During the final decade of the 20th century, a new concept began to emerge in American political and governmental parlance, electronic government (e-govt). A joint report of the National Performance Review and the Government Information Technology Services Board, Access America: Reengineering Through Information Technology, issued February 3, 1997, introduced the new term. 1 Almost three years later, in a December 17, 1999, memorandum to the heads of executive departments and agencies, the President directed these officials to take certain actions in furtherance of “electronic government.” 2On May 18, 2000, Senators Fred D. Thompson (R-TN) and Joseph I. Lieberman (D-CT), the chair and ranking minority member, respectively, of the Senate Committee on Governmental Affairs, unveiled a Web site on e-govt to collect ideas from citizens on how the government might offer more services and better information online. 3 During June 2000, e-govt became part of the campaign offerings of the two major party candidates for the presidency. 4

The concept of electronic government is new in American public discourse. Initially, the term was little more than a general recognition of a confluence of information technology (IT) developments and the application and use of these technologies by government entities. Subsequently, it has oftentimes been used as a symbol, an ambiguous reference to both current applications of IT to government operations and a goal of realizing more efficient and economical performance of government functions. It is a dynamic concept of varying meaning and significance.

Background

The conditions contributing to the e-govt phenomenon were recognized at least three decades ago. Observations offered by the authors of a report of the Commission on the Year 2000 of the American Academy of Arts and Sciences are informative in this regard. Concerning the executive branch, the report proffered that:

[b]y the year 2000, despite the growth in the size and complexity of federal programs, the technological improvement of the computer, closed-circuit TV, facsimile transmission, and so on, will make it possible for the federal bureaucracy to carry out its functions much more efficiently and effectively than it can today, with no increase in total manpower.5

The use of information technologies (ITs) was also seen as having critical importance for the legislative branch, constituting nothing less than “another aspect of congressional reform.” Should “Congress continue to deny itself the tools of modern information technology and permit the Executive virtually to monopolize them,” said the report, “Congress will ultimately destroy its power both to create policy and to oversee the Executive.” Moreover, it was observed, the “technology revolution… promises greater accessibility of senators and congressmen to their constituents, individually and collectively, and vice versa.” Indeed, the report warned:

Communications may become too close and constant, and act as a constricting force. For instance, by 2000 it will be easy to have virtually up-to-the-minute polls of the electorate on any given issue. But where does this instant-opinion development leave the senator and congressman?6

Such observations, however, should not obscure recognition that new information technologies have affected government operations in the past, as the following comment, penned in 1910, attests:

Public officials, even in the United States, have been slow to change from the old-fashioned and more dignified use of written documents and uniformed messengers; but in the last ten years there has been a sweeping revolution in this respect. Government by telephone! This is a new idea that has already arrived in the more efficient departments of the Federal service. And as for the present Congress, that body has gone so far as to plan for a special system of its own, in both Houses, so that all official announcements may be heard by wire.7

The author, a respected Canadian editor and writer, also presciently noted that, “[n]ext to public officials, bankers were perhaps the last to accept the facilities of the telephone,” because “[t]hey were slow to abandon the fallacy that no business can be done without a written record.”8 Subscription to such a “fallacy” constitutes a basis for the concerns of some regarding the paperless transactions of e-govt.

Demand

E-govt is operational in the United States today at the local, state, and national government levels. What has been the public reaction thus far? An answer to this question may be found in a survey commissioned by NIC, a commercial provider of Internet services and solutions for more than 100 American and global government partners, including 12 federal agencies.9 Survey results were released at a July 26, 2000, news conference at the National Press Club in Washington, D.C.

For purposes of the survey, which was conducted by the Momentum Research Group of Cunningham Communication located in Austin, Texas, e-govt was defined as “online government services, that is, any interaction one might have with any government body or agency, using the Internet or World Wide Web.” The survey methodology included 406 interviews, of which three-quarters fell into the citizen sector and one-quarter fell into the business sector.10

In summary, the survey found that almost two out of three adults who go online (65%) had conducted an e-govt transaction at least once. Almost one of five adults (20%) who use the Internet had conducted an e-govt transaction in the past 30 days. Almost half of the citizen users (47%) reported they would like to use the Internet to vote in major elections (38%) and to access one-stop shopping for all government services regardless of jurisdiction (36%). Almost half of the business users (43%) reported they would like to use the Internet to obtain or renew their professional license and to access one-stop shopping to apply for all new business licenses and permits (39%). When given a choice, almost three out of four citizens (71%) and three out of five businesses (61%) preferred to pay convenience fees for services over taxpayer-funded e-govt initiatives. Business users expressed a strong preference for a single federal e-govt portal, whereas citizens preferred to access information and services through their local e-govt portal.11 More than two out of three businesses (69%) and nearly half (49%) the citizens, when asked whether governments and private companies should partner more on technology issues to provide e-govt services, favored public-private partnerships. And only one in three (35%) electronic commerce users and only one in five (20%) non-electronic commerce users trusted that the government will keep their records confidential.12

Based on survey results, the report, generally finding that e-govt is “widely accepted and seen as a growing trend and value to citizens and businesses nationwide,” concluded that citizens and businesses are more satisfied with their e-govt experience than they are with traditional government service delivery; citizens and businesses understand and expect certain e-govt benefits, such as efficiency, time savings, and cost-effectiveness; the growth of e-govt depends on public education and awareness;13 citizens favor e-govt initiatives that are closer to them at the state or local level; the “services offered online are appropriate to the needs of citizens and business users and are offered at a price that they are willing to pay; trust is the most critical issue facing the adoption” of e-govt and, therefore, government must successfully address issues of public trust for e-govt to be successful in the long term; and “citizens and businesses who have conducted electronic commerce transactions are much more confident that privacy and trust are maintained in the electronic environment. As users begin to interact with government online and experience the increased benefits, a greater degree of trust will be created.”14

Policy environment

A variety of policy instruments support and shape the e-govt concept. In brief, they seek to promote the use of new IT by government entities with a view to improving the efficiency and economy of government operations. In addition, they seek to ensure the proper management of these technologies and the systems they serve, their protection from physical harm, and the security and privacy of their information. Major policy developments in these regards are listed (chronologically) and summarized below.

Privacy Act

With the Privacy Act of 1974, Congress addressed several aspects of personal privacy protection.15 First, it sustained some traditional major privacy principles. For example, an agency shall:

Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.16

Second, the statute provides an individual who is a citizen of the United States, or an alien lawfully admitted for permanent residence, with access and emendation arrangements for records maintained on him or her by most, but not all, federal agencies. General exemptions in this regard are provided for systems of records maintained by the Central Intelligence Agency and federal criminal law enforcement agencies.

Third, the statute embodies a number of principles of fair information practice. For example, it sets certain conditions concerning the disclosure of personally identifiable information; prescribes requirements for the accounting of certain disclosures of such information; requires agencies to “collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs”; requires agencies to specify their authority and purposes for collecting personally identifiable information from an individual; requires agencies to “maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination”; and provides civil and criminal enforcement arrangements.

