The Policies: The Next President's IT Agenda

As most CIOs know, government policies have a major impact on corporate IT.

Yet in presidential politics, the connection between policy and IT has gone largely unacknowledged. Recent laws, however, have brought the link between policy and IT to the forefront, making it impossible to ignore any longer. For example, the Sarbanes-Oxley Act, which established new corporate reporting regulations, forced companies to reevaluate the way they manage financial data and in many cases overhaul the systems that handle it. The Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act mandated that health and financial organizations follow rigid information privacy and security practices. And that’s just the tip of the proverbial iceberg.

Technology is on the agenda this election. It will not be its own issue, but rather one embedded in other, overarching themes. "IT issues are not packaged in a way that finds a voice in national elections," says Jonathan Zittrain, codirector of the Berkman Center for Internet & Society at Harvard Law School. "There are other political issues that are easier to understand and have been better shaped and lobbied for." As a result, CIOs will have to examine a candidate’s stance on numerous issues to get a clear picture of his overall IT policy. "You don’t have to be a political junkie," says Sue Kozik, executive vice president and CTO of TIAA-CREF. "But I believe it is vitally important to keep abreast of the candidates’ positions on issues."

The economy, Iraq and a score of other issues will likely dominate the presidential campaigns and may well be the decisive factors in your vote. But technology issues, says Zittrain, are important enough that candidates should have well-developed positions on subjects such as the future of hardware and software, privacy, corporate governance and offshore outsourcing (see Page 60 for candidate profiles). As such, the next administration will have the most profound effect on the future of U.S. IT departments yet. "Each election going forward has an ever-increasing impact on CIOs because the technology that runs America is continuing to evolve and affect more facets of our lives," says Kozik. "The government, and all candidates, are playing an increasingly vocal role in commenting on or influencing technology usage."

Here we present an overview of five of the most important IT policy issues and how the next administration could shape them. Knowing the next president’s options will help you understand what each policy will mean for the future of IT and business, and the country as a whole. (For more on what you can do, see "Three Steps to Getting Heard," Page 58.)

Critical Infrastructure

The Agenda

When it comes to critical infrastructure, there are two issues: homeland security and information security. They are, of course, related: if every company’s critical infrastructure were 100 percent secure, then information security regulations would be unnecessary. While the national cybersecurity policy calls for closer cooperation between the private and public sectors with each passing year, the government has so far resisted the urge to issue any cybersecurity requirements. The next president will have to decide whether the private sector can achieve an acceptable level of cybersecurity on its own, or if the government should set the standards itself.

The Problem

The centerpiece of the government’s information security initiatives is the Department of Homeland Security’s National Strategy to Secure Cyberspace. Although it outlines the steps that the public and private sector, as well as individuals, can take, when it comes right down to it, it is simply a policy paper. Meanwhile, the threat to both businesses’ and the country’s IT infrastructure is growing. The frequency of viruses and other cyberattacks continues to hit new highs, and such incidents are becoming increasingly sophisticated. The FBI reports that identity theft, which is enabled by breakdowns in information security, is now one of the fastest-growing crimes. And although the government keeps telling us another terrorist attack is inevitable, the General Accounting Office warns that data centers aren’t prepared.

The Politics

To date, both Democratic and Republican presidents have been reluctant to dictate security standards. "We would never rule it out, but it would have to be a last resort," says Robert Atkinson, director of the Technology and New Economy Project for the Progressive Policy Institute, a think tank affiliated with the Democratic Leadership Council. "We have a pretty long history in this country of private-sector companies working out standards." But there is a precedent for government intervention when there is significant public interest. HIPAA, which requires health information providers to take steps that ensure data integrity and confidentiality, is an example. HIPAA doesn’t endorse specific technologies; it just says that companies must meet baseline requirements. In all likelihood, HIPAA would be the model for future data security legislation.

Although HIPAA had to be passed by Congress, the president’s actions can have a direct impact on CIOs. For example, the president could mandate that any company that does business with government agencies, ranging from the FDA to the DoD, needs to clear a minimum information security threshold. Such a mandate would encompass most companies in the country. Joe Duffy, global leader of PricewaterhouseCoopers’ security and privacy practice, says companies could be forced to meet firewall standards, put controls in place that dictate who can access what system and data, and adhere to patch-management policies.

Every iteration of the national cyberstrategy has tried to foster private- and public-sector collaboration. Initially the government asked that companies voluntarily disclose cyberattacks. In 2001, the government developed the current system, which relies on security contractors to report attacks. If this system doesn’t work, the government will be tempted to require companies to report breaches. California already has a law that requires companies to notify residents when their personal data has been subjected to unauthorized access, and similar legislation has been introduced in Congress. The goal of such legislation is to force companies to upgrade their infosec procedures. Since California has the largest congressional delegation, its laws often get on the national agenda.


