As most CIOs know, government policies have a major impact on corporate IT. Yet in presidential politics, the connection between policy and IT has gone largely unacknowledged.
Recent laws, however, have brought the link between policy and IT to the forefront, making it impossible to ignore any longer. For example, the Sarbanes-Oxley Act, which established new corporate reporting regulations, forced companies to reevaluate the way they manage financial data and in many cases overhaul the systems that handle it. The Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act mandated that health and financial organizations follow rigid information privacy and security practices. And that’s just the tip of the proverbial iceberg.
Technology is on the agenda this election. It will not be its own issue, but rather one embedded in other, overarching themes. “IT issues are not packaged in a way that finds a voice in national elections,” says Jonathan Zittrain, co-director of the Berkman Center for Internet & Society at Harvard Law School. “There are other political issues that are easier to understand and have been better shaped and lobbied for.” As a result, CIOs will have to examine a candidate’s stance on numerous issues to get a clear picture of his overall IT policy. “You don’t have to be a political junkie,” says Sue Kozik, executive vice-president and CTO of TIAA-CREF. “But I believe it is vitally important to keep abreast of the candidates’ positions on issues.”
The economy, Iraq and a score of other issues will likely dominate the presidential campaigns and may well be the decisive factors in your vote. But technology issues, says Zittrain, are important enough that candidates should have well-developed positions on subjects such as the future of hardware and software, privacy, corporate governance and offshore outsourcing. As such, the next administration will have the most profound effect on the future of U.S. IT departments yet. “Each election going forward has an ever-increasing impact on CIOs because the technology that runs America is continuing to evolve and affect more facets of our lives,” says Kozik. “The government — and all candidates — are playing an increasingly vocal role in commenting on or influencing technology usage.”
Here we present an overview of five of the most important IT policy issues and how the next administration could shape them. Knowing the next president’s options will help you understand what each policy will mean for the future of IT and business, and the country as a whole.
When it comes to critical infrastructure, there are two issues: homeland security and information security. They are, of course, related — if every company’s critical infrastructure were 100 per cent secure, then information security regulations would be unnecessary. While the national cybersecurity policy calls for closer cooperation between the private and public sectors with each passing year, the government has so far resisted the urge to issue any cybersecurity requirements. The next president will have to decide whether the private sector can achieve an acceptable level of cybersecurity on its own, or if the government should set the standards itself.
The centrerpiece of the government’s information security initiatives is the Department of Homeland Security’s National Strategy to Secure Cyberspace. Although it outlines the steps that the public and private sector — as well as individuals — can take, when it comes right down to it, it is simply a policy paper. Meanwhile, the threat to both businesses’ and the country’s IT infrastructure is growing. The frequency of viruses and other cyberattacks continues to hit new highs, and such incidents are becoming increasingly sophisticated. The FBI reports that identity theft, which is enabled by breakdowns in information security, is now one of the fastest-growing crimes. And although the government keeps telling us another terrorist attack is inevitable, the General Accounting Office warns that data centres aren’t prepared.
To date, both Democratic and Republican presidents have been reluctant to dictate security standards. “We would never rule it out, but it would have to be a last resort,” says Robert Atkinson, director of the Technology and New Economy Project for the Progressive Policy Institute, a think tank affiliated with the Democratic Leadership Council. “We have a pretty long history in this country of private-sector companies working out standards.” But there is a precedent for government intervention when there is significant public interest. HIPAA, which requires health information providers to take steps that ensure data integrity and confidentiality, is an example. HIPAA doesn’t endorse specific technologies; it just says that companies must meet baseline requirements. In all likelihood, HIPAA would be the model for future data security legislation.
Although HIPAA had to be passed by Congress, the president’s actions can have a direct impact on CIOs. For example, the president could mandate that any company that does business with government agencies, ranging from the FDA to the DoD, needs to clear a minimum information security threshold. Such a mandate would encompass most companies in the country. Joe Duffy, global leader of PricewaterhouseCoopers’ security and privacy practice, says companies could be forced to meet firewall standards, put controls in place that dictate who can access what system and data, and adhere to patch-management policies.
Every iteration of the national cyberstrategy has tried to foster private- and public-sector collaboration. Initially the government asked that companies voluntarily disclose cyberattacks. In 2001, the government developed the current system, which relies on security contractors to report attacks. If this system doesn’t work, the government will be tempted to require companies to report breaches. California already has a law that requires companies to notify residents when their personal data has been subjected to unauthorized access, and similar legislation has been introduced in Congress. The goal of such legislation is to force companies to upgrade their infosec procedures. Since California has the largest congressional delegation, its laws often get on the national agenda.
Perhaps the one IT-related topic guaranteed to show up in campaign speeches is offshoring. Companies looking to save money are laying off Americans and either replacing them with lower-paid foreign workers on specialty visas or outsourcing the work to overseas companies that can do it for a fraction of the cost. The president will have to decide whether to take steps to curb offshore outsourcing, thus protecting U.S. technology jobs; to invest in programs to retrain out-of-work IT workers; or to simply let the free market sort itself out.