Paperwork Reduction Act

Replacing the ineffective Federal Reports Act of 1942, the original Paperwork Reduction Act of 1980 (PRA) was enacted largely to relieve the public from the mounting information collection and reporting requirements of the federal government.17 It also promoted coordinated information management activities on a government-wide basis by the director of the Office of Management and Budget (OMB), and prescribed information management responsibilities for the executive agencies as well. The management focus of the PRA was sharpened with the 1986 amendments, which refined the concept of “information resources management” (IRM), defined as “the planning, budgeting, organizing, directing, training, promoting, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by agencies, and includes the management of information and related resources such as automatic data processing equipment.”18 This key term and its subset concepts received further definition and explanation in the PRA of 1995,19making IRM a tool for managing the contribution of information activities to program performance and for managing related resources, such as personnel, equipment, funds, and technology.20

The evolution of the PRA reflects the beginning of an effort to better manage electronic information and supporting IT. A recodification of the 1980 statute, as amended, the PRA of 1995 specifies a full range of responsibilities for the director of OMB for all government information, regardless of form or format, throughout its entire life cycle. The director is tasked, among other duties regarding IT, with (1) developing and overseeing the implementation of policies, principles, standards, and guidelines for federal IT functions and activities, including periodic evaluations of major information systems; (2) overseeing the development and implementation of certain statutorily specified technology standards; (3) monitoring the effectiveness of, and compliance with, certain statutorily authorized technology directives; (4) coordinating the development and review by the OMB Office of Information and Regulatory Affairs (OIRA) of policy associated with federal procurement and acquisition of IT with the OMB Office of Federal Procurement Policy; (5) ensuring, through the review of agency budget proposals, IRM plans, and other means, both (a) the integration of IRM plans with program plans and budgets for the acquisition and use of IT by each agency and (b) the efficiency and effectiveness of inter-agency IT initiatives to improve agency performance and the accomplishment of agency missions; and (6) promoting agency use of IT to improve the productivity, efficiency, and effectiveness of federal programs, including through the dissemination of public information and the reduction of information collection burdens on the public.

Similar responsibilities are specified for the agencies regarding government information, regardless of form or format, throughout its life cycle. With respect to IT, the agencies are tasked with (1) implementing and enforcing applicable government-wide and agency IT management policies, principles, standards, and guidelines; (2) assuming responsibility and accountability for IT investments; (3) promoting the use of IT by the agency to improve the productivity, efficiency, and effectiveness of agency programs, including the reduction of information collection burdens on the public and improved dissemination of public information; (4) proposing changes in legislation, regulations, and agency procedures to improve IT practices, including changes that improve the ability of the agency to use technology to reduce burden; and (5) assuming responsibility for maximizing the value and assessing and managing the risks of major information systems initiatives through a process that is both (a) integrated with budget, financial, and program management decisions and (b) used to select, control, and evaluate the results of major information systems initiatives.

OMB government-wide guidance on the implementation of the PRA and related policies is provided in Circular A-130, updated and reproduced in its entirety on February 8, 1996.21 Appendixes address federal agency responsibilities for maintaining records about individuals; cost accounting, cost recovery, and interagency sharing of IT facilities; the security of federal automated information resources; and important key sections of the circular.

Computer Security Act

Recognizing the increasing use of computers by federal agencies and the vulnerability of computer-stored information, including personal information, to unauthorized access, Congress enacted the Computer Security Act of 1987.22 The statute requires each federal agency to develop security plans for its computer systems that contain sensitive information. Such plans are subject to review by the National Institute of Standards and Technology (NIST) of the Department of Commerce, and a summary, together with over-all budget plans for IT, is filed with OMB. NIST is authorized to set security standards for all federal computer systems except those containing intelligence, cryptologic, certain military information, or information specifically authorized under criteria established by an executive order or statute to be kept secret in the interest of national defense or foreign policy. The statute also mandates a Computer Systems Security and Privacy Advisory Board within the Department of Commerce to, among other duties, identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy and to advise NIST and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems. Each federal agency is directed to provide all employees involved with the management, use, or operation of its computer systems with mandatory periodic training in computer security awareness and accepted computer security practice.

Computer Matching and Privacy Protection Act

Congress amended the Privacy Act in 1988 to regulate the use of computer matching—the computerized comparison of records for the purpose of establishing or verifying eligibility for a federal benefit program or for recouping payments or delinquent debts under such programs—conducted by federal agencies or making use of federal records subject to the statute. The amendments were denominated the Computer Matching and Privacy Protection Act of 1988.23 A controversial matter for more than 10 years, computer matching had begun in 1977 at the Department of Health and Human Services. The effort, dubbed Project Match, compared welfare rolls in selected jurisdictions with federal payroll records in the same areas. The controversy surrounding this and similar computerized matches pitted privacy protection advocates, who alleged that personally identifiable data were being used for purposes other than those prompting their collection, against those using the technique to ferret out fraud, abuse, and the overpayment of federal benefits. As the practice subsequently became more widespread, controversy over its use grew.

The amendments regulate the use of computer matching by federal agencies involving personally identifiable records maintained in a system of records subject to the Privacy Act. Matches performed for statistical, research, law enforcement, tax, and certain other purposes are not subject to such regulation. For matches to occur, a written matching agreement, effectively creating a matching program, specifying such details as the purpose and legal authority for the program, which are explicitly required by the amendments, must be prepared; the justification for the program and the anticipated results, including a specific estimate of any savings; a description of the records being matched; procedures for providing individualized notice at the time of application to applicants for, and recipients of, financial assistance or payments under federal benefits programs and to applicants for and holders of positions as federal personnel that any information they provide may be subject to verification through the matching program; procedures for verifying information produced in the matching program; and procedures for the retention, security, and timely destruction of the records matched and for the security of the results of the matching program. Copies of such matching agreements are transmitted to congressional oversight committees and are available to the public on request. Executive oversight of, and guidance for, matching programs is vested in the director of OMB. Notice of the establishment or revision of a matching program must be published in the Federal Register 30 days in advance of implementation.

The amendments also require every agency conducting or participating in a matching program to establish a data integrity board composed of senior agency officials to oversee and coordinate program operations, including the execution of certain specified review, approval, and reporting responsibilities.

Agencies are prohibited from reducing, suspending, or terminating financial assistance to an individual without first verifying the accuracy of computerized data used in the matching program and without first giving the individual 30 days to contest the action.

Electronic Freedom of Information Amendments

In 1966, Congress enacted the Freedom of Information Act (FOIA)24 to replace the public information section of the Administrative Procedure Act (APA), which was found to be ineffective in providing the public with a means of access to unpublished executive agency records.25 Subsection (a) of the FOIA reiterates the requirements of the APA public information section that certain operational information, e.g., organization descriptions, delegations of final authority, and substantive rules of general policy, be published in the Federal Register.

Subsection (b) statutorily establishes a presumptive right of access by any person, individual or corporate, regardless of nationality, to identifiable, existing, unpublished records of federal agencies without having to demonstrate a need or even a reason for such a request. Subsection (b)(1)-(9) lists nine categories of information that may be exempted from the rule of disclosure. The burden of proof for withholding material sought by the public is placed upon the government. Denials of requests may be appealed to the head of the agency holding the sought records and ultimately pursued in federal court.

