Kartik Chawla, a 2nd year student from Nalsar University of Law, brings our attention to a recent development wherein the Tamil Nadu State Government is considering installing a home-grown Open Source Operating System as one of the mandatory OSes in the various government departments. In this post, Kartik notes that while a focus on the affordability of Open Source software is evident, the government must also tread carefully with respect to possible security concerns.
Open Source in TN Govt
In a letter dated 12th March 2014, the Information Technology Department of the Chennai Secretariat has requested all government departments to consider installing BOSS Linux as one of the mandatory operating systems. BOSS Linux (Bharat Operating Systems Solution) is an Open Source Software developed by the Centre for Development of Advanced Computing (C-DAC).
This decision has been prompted by the impending removal of support for Windows XP on April 8th, 2014, after which there will be no more security updates or technical support, leaving the computers still running Windows XP at greater risk of security and virus attacks. Phasing out the current software for the higher version would require investment not only in the software but possibly also in the hardware.
The recommendation to use BOSS Linux seems to be mainly motivated by the intention to save this additional expenditure. As the order notes, BOSS Linux is cheaper because it is free Open Source software, has very low support costs, and customer support is easy since the development team is available locally. Thus, the focus of the government in moving to Open Source Software is inspired by the ‘huge savings’ promised by such a step.
The core point that the government must consider here, along with the amount of money it will be saving, is the level of security offered by BOSS Linux. The source code of Open Source software, as the name given to it implies, is available publicly. ‘Source Code’ here refers to “any fully executable description of a software system”. Thus, for Open Source software, the core programming of the software is available in the public domain. This approach to programming has its definite advantages, but it also has certain disadvantages. The advantages relevant here include the cost savings noted earlier, and quicker bug reports and fixes from anyone in the developer community who wants to take the initiative, while the disadvantages relevant here include a possible higher security risk, and hidden training or expertise costs. [See here: “This is reinforced by the more general observation of our public sector respondents that while it is easy enough in theory to take code and customize it to individual needs, this is not so easy in practice. To do so they need to hire experts and look for support outside their organisation.”]
Keeping in mind the nature of the computer systems in question here, the security of these systems is crucial. The Indian government’s websites were hacked 78 times in 2013, up to the month of June 2013, and a total of 308 and 371 websites had been compromised in the years 2011 and 2012 respectively; at the same time, nearly 16,035 instances of scanning, spam, malware infection, DDoS attacks and system break-in affecting the government, defence and public sector undertakings were noted, and 13,301 security breaches in 2011 and 22,060 security breaches in 2012 (Source). Even though these statistics are from before the National Cyber Security Policy was released in 2013, they are nonetheless a cause for concern. Thus, the existing security of these systems is quite lacking. With Open Source software, since the source code of the software is publicly available, it is easy for crackers to sneak in malicious code, or to find weaknesses in the code which can be exploited to hack it. The essential question here is whether the exploit is made public as soon as it is discovered so that it can be fixed, or is used by a cracker for malicious purposes before it can be fixed. While this does not mean with any degree of certainty that Open Source software is any more vulnerable to attacks than proprietary software, it is a concern that must be kept in mind while transitioning government systems holding sensitive data from their current software to an Open Source model.
The second disadvantage of Open Source software, namely its requirement of a higher level of expertise, is something that depends on the software in question. Even though the level of expertise of Indian government officials with regard to the usage of computers is certainly questionable, this concern is balanced by the fact that the development team for BOSS is available locally in the case of Chennai. Thus, this might actually work out in favour of the government.
Thus, while the move from Closed to Open Source is a good step for the government, on the whole, it must make sure that it takes the proper precautions during and after the transition to ensure the security of its systems and the privacy of its citizens.