CIO

10 IT agenda items for the first US CIO

Obama's appointment of Vivek Kundra marks an important first step for rectifying the nation's concerns about IT

Last week, US President Barack Obama made good on his promise to appoint a national tech leader for the United States. As the country's first-ever CIO, Vivek Kundra faces significant challenges modernizing the nation's IT infrastructure and will be charged to do so at a time when self-interests and a lack of industry oversight threaten not only our freedoms and privacy but also the long-term innovation potential of IT.

And though the new job description of the former CTO of the District of Columbia errs on the side of IT management rather than US tech policy, the move toward a national CIO -- and, likely, a national CTO -- lends hope that the government will provide much-needed oversight to an industry that has fast been infused into nearly every aspect of our lives.

After all, governance has proved essential to safeguarding a variety of long-standing industries from corporate malfeasance. And creating a post designed to oversee government-wide technical initiatives may be the first step toward getting the United States back on track in a number of tech areas faltering due to corporate neglect.

Here are 10 agenda items many of us in IT would like to see the first-ever US CIO address.

Agenda item No. 1: Mandatory restitution for customer data leaks

Companies that damage the public trust by dumping chemicals in streams or by illegally disposing waste pay fines. But those that breach the public trust due to data mishaps face little in the way of restitution. This must change.

The scenario is familiar: Banks cancel debit and credit cards abruptly, issuing new cards and account numbers with little explanation. Such is the fallout of data breaches and incidents wherein accounting records are "lost." Too often the card-issuing banks fail to divulge the name of the company responsible for that data leak; they simply cancel and reissue cards, leaving unwitting customers to clean up the mess.

Although IT has been saddled with a legal duty to secure sensitive data and to notify the public in the event of a data breach, this type of corporate negligence goes largely unpunished. If more stringent mandates were put in place to actually hold companies liable for their own security breaches, customers would see better care taken with their identities.

Offending companies at the very least should pay every bank and account holder for the cost of canceling and reissuing credit and debit cards due to negligent data practices. Restitution should also include payment for the time required to fix the fallout of their negligence. Add a fine of $10 per record, and you will certainly see a drop in breaches that expose millions of customers' account data at a time -- or at least more diligence in protecting those records.

It is well past time to get serious about citizens' sensitive data.


Agenda item No. 2: Mandate net neutrality in perpetuity

It's a new age, and with it should come new rights, such as the right to unfettered Internet access. Much as our country was originally founded on beliefs such as the freedom of speech, congregation, and religion, we should be awarded the freedom of information in the form of open network access.

If the major ISPs had their way, access to the Internet would be tiered, exactly like cable television. That is, you'd have a "basic plan" that would let you access only a handful of sites, and a larger plan, with a larger price tag, that would allow you to access more sites. If put into place, it would necessarily destroy the original premise of the Internet as a completely open network of computers, where every system can connect to every other system, regardless of location.

No good can ever come from a tiered Internet, and the government should solidify that as a basic right. This isn't to say that every citizen should be given free Internet access, but rather that such access should not be filtered, censored, or constrained in any way.

ISPs should be free to sell various packages based on access speed and acceptable-use policies, but federal law should mandate that these services have no filtering whatsoever, including the current practice of blocking certain inbound ports.

Agenda item No. 3: Place restrictions on EULAs

Suppose GM required truck buyers to sign a document stating that the company could claim ownership to any material carried in the truck or that the company was not liable for any claims should the truck spontaneously explode due to a manufacturing defect. That's the situation we face with software, as companies' use of EULAs (end-user license agreements) to indemnify themselves for anything and everything has spun out of control.

Some EULAs go so far as to claim ownership of any work product created with their software. Couple that with the fact that EULAs have become so onerous that few bother to read them before clicking Agree, and you can fast see disaster in the making.

The fact that these agreements are often difficult to uphold in a court of law begs the question: What is the purpose of making EULAs so wide ranging to begin with? Perhaps a User's Bill of Rights is in order.