The FOIA was subsequently amended in 1974, 1976, 1986, and 1996, the last alterations being the Electronic Freedom of Information Amendments (E-FOIA), which, among other modifications, confirm the statute’s applicability to records in electronic form or formats, require that responsive materials be provided in the form or format sought by the requester, and mandate so-called electronic reading rooms that the public may access online to examine important and high visibility agency records.26

Clinger–Cohen Act

The PRA of 1995 was modified the following year with the adoption of new procurement reform and IT management legislation. A House bill (H.R. 1670) was introduced by Representative William F. Clinger, Jr. (R-PA), the chairman of the Committee on Government Reform and Oversight, on May 18, 1995. The measure was part of a procurement modernization effort that he had undertaken in furtherance of the reforms realized with the enactment of the Federal Acquisition Streamlining Act of 1994.27Referred to the Clinger committee, the bill was subsequently marked up and reported by the panel in July.28 It came before the House on September 13 and, the following day, was passed, as amended, on a 423 to 0 recorded vote.29

A Senate procurement and IT management reform bill (S. 946) was introduced by Senator William S. Cohen (R-ME) on June 20, 1995. His bill grew out of a staff study he had directed during the previous Congress as the ranking minority member of the Subcommittee on Oversight of Government Management of the Committee on Governmental Affairs.30 The bill was referred to the Committee on Governmental Affairs. On August 4, during Senate consideration of the Department of Defense (DOD) authorization bill for FY1996 (S. 1026), Cohen offered an amendment, based on his procurement reform bill, that was accepted on a voice vote.31 The Cohen amendment remained in the DOD authorization bill (H.R. 1530 amended with the language of S. 1026) adopted by the Senate on September 6. The September 28 conference committee meeting on the legislation, with both Cohen and Clinger participating, provided an opportunity for reconciling their reform proposals into a mutually agreed on package. The conferees’ report, filed in the House on December 13, was approved in the House on December 15 on a 267 to 149 yea-nay vote, with the Senate agreeing four days later on a 51 to 43 yea-nay vote.

Although the Clinger–Cohen reforms drew no opposition from the White House, the President vetoed the DOD authorization bill for other reasons on December 28. An override attempt in the House on January 3, 1996, failed on a 240 to 156 yea-nay vote. On January 5, managers of the DOD authorization legislation turned to one of three reserved legislative vehicles (S. 1124) created in September when the Senate completed action on the DOD authorization bill (H.R. 1530 amended with the language of S. 1026).32 That day, the House passed the reserved bill (S. 1124) on a voice vote, then notified the Senate of its action and requested a conference, to which the Senate agreed. The conferees met on January 18; their report was filed in the House four days later.33The House agreed to the conference report on January 24 on a 287 to 129 year-nay vote, with the Senate giving its approval two days later on a 56 to 34 yea-nay vote. President Clinton signed the legislation on February 10.

Division D of the statute, concerning “Federal Acquisition Reform,” was denominated the Federal Acquisition Reform Act of 1996.34 Division E, concerning “Information Technology Management Reform,” was known as the Information Technology Management Reform Act of 1996.35 The two divisions were subsequently denominated the Clinger–Cohen Act.36

Repealing a section of the Automatic Data Processing Act,37 the Clinger–Cohen Act makes each agency responsible for its own IT acquisition and requires the purchase of the best and most cost effective technology available.38 It also contains several provisions that either amend or gloss provisions of the PRA of 1995 as set out in chapter 35 of Title 44 of the U.S. Code.39 Among the amendments is one establishing a chief information officer (CIO) in each agency, replacing the designated senior official mandated by the PRA at 44 U.S.C. 3506. Additional duties and qualifications of the CIO are prescribed in the Clinger–Cohen Act.

Other Clinger–Cohen Act provisions gloss the responsibilities prescribed in the PRA. The capital planning and investment control duties assigned to the OMB director by the Clinger–Cohen Act are to be performed, according to that statute, in fulfilling the director’s IT responsibilities under 44 U.S.C. 3504(h) of the PRA. Similarly, the director is to “encourage the use of performance-based and results-based management” in fulfilling these same responsibilities. The Clinger–Cohen Act requires agency heads, in fulfilling their counterpart IT responsibilities assigned under 44 U.S.C. 3506(h) of the PRA, to “design and implement… a process for maximizing the value and assessing and managing the risks of the information technology acquisitions of the… agency” and to perform certain prescribed duties. Also, agency heads are to “identify in the strategic information resources management plan required under [44 U.S.C. 3506(b)(2)] any major information technology acquisition program, or any phase or increment of such a program, that has significantly deviated from the cost, performance, or schedule goals established for the program.”

E.O. 13011: federal IT management

Following the enactment of the PRA of 1995 and the Clinger–Cohen Act, President Clinton issued E.O. 13011 of July 16, 1996, to improve federal IT management and to promote a coordinated approach to its application and use across the executive branch.40 The directive prescribes, as a matter of policy, that executive agencies significantly improve the management of their information systems, including the acquisition of IT, by implementing the relevant provisions of the PRA and the Clinger–Cohen Act; refocus IT management to support directly their strategic missions, implement an investment review process that drives budget information and execution for information systems, and rethink and restructure the way they perform their functions before investing in IT to support that work; establish clear accountability for IRM activities by creating agency CIOs with the visibility and the management responsibilities necessary to advise agency heads on the design, development, and implementation of those information systems; and cooperate in the use of IT to improve the productivity of federal programs and to provide a coordinated, interoperable, secure, and shared government-wide infrastructure that is provided and supported by a diversity of private sector suppliers and a well-trained corps of IT professionals. Agencies are also directed to establish an interagency support structure that builds on existing successful interagency efforts and provides expertise and advice to agencies; expand the skill and career development opportunities of IT professionals; improve the management and use of IT within and among agencies by developing IT procedures and standards and by identifying and sharing experiences, ideas, and promising practices; and provide innovative, multidisciplinary, project-specific support to agencies to enhance interoperability, minimize unnecessary duplication of effort, and capitalize on agency successes.

The directive details new responsibilities for agency heads, including effectively using IT to improve mission performance and service to the public. Strengthening the quality of decisions about the employment of information resources to meet mission needs through integrated analysis, planning, budgeting, and evaluation processes is another duty, including (1) determining, before making investments in new information systems, whether the government should be performing the function, if the private sector or another agency should support the function, and if the function needs to be or has been appropriately redesigned to improve its efficiency; (2) establishing mission-based performance measures for information systems investments, aligned with agency performance plans prepared pursuant to the Government Performance and Results Act;41 (3) establishing agency-wide and project-level management structures and processes responsible and accountable for managing, selecting, controlling, and evaluating investments in information systems, with authority for terminating information systems when appropriate; (4) supporting appropriate training of personnel; and (5) seeking the advice of, participating in, and supporting the interagency support structure established elsewhere in the order.

Additional responsibilities include selecting CIOs with the experience and skills necessary to accomplish the duties prescribed in existing law and policy and involving these officials in appropriate processes and decisions at the highest level of the agency; ensuring that the information security policies, procedures, and practices of the agency are adequate; structuring, where appropriate and in accordance with the Federal Acquisition Regulation and OMB guidance, major information systems investments into manageable projects as narrow in scope and brief in duration as practicable and consistent with the Clinger–Cohen Act; and to the extent permitted by law, entering into a contract that provides for multiagency acquisitions of IT as an executive agent for the government in accordance with OMB direction.

