Open source software seems like a perfect fit for government IT projects. Developers can take advantage of existing code bases and, it's hoped, mold that code to their needs quickly and at less cost than developing code from scratch. Over the last few years, governments in the U.S. and abroad have been more closely embracing open source. However, agencies at all levels of U.S. government are still wary of open source and can be reluctant to adopt it. It's still not easy for government projects to use open source or for developers employed in the public sector to contribute their work to open source project.

At OSCON 2016, Morgan Senkal (a former federal government employee and current development team lead at Metal Toad Media) and Kathy Lee (an IT specialist at Bonneville Power Administration) are holding a session titled Storming the castle: open source challenges in government. Ahead of their session, Morgan and Kathy took some time to answer questions about the issues surrounding open source in government.

What's the current state of adoption of open source software in the public sector?

Kathy Lee (KL)/Morgan Senkal (MS): Both anecdotal observations and online research tell us that usage is high but contribution is low throughout the federal system. We'd love to see better and more visible opportunities to contribute.

What, in broad terms, is the process you'd need to go through to get a government department or agency to evaluate open source software?

KL/MS: For .NET developers who can use NuGet (a FOSS package manager) through Visual Studio, the process is now very easy. You can just NuGet to find the software you need. For instance, we needed to use the Unity framework for dependency injection, so we just looked for it on NuGet and added it our solution.

Back in 2010, there was no NuGet. The process was so cumbersome that it was basically a non-starter. We'd have to fill out a request and then our cyber security would have to do a scan of the software for malware/viruses. Then the software would have to go through our approved software process. This all could take up to six months.

What are some of the obstacles that you've encountered when trying to use or introduce open source software into your public sector work?

KL: So much paperwork. So many gates.

MS: There is also a lot of institutionalized mistrust of the open source community once you get down into the weeds of the federal government system. It's one thing to mandate it at the highest level, but the implementation throughout the federal government is still very spotty.

Why do think those obstacles exist?

KL: Auditing, mostly, to prove compliance.

MS: A lot of the obstacles encountered are just habit or inertia. For example, open source is far outside the comfort zone when it comes to finding solutions, especially considering it was considered anathema for so long. Combine that with fear and lack of knowledge about why these solutions that were previously viewed with such mistrust are now acceptable.

This quote in an Opensource.com article about a report done by the Department of Homeland Security pretty much sums the situation up:

"Rejection of OSS is a combination of fear and inertia. [They] don't like to move outside of their comfort zone, and [there's] the fear of the unknown," An OSS expert stated. "For OSS in the government, the biggest impediment is habit; they're used to buying what they've bought before." While not explicit in the report, as newer generations of IT professionals who grew up on OSS come into the government, it is likely that this assumption will shift. To some degree, we are already seeing it in agencies.

Do those obstacles exist at all levels of government?

KL/MS: The requirements of compliance are fairly consistent; it's how different agencies handle those requirements while still remaining flexible enough for open source solutions to address problems that varies tremendously from one agency to the next.

What are the most common arguments against open source software that you've encountered while working in the public sector?

KL/MS: "Yes, using this will be great, but it's going to take too much time to get it." Or, "Sorry, this was written by a foreign national, so we can't use it." Or, "There could be malicious code embedded in it since anyone can change it."

How did you counter those arguments?

KL/MS: I would usually just say I would deal with the paperwork and we can revisit using it when it was finally approved. I would try to find similar open source solutions that were based in the U.S. I would explain that we can review the code before using it to ensure there was nothing malicious embedded, and choose open source projects with extensive, vibrant communities, which can act as a deterrent to anyone planting malicious code.

What are the challenges around public sector employees contributing to open source projects?

KL/MS: We really aren't allowed to work on things we don't have a work order for. So unless a project has been approved, we can't work on it during work time. We could, of course, contribute on our own time, but that wouldn't count. We'd just be a person contributing to an open source project.

How can they overcome those challenges?

KL/MS: There needs to be buy-in from higher up to fund a project that will contribute to an open source project. If they can come to appreciate how having the open source communities understand the unique requirements of government-built software will help open source projects be more streamlined for government use, perhaps they would be more willing to fund projects with those allowances.

The White House recently released a draft open source policy for public comment. Do you think this is a step in the right direction?

KL/MS: It's a step in the right direction, but they need to find a way to communicate and encourage adoption for all developers and IT managers who work for the federal government. There is currently no such communication, and the message is not reaching all segments of the federal government.

If the federal government puts open source at the center of the software acquisition process, do you think that will filter down to other levels of government?

KL/MS: Federal doesn't always trickle down to state, city, or county, but it can't hurt!

If you could give one piece of advice to public sector employees who want to adopt open source software for their work, what would it be?

KL/MS: Think hard about the projects you are working on and if they have any practical use outside of government. Then pitch the idea to your manager on whether you can start an open source project.