By all means, companies should be allowed to protect themselves with something akin to a EULA. But federally mandated standards and restrictions governing the scope of EULAs will go far in fostering innovation and growth in the software industry, not to mention protecting users from undue provisions.

Under no circumstances should a company be able to claim ownership of end-users' work products, nor should it be able to use such a document to indemnify itself against any action arising from its own malfeasance.


Agenda item No. 4: Mandate the rollout of DNSSEC and BGPSEC

The Internet has become a fundamental pathway for public, private, and government communication, as well as financial transactions. Unfortunately, core infrastructure components in the United States remain woefully lacking in security for both DNS and BGP, making them unacceptably open targets for hackers.

Securing BGP is an absolute necessity. Only recently, there was a relatively significant routing problem that took parts of the Internet offline for several hours. The cause was runaway BGP advertisements from a single BGP peer. BGPSEC might not have helped that particular instance, as it was caused by human error, but the same problem would have occurred if someone had purposefully injected bad routing advertisements via unsecured BGP peers.

DNS is the cornerstone of IP networking. Without the names, we only have numbers, and while the resources might be available, without the directory converting the name of those resources to IP addresses, we can't see the forest for the trees. Also, by poisoning DNS server cache, malcontents can direct users to their own versions of known Web sites and swipe their log-ins or gain access to other sensitive information. Ensuring that DNS servers cannot be compromised at any level is a requirement for a secure Internet.

Implementing DNSSEC and BGPSEC throughout the country is not only the right thing to do, it's not a terribly difficult task to accomplish. In fact, ISPs and hosting providers should have done so already. The hard part would be coordinating the effort. Given a clear time frame and guidelines set forth by the government, carriers could be coerced into stepping up to the plate and implementing this basic and extremely vital safeguarding methodology for the Internet.

Agenda item No. 5: Clean up the spam mess

According to Spamhaus, the United States is far and away the No. 1 source for all spam. In fact, most companies are experiencing spam levels as high as 99 percent of all incoming e-mail -- a ridiculous proportion made that much more unpalatable by the amount of phishing attempts hidden within. If these levels persist, they will eventually cause the demise of e-mail as a viable communications medium.

There is only so much that can be done within a single country to fix this problem, but steps need to be taken -- soon. One tactic would be to institute a mandatory $10-per-spam fine for anyone determined to be sending unsolicited bulk e-mail. By aggressively locating and prosecuting these cases, the United States could curtail a sizable chunk of spammers based within its borders. After all, the quickest way to end unsavory practices like this is to make them economically unviable. Meaningful fines pursued diligently are one method of achieving that goal.

Of course, this approach would not stop overseas spammers, and botnet spam operations would continue. But if written properly, the law could ensure grounds for prosecution of any botnet with even a single member existing under US jurisdiction.


Agenda item No. 6: Tax breaks for rural broadband last-mile carriers

It's no secret that broadband access to much of rural America is spotty at best. In fact, there are many not-so-rural areas that are grossly underserved. If we're to hold ourselves up as leaders in the Digital Age, we need to make broadband more widely available to those who don't live in metropolitan areas.

The US government has tried rural broadband initiatives before. It even created a fund that ISPs could draw from to extend broadband access. Carriers such as Comcast and Verizon took their share and frittered the subsidies away without making significant strides toward connecting the unconnected.

While it's not generally a good idea to throw good money after bad, a performance-based incentive program might be the place to start. Here, tax breaks could provide a spark. Under such a program, every previously unserved household brought into the broadband fold would result in a small tax break for the carrier responsible. In order to increase competition and reduce the de facto monopolies that exist in underserved areas, this incentive could be extended to any last-mile carrier that brings service into an area that currently offers only one other existing broadband option.

Agenda item No. 7: Codify national standards for electronic medical records

In this day and age, it shouldn't be a challenge for one hospital or clinic to securely access a patient's medical records, wherever they may be. In the paper era, this meant couriers, copiers, and lots of dead trees. These days, all it should require is sufficient authorization, encryption, and perhaps a proxy for auditing purposes.