The interagency support structure created by the directive includes the establishment of a Chief Information Officers Council to serve as the principal interagency forum to improve agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources. The council is tasked with developing recommendations for over-all federal IT management policy, procedures, and standards; sharing experiences, ideas, and promising practices, including work process redesign and the development of performance measures, to improve the management of information resources; identifying opportunities and making recommendations for, and sponsoring cooperation in, using information resources; assessing and addressing the hiring, training, classification, and professional development needs of the government with respect to IRM; making recommendations and providing advice to appropriate executive agencies and organizations, including OMB, regarding the government-wide strategic plan required by the PRA of 1995; and seeking the views of the Chief Financial Officers Council, the Government Information Technology Services Board, the Information Technology Resources Board, the Federal Procurement Council, industry, academia, and state and local governments, as appropriate, on matters of concern to the Chief Information Officers Council. The membership of the council consists of the CIOs and deputy CIOs of 28 specified entities, two representatives from other agencies, and six other designated officials. It is chaired by the OMB deputy director for management.42

The order also mandated the Government Information Technology Services Board to ensure the continued implementation of the IT recommendations of the National Performance Review and to identify and promote the development of innovative technologies, standards, and practices among the agencies, state and local governments, and the private sector. Composed of executive agency personnel having proven expertise or accomplishments in the board’s areas of responsibility, the panel was tasked with making recommendations to the Chief Information Officers Council, OMB, and others, as appropriate, and otherwise assist in helping to create opportunities for cross-agency cooperation and intergovernmental approaches in using information resources to support common operational areas, developing and providing shared government-wide infrastructure services, and developing standards and guidelines pertaining to federal information systems consistent with the Computer Security Act, as amended. In April 2000, the board was absorbed by the new Electronic Government Committee of the Chief Information Officers Council.43

In addition, the order establishes the Information Technology Resources Board to provide independent assessments to assist in the development, acquisition, and management of selected major information systems and to provide recommendations to agency heads and OMB as appropriate. The board is tasked with reviewing, at the request of an agency and OMB, specific information systems proposed or under development and making recommendations regarding the status of such systems or next steps; publicizing lessons learned and promising practices based on information systems reviewed by the board; and seeking, as appropriate, the views of experts from industry, academia, and state and local governments on matters of concern to the board. The panel’s membership is composed of agency personnel, picked on the basis of their knowledge of IT, programs, or acquisitions management within executive agencies.

Finally, the order sets out certain responsibilities for selected executive branch officials. The OMB director is tasked with evaluating agency IRM practices and, as part of the budget process, analyzing, tracking, and evaluating the risks and results of all major capital investments for information systems; notifying an agency if the OMB director believes that a major information system requires outside assistance; providing guidance on the implementation of the order and on the management of information resources to the agencies and to the boards established by the directive; and evaluating the effectiveness of the management structure prescribed in the order after three years and making recommendations for appropriate changes.

Under the direction of OMB, the Administrator of General Services, among other duties, develops, maintains, and disseminates for agency use, as requested by OMB or the agencies, recommended methods and strategies for the development and acquisition of IT; conducts and manages outreach programs in cooperation with agency managers; serves as a focal point for liaison on IRM with state and local governments and non-governmental international organizations; supports the Secretary of State in liaison, consultation, and negotiation activities with intergovernmental organizations regarding IRM matters; assists OMB, as requested, in evaluating agencies’ performance-based management tracking systems and their achievement of cost, schedule, and performance goals; and provides support and assistance to the interagency groups established by the order.

The Secretary of Commerce is responsible for carrying out the standards responsibilities assigned by the Computer Security Act, as amended by the Clinger–Cohen Act, taking into consideration the recommendations of the agencies, the Chief Information Officers Council, and the Information Technology Resources Board. The Secretary of State, as noted above, has responsibility for liaison, consultation, and negotiation with foreign governments and intergovernmental organizations on all matters related to IRM; ensures, in consultation with the Secretary of Commerce, that the United States is represented in the development of international standards and recommendations affecting IT; and advises the OMB director on the development of United States’ positions and policies on international information policy and technology issues affecting federal government activities and the development of international IT standards.

Pdd 63: critical infrastructures protection

Concerned about the vulnerabilities of certain critical national infrastructures, including the telecommunications system, to physical and cyber attack, President Clinton established, with E.O. 13010 of July 15, 1996, the President’s Commission on Critical Infrastructure Protection.44 The temporary study panel was tasked with assessing the scope and nature of the vulnerabilities of, and threats to, critical infrastructures; determining what legal and policy issues are raised by efforts to protect critical infrastructures and assessing how these issues should be addressed; recommending a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation; and proposing any statutory or regulatory changes necessary to effect its recommendations. The commission produced 12 special topical reports and submitted its final report, offering many recommendations, on October 13, 1997.45

On May 22, 1998, the White House issued documents concerning Presidential Decision Directive 63 (PDD 63), a security classified policy instrument on critical infrastructure protection.46 (The directive was recently declassified and made available for public examination.47) PDD 63 is the product of an interagency evaluation of the recommendations of the President’s Commission on Critical Infrastructure Protection with a view to producing a workable and innovative framework for critical infrastructure protection. The directive sets a goal of a reliable, interconnected, and secure information system infrastructure by 2003 and significantly increased security for government systems by 2000. To assist with the realization of this goal, PDD 63 establishes four new entities:

•

A National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, whose responsibilities include not only critical infrastructure protection, but also safeguarding against foreign terrorism and threats of domestic mass destruction, including biological weapons;

•

A National Infrastructure Protection Center at the Federal Bureau of Investigation, which involves representatives from the bureau, the DOD, the United States Secret Service, the Department of Energy, the Department of Transportation, the intelligence community, and the private sector in an information sharing and collaboration effort and which also provides the principal means of facilitating and coordinating the federal response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts;

•

A National Infrastructure Assurance Council, composed of private sector experts and state and local government officials, to provide guidance for a national plan for critical infrastructure protection;48 and

•

A Critical Infrastructure Assurance Office to provide support for the National Coordinator’s work with government agencies and the private sector in developing a national plan for critical infrastructure protection and to help coordinate a national education and awareness program and legislative and public affairs activities.

The directive also encourages the creation of Information Sharing and Analysis Centers in partnership with the private sector and modeled on the Centers for Disease Control and Prevention.

Among the immediate tasks set by PDD 63, to be completed within the initial 180 days, were the development of a critical infrastructure protection plan by each federal department and agency for itself; initial vulnerability analyses of each sector of the economy and the government that might be a target of infrastructure attack intended to damage the United States significantly; an initial remedial plan, based on the vulnerability analysis, for each sector; a system for responding to a significant infrastructure attack while it is underway, with the goal of isolating and minimizing damage; and the development and implementation of a plan for enhancing intelligence collection and analysis of the foreign threat to the critical infrastructure of the United States.

