Last week, President Barack Obama made good on his promise to appoint a national tech leader for the United States. As the country's first-ever CIO, Vivek Kundra faces significant challenges modernizing the nation's IT infrastructure and will be charged to do so at a time when self-interests and a lack of industry oversight threaten not only our freedoms and privacy but also the long-term innovation potential of IT.
And though the former CTO of the District of Columbia's new job description errs on the side of IT management rather than U.S. tech policy, the move toward a national CIO -- and, likely, a national CTO -- lends hope that the government will provide much-needed oversight to an industry that has fast been infused into nearly every aspect of our lives.
[ For perspective on the nation's tech policy in the years ahead, see "A high-tech agenda for President Obama." For a look at Kundra's credentials, see "Meet the nation's first CIO" and his 2008 InfoWorld CTO 25 profile. ]
After all, governance has proved essential to safeguarding a variety of long-standing industries from corporate malfeasance. And creating a post designed to oversee government-wide technical initiatives may be the first step toward getting the United States back on track in a number of tech areas faltering due to corporate neglect.
Here are 10 agenda items many of us in IT would like to see the first-ever U.S. CIO address.
Agenda item No. 1: Mandatory restitution for customer data leaks
Companies that damage the public trust by dumping chemicals in streams or by illegally disposing waste pay fines. But those that breach the public trust due to data mishaps face little in the way of restitution. This must change.
The scenario is familiar: Banks cancel debit and credit cards abruptly, issuing new cards and account numbers with little explanation. Such is the fallout of data breaches and incidents wherein accounting records are "lost." Too often the card-issuing banks fail to divulge the name of the company responsible for that data leak; they simply cancel and reissue cards, leaving unwitting customers to clean up the mess.
Although IT has been saddled with a legal duty to secure sensitive data and to notify the public in the event of a data breach, this type of corporate negligence goes largely unpunished. If more stringent mandates were put in place to actually hold companies liable for their own security breaches, customers would see better care taken with their identities.
Offending companies at the very least should pay every bank and account holder for the cost of canceling and reissuing credit and debit cards due to negligent data practices. Restitution should also include payment for the time required to fix the fallout of their negligence. Add a fine of $10 per record, and you will certainly see a drop in breaches that expose millions of customers' account data at a time -- or at least more diligence in protecting those records.
It is well past time to get serious about citizens' sensitive data.
Agenda item No. 2: Mandate net neutrality in perpetuity
It’s a new age, and with it should come new rights, such as the right to unfettered Internet access. Much as our country was originally founded on beliefs such as the freedom of speech, congregation, and religion, we should be awarded the freedom of information in the form of open network access.
If the major ISPs had their way, access to the Internet would be tiered, exactly like cable television. That is, you’d have a “basic plan” that would let you access only a handful of sites, and a larger plan, with a larger price tag, that would allow you to access more sites. If put into place, it would necessarily destroy the original premise of the Internet as a completely open network of computers, where every system can connect to every other system, regardless of location.
No good can ever come from a tiered Internet, and the government should solidify that as a basic right. This isn’t to say that every citizen should be given free Internet access, but rather that such access should not be filtered, censored, or constrained in any way.
ISPs should be free to sell various packages based on access speed and acceptable-use policies, but federal law should mandate that these services have no filtering whatsoever, including the current practice of blocking certain inbound ports.
Agenda item No. 3: Place restrictions on EULAs
Suppose GM required truck buyers to sign a document stating that the company could claim ownership to any material carried in the truck or that the company was not liable for any claims should the truck spontaneously explode due to a manufacturing defect. That’s the situation we face with software, as companies' use of EULAs (end-user license agreements) to indemnify themselves for anything and everything has spun out of control.
Some EULAs go so far as to claim ownership of any work product created with their software. Couple that with the fact that EULAs have become so onerous that few bother to read them before clicking Agree, and you can fast see disaster in the making.
The fact that these agreements are often difficult to uphold in a court of law begs the question: What is the purpose of making EULAs so wide ranging to begin with? Perhaps a User’s Bill of Rights is in order.
By all means, companies should be allowed to protect themselves with something akin to a EULA. But federally mandated standards and restrictions governing the scope of EULAs will go far in fostering innovation and growth in the software industry, not to mention protecting users from undue provisions.
Under no circumstances should a company be able to claim ownership of end-users' work products, nor should they be able to indemnify themselves from any action due to their own malfeasance in such a document.
Agenda item No. 4: Mandate the rollout of DNSSEC and BGPSEC
The Internet has become a fundamental pathway for public, private, and government communication, as well as financial transactions. Unfortunately, core infrastructure components in the United States remain woefully lacking in security for both DNS and BGP, making them unacceptably open targets for hackers.
Securing BGP is an absolute necessity. Only recently, there was a relatively significant routing problem that took parts of the Internet offline for several hours. The cause was runaway BGP advertisements from a single BGP peer. BGPSEC might not have helped that particular instance, as it was caused by human error, but the same problem would have occurred if someone had purposefully injected bad routing advertisements via unsecured BGP peers.
