A cursory glance

Nearly one-third of EU governmental IT security organisations contribute to open source software

Published on: 21/09/2020
Last update: 22/09/2020

Government IT security specialists in at least eight European Member States contribute to open source software, a quick Internet search shows. Poland, France, the Czech Republic and Luxembourg seem to be the most active, contributing to 58, 49, 24 and 19 projects respectively.

The list (see table below) is almost certainly incomplete. Some countries have multiple organisations focusing on IT security, and not all of them are easily found online.

For Poland, for example, the list of European IT security organisations maintained by Enisa, the EU agency for cybersecurity, names three agencies: CSIRT-GOV, the Computer Security Incident Response Team led by the head of the country’s Internal Security Agency; cert.gov.pl, which is currently not online; and the CSIRT at the defence ministry.

There is no trace of the latter two agencies on GitHub, a popular open source code repository. By contrast, Cert-Polska, part of the country’s academic computer network, has no fewer than 58 projects on that repository.

Turning to the Czech Republic, the govCERT-CZ page on GitHub shows 24 open source projects, plus one for NÚKIB, the country’s cyber- and information security agency, which also manages GovCERT-CZ.

Compromised

The clearest example is France’s National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information, or ANSSI). This organisation publicly shares some of its own software solutions, including DFIR ORC digital forensics software to reliably get data from compromised computers running MS Windows, and TCHAP, an instant messaging client now used across the central government and France’s fire departments.

In addition, ANSSI takes an active part in recommending the use of open source in France’s public services, for instance by taking part in conferences and demos.

Testing

Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) tests open source solutions for use by public services. These include OwnCloud, open source software that provides file and messaging functionality to organisations and workgroups, and Drupal, Plone, WordPress, Joomla and TYPO3, five open source web content management systems.

In addition, the BSI has funded the development of open source tools related to IT security, such as: Gpg4win, a port to MS Windows of the widely-used GPG encryption software OpenPGP; Mailvelope, a browser plugin for end-to-end encryption of webmail and web forms; and OpenPGP support in LibreOffice, a suite of office productivity tools.

Alternatives

The Dutch government’s cyber security centre (Nationaal Cyber Security Centrum, or NCSC) also tests and recommends open source software. In 2013, for example, it encouraged the use of Ubuntu Linux or Red Hat Linux as alternatives for those public services still hanging on to the Windows XP operating system. By that time, XP was a decade old and was no longer receiving security patches from its manufacturer.

The Dutch Intelligence and Security Service (AIVD) in 2015 funded the development of OpenVPN-NL, a tailored version of the widely-used OpenVPN (software for securing point-to-point communications).

| Member State | GitHub page | Number of repositories |
| Austria | https://github.com/certat | 10 |
| Belgium | https://github.com/certbe | 1 |
| Bulgaria | | |
| Croatia | | |
| Cyprus | | |
| Czechia | https://github.com/GovCERT-CZ | 24 |
| Denmark | | |
| Estonia | https://github.com/cert-ee | 4 |
| Finland | | |
| France | https://github.com/ANSSI-FR | 49 |
| Germany | | |
| Greece | | |
| Hungary | | |
| Ireland | | |
| Italy | | |
| Latvia | | |
| Lithuania | | |
| Luxembourg | https://github.com/GOVCERT-LU | 19 |
| Malta | https://github.com/CSIRTMalta | 3 |
| Netherlands | https://github.com/NCSC-NL/ | 2 |
| Poland | | |
| Portugal | | |
| Romania | | |
| Slovakia | | |
| Slovenia | | |
| Spain | | |
| Sweden | | |

More information:

Enisa’s list of European IT security organisations