As it Mandates Open Source, is Bulgaria Opening Questionable Doors?
For decades now, open source tools and applications have been gaining enormous traction in parts of Europe, and cities such as Munich have even been involved in a multi-year effort to transform technology infrastructure by throwing out proprietary applications and using open source tools instead.
In the latest move on this front, Bulgaria recently passed legislation requiring that government software be open source. The move underscores how pervasive open source applications and platforms have become. Now, though, there is growing debate about whether Bulgaria is making a wise move, or one that could open it up to security threats.
"This move is supposed to improve government transparency, give citizens a tangible return on their tax dollars, and improve the quality and security of sometimes-shoddy bespoke government software."
"Having code out in the open means that it’s publicly verifiable, so that other people can make sure there are no glaring security flaws or bugs. However, less scrupulous characters are also able to pick apart every aspect of the code to subvert it, or build their own near-identical version of the open source program to scam unsuspecting people."
“Whether there will be more black-hat hackers than people doing responsible disclosure (for which we also add rules in the amendments to the law), is hard to tell, but at the moment the ‘bad guys’ have an advantage,” Bozhidar Bozhanov, a developer and adviser on the new legislation, wrote me in an email.
Liviu Arsene, senior e-threat analyst at Bitdefender, also spoke with ZDNet on the topic, and noted:
"One main advantage is that the security community can constantly report new vulnerabilities and make sure information that the government handles is actually safe from attackers." Still, he raises a flag: "Having source code publicly available means that attackers can thoroughly study it and try to exploit vulnerabilities to hit the branch of government where it's being used."
In a blog post, Bozhidar Bozhanov, who calls the technology shots for the deputy prime minister, said that guaranteeing security is part of why this decision was made:
"As for security — in the past 'security through obscurity' was the main approach, and it didn’t quite work — numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it’s too late."
Bulgaria has mandated that a new government agency be tasked with enforcing the law and with setting up a public repository (which will likely be mirrored to GitHub). And, of course, there are already calls for other governments around the world to follow Bulgaria's lead.
It will be worth following the massive open source experiment going on in Bulgaria, with an eye toward whether it can stay truly secure.