Currently, many patients' medical records are stored electronically in a database run by whatever EMR software their clinic or hospital happens to use. Access to those records from outside entities is all but impossible in most cases, requiring the records to be printed out and snail-mailed to another location. Since these records already exist in digital form, there should be a better way to safely and quickly transmit that information to another health care provider, especially in an emergency.

If the US government set up a central proxy -- not a repository -- for EMR transactions, it could effectively keep accurate logs on the transmission of medical records from facility to facility, conform to HIPAA standards, and still enable medical records to easily move where they're needed.

After this article was written, but before publication, Obama introduced a somewhat amorphous plan related to electronic medical records, but the particulars of this program aren't readily available and are likely still in the development phase.

Such an agenda would require the cooperation of all EMR software developers, but that's what standards are for. Come up with a central XML-based standard for the records with the help of those companies, and let them transition their products to work with the central proxy. It'll take time, but the result will be worth it -- especially if you've just had a car accident in another state.


Agenda item No. 8: Mandate a single electronic voting standard

Companies that produce electronic voting systems have proved they can neither manage nor secure their own products. The result is widespread distrust in electronic voting across the country. With something as vital as the election of government officials, we cannot afford such problems, nor do we have to.

The government needs to appoint an independent contractor or bring in the expertise necessary to develop a rigorously tested open source system that can be used by electronic voting machine manufacturers free of charge. The onus of maintaining the code base could be placed on a consortium of key individuals from companies such as IBM, Microsoft, Cisco, and so forth.

By open-sourcing e-voting, rather than depending on proprietary vendors to ensure the integrity of our elections process, the very foundation of our democracy will be better secured. The closed source approach has too often proved to be a road to disenfranchisement.

Agenda item No. 9: Lighten the FCC's load

The FCC celebrates its 75th birthday this year, and my, how times have changed. Originally created to regulate the airwaves as we understood them in the 1930s, the FCC now stretches well beyond its original footprint, rendering it seemingly powerless to do anything besides levy fines for wardrobe malfunctions. It's time to split the data from the spectrum and create an ICC, or Internet Communications Commission, that explicitly deals with national inter-networking issues.

The inter-networking communications system in the United States is far too large and complex for a single five-person commission to handle, in addition to its original charter of policing the airwaves. The stakes are simply too high. Ideally, a new commission would be created and populated with experts in a variety of technical fields essential to the health and security of the Internet, in addition to the usual political appointees.


Agenda item No. 10: Clean its own house

Much ado has been made of President Obama's staff running into technical roadblocks as they transitioned from campaigners to administrators. Having proved themselves technically savvy on the campaign trail, the team has since inherited a relatively ancient communications infrastructure within the halls of government itself. Modernization of this infrastructure should be among the chief goals of this administration.

And here we are talking about a lot more than just putting a foot down about a BlackBerry. After all, if the various clandestine services can engineer elaborate digital wiretapping and data collection practices across the United States, is it too much to ask that various staffers be able to use their Macs?

Security is certainly an issue for an endeavor such as this, but given that the previous administration "lost" thousands of e-mails by circumventing existing security practices, starting from scratch might not be a bad idea. In fact, it may be a fundamental requirement to maintain Obama's pledge of a more open government.

The importance of oversight

This is an extremely technical time and an extremely technical country -- and it should have an extremely technical governing body.

Ideally, none of the above agenda items would be necessary if only the tech industry would police itself and make sound decisions that would not negatively impact the country as a whole. Unfortunately, utopian ideals such as these are far from reality, as has been proved by corporate malfeasance in just about every large industry within the United States. OSHA, the FDA, and other government agencies exist for this reason. The telecommunications, software, and hardware industries are not exempt.

It took a few decades from the inception of wireless communication for the government to see the need to create the FCC, and it's been a few decades since the Internet became mainstream. It is not time for the creation of this post -- it's well past time.