Open Source Software: The Silent Threat at the Heart of the Cyber Security Crisis

31/10/2011 22:47 GMT | Updated 31/12/2011 10:12 GMT

Today, the government launches its cyber security conference following the 'disturbing' number of attacks suffered by government systems. It's good that they recognise there is a serious problem here - though I suspect it's because they know the average voter might suddenly start to care about tech issues following the recent revelations. As soon as the papers get wind of stories about 'hacking', people are bound to ignore the bland reality in favour of an imaginary thriller movie, possibly starring William Hague in a full-length leather trench coat.

Indeed, according to the ICO annual track, protecting personal information ranks as the joint-first public social concern, equal to crime prevention. This is something which is extremely important to a lot of people, and the government are aware that they need to do more.

However, for all that this signals a step in the right direction, the conference - and discussions about online security in general - need to recognise a deep-seated issue in the way we do business and store information online. I'm referring to the popularity of open source software, currently favoured by a range of e-commerce businesses and governmental services thanks to low associated costs and apparent convenience.

The government promised to increase mandates for open source technology last year after revelations about the levels of public spending on departmental web services (the website for the UK Supreme Court and Judicial Committee of the Privy Council cost £360,000, for instance). Transparency documents from the time demonstrated a shift in focus toward open source for budgeting reasons.

In business, web strategies often follow a similar path. The ubiquitous, open source e-commerce platform Magento, for instance, signs up hundreds of clients each month. It's certainly a short-term money-spinner - the basic version costs nothing and even premium versions are relatively cheap. However, the bottom line is this: if a variety of unsolicited authors are working on the code for something which you rely on for security, you are setting yourself up for a fall.

In the case of businesses, this means potential loss of valuable customers, data and time, and the possibility of long-term brand damage. In terms of governmental services, a worst-case scenario might actually lead to major security compromises. Either way, it's much like inviting in a focus group made up of local lock experts to design the security system for your factory. You might get lucky and land a lot of free expertise, but a civilian who has taken the time to get seriously interested in bolts and keys might, unless they are simply a lock enthusiast, have an ulterior motive.

We're therefore talking about an inherent structural issue - one that, left unaddressed, will only continue to worsen the problem. The banks have been the first to get justifiably worried about this issue, and my two eCommerce businesses, Venda and Powa, have worked alongside them to achieve a Level 1 PCI-compliant security rating - they're locked up tight, in layman's terms. Initial overheads may be higher, but it's hard to see why that's a problem when you're totally secure from future attack. A recent Verizon study in the US found that 79% of victims hadn't achieved appropriate security compliance prior to their breaches.

Forgive me a moment of hyperbole, but until governments follow this lead, the banks will remain near-universally ignored as the doom they prophesise draws ever closer. There's definitely a highly techie 'Trojan Horse' pun to be made here, but I'll spare you for now.