It really doesn't make sense to me that software isn't created at the government level for cities and states to use. This way it's easier to make sure everything is functioning properly and the cost is only paid once.
> It really doesn't make sense to me that software isn't created at the government level for cities and states to use.
What government level? The federal government?
> This way it's easier to make sure everything is functioning properly and the cost is only paid once.
The federal government is no paragon of software virtue, nor is it likely to produce software adapted all that well to all of the needs of various states and cities, so what you'd end up with is software less fit for purpose, not particularly free from vulnerability, and where all of the vulnerabilities expose every state and local government in the country rather than just one jurisdiction.
And that's still assuming good intent, but in many cases the state and federal government have adversarial relations on particular issues, which might lead to the federal government actively designing software in a way to frustrate the needs of particular states.
Government jobs like creating software are required by law in most cases to be done as contracts that are put out for bid. Then the lowest cost or most corrupt choice wins. This entire system creates massive perverse incentives. Failing to complete the project on time is a business win. Making it hard to maintain is a business win (because maintenance will be a separate ongoing contract and the company that authored it is thought to have some advantage in getting that contract). Making it hard to modify is a business win. Delivering as little actual functionality as possible is a business win (they might make new contracts or contract mods to add more functionality).
I worked on a system for over a decade that originally got awarded as a contract to build 3 systems. When all was said and done, 3 contracts had been awarded to get it to completion and 1 system (which required 9 months of full-time work to get into a state to be used in production) was delivered. There are only 2 words for that in the contracting world: stellar success. That was a bigger win than they could ever have dreamed. Just drag it on, hiring the lowest paid new grads you can find to slap something together, stack the project with absurd layers of management, and collect the checks. Eventually, after years and years of this leeching, someone in the government will decide to make it an achievement in their career that they actually got the thing across the finish line. To do that they will sign off on the project and accept it no matter how short of contract requirements anything is. Their goal is to get the thing in the door and get credit for that; no one is going to blame them when it's terrible. And the idea of actually punishing the companies that do this, penalizing them financially and legally for violating their contract when they don't deliver a working system on time? Forget it. Never happen. The companies will get the public fighting against 'big government' and crying crocodile tears for how harangued the billion-dollar megaconglomerates are, with the RNC clanging finger cymbals while whirling around chanting 'jobs jobs jobs'.
Do we know the problem is in the software? There are a lot of other things that go into securing a large system like this: training and testing staff to resist phishing attacks, applying security patches promptly, maintaining least privilege as requirements, hardware and staff change, etc. It seems to me that unless your software package encapsulates every use case and enforces the security protocols itself, the only defense is an on-site security professional who is listened to.
Every state is going to have their own requirements. Some intentionally different, others unintentionally different. I can totally get on board with mandated open-source software for governments, but the reason the federal government doesn't just make the software is because most of the contracts involve support and training services. You can't trust government employees to do things for themselves now, come on. (=
Think of government as your grandparents. You can give them the best computer and software, but odds are they'll still call you in the middle of the work day to ask questions you don't really have time to answer. This is why Accenture and other big shops get big government contracts. At some point, it's easier to just send Geek Squad to your grandparents' house... knowing full well that they'll get upsold on crap they don't need, and charged more than they should... it's still easier than having to deal with teaching your grandparents not to write their passwords on Post-Its they leave next to the computer.