The ‘Bad Guys’ Have An Advantage In Bulgaria’s New Open Source Government

A bold plan always has risks.

Last week, Bulgaria passed a law mandating that any custom software developed for the government—as long as it doesn't handle classified information—must have its code published online in an open source format.

This move is supposed to improve government transparency, give citizens a tangible return on their tax dollars, and improve the quality and security of sometimes-shoddy bespoke government software. The law was seen as a win by advocates of open source software, but it also means Bulgaria must face the double edge of open sourcing.

"At the moment the 'bad guys' have an advantage"

Having code out in the open means that it's publicly verifiable, so that other people can make sure there's no glaring security flaws or bugs. However, less scrupulous characters are also able to pick apart every aspect of the code to subvert it, or build their own near-identical version of the open source program to scam unsuspecting people.

"Whether there will be more black-hat hackers than people doing responsible disclosure (for which we also add rules in the amendments to the law), is hard to tell, but at the moment the 'bad guys' have an advantage," Bozhidar Bozhanov, a developer and adviser on the new legislation, wrote me in an email.

Bulgaria's first test of the new open source mandate is likely to be a planned "eID" system, which may include contactless RFID chips on government-issued identification cards. These chips communicate identifying information to nearby receivers, and hackers have already demonstrated how easy it is to swipe information from them.

Bulgaria is planning on securing the information on these chips, Bozhanov said, by using PIN codes that will "block after three unsuccessful attempts" and may implement encryption to protect the information being transmitted from the cards.

While adequate encryption may indeed be tough, if not impossible, for hackers to beat, it's conceivable that someone might copy and augment the source code for the system to get around the "three attempt" rule for PIN codes, or perhaps even swipe the PIN itself if it is stored on the card and not protected.

But the important thing is to avoid "security through obscurity," Bozhanov wrote, which secures code only by keeping it out of public view, perhaps instead of actually patching security flaws. If there is a glaring flaw in the eID code, the idea is that the public will catch it before someone can exploit it.

As for the idea of someone copying a government system wholesale and turning it into an instrument for scamming, Bozhanov wrote that this is unlikely, and that the ability to replicate software will be an advantage.

"Typical functionality for document exchange, digitally signing documents, communication with central registers, etc. will most certainly be reused," he wrote. "Currently each company develops its own half-working solution."

Whatever the potential pitfalls of open sourcing, there's no disputing that Bulgaria (with a population of just 7 million) is taking a very progressive and largely untested approach to transparency in government technology. While the US Chief Information Officer has been working on a draft policy for open source government software, the US has yet to formally adopt any such policy or legislation.

Open source fans in the US and around the world will no doubt be watching Bulgaria closely to see how it all pans out, and if some of the lessons learned there can be used back home.