Last week, President Barack Obama made good on his promise to appoint a national tech leader for the United States. As the country’s first-ever CIO, Vivek Kundra faces significant challenges modernizing the nation’s IT infrastructure and will be charged to do so at a time when self-interests and a lack of industry oversight threaten not only our freedoms and privacy but also the long-term innovation potential of IT.
And though the former CTO of the District of Columbia’s new job description errs on the side of IT management rather than U.S. tech policy, the move toward a national CIO – and, likely, a national CTO – lends hope that the government will provide much-needed oversight to an industry that has fast been infused into nearly every aspect of our lives.
[For perspective on the nation’s tech policy in the years ahead, see “A high-tech agenda for President Obama.” For a look at Kundra’s credentials, see “Meet the nation’s first CIO” and his 2008 InfoWorld CTO 25 profile.]
After all, governance has proved essential to safeguarding a variety of long-standing industries from corporate malfeasance. And creating a post designed to oversee government-wide technical initiatives may be the first step toward getting the United States back on track in a number of tech areas faltering due to corporate neglect.
Here are 10 agenda items many of us in IT would like to see the first-ever U.S. CIO address.
Agenda item No. 1: Mandatory restitution for customer data leaks
Companies that damage the public trust by dumping chemicals in streams or by illegally disposing waste pay fines. But those that breach the public trust due to data mishaps face little in the way of restitution. This must change.
The scenario is familiar: Banks cancel debit and credit cards abruptly, issuing new cards and account numbers with little explanation. Such is the fallout of data breaches and incidents wherein accounting records are “lost.” Too often the card-issuing banks fail to divulge the name of the company responsible for that data leak; they simply cancel and reissue cards, leaving unwitting customers to clean up the mess.
Although IT has been saddled with a legal duty to secure sensitive data and to notify the public in the event of a data breach, this type of corporate negligence goes largely unpunished. If more stringent mandates were put in place to actually hold companies liable for their own security breaches, customers would see better care taken with their identities.
Offending companies at the very least should pay every bank and account holder for the cost of canceling and reissuing credit and debit cards due to negligent data practices. Restitution should also include payment for the time required to fix the fallout of their negligence. Add a fine of $10 per record, and you will certainly see a drop in breaches that expose millions of customers’ account data at a time — or at least more diligence in protecting those records.
It is well past time to get serious about citizens’ sensitive data.
Agenda item No. 2: Mandate net neutrality in perpetuity
It’s a new age, and with it should come new rights, such as the right to unfettered Internet access. Much as our country was originally founded on beliefs such as the freedom of speech, congregation, and religion, we should be awarded the freedom of information in the form of open network access.
If the major ISPs had their way, access to the Internet would be tiered, exactly like cable television. That is, you’d have a “basic plan” that would let you access only a handful of sites, and a larger plan, with a larger price tag, that would allow you to access more sites. If put into place, it would necessarily destroy the original premise of the Internet as a completely open network of computers, where every system can connect to every other system, regardless of location.
No good can ever come from a tiered Internet, and the government should solidify that as a basic right. This isn’t to say that every citizen should be given free Internet access, but rather that such access should not be filtered, censored, or constrained in any way.
ISPs should be free to sell various packages based on access speed and acceptable-use policies, but federal law should mandate that these services have no filtering whatsoever, including the current practice of blocking certain inbound ports.
Agenda item No. 3: Place restrictions on EULAs
Suppose GM required truck buyers to sign a document stating that the company could claim ownership to any material carried in the truck or that the company was not liable for any claims should the truck spontaneously explode due to a manufacturing defect. That’s the situation we face with software, as companies’ use of EULAs (end-user license agreements) to indemnify themselves for anything and everything has spun out of control.
Some EULAs go so far as to claim ownership of any work product created with their software. Couple that with the fact that EULAs have become so onerous that few bother to read them before clicking Agree, and you can fast see disaster in the making.
The fact that these agreements are often difficult to uphold in a court of law begs the question: What is the purpose of making EULAs so wide ranging to begin with? Perhaps a User’s Bill of Rights is in order.
By all means, companies should be allowed to protect themselves with something akin to a EULA. But federally mandated standards and restrictions governing the scope of EULAs will go far in fostering innovation and growth in the software industry, not to mention protecting users from undue provisions.
Under no circumstances should a company be able to claim ownership of end-users’ work products, nor should they be able to indemnify themselves from any action due to their own malfeasance in such a document.
Agenda item No. 4: Mandate the rollout of DNSSEC and BGPSEC
The Internet has become a fundamental pathway for public, private, and government communication, as well as financial transactions. Unfortunately, core infrastructure components in the United States remain woefully lacking in security for both DNS and BGP, making them unacceptably open targets for hackers.
Securing BGP is an absolute necessity. Only recently, there was a relatively significant routing problem that took parts of the Internet offline for several hours. The cause was runaway BGP advertisements from a single BGP peer. BGPSEC might not have helped that particular instance, as it was caused by human error, but the same problem would have occurred if someone had purposefully injected bad routing advertisements via unsecured BGP peers.
DNS is the cornerstone of IP networking. Without the names, we only have numbers, and while the resources might be available, without the directory converting the name of those resources to IP addresses, we can’t see the forest for the trees. Also, by poisoning DNS server cache, malcontents can direct users to their own versions of known Web sites and swipe their log-ins or gain access to other sensitive information. Ensuring that DNS servers cannot be compromised at any level is a requirement for a secure Internet.
Implementing DNSSEC and BGPSEC throughout the country is not only the right thing to do, it’s not a terribly difficult task to accomplish. In fact, ISPs and hosting providers should have done so already. The hard part would be coordinating the effort. Given a clear
