ATO avoids open source due to security concerns

Security concerns have kept the Australian Tax Office (ATO) from adopting open source software, according to the agency's CIO Bill Gibson.

In a video interview this month, the ATO's Gibson said that while he is not opposed to open source software in principle, he "continues to have concerns about the security-related aspects of open source products."

"We are very, very focused on security and privacy and the obligations we have as an agency to ensure that we protect the rights of citizens' information in that respect," he said. "We would need to make sure that we are very comfortable -- through some form of technical scrutiny -- of what is inside such a product so that there is nothing unforeseen there."

Gibson said that while the ATO uses a number of open source components within its systems, it hasn't dived into open source applications because of concerns around getting the right kind of assurance that "the code is doing what it is intended to do."

"I realise that these risks exist even in proprietary code, however there is a vendor's reputation that helps protect [you and] provide that assurance."

Gibson is by no means the first to question the level of assurance an enterprise customer can expect from open source software.

Five years ago, as Linux entered the mainstream computing world, several reports commissioned for the likes of Aberdeen Group and the Microsoft-sponsored think tank ADTI questioned whether Linux might actually be as vulnerable as Windows.

These advocates of closed software argued that proprietary systems benefit from "security through obscurity" -- meaning that there is less chance of attack if the source code isn't widely available to the developer community.

Open source advocates, on the other hand, argue that the peer review model among open source developers results in better architected software. They also argue that enterprise versions of open source software, such as Red Hat's, tend to respond more quickly to security issues than the likes of Microsoft.

"All software has bugs, no matter what the licence, and some of those bugs have a security consequence," said Mark Cox, director of Red Hat's security response team.

"It's not the licence that determines how secure a given software project is -- software quality is a measurement on how the software was developed and how the project responds to security issues that are discovered. Open source is often credited as having a fast reaction time."

Organisations considering open source can still mitigate risks, he insists, by using an enterprise-level distribution, which provides a single source of security notifications and support across a range of open source applications.

If a customer had installed Red Hat's Enterprise Linux 4 package and selected every available application with it, he said by way of example, 81 percent of critical-rated vulnerabilities had fixes available within a single calendar day.

Security vendors such as Trend Micro have agreed with this assessment -- hailing the open source model as one that enables better security outcomes.

Despite his concerns, Gibson says the ATO would still consider an open source application if it both meets the agency's needs and "if there is a trusted entity that provides [the required level of] assurance."

"We've got a number of components within our operating environment that utilise open source technology, but we have not found an ATO office-wide application like a Microsoft Office or StarOffice that we are yet comfortable with," Gibson says.

"When we find one, there is no reason why we would not embrace it. Something like standard office software could be a starting point and we may explore that as part of our end-user computing outsourcing bundle, which we will kick off in the second half of this year."

The full interview with Gibson will be published on the CIO Vision Series page today.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • This is the whole problem.

    They put bozos like Gibson in charge in the Public Service, and they obviously have no clue. Seriously, these are YOUR tax dollars these clowns are spending (read WASTING) on inferior products just because they package it in a pretty box and have a hand-holding clause the vendor will give them, due to their incompetence.
    Typical short-sighted stupidity on the part of incompetent public servant drones.
  • whoah

    That's a little over the top isn't it? Sounds to me like he is taking a measured approach. Considering the incredible amount of risk involved in his role, he sounds pretty open minded to me!
  • When

    It all goes pear shaped they like to have a vendor to blame as opposed to maybe admitting their own incompetencies.

    I would feel much better in the knowledge that my data is held and secured in open source databases hosted on open source servers, but then again I know a bit about it, Mr. Gibson it seems does not.
  • The world is a charade

    and open-source is ruining the play.
  • Security?

    If they are really that concerned about security then they need to grow balls and move away from Windows.
  • Bureaucracy & risk

    A building could fall on this guy tomorrow. Hey, he's a bureaucrat -- he doesn't have to be competent, doesn't have to achieve anything, his only required outcomes are negatives & paper-pushing.

    He has no connection with any productive activity in the real world, other than to parasite off it.

    Of course the guy is clueless, wastes money time & space.. and inhibits other people, doing actual useful stuff. That's all Government and bureaucrats mainly do.

    If they ever do anything useful, it's entirely outside the job description; and grounds for immediate dismissal.
  • NSA, US and French Defence departments are all wrong

    Huh! Bad news for NSA, US and French Defence department CIOs. They believed that OSS was much safer than closed source software and now it appears they were all wrong...
  • Typical response from a govt organisation

    Working in AUS Government, the response from Gibson is exactly what I get all the time. Most of the large AUS departments are M$ shops and have little or no experience in open source. These organisations rely on being TOLD what they want by armies of consultants who have vested interests in keeping the income flowing. They talk about security issues in open source but they take the word of closed source vendors (usually their marketing people) that their software and platforms are secure without checking. Open source is a challenge to organisations like the ATO and rather than fully exploring the value that open source can deliver they prefer the easy non-thinking option.
    It is a pity that the higher you move in the Public Service the less you are connected with the technology and the less capable you are to make the very decisions that you are making. Mr Gibson, I would invest in a few IT mags at the news stand and improve YOUR understanding of open source rather than relying on others.
  • Generalise much?

