Draft Proposal to build FOSS capability for the NZ government

Background Assumptions

1. Shortage of IT skills. What is really meant by this is that there are shortages of a specific skill at a particular point in time with public and private businesses being unable or unwilling to carry a training risk.
2. Difficult for new entrants to the industry to get experience/skills. The size of the economy means that smaller public or private businesses are unable or unwilling to carry a mentoring risk.
3. Govt agencies appreciating FOSS but not seeing their role as FOSS support. While FOSS solutions exist within agencies there also needs to be significant external support as the agencies do not see themselves as FOSS developers or contributors.  
4. Significant taxpayer funding being sent offshore rather than growing onshore capability. Proprietary solutions from overseas companies are seen as better 'value' and Government contracts favour that rather than supporting local suppliers however, every tax dollar spent in New Zealand returns around 25 to 30 cents to Government in GST and/or Income Tax but every tax dollar spent overseas is a dollar lost to the New Zealand economy.
5. Security concerns. While open source technology and software is inherently more capable of being secure and any security issues that are discovered tend to be fixed relatively quickly there are still issues around the use of particular libraries.
6. IT infrastructure software is the enabler of the digital economy and should be treated in a similar fashion to roads and the fibre communications network. There is certainly some advantage in having a competitive environment to deliver services to the New Zealand public however history has proven time and again that there are some critical services that cannot be delivered without Government support. New and improved roads contribute significantly to the economy and the nationwide fibre rollout languished for years until Government incentives were made available.

Target Alignment

1. Broader Outcomes, the Five Principles of Government Procurement and the Government Procurement Charter. These are all designed to allow New Zealand businesses to compete on a level playing field however there are some obstacles to that primarily being driven by the misapplication of the AoG contracts that currently favour a single US multinational and limit the number of NZ businesses that can obtain favourable license terms.
2. Alignment with the NZTech Briefing for Incoming Minister (BIM) (2020). Point 9 - Boosting education and skills, Point 11 - Funding and Point 12 Better integration of IT across local and central Government can all be addressed by elements of this proposal.
3. Alignment with NZRise principals and options discussion paper. Ensuring that New Zealand businesses are evaluated equitably when proposing solutions to Government requirements and that there is support for vocational training and employment of New Zealand citizens.
4. Alignment with Catalyst IT BIM Digital Economy and Communications. Action 5 - ‘adopt the principles of digital development around open source and open standards’

Proposal

The proposal to address some of these issues is that open source work hubs (OSWH) be set up with a structure that allows public or private businesses that use open source technologies in New Zealand to access pools of developers, security specialists and other IT professionals for specific maintenance, documentation and upgrade tasks. 

For example, ACC and IRD have invested heavily in open source hadoop technology for data management via a company called MapR. As a result both agencies have a small team of developers skilled in those technologies. Unfortunately MapR as a company has ceased to exist and ACC do not see their role as being a sponsor for these open source projects even though they have a core team able to maintain and develop their existing environment under the open source licenses.

If the developers with the open source skills to support ACC and IRD were employed by a cluster/hub arrangement then both agencies could continue to receive support for their business operations while contributing to the local economy rather than overseas corporations. These developers could then also act as mentors to people coming out of tertiary education who would also pass through the cluster/hub arrangement. This gives the industry a pool of new entrants who also have practical work skills and reduces the risk to other small public or private organisations.

In a similar vein, many websites use javascript frameworks such as Node.js with the underlying software library package manager NPM. While security considerations are always applicable within the NPM framework malicious code can and does appear regularly. The OSWH could maintain, test and support NPM libraries used for digital web applications reducing the load on agencies to maintain their own code base or changes.

Agencies could identify and request specific changes to open source technologies from these pools to support their own initiatives. The OSWH would handle the interface to the open source community and maintain any repository requirements for forking/merging code upstream. Existing New Zealand open source companies could also take advantage of these pools to support the creation and setup of new services and/or ongoing maintenance of existing codebases.

The OSWH could be funded under an apprentice type model with the understanding that new entrants would be encouraged to see this as a starting point to gain experience to move into other areas. The work for the OSWH would also be consistent as the primary focus would be maintain and enhance existing capability leaving the innovation hubs or other entrepreneurial organisations to develop new services. I.E. the OSWH would have defined units of work or program increments to deal with without having to continually develop new ideas.

