Kartik Chawla, a 2nd year student from Nalsar University of Law, brings our attention to a recent development wherein the Tamil Nadu State Government is considering installing a home-grown Open Source Operating System as one of the mandatory OSes in the various govt departments. In this post, Kartik notes that while a focus the affordability of Open Source softwares is evident, the government must also tread carefully with respect to possible security concerns.
Open Source in TN Govt
In a letter dated 12th March 2014, the Information Technology Department of the Chennai Secretariat has requested all government departments to consider installing BOSS Linux as one of the mandatory operating systems. BOSS Linux (Bharat Operating Systems Solution) is an Open Source Software developed by the Centre for Development of Advanced Computing (C-DAC).
This decision has been prompted by the impending removal of support for Windows XP on April 8th, 2014, after which there will be no more security updates or technical support, leaving the computers still running Windows XP at a greater risk to security and virus attacks. Phasing out the current software for the higher version would require investment not only on the software but also possibly on the hardware.
The recommendation to use BOSS Linux seems to be mainly motivated by the intention to save this additional expenditure. As the order notes, BOSS Linux is cheaper because it is a free Open Source software, has very low support costs, and the customer support is easy since the development team is available locally. Thus, the focus of the government in moving to Open Source Software is inspired by the ‘huge savings’ promised by such a step.
The core point that the government must consider here, along with the amount of money it will be saving, is the level of security offered by BOSS Linux. The source code of Open Source software, as the name given to it implies, is available publically. ‘Source Code’ here refers to “any fully executable description of a software system”. Thus, for Open Source software, the core programming of the software is available in the public domain. This approach to programming has its definite advantages, but it also has certain disadvantages. The advantages relevant here include the cost savings noted earlier, and quicker bug reports and fixes from anyone in the developer community who wants to take the initiative, while the disadvantages relevant here include a possible higher security risk, and hidden training or expertise costs. [See here: “This is reinforced by the more general observation of our public sector respondents that while it is easy enough in theory to take code and customize it to individual needs, this is not so easy in practice. To do so they need to hire experts and look for support outside their organisation.”]
Keeping in mind the nature of the computer systems in question here, the security of these systems is crucial. The Indian government’s websites were hacked 78 times in 2013, up to the month of June 2013, and a total of 308 and 371 websites had been compromised in the years 2011 and 2012 respectively – at the same time, nearly 16,035 instances of scanning, spam, malware infection, DDoS attacks and system break-in affecting the government, defence and public sector undertakings were noted, and 13,301, security breaches in 2011 and 22,060 security breaches in 2012 (Source). Even though these statistics are from before the National Cyber Security Policy was released in 2013, they are regardless a cause for concern. Thus, the existing security of these systems is quite lacking. With Open Source software, since the source code of the software is publically available, it is easy for crackers to sneak in a malicious code, or to find weaknesses in the code which can be exploited to hack it. The essential question here is whether the exploit is made public as soon as it is discovered so that it can be fixed, or is it used by the a cracker before for malicious purposes before it can be fixed. While this does not mean with any degree of certainty that Open Source software is any more vulnerable to attacks than proprietary software, it is a concern that must be kept in mind while transitioning government systems holding sensitive data from their current software to an Open Source model.
The second disadvantage of Open Source software, that being its requirement of a higher level of expertise, is something that depends on the software in question. Even though the level of expertise of Indian government officials with regards to the usage of computers is certainly questionable, this concern is balanced by the fact that the development team for BOSS is available locally in the case of Chennai. Thus, this might actually work out in favour of the government.
Thus, while the move from Closed to Open Source is a good step for the government, on the whole, it must make sure that it takes the proper precautions during and after the transition to ensure the security of its systems and the privacy of its citizens.
Few points to break the FUD of using Open Source.
1. This is not the first time TN Govt has embraced OpenSource fully. In 2007, a similar initiative was made by Umashankar IAS who was then head of ELCOT (IT / electronics procurement agency of state). Everything in the state ran on BOSS linux for ~2 years. After his transfer, lobbies(needless to say which corporate giant) managed to convert back to Windows. Moving to linux is not a major shift in user behavior as most e-governance applications are browser based. It doesn’t really matter which OS does one use to open Firefox, does it? BOSS linux also has support for office applications and Tamil support which is probably the only other use of computer for 90% clerical staff in govt apart from 10% who don’t handle specialized software packages like say GIS, databases. The ‘higher level of expertise required for using opensource’ FUD is broken here.
2. Large number of systems are offline and used in office only for internal purposes and not really exposed to cyber world. The web facing applications are hosted in state data center which is managed by separate team with NIC engineers. They have also planned a state level cloud infrastructure, which would be hosting applications in future. CyberSecurity is important for all computers used in govt FUD is broken here. BOSS linux is secure enough as long as they keep pushing security updates from upstream and even without these updates, desktop systems are not in any major risk as critical applications are hosted in secure data centers.
Your point is slightly self-contradictory insofar as you note that shifting to BOSS Linux is not much of an expertise issue since most e-governance applications are browser based, and then go on to state that a large number of systems are offline. Those are separate points, but what the ‘expertise’ required to manage a Linux system refers to is exactly these offline applications, including all services from the applications-level down to the BIOS-level. Support for Open Source software runs the risk of being lacking, which as noted is countered here by the development team being at hand.
And insofar as the point of security is concerned, it is the necessity of continuous security updates that you note that is being stressed here. And even if a system is offline, if there is a bug in the OS which has not been fixed, there is still a very real risk of a cracker with physical access to the system exploiting – the threat does not exist in the cyberspace alone. Furthermore, the argument made above about the security risk very well applies to the ‘secure’ data centres too,. ‘Secure’ is always a relative position, as can be seen from the hacked ‘secure’ servers of various companies and government that are in the news rather quite frequently.
As the post notes, the step by the TN government to move to Open Source is quite a positive step. It only recommends that the proper and necessary precautions be taken during and after this transition.