The offshoring trend has provoked a backlash from technology workers, who have begun to hold organized protests and, in some cases, unionize. If the job market doesn’t improve between now and the November election, “opponents are going to hit the Bush administration about where the jobs have gone,” says Matthew Slaughter, a Dartmouth College associate professor of business administration who specializes in economics and public policy management. “Exhibit A is going to be offshoring, and they will trot out anecdotes about how it is hitting college graduates.”
Even offshoring advocates realize that it is a sensitive issue — and one that the president could influence with a single pen stroke. “Don’t kid yourself,” says Harris Miller, president of the Information Technology Association of America (ITAA), a trade group for the IT industry that supports offshoring. “There are things that the government can do to screw up the offshore world.”
Economists are split on offshoring’s short-term impact on the economy. Short-term, however, could mean 30 years, which is eons in politics. Policy decisions are made on what is happening now, and right now the plight of displaced IT workers is gaining attention. Currently at least six bills in Congress would roll back, restrict or eliminate the use of L-1 or H-1B visas, two programs that allow foreigners to work for companies in the United States and are considered key to successful offshoring. Meanwhile, New Jersey’s legislature passed a bill outlawing state agencies from sending work offshore, and several other states have considered similar measures. No state or federal outsourcing bill has become law, however, which offshoring critics say is an indication of powerful pro-business lobbyists. Nonetheless, any move that limits offshoring would change most CIOs’ hiring and sourcing practices.
A president determined to curb offshoring could do so by proposing that the government will award contracts only to companies that keep the work in the United States. If offshoring opponents are elected to Congress, they could take any number of steps to slow the job exodus, such as sponsoring legislation to shut down the H-1B and L-1 visa programs. (Congress let the H-1B quota slip to 65,000 from 195,000 last October.) A possible, but less likely, scenario is that in the next few years there will be a sufficient enough outcry that companies will be given tax breaks to keep jobs stateside, much like how the agriculture and steel industries are subsidized today.
Even a president who supports offshoring will need to develop policies to help retrain the IT workforce. The ITAA, for example, calls for the creation of a National Center for IT Workforce Competitiveness, which would spot future IT trends and help communicate them to current and future workers.
Privacy legislation tends to follow the same pattern: Technology evolves, allowing data to be shared more easily, and then the public reacts negatively. Congress, in turn, passes a law limiting how data can be shared. It happened with HIPAA, which limits access to patient health records, and it happened with Gramm-Leach-Bliley, which limits how financial services companies can use the data they collect. As technology evolves and facilitates data proliferation, the public will be looking for privacy laws to evolve as well. The next president will have to decide where to draw the line between industry self-regulation and government intervention. Sections of the Patriot Act will expire in 2005 and will need to be renewed during the next administration.
There is a conflict between the United States’ long history of private-sector self-regulation and recent privacy laws. While privacy protection is huge with the public, the U.S. government has stopped short of regulating the privacy policies of organizations other than health-care providers and financial services companies. Some individual state laws and some European laws go further, however. And with every high-profile privacy violation, the cries for national privacy legislation grow louder, says Pamela Fredericks, senior security consultant for Forsythe Solutions. Meanwhile, the Patriot Act — which proponents say is essential to fighting terrorism, but critics say infringes on civil liberties — is turning into one of the most divisive issues in Congress and the current administration. For instance, there are multiple bills in Congress that would amend or rescind some provisions of the Patriot Act. And while Attorney General John Ashcroft went on a goodwill tour last summer to promote the current law, the Democratic candidates frequently rail against it.
As with security, the president can force companies to adopt new privacy practices by imposing requirements on companies dealing with government agencies. An area where the president may have control over privacy practices is in negotiating with the European Union, which already has strict privacy laws regulating the collection and sharing of personal information. In 2000, the United States and the EU agreed to a Safe Harbor provision that allowed American companies doing business with Europe to simply meet a compromise version of the EU regs. According to the Department of Commerce, more than 400 U.S. companies have certified that they meet this standard. But negotiations are ongoing; a president looking for a privacy quick-hit could reopen the Safe Harbor.
The next president will also have to contend with a Congress divided on data privacy issues, and will emerge as an advocate for either further privacy laws or business self-regulation. Again, California provides the pro-privacy model. Gramm-Leach-Bliley is an opt-out law; financial institutions can continue to use customer data as they see fit unless a customer tells them not to. In 2003, California passed an opt-in law for financial conglomerates preventing them from sharing a California resident’s personal information without his consent. The state law, scheduled to go into effect in July 2004, was preempted by a federal credit-reporting law enacted at the end of 2003. Conflicting state laws put companies in a difficult position: They will either have to dramatically change all of their data management practices or “come up with 50 different privacy policies for 50 different states,” says Deborah Birnbach, a lawyer who specializes in technology-related litigation at Testa, Hurwitz and Thibeault.
One of the hottest issues currently facing the business and IT community is the Sarbanes-Oxley Act, which requires increased diligence for financial reporting and holds top executives accountable for misstatements. The next president will have to decide how strictly to enforce the current regulations and determine if more aggressive measures are necessary. The impact of this decision on CIOs is huge. Financial data passes through IT systems; any further regulations, or strict enforcement of current ones, would likely require companies to undertake costly projects to integrate these systems. There would be less IT burden under a president who favors a lax interpretation of the current corporate governance laws.