    I'm the CIO of an "AUS government" agency. We run open source and Windows, soon even OSX.

    It's all about spreading risk and defence in depth.

    Admittedly, I do seem to be somewhat of a rare beast among my peers. Most of the time they have no idea what I'm talking about, when I speak to them about technology.
  • Sad

    "Admittedly, I do seem to be somewhat of a rare beast among my peers. Most of the time they have no idea what I'm talking about, when I speak to them about technology."

    A sad state of affairs indeed, but unfortunately true.
  • I can believe it

    I too occupied a similar position until recently.

    I have now left and am back in the private sector where people will actually listen and take appropriate action and where multi-million dollar projects are not handed to idiots whose only achievement has been to successfully navigate their way into the building every day for the last 10 years. *draw breath*

    The levels of incompetence I have personally witnessed are astounding and the root cause is that no-one in gov spares a thought to actually creating or earning wealth for the nation. Every year the government money-fairy flies over and sprinkles untold billions of dollars all over Canberra and so the concepts of efficiency and waste minimisation are completely lost on these people.

    On one of my previous projects I saved the department over $15 million dollars on hardware by negotiating a better deal and I got reprimanded for not documenting the process as I went along! If I was at Westpac (well, maybe not Westpac, but you get the idea) I'd get a bloody medal! By the way, I did document everything, I just didn't spend 28 hours a week doing it and taking 2 hour lunches, and flex days, and mandatory recreation leave days, and a zillion sick days, and stress leave days and................and...........
  • Open source versus blind faith

    "if there is a trusted entity that provides [the required level of] assurance." And herein lies the problem. Managements, private and public, don't want to understand, they want someone to state that what is in the sealed box meets the requirements.
    As to relying on the "vendor's reputation", frankly I don't believe it. This is the old "nobody got fired for buying ..." syndrome. The actual reputations of most major vendors are fairly murky; you buy their products on price and the chance they will be around for a few years to support them.
    The truth is that if the ATO really wants certainty about what is inside the box they will have to go open source. But it is easier to test a sealed unit than to fully evaluate the contents of an unsealed unit, which the ATO would be obliged to do if looking at an open source product.
    It is easier to rely on an assurance than to do your own research.
  • How bizarre!

    Gibson says "...we have not found an ATO office-wide application like a Microsoft Office or StarOffice that we are yet comfortable with" - he's just said it in his own statement & doesn't recognise that StarOffice runs on Linux. Perhaps he needs wording up to the wiser but someone, please.

    As for the questionable state of security within Linux, he has a point but has forgotten another & that is that the US Armed Forces have given SuSE Linux a security rating equivalent to that of Windows which I believe is a joke because without its network Windows might be secure but until they realise that the network is part of the computer they'll continue to have the amount of problems they have.

    Based on Unix, Linux has many more years of security embedded. Everything points towards Linux being more secure than Windows & brings about far less reliance on the USA. Software must be one of our largest imports of all but if it was Linux this would be reduced in cost by a huge margin. Initial operating costs would possibly go up but that would only be initial costs until the next generation of computer savvys were Linux-oriented rather than Windows. In any case the imports of Windows OS & Office would be in the many tens of millions per year every year.
  • The world is a charade

    You goose!
  • Deficit

    How many Linux distros are made in Australia?
    Lord Watchdog
  • No Deficit

    Distros are made by developers from all around the world. So there is no point asking which one is made in Australia. Most of them are freely available.

    OSS is about financing local software support companies instead of foreign monopolies. Just one of the reasons so many countries are using OSS in the public sector.
  • Public service is about...

    I think "public service" is about providing quality services to citizens at the best price possible and not checking that you have someone to blame if something goes wrong.

    The impact of software choices on local economy should also be taken in consideration.

    Is the service better when public servants use a $400 or $500 MS Office software or just the same as with a $0 OpenOffice?

    What part of this n x $400 goes into the local economy and what part abroad?
  • What Gartner predicts

    In a new report 'The State of Open Source 2008' Gartner predicts : 'In a few years' time, almost all businesses will use open source ... By 2012, more than 90 percent of enterprises will use open source in direct or embedded forms ... Users who reject open source for technical, legal or business reasons might find themselves unintentionally using open source despite their opposition.'
  • I had a similar experience

    And I checked on the place 10 years after I left and the same old farts are still in their cozy little place in the public service world. Public service IT is not a comfortable place to be in if you have real talent and something to offer the world.