Comments

Governments aren't going to want to hire apprentice-level skillsets to work on their software projects.

The OSWH would not be developing in flight work for the agencies. The agencies have a pipeline of work already that is being developed either internally or in conjunction with existing suppliers such as Catalyst and Silverstripe. The OSWH would provide the support infrastructure and services to provide secure and audited libraries and toolsets that the agency work is built on. Apprentice may be the wrong word as well as the OSWH would take graduates for up to two years max. This would give them a work history and experience without small business or agencies carrying any risk.

Who will do admin, funding etc for these clusters? govt doesn't generally do shared funding on stuff (central govt, that is).

Acknowledged however if we treat the open source infrastructure that so much of our digital economy relies on in a similar manner to roads and bridges or the fibre broadband rollout then Government funding or incentives is a viable option. The funding could come from many sources incorporating some existing programs such as University/Tech internships or a new covid pool/PGF/economic boost program. The agencies do not see themselves as responsible for maintaining the FOSS code they use so this provides a way of giving them the ability to have a support and maintenance structure for the base code and any enhancements that they may need. This also reduces the risk of the FOSS community at large not being as engaged as required.

Cloud - govt is very well aware of privacy stuff (the new act's just come into play) and the issues around storing personal data in overseas server farms. it's worth noting that agencies already store data locally, and the situation is improving. it's also why MS etc are building server farms here in NZ, too.

Understood... but the management of those environments will still be performed from offshore with access control held by the multinationals registered in tax havens such as Bermuda. The data may physically be here but logically it is still just as exposed as it is today. Also, we have local companies that can provide that already so why is the focus on Azure other than the small caps aog being incorrectly used as a big caps AoG to bypass procurement processes.

The Government is very strongly attached into their current ecosystems (eg Azure), and small local providers simply don't have the tech, scale or pricing or even potentially skills, to compete.

Exactly, and this is one way of addressing that issue. We appreciate that the NZ Govt. provides basic commercial infrastructure, roads, rail, hospitals, fibre to everyone so supporting digital expertise for the software backbone that is underlying the innovation we seek should not be that much of a stretch

We can't ask government to be taking massive tech risks - it's essential tech infrastructure.

I would argue that the tech risk is there anyway. We know from a security perspective that the NPM model for javascript libraries is seen as an issue and we have seen efforts to ursurp some of those libraries with malware loads so having an organised pool for approved source libraries for use in Govt projects should be an advantage, a risk mitigation strategy. We also know that in spite of improvements over the years proprietary technologies in general and Microsoft in particular still have significant undisclosed vulnerabilities that can and do allow malware to hold large organisations to ransom.

FOSS is not necessarily cheaper that proprietary.

From a TCO perspective this may be true however this is where we rely on the ‘broader outcomes’ aspect of the procurement rules. As noted earlier, individual businesses in New Zealand cannot scale to the level where the use of open source hardware and software is cheaper. The advantage we have is that the money that would be going overseas is kept here in New Zealand and drives the local economy. Wages that are paid here get taxed here. The disposable income would mostly be spent here driving more business and tax revenue. Again, the drive behind this is to improve that capability across the board so that agencies and small business can take advantage of that support while at the same time developing the relevant IT skills that those same agencies and businesses will benefit from in the future without them having to carry as much risk as they would have if each entity had to rely on their own resources. 

Specific Projects

Cloud based solutions are popular at present based on the understanding that basic infrastructure services would be cheaper to obtain based on bulk suppliers. One consideration that all agencies are required to address is the storage of and access to personal data of New Zealand citizens. With overseas based cloud solutions ultimate control of this is lost given the layout of the telecommunications cable structure into and out of New Zealand. In addition to that New Zealand has no jurisdictional oversight of the companies involved in these services and is therefore unable to apply any remedies in the case of malicious or unintentional exposure of that data.

This proposal would allow the development and support of solutions such as NextCloud to provide browser based document creation, maintenance and intra/inter departmental exchange. This reduces the cost of the local hardware to access those resources as well as reducing the taxpayer burden of licensing options.

Telephony - Asterisk/linphone?

Videoconf - BBB - Already available to Govt as a service by Catalyst IT. (Jitsi as a softphone?)

IAM - Keycloak?

Data lake - hadoop etc.