Back to ideas 
Movement Towards Open Source Software
By aachili
14 Jun 2025
1 Upvote
0 Downvotes
169 Views
1 Improvement
Increasing reliance on proprietary software and software providers (ex Microsoft Azure, Microsoft Office, Amazon Web Services) reduces the government's ability to ensure that citizen and resident data is stored safely, that the data is not used by malicious or independently motivated actors, and impedes migration and innovation for the government software stack.
Digital security research often discusses a concept called Shannon's Maxim [1] that informally says that "you should assume your adversary knows as much or more about your system than you do". Reliance on closed source software places the onus on the technology provider to ensure the security of our data. In recent years that capability has come under increasing scrutiny by academia and even CISA [2] due to increasing numbers and severity of security flaws in proprietary software (ex. Microsoft Windows, Crowdstrike). Compounding this problem is that software providers increasingly demanding real-time access to user devices for the purpose of continuous updates while simultaneously forcing migration to other external systems [3]. This makes telemetry data for many public services accessible to the respective software/hardware provider in addition to frustrating the end user and decreasing productivity when learning a new system. Taken together, the amount of data and the type of data stored with these providers poses a risk to the Canadian software supply chain.
The storage of public data on large cloud service provider Software As A Service (SAAS) platforms (ex. AWS, Microsoft Azure) subjects public data to the storage conditions of the cloud provider; terms that are notoriously bloated and difficult to understand. When we provide data, such as mentioned in the previous paragraph, to these data storage providers, they now control access and distribution of sensitive and identifying information of public servants. Despite promises to keep sensitive data within Canada [4] this is by convention, not by design. In addition, employees of the data storage provider now have access to this data, and when we consider the size of the workforce of a company such as Microsoft [5], this becomes a problem where we are again relying on the software provider to ensure security.
Finally, if data is held by centralized and highly integrated cloud platforms, migration of that data to another software stack becomes difficult. Often when migrating away from these large providers, local technicians are left to their own devices to determine the best way to perform migrations, leading to downtime, data loss and unexpected system outages [personal experience].
Some European governments have begun the transition to open source softwares to power public service administrative and front-line infrastructure [6, 7]. Open source means that "users have the freedom to run, edit, contribute to, and share the software" [8] and the increasing maturity of the open source community and open source software tools means that security researchers and system administrators can audit software freely. For the government, transitioning to open source software and local cloud providers means that: 1. The government maintains control of data 2. Security becomes much easier to verify 3. Access to updated software is trivial 4. Requesting features is easy and 5. Implementing those features can be taken up by local developers and other contractors
A transition to open source software would allow the government and public service to maintain greater autonomy, transparency, and flexibility across the software supply chain.
Bibliography
[1] Shannon's Maxim, AKA Kerchoff's Principle : https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
[2] CISA report on exchange 2023 vulnerabilities and exploits : https://www.cisa.gov/resources-tools/resources/CSRB-Review-Summer-2023-MEO-Intrusion
[3] End of life for Windows 10, widely used in the public service : https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281
[4] Microsoft Azure Secure Instances : https://learn.microsoft.com/en-us/azure/container-instances/container-instances-confidential-overview
[5] Microsoft Employee Population : https://www.statista.com/statistics/273475/number-of-employees-at-the-microsoft-corporation-since-2005/
[6] German Migration to GNU/Linux based systems in progress : https://interoperable-europe.ec.europa.eu/sites/default/files/inline-files/Open%20Source%20Software%20Country%20Intelligence%20Report%20-%20Germany.docx.pdf
[7] Complete list of organizations migrating to LibreOffice from Microsoft Office : https://wiki.documentfoundation.org/LibreOffice_Migrations
trevortwining
Existing GC open source tooling, like the Government's use of the Drupal Content Management system (https://drupal.org) should be highligted and best practices shared for similar procurements.
Jun 17 2025
Like(0)Reply(0)