The centerpiece of the efforts launched with PDD 63 is a national plan to serve as a blueprint for establishing a critical infrastructure protection capability. Version one, the National Plan for Information Systems Protection, was unveiled on January 7, 2000.49Subtitled “An Invitation to a Dialogue,” version one of the plan has been offered for public comment.50 As President Clinton explained in his introduction:

The National Plan for Information Systems Protection is the first major element of a more comprehensive effort. The Plan for cyber defense will evolve and be updated as we deepen our knowledge of our vulnerabilities and the emerging threats. It presents a comprehensive vision creating the necessary safeguards to protect the critical sectors of our economy, national security, public health, and safety.51

On December 18, 2000, the National Security Council held the first meeting of the Cyberincident Steering Group, created to foster cooperation between the private sector and government to secure systems from domestic and international cyber-attack. Creation of a rapid response system and communications between industry and government were reportedly among the topics discussed.52

Rehabilitation Act Amendments

Among the 1998 amendments to the Rehabilitation Act of 1973 adopted by Congress is a new subsection requiring federal agencies to procure, maintain, and use electronic and IT that provides individuals with disabilities, including both federal employees and members of the public, with accessibility comparable to what is available to individuals without disabilities.53 The Architectural and Transportation Barriers Compliance Board, known as the Access Board, was tasked with developing access standards to implement the new requirement. The amendments anticipated that the board would issue final access standards in February 2000, and the electronic and IT access requirement would become effective on August 7, 2000. However, the Access Board did not publish proposed standards for electronic and IT for public comment until March 31, 2000.54Provision was subsequently made in the Military Construction Appropriations Act for Fiscal Year 2001 to delay the effective date of the electronic and IT access requirement until six months after the date of the publication of the board’s final standards,55 which were issued on December 21.56 Federal agencies have been actively preparing to ensure that not only their Web sites, but also their internal software programs are in compliance,57 and free software for testing Web site accessibility recently became available to ease agency burden and cost.58 In a related development, President Clinton issued executive orders on July 26, 2000, setting a goal for federal agencies to hire 100,000 qualified individuals with disabilities over the next five years and requiring the agencies to better accommodate in the workplace federal employees with disabilities.59

Government Paperwork Elimination Act

Additional amendments to the PRA were enacted in 1998 as the Government Paperwork Elimination Act (GPEA). The legislation (S. 2107) was introduced by Senator Spencer Abraham (R-MI) in May and was referred to the Committee on Commerce, where it was redrafted. According to the committee report, which was filed on September 17, the revised bill “would require Federal agencies to make electronic versions of their forms available online and would allow individuals and businesses to use electronic signatures to file these forms electronically.” Continuing, the report indicated that the intent of the legislation “is to provide a framework for reliable and secure electronic transactions with the Federal government while remaining ‘technology neutral’ and not inappropriately favoring one industry over another.”60 The Senate subsequently approved the bill on October 15.

By this time, however, the 105th Congress was moving toward final adjournment. Consequently, agreement was reached that the language of the non-controversial Senate bill would be attached, as Title 17, to the Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, which cleared both houses of Congress and was signed into law by President Clinton on October 21, 1998.61 As enacted, the GPEA makes the director of OMB responsible for providing government-wide direction and oversight regarding “the acquisition and use of information technology, including alternative information technologies that provide for electronic submission, maintenance, or disclosure of information as a substitute for paper and for the use and acceptance of electronic signatures.”62 In fulfilling this responsibility, the director, in consultation with the National Telecommunications and Information Administration (NTIA) of the Department of Commerce, is tasked with developing, in accordance with prescribed requirements, procedures for the use and acceptance of electronic signatures by the executive departments and agencies. A five-year deadline is prescribed for the agencies to implement these procedures.63

The director of OMB is also tasked by the GPEA to “develop procedures to permit private employers to store and file electronically with Executive agencies forms containing information pertaining to the employees of such employers.”64 In addition, the director, in cooperation with NTIA, is to conduct an ongoing study of the use of electronic signatures under the GPEA, with attention to paperwork reduction and electronic commerce, individual privacy, and the security and authenticity of transactions. The results of this study are to be reported periodically to Congress.

Finally, electronic records submitted or maintained in accordance with GPEA procedures, “or electronic signatures or other forms of electronic authentication used in accordance with such procedures, shall not be denied legal effect, validity, or enforceability because such records are in electronic form.” The act further specifies:

Except as provided by law, information collected in the provision of electronic signature services for communications with an executive agency… shall only be used or disclosed by persons who obtain, collect, or maintain such information as a business or government practice, for the purpose of facilitating such communications, or with the prior affirmative consent of the person about whom the information pertains.65

Children’s Online Privacy Protection Act

Although the Clinton administration and many members of Congress preferred to rely on industry self regulation for realizing Internet privacy protection, frustration with the industry’s slow response regarding minors led to the enactment of the Children’s Online Privacy Protection Act of 1998 (COPPA) as part of the Omnibus Consolidated and Emergency Supplemental Appropriations Act of 1999.66 The statute requires the operator of a commercial Web site or online service targeted at children under the age of 13 years to provide clear notice of information collection and use practices; to obtain verifiable parental consent prior to collecting, using, and disseminating personal information about children under 13 years; and to provide parents access to their children’s personal information and the option to prevent its further use. On October 20, 1999, the Federal Trade Commission issued a final rule to implement the COPPA, which went into effect on April 21, 2000.67 The statute authorizes the commission to bring enforcement actions and impose civil penalties for violations of the rule in the same manner as for its other rules. A June 22, 2000, Web site privacy memorandum from the OMB director to the heads of executive departments and agencies, discussed below, prescribed, as a matter of policy, compliance with the standards set forth in the COPPA by federal agencies and contractors operating on behalf of agencies.

OMB Memoranda: Federal Web site privacy

A June 2, 1999, memorandum from the OMB director to the heads of executive departments and agencies directs the posting of clear privacy policies on federal Web sites and provides guidance for this action.68 Such policies “must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it.” Also, they “must be clearly labeled and easily accessed when someone visits a web site,” according to the memorandum. Agencies are reminded that, pursuant to the Privacy Act, they must protect an individual’s right to privacy when they collect personal information.

A June 22, 2000, follow-up memorandum was issued by OMB after press disclosures that the National Drug Control Policy Office, an agency within the Executive Office of the president, was secretly tracking visitors to its Web site through the use of computer software known as “cookies.”69 Addressing this revelation, it said:

Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. These concerns are especially great where individuals who have come to government web sites do not have clear and conspicuous notice of any such tracking activities. “Cookies”—small bits of software that are placed on a web user’s hard drive—are a principal example of current web technology that can be used in this way. The guidance issued on June 2, 1999, provided that agencies could only use “cookies” or other automatic means of collecting information if they gave clear notice of those activities.

Because of the unique laws and traditions about government access to citizens’ personal information, the presumption should be that “cookies” will not be used at federal Web sites. Under this new federal policy, “cookies” should not be used at federal web sites or by contractors when operating Web sites on behalf of agencies unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from “cookies”; and personal approval by the head of the agency. In addition, it is federal policy that all federal Web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the COPPA of 1998 with respect to the collection of personal information online at Web sites directed to children.70

Electronic commerce

The convergence of computer and telecommunications technologies has not only revolutionized the storage, retrieval, and sharing of information, but also, in the considered view of many, produced an information economy resulting from commercial transactions on the Internet. The federal government is a participant in e-commerce, and statutes such as the GPEA, discussed above, reflect encouragement of this development.

Among the first Clinton administration initiatives in furtherance of government participation in e-commerce was the June 15, 1995, unveiling of the U.S. Business Advisor, a new online computer service directly linking the federal government to American business.71 The new service was announced by the President and Vice President during the White House Conference on Small Business being held at the Washington Hilton Hotel.72 An upgraded and improved version of the U.S. Business Advisor, providing users with one-stop electronic access to more than 60 different federal organizations that assist or regulate businesses, was announced by Vice President Gore on February 13, 1996.

