All Eric Kriss, secretary of administration and finance, did was issue a memo to state agency CIOs summarizing a plan to move toward open standards in state government IT systems, but astonished stories in the media made it seem as if Kriss told CIOs the state was going back to punch cards for its computing needs.
Commonwealth officials hope the move toward open standards will not only save the state money in the long run, but also increase efficiency. Though using open source software in government is still somewhat controversial, the state has included it in its pursuit of open standards because it is easily adaptable to specific needs; it can be built, used and improved upon by many agencies; and it often costs less than proprietary software.
While some took the memo to mean Massachusetts was tossing proprietary software and installing Linux on all state desktop PCs, Massachusetts simply wants technology that is as adaptive and appliance-driven as possible to reduce the patchwork nature of the state's information systems, said Massachusetts CIO Peter Quinn. Both proprietary and open source software will be used as long as they are not built on proprietary standards.
Three Simple Reasons
The first draft of Massachusetts' Enterprise Open Standards and Open Source Policy was released on Nov. 24, 2003, to articulate the state's rationale behind adopting the policy. The state isn't looking to shake up its entire enterprise infrastructure, but to approach IT more logically.
While some theorized that the state's new tack is connected to its dogged pursuit of an antitrust lawsuit against Microsoft (the state is the only one that hasn't accepted the long-finalized DOJ settlement with Microsoft), the document lists several straightforward reasons for adopting the policy. First, system integration and data sharing make it simpler to efficiently deliver government services. Second, in today's tough budget climate, IT investments must be based on total ownership costs, and component-based software that uses open standards allows programs to be built once and used by many different agencies or groups. Third, open systems and specifications are often cheaper to acquire, develop and maintain, and do not result in vendor lock-in.
The document, approximately two months in the making, also states that all future IT investments will comply with the open standards Massachusetts set forth, and existing systems will be reviewed and enhanced to comply with new policy as needed. It also states that both open source software and proprietary software will be considered in a "best value evaluation" of potential open standard solutions.
"A best value evaluation should consider, at a minimum, total cost of ownership, fit with identified business requirements, reliability, performance, scalability, security, maintenance requirements, legal risks, and ease of customization," according to the document.
The policy places responsibility for compliance enforcement on the Information Technology Division. The ITD -- as part of its ongoing project review and oversight processes -- will review agency IT project plans and service requests before granting approvals. This will ensure they comply with policy, and that agencies evaluate open source alternatives. The ITD also is directing agencies to integrate language in all IT bids and solicitations that require open standards compliance.
In addition, the ITD released the companion Enterprise Technical Reference Model -- Version 1.0, drafted to help agencies identify standards, specifications and technologies that support Massachusetts' computing environment. And an Open Source License Legal Toolkit is under development.
Unknown Territory
Open source tools are already heavily used in some federal agencies, by many European governments, and in the private sector, which is also discovering their usefulness. It's clear this software genre has gained credibility, but a certain bit of uneasiness lingers.
AMS has seen a growing number of its customers say they want the company to use open source software, tools or components on their projects, said Wick Keating, senior vice president and CTO of the Virginia-based systems integrator and IT consulting firm.
Faced with customers who want the company to use open source software, Keating said AMS needed to know that particular open source software components would fit into an overall solution, are secure, robust and scalable, and not riddled with defects. "We had to say, 'Look, before we go too far down this path, we just need to understand what this is all about, what the opportunities are, what the risks are and what our approach ought to be.'"
Though obviously interested in doing what its customers want, Keating said AMS wasn't sure how to categorize the reliability and trustworthiness of open source products.
From his company's perspective, Keating said, one of the great unknowns about some open source software components is who developed a particular piece of software. Whether that piece of software will enjoy long-term support from the developer is also a great unknown.
To zero in on open source products it could market to customers, AMS divided them into three categories, Keating said. The top tier is composed of the best products of their kind, he said. "For the second tier, we came up with a very simple metric: Can you go to Amazon.com and buy a book on it? It sounds silly, but that turned out to be about another 70," he said.
"If it's got a book out on it, it's got reasonable presence in the marketplace," he continued. "The fact that somebody thought it was worthwhile to publish a book on a piece of software -- because they thought there were enough people out there using it -- is a pretty good way to segment the market."
The third tier is pretty much everything else, he said.
"There are about 10 in that first tier, 70 in the second and tens of thousands in the third," he said.
