Bristol Council's open source plan thwarted by security clearance problems

Bristol City Council's open source push has suffered another series of set-backs that point a finger of blame at CESG, the cyber security arm of GCHQ.

Bristol City Council's open source push has suffered another series of set-backs that point a finger of blame at CESG, the cyber security arm of government intelligence unit GCHQ.

Leaders at the local authority claim that the need for CESG security certification of e-mail systems effectively means the council has no choice but to buy Microsoft.

Senior Cabinet Office IT leaders have been asked to help as Bristol's faltering open source strategy, still showing little progress after a year, highlighted problems besetting the coalition government's own open source policy.

Councillor Mark Wright, architect of Bristol's IT strategy, said the problems had led him and council leader Barbara Jenke into a confrontation with council officers.

Bristol Council's IT department, led by Paul Arrigoni and Gavin Beckett, recommended in the summer the council buy a Microsoft software infrastructure because it did not have security clearance to buy alternatives, according to Beckett.

"What that effectively means is that Whitehall will only certify Microsoft e-mail systems," said Wright. "That's not good enough. It's enforcing a monopoly."

Bristol Council's cabinet had voted on 30 September last year to implement an open source infrastructure in an attempt to break the city's dependency on Microsoft software.

The later decision to buy Microsoft after all was based on recommendations made by Microsoft reseller Computacenter, which had been commissioned to examine the case for alternatives.

Wright said he and Jenke had thrown the long-awaited recommendations back at council executives and told them to do it again.

"It got sent back because it wasn't good enough," he said. "The sticking point as far as officers were concerned was security, particularly e-mail."

But Bristol's IT department discovered that public bodies only use e-mail systems certified by CESG - and only three e-mail systems were certified: Lotus Notes, Novell Groupwise, and Microsoft Exchange. Of those, only Microsoft's software was deemed viable. But it was not the only viable system on the market.

Bill McCluggage, Cabinet Office director of ICT policy, and Liam Maxwell, Cabinet Office director of ICT futures and a leading voice behind the open source policies now being pursued by both the coalition and Bristol, became involved after Wright "kicked up a stink", said the councillor.

A Cabinet Office spokesman said in a statement it was determined to increase government's use of open source software.

"We are aware there are issues," he said. "[We] are looking into ways to remove these barriers."

CESG rarely certifies open source systems because they do not have powerful commercial sponsors to push them through the onerous certification process.

Last month CESG even stopped the Cabinet Office using an open source supplier for its software asset register, a system on which its open source policy depends.

Computer Weekly understands the Cabinet Office has been talking to CESG about the certification problem since March.

A source close to the department said it had found a solution, but he was unable to explain how open source systems could be accredited unless public bodies were asked to carry the cost of putting them through CESG's gruelling, 18-month certification process. But CESG has itself sponsored open source software systems when they meet its own interests.

A spokeswoman for CESG said it was committed to support the government's IT strategy.

"We are aware there are issues for open source solutions providers," she said, adding that government was trying to "create a level playing field" for them.

Bristol City Council was unavailable for comment.

Read more on Business applications