On July 1, 1997, President Clinton released a report, A Framework for Global Electronic Commerce, expressing five operating principles that the administration would follow in fostering e-commerce and designating lead federal agencies in key policy areas. 73These principles are as follows.

• The private sector should lead.

• Governments should avoid undue restrictions on electronic commerce.

• Where government involvement is needed, its aim should be to support and enforce a predictable minimalist, consistent and simple legal environment for commerce.

• Governments should recognize the unique qualities of the Internet.

• Electronic commerce on the Internet should be facilitated on a global basis.

In his remarks announcing the release of the report, the President indicated he was directing all federal department and agency heads to review the policies of their organization that affect global electronic commerce with a view to assuring that they are consistent with the five core principles of the report. Cabinet members were being directed to enter on achieving some of the administration’s key objectives within the next year, he said, and relevant agencies were being called on to work with the Department of Commerce, industry, and law enforcement agencies to assure that Americans can conduct their business affairs in a secure environment. The assistance of the private sector was being sought to meet “one of the greatest challenges of electronic commerce: ensuring that we develop effective methods of protecting the privacy of every American, especially children who use the Internet.” Specific assignments and taskings in these regards may be found in a July 1 presidential memorandum to the heads of executive departments and agencies on the subject of electronic commerce. A November 30, 1998, memorandum to the heads of executive departments and agencies assigned additional responsibilities to the assistant to the president for economic policy, the secretaries of commerce and state, and the administrator of the Small Business Administration.

On January 24, 1999, the President and Vice President announced an IT for the 21st Century (IT2) initiative for which $336 million was proposed to fund three kinds of activities:

• Long-term IT research that will lead to fundamental advances in computing and communications, in the same way that government investment beginning in the 1960s led to today’s Internet;

• Advanced computing for science, engineering, and the nation that will lead to breakthroughs, such as reducing the time required to develop life-saving drugs; designing cleaner, more efficient engines; and more accurately predicting tornadoes; and

• Research on the economic and social implications of the information revolution and efforts to help train additional IT workers at our universities.

The significance of IT2 was underscored in a February report of the President’s Information Technology Advisory Committee, which, in part, said:

While the importance of IT to the future of the economy and the government is clear, it may not be immediately obvious that government investment is needed to ensure continued progress.

We cannot rely on industry to fund the needed research because they necessarily focus, in view of economic realities, on the short term. Industry cannot and will not invest in solving problems of importance to society as a whole unless such investments make sense from a business perspective.

Information technology research is essential for the continued growth of the economy and for the solution of some of the most critical problems facing the Nation. Unless steps are taken now to reinvigorate Federal research in this critical area, we are very likely to see a significant reduction in the rate of progress over the coming decades. The cost to the Nation of such a reduction will be significantly greater than the investment needed to address the problem.74

In a November 29, 1999, memorandum to the heads of executive departments and agencies, President Clinton directed each federal agency, including independent regulatory agencies, to assist a working group on electronic commerce with identifying any provision of law administered by the agencies, and any regulation issued by them, that may impose a barrier to electronic transactions or otherwise impede the conduct of commerce online or by electronic means. They were also tasked with recommending how such laws or regulations might be revised to allow electronic commerce to proceed while maintaining protection of the public interest. A similar exercise was to be conducted with representatives of state and local government by the working group.

The heads of executive departments and agencies were informed of Clinton administration efforts to address the so-called digital divide in a December 9, 1999, presidential memorandum. The digital divide is a reference to the perceived disparity that results from portions of the population not having the ability to use IT because of a lack of access and/or skill. Among the actions directed in the memorandum were the development of a national strategy for making computers and the Internet accessible to all Americans; expansion of the federal community technology centers network to provide low-income citizens with access to IT; encouragement of the development of IT applications that would help enable low-income citizens to start and manage their own small businesses; and use of training to upgrade the IT skills of the American workforce, particularly workers living in disadvantaged urban and rural communities.

A December 17, 1999, memorandum to the heads of executive departments and agencies directed them, among other actions, to make available online by December 2000 to the maximum extent possible, the forms needed for the top 500 government services used by the public; to make transactions with the federal government performable online, with online processing, by October 2003; and to promote the use of electronic commerce, where appropriate, for faster, cheaper ordering on federal procurements.

Implementation components

In the paragraphs below, some of the principal components of the electronic government concept are identified and discussed.

Communication

Traditionally, communication between an agency and the public has occurred through written and verbal exchanges, the latter being either in person or by telephone. Electronic government introduces the prospect of such communication occurring via the Internet through Web site visitation or electronic mail. An agency Web site may offer forms or applications that can be completed and filed online, prompting the agency to respond to the communiqué. Federal agencies generally have managed electronic mail, or e-mail, communication with the public in a manner analogous to telephone communication with the public. Call centers, which serve as an agency contact point for the public (viewed in a market context as “customers”) via a toll-free telephone number, are often the agency receiving point for e-mail from the public. Indeed, there is growing recognition of the importance of such centers for realizing “customer” satisfaction.75

Information access

From 1789 through the first decade of the 20th century, the federal government largely satisfied the information needs of the American people through the publication of official documents. With the rise of the administrative state during the administration of President Woodrow Wilson, this situation began to change. Government began to become more complex, more intrusive, and more regulative of more aspects of social and economic intercourse. These conditions intensified during the New Deal and the prosecution of World War II. In response, a growing volume of public requests for unpublished information greeted an expanding bureaucracy that too often appeared to be indifferent to, if not scornful of, such entreaties. In 1946, Congress sought to provide some relief with a section of the Administrative Procedure Act (APA) prescribing a general procedure for the request of public information from the executive departments and agencies.76 Unfortunately, the section gave the agencies broad discretionary authority to withhold requested information and failed to provide an action-forcing mechanism to settle disputes outside of the refusing agency.

Congress returned to the information access issue in the latter half of the 1950s. After several years of investigating the problems and developing remedial legislation, it enacted the FOIA in 1966, discussed above, to replace the ineffective public information section of the APA.77 Amendments to the act in 1996, among other modifications, confirm the statute’s applicability to records in electronic form or formats, require that responsive materials be provided in the form or format sought by the requester, and mandate so-called electronic reading rooms that the public may access online to examine important and high visibility agency records.78

Three years earlier, President Clinton, in an October 4, 1993, memorandum to the heads of executive departments and agencies asking them “to renew their commitment to the Freedom of Information Act, to its underlying principles of government openness, and to its sound administration,” reminded them that “our commitment to openness requires more than merely responding to requests from the public. Each agency has a responsibility to distribute information on its own initiative, and to enhance public access through the use of electronic information systems.”79

Information access, in the context of electronic government, rests on these policies. Agencies have made a large amount of information accessible to the public through their Web sites and will continue to do so. For example, the Federal Aviation Administration provides various kinds of information for air passengers, including weather related delays reported at major U.S. airports.80 Another popular Web site is the Healthfinder page maintained by the Department of Health and Human Services and covering more than 1,000 health-related topics. 81 For those interested in exploring national park facilities by theme and location, the National Park Service has created Visit Your Parks. 82 However, at least two important matters remain to be addressed. One concerns the length of time documents or data are available on an agency Web site and their subsequent retrieval from archival status through the Web site. The other concerns the ability to make online requests, pursuant to the FOIA, through the agency Web site for records and information not otherwise made accessible through the Web site.

