Software should not be classified when used in government agencies except in some very rare exceptional cases. For example, software used to launch nuclear missiles and ensure they hit their targets might be an exception however, these should be an exception rather than the rule in my opinion. The reason I say that is because when a software is classified it means that a limited no of people are using it and that means only a limited no of developers are working on it as any given time. Plus, when something is classified it can not be security tested by external entities without having to sign multiple Non-Disclosure Agreements (NDA’s) and other similar hoops whereas regular software is used and tested by lots of people like corporate’s who test the solution before they implement it in their environment. This gives us multiple groups of people testing the software in various ways making it easier to identify security issues making it more secure.
Secondly, making classified versions of existing software doesn’t seem like a good use of resources to me. Why spend extra money creating a classified ‘Word’ when the commercial version (with some modification) would work perfectly well?
Coming to open source, I don’t think government should be prohibited from using Open Source. There are two ways government’s can be blocked from using opensource software. Firstly, the software license might prohibit government use. If this is the case, then the license no longer meets the requirement to be called open source since the Open Source Definition specifies that Open Source licenses may not discriminate against persons or groups. In-fact there was an attempt back in 2006 by GPU which is a Gnutella client to create a license that disallowed the use of their software by the military. It didn’t go anywhere because of strong opposition by the Open Source Initiative (OSI) to calling the license open source. Second, The government might not allow its use due to internal policy: This is primarily because they are worried about one or all of the following: Security, Cost, or licensing.
There is a misconception that opensource software is less secure than commercial software and even though majority of the servers worldwide run on opensource software (Linux, Apache etc) the detractors still persist. In every large company I have worked with so far, whenever I try promoting opensource software this point invariably comes up and I have to spend time explaining why this is not the case.
Another reason why companies might not allow OSS is because of the license the software might be under. If the software is licensed under the GPL they need to be extra careful when using it within their setup because the GPL is what is known as a viral license. It requires the source code of the entire “derived work” – i.e. the combination of GPL code and proprietary code – to be made available under the terms of the GPL publicly. Due to this most companies do not allow software licensed under the GPL to be used inside them. (Libraries licensed under GPL are fine because they don’t trigger the ‘viral’ clause). However, there are other licenses that do not have this clause and can be safely used.
Ultimately, I feel it is better if they use opensource software rather than pay ridiculous amounts of money as software licensing fees.