a paraphrase from an earlier published interview by ZDNet where he is quoted as saying – “We are very, very focused on security and privacy and the obligations that we have as an agency to ensure that we protect those rights of citizens’ information in that respect. So, we’ve continued to have concerns about the security related aspects around open source products. We would probably need to make sure that we will be very comfortable — through some form of technical scrutiny — of what is inside such a product so that there was nothing unforeseen there.”

So how does he “scrutinise” proprietary software? I guess at best you might be able to see the source code, but the licence to see it is usually going to be under an NDA, and it is unlikely that one organisation really has the skills and resources to examine all of the code. Even then, there are going to be dependent libraries to which you may not have source code access. In most cases, you will only be able to see your software as a black box. If you do perform security analysis in that situation, you will always be limited in what you can test. I just don’t see how, with a black box, you can successfully search out all the nooks and crannies with a high level of confidence.

Only with the source code available to you, and the “many eyes” out there, do you have the opportunity to truly scrutinise the code. You are then also able to create and receive patches for any vulnerabilities that are found. Clearly the bad guys have a similar opportunity to review the source, but the evidence overwhelmingly supports the idea that open source is inherently less likely to have hidden security flaws and is able to react to unforeseen attacks with greater rapidity.

I would be really interested to find out who Bill Gibson has been taking advice from on software security.

One thought on “Chief Illogical Officer?”

  1. I have no idea who Bill Gibson gets his ideas from. It sounds to me like what we would term a “toilet expert” (one who takes an IT magazine into a cubicle and emerges as an expert in whatever he was reading).

    However, having worked briefly with the ATO (and being subjected to security checks myself before I was allowed to waste taxpayers’ money by sitting idle for two months waiting for approval from the ATO to have a userid created for the classified systems), I can offer this insight: the concern may be that with Open Source software, there are parts of code that are contributed by untrusted sources, so that they *must* scrutinise the code in order to be assured it is safe. The obvious conclusion being that Proprietary code is magically (or contractually) imbued with trust by being the source of all good Bits.

    I fail to see any logic here either, but that was the impression I got: ATO can “trust” Proprietary software because they know who to blame when it’s found to be insecure (assuming it’s found). But they don’t know who to blame for Open Source, and they don’t have the resources to scrutinise it.

    The opportunity for IT companies that wish to engage the ATO with Open Source solutions is to be the agency that does the scrutinising on ATO’s behalf. That is where HP ES should be focussing — after all, EDS was always a company that “didn’t make anything”. Open Source logically fits best with what Applications Services does: customising COTS software for clients’ specific needs. And Open Source is far more customisable.

    We just have to get through the acceptance barrier and offer to warrant the software ourselves.