Service delivery

A great many federal departments and agencies have been created to provide various services to the American people and businesses. One of the oldest and most visible of these is the United States Postal Service (USPS), which traces its origins to 1775. Ironically, as federal entities actively seek to provide their services through Internet transactions, the USPS appears to be among the first to be negatively impacted by this development. The mail carrier expects to lose about $180 million in revenue in 2000 as a consequence of half a billion federal checks being delivered electronically rather than by the USPS.83 Examples of federal agencies using electronic service delivery to their advantage include the Department of Education, which provides a Free Application for Federal Student Aid Web site where students and parents can log on and apply for financial aid for college. 84 The Bureau of Public Debt, Department of the Treasury, maintains a Web site where visitors may purchase Treasury bills and bonds with a credit card or bank transfer; determine current redemption rates and interest earned on their investments; obtain nearly instant data on auction results and debt buyback programs; and get an exact, daily tally on the national debt. 85 At the Department of the Interior, the Bureau of Land Management maintains a Web site in furtherance of its wild horse adoption program. Potential adopters can log on to Adopt-a-Horse Program, view color photos of the adoptees, and electronically apply for permission to adopt. 86 The Department of Housing and Urban Development (HUD) has created an online realty store where interested individuals can shop for and bid on HUD-owned homes. 87Applications for Social Security retirement benefits may now be filed electronically and may still be made via a toll-free telephone number or in person. 88

Of interest for reasons of both information access and service delivery is the launching on September 22, 2000, of FirstGov, the single federal portal to all national government Web sites.89 President Clinton announced plans for the undertaking in June, and efforts at creating the portal began in August, with the final objective being to perform high-speed searches of an estimated 100 million Web pages at 25,000 federal sites.90 At launch, FirstGov connected users to 27 million Web pages and attracted an estimated 250,000 users during its first four days of operation. It will be administered by the nonprofit Federal Search Foundation, which created the huge FirstGov search engine and will manage it for two years, after which the government can operate it or outsource its management.91 An initial congressional hearing on FirstGov, held by the House Subcommittee on Government Management, Information, and Technology on October 2, revealed General Accounting Office (GAO) concern about the portal’s vulnerability to hackers, cyberterrorists, and others with malicious intent; a public interest group’s initial satisfaction with the innovation; industry perception of the portal as unwelcome competition; and general uneasiness about the future operation of FirstGov and ownership of its indexed database after the Federal Search Foundation ceases management.92 Industry concerns were heard again a few days after this hearing when the Computer and Communications Industry Association, a trade group representing equipment manufacturers, software developers, and telecommunications and online service providers, among others, released a study it had funded that was critical of some federal online services that “encroach dangerously on businesses already served by private enterprise.”93

Procurement

Apart from engaging in sales to the public, federal departments and agencies purchase goods and services from the private sector. Details regarding such procurement are offered on agency Web sites in various ways, including bid opportunities and placement arrangements, special contracts, and unsolicited proposals. Procurement opportunities for small businesses and for women- and minority-owned businesses are often identified, as are acquisitions of particular goods and services, such as IT. Among the major federal procurement agencies maintaining Web sites for this function are the Defense Logistics Agency,94 the General Services Administration,95 and the National Aeronautics and Space Administration.96

Security

For electronic government, security has several dimensions. Continuing efforts are being made to protect Internet transactions among government entities and between those entities and the public against obstruction, diversion, interception, and falsification. The use of encryption and digital signature capabilities is being applied to better assure the integrity of such transactions. However, the Internet infrastructure must also be safeguarded; agency Web site offerings must be protected against “hacking”; and agency IT systems, including Web sites and computers, must be regularly cleared of viruses, so-called “Trojan horses,” and similar such transgressing and destructive contaminants. Finally, agency storage of electronic data to both assure its integrity and prevent unauthorized disclosure is also a security concern.

The GAO has been a tenacious critic of federal electronic information security policy and practice.97 Relying on GAO’s evaluations, Representative Stephen Horn (R-CA), chairman of the House Subcommittee on Government Management, Information, and Technology, issued a report card on federal computer security at a September 11, 2000, hearing, giving more than a quarter of the 24 major executive agencies a failing grade of F and an over-all executive branch grade of D−.98

Remedial legislation awaits implementation. In mid-November 1999, Senator Fred Thompson (R-TN), chairman of the Committee on Governmental Affairs, with Senator Joseph Lieberman (D-CT), the committee’s ranking minority member, introduced legislation (S. 1993) amending the PRA by expanding its security coverage. The report accompanying the bill when it was reported from committee on April 10, 2000, proffered the following description:

The Government Information Security Act [S. 1993, as amended in committee] would provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets. It is modeled on the “best practices” of leading organizations in the area of information security. It does this by strengthening responsibilities and procedures and coordinating information policy to ensure better control and oversight of systems. It also recognizes the highly networked nature of the current Federal computing environment and provides for government-wide management and oversight of the related information security risks including coordination of security efforts between civilian, national security and law enforcement communities.99

The PRA, according to the committee report, would be amended in four general areas:

• Agency Responsibilities: Agency heads would be responsible for developing and implementing security policies. This responsibility would be delegable to the agency’s Chief Information Officer or comparable official. Each agency would be responsible for developing and implementing an agency-wide security program which must include risk assessment considering internal and external threats, risk-based policies, security awareness training for personnel, periodic reviews of the effectiveness of security policies including remedies to address deficiencies, and procedures for detecting, reporting and responding to security incidents. Further, each agency would be required to identify specific actions—including budget, staffing, and training resources—necessary to implement the security program and include this as part of its Government Performance and Results Act performance plan.

• Director of OMB Responsibilities: The agency plans must be affirmatively approved by the Director of OMB who also would be responsible for establishing government-wide policies for the management of programs that support the cost-effective security of federal information systems by promoting security as an integral part of each agency’s business operations. Other responsibilities of the director would include overseeing and coordinating agency implementation of security policies, and coordinating with the National Institute for Standards and Technology on the development of standards and guidelines for security controls for federal systems. Such standards would be voluntary and consensus-based and developed in consultation with industry. To enforce agency accountability, the director would be authorized to take budgetary action with respect to an agency’s information resources management allocations. The OMB director may delegate these responsibilities only down to the deputy director for management.

• Annual Audit: Based on the General Accounting Office’s audit findings, S. 1993 adds a new requirement that each agency must annually undergo an independent evaluation of its information security program and practices to be conducted either by the agency’s Inspector General, the General Accounting Office or an independent external auditor. GAO then will review these evaluations and report annually to Congress regarding the adequacy of agency information programs and practices.