The Agenda

Perhaps the one IT-related topic guaranteed to show up in campaign speeches is offshoring. Companies looking to save money are laying off Americans, and either replacing them with lower-paid foreign workers on specialty visas or outsourcing the work to overseas companies that can do it for a fraction of the cost. The president will have to decide whether to take steps to curb offshore outsourcing, thus protecting U.S. technology jobs; to invest in programs to retrain out-of-work IT workers; or to simply let the free market sort itself out.

The Problem

The offshoring trend has provoked a backlash from technology workers, who have begun to hold organized protests and, in some cases, unionize. If the job market doesn’t improve between now and the November election, "opponents are going to hit the Bush administration about where the jobs have gone," says Matthew Slaughter, a Dartmouth College associate professor of business administration who specializes in economics and public policy management. "Exhibit A is going to be offshoring, and they will trot out anecdotes about how it is hitting college graduates." Even offshoring advocates realize that it is a sensitive issue, and one that the president could influence with a single pen stroke. "Don’t kid yourself," says Harris Miller, president of the Information Technology Association of America (ITAA), a trade group for the IT industry that supports offshoring. "There are things that the government can do to screw up the offshore world."

The Politics

Economists are split on offshoring’s short-term impact on the economy. Short-term, however, could mean 30 years, which is eons in politics. Policy decisions are made on what is happening now, and right now the plight of displaced IT workers is gaining attention. Currently at least six bills in Congress would roll back, restrict or eliminate the use of L-1 or H-1B visas, two programs that allow foreigners to work for companies in the United States and are considered key to successful offshoring. Meanwhile, New Jersey’s legislature passed a bill outlawing state agencies from sending work offshore, and several other states have considered similar measures. No state or federal outsourcing bill has become law, however, which offshoring critics say is an indication of powerful pro-business lobbyists. Nonetheless, any move that limits offshoring would change most CIOs’ hiring and sourcing practices.

A president determined to curb offshoring could do so by proposing that the government will award contracts only to companies that keep the work in the United States. If offshoring opponents are elected to Congress, they could take any number of steps to slow the job exodus, such as sponsoring legislation to shut down the H-1B and L-1 visa programs. (Congress let the H-1B quota slip to 65,000 from 195,000 last October.) A possible, but less likely, scenario is that in the next few years there will be a sufficient outcry that companies will be given tax breaks to keep jobs stateside, much like how the agriculture and steel industries are subsidized today.

Even a president who supports offshoring will need to develop policies to help retrain the IT workforce. The ITAA, for example, calls for the creation of a National Center for IT Workforce Competitiveness, which would spot future IT trends and help communicate them to current and future workers.


The Agenda

Privacy legislation tends to follow the same pattern: Technology evolves, allowing data to be shared more easily, and then the public reacts negatively. Congress, in turn, passes a law limiting how data can be shared. It happened with HIPAA, which limits access to patient health records, and it happened with Gramm-Leach-Bliley, which limits how financial services companies can use the data they collect. As technology evolves and facilitates data proliferation, the public will be looking for privacy laws to evolve as well. The next president will have to decide where to draw the line between industry self-regulation and government intervention. Sections of the Patriot Act will expire in 2005 and will need to be renewed during the next administration. (For more on the Patriot Act, read "What to Do When Uncle Sam Wants Your Data," available at

The Problem

There is a conflict between the United States’ long history of private-sector self-regulation and recent privacy laws. While privacy protection is huge with the public, the U.S. government has stopped short of regulating the privacy policies of organizations other than health-care providers and financial services companies. Some individual state laws and some European laws go further, however. And with every high-profile privacy violation, the cries for national privacy legislation grow louder, says Pamela Fredericks, senior security consultant for Forsythe Solutions. Meanwhile, the Patriot Act (which proponents say is essential to fighting terrorism, but critics say infringes on civil liberties) is turning into one of the most divisive issues in Congress and the current administration. For instance, there are multiple bills in Congress that would amend or rescind some provisions of the Patriot Act. And while Attorney General John Ashcroft went on a goodwill tour last summer to promote the current law, the Democratic candidates frequently rail against it.

The Politics

As with security, the president can force companies to adopt new privacy practices by imposing requirements on companies dealing with government agencies. An area where the president may have control over privacy practices is in negotiating with the European Union, which already has strict privacy laws regulating the collection and sharing of personal information. In 2000, the United States and the EU agreed to a Safe Harbor provision that allowed American companies doing business with Europe to simply meet a compromise version of the EU regs. According to the Department of Commerce, more than 400 U.S. companies have certified that they meet this standard. But negotiations are ongoing; a president looking for a privacy quick-hit could reopen the Safe Harbor.