Security is another unknown, he said. Though the open source community argues that many eyes have scrutinized the source code to detect and remove bugs, no one is held accountable if bugs are not detected or removed, Keating said. "Nobody wants to bring in a solution, and then turn around and discover it's got bugs and there's nobody they can hold accountable for fixing those bugs, or that it's got a security flaw."
"You don't really know that somebody didn't slip something in," he continued. "How do you know it wasn't the Russian mafia that put up that last upgrade and left themselves a back door they can use to tunnel into their systems?"
This doesn't necessarily mean open source software is suspect, he noted, citing the experience of the Pentagon, which performed an internal survey of its systems about a year ago. Officials were surprised at how much open source code the Pentagon was using, which raised some security flags, Keating said. But the Pentagon assembled a task force to review the code for security holes and found nothing to indicate the presence of back doors or other vulnerabilities.
Sign of the Times
The push to open standards is happening around the world, especially in Europe, said Allen Brown, president and CEO of The Open Group, an international vendor and technology-neutral consortium committed to creating what it calls "boundaryless information flow."
The Open Group regularly works with foreign governments, the U.S. government and vendors to further open standards adoption, mainly through conferences.
Government stovepipes are difficult to break down, Brown said, but having integrated information is key to getting people to work together.
"It becomes an even greater challenge when there is a need to integrate information with external organizations," he continued. "Government will have to face this greater challenge if the vision of 'citizen-centric government' is going to be realized. Federal and state systems will have to be interconnected. This will not be achieved without open standards -- nor will it be achieved exclusively by open standards."
Working toward open standards can also save state governments money over the long term. Though open standards based software isn't necessarily less costly, Brown said, enterprises must focus integration costs.
Avoiding a patchwork infrastructure is impossible if the state is unable to control and manipulate all aspects of its IT infrastructure, he said. "IT products that conform to open standards will reduce the risks to time, cost and quality of integration. Sometimes these risks are not realized until well into the future, when the lack of open standards in the existing infrastructure will cause problems for integrating new services."
Cost is clearly part of Massachusetts' drive toward open standards, Massachusetts CIO Quinn said. The ability to use nonproprietary products makes it easier to share those applications, but still, it's not about cutting for cutting's sake.
"We're just not doing slash and burn. We're still making investments as we go, but when we make an investment, we apply total cost of ownership principles when we make any kind of acquisition. That is a practice that hadn't been here before," Quinn said.
A Communal Approach
"We're trying to get to an environment of appliance computing where we can have interchangeable parts," Quinn said, noting that though the policy articulates a goal of building toward open standards, it also sets the stage for a singular IT presence in the commonwealth. "There has never really been an overriding set of enterprise standards in the commonwealth, and always the mantra I've talked to people about is being one IT community, that we have to figure out how to succeed together or we'll fail separately."
Architects from all agencies are working with Massachusetts CTO Bob Stack to contribute to standards that comply with the new policy, Quinn said, and the ITD is stressing a communal approach. Using open source software and tools increases the opportunity to devise creative ways to share information.
"Open source has never really been considered an avenue for folks in the commonwealth in the past," he said. "We really believe we're opening up the choices, and we hope, opening up the opportunity for innovation in a way that hasn't always been present in the past. We're thinking about IT in a much more enterprise approach, a more portfolio look at the applications we develop and a more participatory, communal environment."
Open Channels
Massachusetts isn't alone in its drive to build open standards, but publicly linking open source products to that goal is unique. Early in 2003, Oregon tried something similar. State Rep. Phil Barnhart sponsored a bill to mandate state agencies considering open source software when deciding to procure new software.
The bill generated lots of headlines, as well as conspiracy theories. Proponents of the bill said powerful trade groups mounted a cloak-and-dagger campaign against it, successfully killing it. Critics of the bill said it was unnecessary because state agencies could already use open source products. In the end, Oregon's Speaker of the House pulled the bill before it made it to a committee vote.
Massachusetts avoided what happened in Oregon because Eric Kriss, secretary of administration and finance, decreed that open standards and open source will be a part of the commonwealth's IT strategy. One thing Quinn said he found is there's plenty of interest in open source in government.
"We're getting a lot of free advice from folks," he said. "We're trying to listen to see what makes sense and what doesn't, compile the information as we go and see if it's meaningful in our environment. We've got folks around the country, my counterparts in the other states, that are very interested."
He said other states are interested in two things: the economic opportunity, because states are struggling to do more with less; and the opportunity to share, both from an experience standpoint and a development standpoint.
"If somebody builds it we all get it," he said. "But we all enhance it, and then everybody gets to contribute it back to the larger community."
