Behind all of the recent news around governments adopting open source use policies, the questions of whether or not open source will actually be used and at what levels remain unanswered. At the end of the day, policy makers can say that open source solutions should be considered, but where are the teeth to put some bite into these preferences? Beyond expressing a preference, does anything else need to be done to make sure open source gets its fair share?
This is the topic that Maxwell Cooter talks about on his Blue Screen Techworld Blog. The UK has just updated their open source policy. It is really not a big change, basically continuing the Feb 2009 guidelines. Here is what the Government’s policy is:
Open Source Software
(1) The Government will actively and fairly consider open source solutions alongside proprietary ones in making procurement decisions.
(2) Procurement decisions will be made on the basis of the best value for money solution to the business requirement, taking account of total lifetime cost of ownership of the solution, including exit and transition costs, after ensuring that solutions fulfill minimum and essential capability, security, scalability, transferability, support and manageability requirements. Where a ‘perpetual license’ has previously been purchased from a proprietary vendor (and therefore often giving the appearance of a zero cost to a project), a shadow license cost shall be applied to ensure a fair comparison of total cost of ownership. The shadow license cost will be equivalent to the published list price of the product (no discounts can be factored in), or the price the public sector pays overall on a ‘crown’ deal.
(3) The Government will expect those putting forward IT solutions to develop where necessary a suitable mix of open source and proprietary products to ensure that the best possible overall solution can be considered. Vendors will be required to provide evidence of this during a procurement exercise. Where no evidence exists in a bid that full consideration has been given to open source products, the bid will be considered non compliant and is likely to be removed from the tender process.
(4) Where there is no significant overall cost difference between open and non-open source products, open source will be selected on the basis of its additional inherent flexibility.
Non-Open Source Software
(5) The Government will, wherever possible, avoid becoming locked in to proprietary software. In particular it will take exit, rebid and rebuild costs into account in procurement decisions and will require those proposing proprietary software to specify how exit would be achieved.
(6) Where non open source products need to be purchased, Government will expect licenses to be available for all public sector use and for licenses already purchased to be transferable within the public sector – including into cloud based service environments without further cost or limitation. The Government will where appropriate seek pan-government agreements with software suppliers which ensure that government is treated as a single entity for the purposes of volume discounts and transferability of licenses.
Sounds great, doesn’t it? But rightfully so, many in the open source community say thanks, but where is the beef here? Who is monitoring to make sure these policies are followed? What are the repercussions of not following these policies? Setting these policies at the cabinet level does not trickle down to the procurement office per se.
The UK is not alone in this situation. Now that we in the open source community are finally seeing governments big and small the world over express their preference for open source software, how do we translate these preferences into practice? There have been several forays into this across the map. One solution that has been tried is quotas on open source use.
Quotas in general are almost always a controversial option. Growing up as a child of the ‘70s (yeah, I am old, I know), quotas were a lightning rod topic. These were the days of affirmative action, forced integration, busing and the Bakke case. Now granted, these quotas revolved around race relations, which was an even hotter pushbutton topic than open source use. But the different philosophical camps were clear.
On one side is the pro quota camp. Due to some perceived past discrimination or some other reason for favorable treatment, quotas are a valid way to even the playing field and give the protected class (in this case open source solutions) a chance to compete and succeed in an environment where they might not otherwise. Sometimes the thought is that by having a certain market share or level of participation, the protected class would then become stronger and would not need preferential treatment.
The other philosophical camp says that quotas are wrong and just perpetuate an inferior class system. The market will determine what the best choice is. If the open source software is the best fit for a particular situation, it will be chosen. By setting aside or putting a quota on its use, you are almost by definition choosing a product that may not be best for the situation. This creates two problems. One is that in the case of government, the taxpayer is paying for use of a product that is not the best choice. That winds up costing all of us money. Secondly, because the product is chosen regardless of whether it is truly best in breed, where is the incentive to keep the development pace brisk and make the product better? So the protected class, in this case open source, would never continue improving. Another consideration is that non-open software vendors would then claim the deck was stacked against them.
One country where quotas on open source use have been instituted is Hungary. While some in the open source community have held Hungary up as an example to Europe and the rest of the world, there are others in the open source community there who question if the intent behind the quotas has actually been achieved. You would expect opposition to the quotas to come from outside the open source community. But as usual the devil is in the details and the road to perdition is paved with good intentions. In the case of Hungary some open source advocates are saying that the quota is not enough and not effective because of the way the plan is implemented.
Other countries in Europe have taken other routes. The Netherlands, while not imposing a strict quota, has a system under which, if all things are equal, the open source solution should be chosen. Again, those pesky details have even some in the open source community grumbling. It seems the Dutch system is rigidly based on whether an OSI approved license is involved or not. No OSI approved license, no open source preference.
France has no set policy on open source, but may be the most successful user of open source of them all. A recent study showed that 96% of public sector agencies and departments use open source software. That is pretty impressive. Beyond that, it shows that all of the policies and quotas don’t add up to a hill of beans compared to people willing to give open source software a fair shot and try.
When it comes to public sector use, I am all for saving money. I am also all for using the best solution for the job at the best price, public sector or private. Maybe because of my personal experience growing up I am not a fan of quotas. But we do need to make sure that open source is getting a fair shake in the large public sector market. I say this not only for the good of open source projects which in and of itself would be a good reason. I say it for the benefit of all of us who are paying taxes to keep our governments working. They can do more with less money by using open source software.
We need to move beyond policy preferences to real action. That means that we need to monitor open source adoption to make sure we move beyond the talking phase and into the actual adoption phase of open source use in the public sector. The time is now!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.