DNS is the cornerstone of IP networking. Without the names, we only have numbers, and while the resources might be available, without the directory converting the name of those resources to IP addresses, we can’t see the forest for the trees. Also, by poisoning DNS server cache, malcontents can direct users to their own versions of known Web sites and swipe their log-ins or gain access to other sensitive information. Ensuring that DNS servers cannot be compromised at any level is a requirement for a secure Internet.
Implementing DNSSEC and BGPSEC throughout the country is not only the right thing to do, it’s not a terribly difficult task to accomplish. In fact, ISPs and hosting providers should have done so already. The hard part would be coordinating the effort. Given a clear time frame and guidelines set forth by the government, carriers could be coerced into stepping up to the plate and implementing this basic and extremely vital safeguarding methodology for the Internet.
Agenda item No. 5: Clean up the spam mess
According to Spamhaus, the United States is far and away the No. 1 source for all spam. In fact, most companies are experiencing spam levels as high as 99 percent of all incoming e-mail -- a ridiculous proportion made that much more unpalatable by the amount of phishing attempts hidden within. If these levels persist, they will eventually cause the demise of e-mail as a viable communications medium.
There is only so much that can be done within a single country to fix this problem, but steps need to be taken -- soon. One tactic would be to institute a mandatory $10-per-spam fine for anyone determined to be sending unsolicited bulk e-mail. By aggressively locating and prosecuting these cases, the United States could curtail a sizable chunk of spammers based within its borders. After all, the quickest way to end unsavory practices like this is to make them economically unviable. Meaningful fines pursued diligently are one method of achieving that goal.
Of course, this approach would not stop overseas spammers, and botnet spam operations would continue. But if written properly, the law could ensure grounds for prosecution of any botnet with even a single member existing under U.S. jurisdiction.
Agenda item No. 6: Tax breaks for rural broadband last-mile carriers
It’s no secret that broadband access to much of rural America is spotty at best. In fact, there are many not-so-rural areas that are grossly underserved. If we’re to hold ourselves up as leaders in the Digital Age, we need to make broadband more widely available to those who don’t live in metropolitan areas.
The U.S. government has tried rural broadband initiatives before. It even created a fund that ISPs could draw from to extend broadband access. Carriers such as Comcast and Verizon took their share and frittered the subsidies away without making significant strides toward connecting the unconnected.
While it’s not generally a good idea to throw good money after bad, a performance-based incentive program might be the place to start. Here, tax breaks could provide a spark. Under such a program, every previously unserved household brought into the broadband fold would result in a small tax break for the carrier responsible. In order to increase competition and reduce the de facto monopolies that exist in underserved areas, this incentive could be extended to any last-mile carrier that brings service into an area that currently offers only one other existing broadband option.
Agenda item No. 7: Codify national standards for electronic medical records
In this day and age, it shouldn’t be a challenge for one hospital or clinic to securely access a patient’s medical records, wherever they may be. In the paper era, this meant couriers, copiers, and lots of dead trees. These days, all it should require is sufficient authorization, encryption, and perhaps a proxy for auditing purposes.
Currently, many patients’ medical records are stored electronically in a database run by whatever EMR software your clinic or hospital is using. Access to those records from outside entities is all but impossible in most cases, requiring the records to be printed out and snail-mailed to another location. Since these records already exist in digital form, there should be a better way to safely and quickly transmit that information to another health care provider, especially in an emergency.
If the U.S. government set up a central proxy -- not a repository -- for EMR transactions, it could effectively keep accurate logs on the transmission of medical records from facility to facility, conform to HIPAA standards, and still enable medical records to easily move where they’re needed.
After this article was written, but before publication, Obama introduced a somewhat amorphous plan related to electronic medical records, but the particulars of this program aren’t readily available and are likely still in the development phase.
Such an agenda would require the cooperation of all EMR software developers, but that’s what standards are for. Come up with a central XML-based standard for the records with the help of those companies, and let them transition their products to work with the central proxy. It’ll take time, but the result will be worth it -- especially if you’ve just had a car accident in another state.
Agenda item No. 8: Mandate a single electronic voting standard
Companies that produce electronic voting systems have proved they can neither manage nor secure their own products. The result is widespread distrust in electronic voting across the country. With something as vital as the election of government officials, we cannot afford such problems, nor do we have to.
The government needs to appoint an independent contractor or bring in the expertise necessary to develop a rigorously tested open source system that can be used by electronic voting machine manufacturers free of charge. The onus of maintaining the code base could be placed on a consortium of key individuals from companies such as IBM, Microsoft, Cisco, and so forth.
By open-sourcing e-voting, rather than depending on proprietary vendors to ensure the integrity of our elections process, the very foundation of our democracy will be better secured. The closed source approach has too often proved to be a road to disenfranchisement.