The Sarbanes-Oxley Act, inspired by scandals such as Enron Corp. and WorldCom Inc., sailed through Congress and received broad public support. Because it is so sweeping, experts expect Sarbanes-Oxley to still be the dominant corporate governance legislation four years from now. That said, its future is very much up in the air. The law was passed while wounds from recent corporate accounting scandals were still fresh. The rush to passage, however, resulted in confusing legislation that relies heavily on the Securities and Exchange Commission to explain to companies what the law actually means. The SEC has been at it for more than a year now, bouncing between aggressive and loose interpretations, leaving CIOs and other executives as confused as ever.
In its first attempt to interpret the Sarbanes-Oxley Act, the SEC proposed that companies identify and fix all of the points where data integrity could be compromised. Irwin Kishner, chairman of the corporate law department at Herrick, Feinstein LLP, a firm whose clients include Bridgestone/Firestone and Hollinger International Inc., says that an aggressive interpretation of this proposal is that companies would have needed to automate the generation, handling and reconciliation of all corporate data — a decision that would have sent CIOs scrambling. The SEC’s final rule, however, was substantially weaker and doesn’t require IT investments, although companies may still choose to make some.
An administration that wants to crack down on corporate fraud could fight for the original interpretation, which would force CIOs to rethink the manual processes that sit between most automated tasks, for example, compiling financial data from multiple systems in a spreadsheet. Along with tightening controls over financial data, strict Sarbanes-Oxley enforcement would require CIOs to work with their legal departments to craft polices about when to save data and, more important, when to destroy it. In addition to spurring new hardware investments, says Harvard’s Zittrain, enforcing document destruction policies “could be a different way of thinking to a CIO whose mantra is backup, backup, backup.”
Meanwhile, most companies view Sarbanes-Oxley as an unnecessary burden and claim that it won’t stop corporate fraud, which is a moral issue that can’t be legislated. An administration sensitive to these complaints could all but neuter the act through its law enforcement priorities. Whereas a president who favors tight governance could request a large SEC budget or appoint an advocate of corporate reform to head the agency, the opposite is also true. The next president could cripple Sarbanes-Oxley by cutting the SEC’s budget or appointing an opponent of the law. The same end could be achieved through less nefarious means.
The Justice Department, which would help investigate and prosecute any Sarbanes-Oxley offenses, has limited resources, says Birnbach of Testa, Hurwitz and Thibeault. The next president will have to decide between using these resources to fight terrorism or enforce Sarbanes-Oxley. There simply isn’t enough money to do both effectively, she says.
Unless Bill Gates somehow wins the election, the next president will not be personally involved with the future of hardware and software. However, his policies will affect that future, including technology standards, open-source technology or how R&D projects influence the IT sector. The direction he gives his Cabinet and his attitude toward these issues will determine how active the government is in setting technology standards, either through direct intervention or indirectly through its purchasing power as the largest IT consumer on the planet.
Industry groups are notoriously slow at standard setting, and even when a standard emerges, often a competing standard comes along and throws a wrench into the process. “Right now security standards are done voluntarily,” says Ari Schwartz, associate director of the Center for Democracy and Technology. “But requiring companies to meet security goals is gaining traction.” Some CIOs, such as Scripps Health’s Jean Balgrosky, say they would welcome mandated technology standards because the market has failed to set them. Most CIOs — and, for the most part, the government — are opposed. “Look at how much trouble the courts and U.S. Patent Office have trying to understand and deal with the complexity of the software and IT issues that land before them,” says David Reid, CIO of fast-food chain Krystal Co. “Imagine politicians and bureaucrats trying to codify how technology that they barely grasp is required to work.”
There is a precedent for lawmakers trying to impose a technology standard. An example is the Consumer Broadband and Digital Television Promotion Act, introduced by Sen. Ernest Hollings in 2002, which would have given the recording industry one year to create a digital copy-protection standard. If the industry had failed, the proposal dictated the FCC would have to come up with a standard. Hollings said it was preferable for the industry to set its own standard.
The Hollings bill never passed, but it is indicative of the approach a hands-on administration might take. While Schwartz suggests that government frustration over industry’s failure to develop standards may force it to take action, a more likely tact is indirect standard-setting through its purchasing power. The Department of Defense, for example, is requiring that vendors be certified on the Software Engineering Institute’s Capability Maturity Model, a move that has prompted many U.S. technology companies to pursue that certification.
In the long term, the R&D projects that the next administration pursues will eventually find their way into the mainstream. If the next president has an affinity for networking or, say, antiterrorism technology and decides to fund such projects, that would lead to commercialized products in those fields.
There is no doubt the next election will have a profound impact on the way CIOs run their departments. Until IT policy emerges as its own issue, CIOs will have to scrutinize every issue for its potential IT consequences. A shorthand way of doing that is to note how candidates talk about technology. “Leadership saying why technology is important helps a lot,” says the Progressive Policy Institute’s Atkinson. “Especially now when a lot of people have lost faith (in IT).”