The federal government has rejected warnings from an open source lobby group that closed source software presents a serious risk to Australia's national security and ought to be chucked out in favour of more transparent software.
The finger-pointing started last week with Open Source Industry Australia (OSIA) calling upon government departments and organisations "implementing solutions within the sphere of national security to discontinue use of closed-source software where possible due to serious security risks".
OSIA spokesman Con Zymaris pulled few punches in a bold bid to put the frighteners on Australia's most security-sensitive organizations – not least the Australian Security Intelligence Organization (ASIO), the Defence Signals Directorate (DSD) and the usually unflappable Critical Infrastructure Protection team ensconced within the Attorney General's department.
"Closed-source software brings with it the added security risk that clandestine back-doors and malicious Trojan horse code can be embedded within a code base, and there is no reliable method of detecting these without full access to the source code. The best way to reduce such a risk is through code which can be fully audited by independent third parties," Zymaris said.
While ASIO and DSD will not speak publicly on such subjects, a spokesman for Attorney General Philip Ruddock was swift to point out that it is government policy simply not to connect national security systems to the outside world at all (that is, to air-gap them).
"National security computer systems are quarantined from the Internet and there is no access from outside systems. There are three principles involved in safeguarding information networks: information security, personal security and physical security. All staff involved in national security [have security clearances] and operate from highly secure premises," the spokesman said.
Another government source described Zymaris' comments as unhelpful, adding that they "muddied the water". The source said it was largely irrelevant what software was installed on physically-separated networks because they were not connected to anything.
The source said computers used in a national security environment were actually the least likely of all government computers to be vulnerable to attacks.
Microsoft's agreement to reveal its source code to the federal government also came in for a sledging with Zymaris describing the software behemoth's disclosures as inadequate.
"OSIA notes that attempts at partial disclosure of the source code, such as the Microsoft Government Shared Source Security Program (GSP) are a worthless marketing gimmick, designed to give governments the feeling of independently audited and certified code, without the reality," Zymaris said.