• National Security Systems: S. 1993 would require that the same management framework be applied to all systems including national security systems. However, to ensure that national security concerns are adequately addressed and that the appropriate individuals have oversight over national security and other classified information, the [bill as amended] would vest responsibility for approving the security plan for these systems in the Secretary of Defense and the director of Central Intelligence, rather than the director of OMB. Additionally, for these systems, the Secretary of Defense or the director of Central Intelligence shall designate who conducts the evaluation of these systems with the IG conducting an audit of the evaluation. Finally, the bill also allows the defense and intelligence agencies to develop their own procedures for detecting, reporting and responding to security incidents. 100

During Senate floor consideration of the Defense Authorization bill for FY2001 (S. 2549) on June 19, 2000, the Thompson proposal was attached to the DOD legislation and remained in the final version (H.R. 4205) approved by the Senate on July 13 and in the subsequent conference committee version of the legislation, which cleared Congress on October 12 and was signed by the President on October 30.101

Privacy

In addition to the information security considerations discussed above, federal agencies must comply with some additional requirements regarding their management—that is, collection, use, and storage—of personally identifiable information. These are largely specified in the Privacy Act, the Computer Matching and Privacy Protection Act, and two OMB federal Web site memorandums discussed earlier. The adequacy of these protections for the emerging e-govt environment appears to be somewhat uncertain. For example, in the NIC survey reviewed above, only one in three (35%) of the e-commerce users and only one in five (20%) of the non-e-commerce users trusted that the government would keep their records confidential. These records would seemingly contain some business information, perhaps even privileged commercial information, but they would certainly contain personal information. Similarly, another public opinion survey, which was conducted for the nonpartisan, nonprofit Council for Excellence in Government and is reviewed at the end of this article, found that more than half of the respondents (55%) were very concerned about government employees misusing personal information, and almost the same number (53%) were concerned about the potential for less personal privacy with the onset of e-govt.

Reporting on a recent survey of online privacy protections at federal Web sites, GAO found that 23 of 70 agencies had disclosed personal information gathered from their Web sites to third parties, mostly other agencies. However, at least four agencies were discovered to be sharing such information with private entities—trade organizations, bilateral development banks, product manufacturers, distributors, and retailers. The offending agencies were not identified by GAO. Responding to these findings, some privacy advocates called for updating the Privacy Act, whereas others urged better oversight and enforcement of the statute.102

When completing action on the FY2001 appropriations legislation for the Department of Transportation and related agencies, House and Senate conferees included a Web site privacy provision. Section 501 of the conference committee version of the bill (H.R. 4475) prohibits funds appropriated by the legislation for the Department of the Treasury and related agencies to be used by those entities (1) to collect, review, or create any aggregate list, derived by any means, that includes the collection of any personally identifiable information relating to an individual’s access to, or use of, any federal government Internet site of the agency or (2) to enter into any agreement with a third party, including another government agency, to collect, review, or obtain any aggregate list, derived from any means, that includes the collection of any personally identifiable information relating to an individual’s access to or use of any non-governmental Internet site. These limitations do not apply to any record of aggregate data that does not identify particular persons; any voluntary submission of personally identifiable information; any action taken for law enforcement, regulatory, or supervisory purposes, in accordance with applicable law; and any action that is a system security action taken by the operator of an Internet site and is necessarily incident to the rendition of the Internet site services or to the protection of the rights or property of the provider of the Internet site.103

The first limitation may be viewed as a response to the previously discussed June 2000 press revelation that the National Drug Control Policy Office was secretly tracking visitors to its Web site through the use of “cookies.” OMB’s June 22, 2000, memorandum to the heads of all executive departments and agencies indicated that:

“cookies” should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from ‘cookies’; and personal approval by the head of the agency.

The second limitation may be regarded as a response to the September GAO report indicating that 23 agencies had disclosed personal information gathered from their Web sites to third parties. President Clinton signed the legislation into law on October 23, 2000.104

Two days before the President’s action, press disclosures revealed that a GAO follow-up study contended that 13 federal agencies had ignored the OMB June 22 memorandum prohibiting the tracking of visitors to government Web sites. An appended letter from the OMB deputy director for management defended agency use of so-called “session cookies,” which, the letter said, facilitate transactions at the Web site and are not banned by OMB. Session cookies last only as long as one is visiting the Web site. Clearly prohibited are “persistent cookies,” which may track Web habits for long periods of time and the dissemination of a person’s information to a private company. GAO found seven agencies engaging in one or both of these activities.105

Management

In very large measure, over-all management of federal executive branch e-gov operations and related matters is concentrated in the leadership of OMB. The OMB director, assisted by the OIRA administrator, is vested with broad authority and responsibility for IRM by the PRA. Although the development of computer and related systems security standards for the non-military/intelligence community agencies is the responsibility of NIST, the application of and adherence to such standards by these agencies is also a responsibility assigned by the PRA to the OMB director. OMB responsibility for oversight and enforcement of agency implementation of the Privacy Act provides the OMB director with authority to address agency Web site privacy practices and use, protection, and disposition of personally identifiable information. The Clinger–Cohen Act eliminated the primary role of the Administrator of General Services for coordinating and providing for the procurement, maintenance, and use of IT, and assigned to the OMB director duties for coordinating with OMB’s Office of Federal Procurement Policy the development and review by the OIRA administrator of policy associated with the purchase of IT.

The Clinger–Cohen Act also mandated a CIO for each executive agency and vested this official with responsibility for carrying out the information management responsibilities assigned to the agencies by the PRA, as well as some additional duties specified in its own provisions. The CIOs were brought together in a Chief Information Officers Council established by E.O. 13011, which tasked the panel to serve as the principal interagency forum to improve agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources; developing recommendations for over-all federal IT management policy, procedures, and standards; sharing experiences, ideas, and promising practices, including work process redesign and the development of performance measures, to improve the management of information resources; identifying opportunities and making recommendations for, and sponsoring cooperation in, using information resources; assessing and addressing the hiring, training, classification, and professional development needs of the government with respect to IRM; and making recommendations and providing advice to appropriate executive agencies and organizations. The council is chaired by the OMB deputy director for management.

During 2000, two issues regarding CIOs came under public discussion. The first concerned the adequacy of the authority of agency CIOs to do their jobs. Some contend that public sector CIOs should have power equivalent to their private sector counterparts. For instance, with the exception of the CIOs at the Department of Agriculture and the DOD, federal CIOs do not have direct influence over IT procurements. The federal budget process is thought to curtail exploration and adaption of new IT: private sector CIOs plan on a shorter cycle and can take better advantage of burgeoning technology, whereas public sector CIOs must work in timeframes of two to five years in the future. The budget process and concomitant funding limitations also hinder government efforts to recruit and retain skilled IT professionals. Views such as these were expressed during a March 2000 hearing held by the House Subcommittee on Government Management, Information, and Technology.106 A GAO representative testifying at this proceeding introduced a new GAO executive guide to maximizing federal CIO success by learning from private sector CIO experiences.107

The second issue that came under discussion was establishing a position of Chief Information Office of the United States (CIOUS) for the entire executive branch. Such an official had been proposed in 1995 Senate legislation (S. 946) underlying the Clinger–Cohen Act discussed above. A Progressive Policy Institute report recommended such a position in March 2000,108 and legislation in support of the concept was offered in the House in June and July.109 Then Texas Governor George W. Bush endorsed the CIOUS idea in a June 9, 2000, government reform speech in Philadelphia. A subcommittee hearing on the proffered bills was held on September 12.110 Proponents of the CIOUS concept contend that many aspects of IT management would benefit from having a IT expert in charge of this area, that such an official would better facilitate OMB oversight of IT applications and use, and that efficiencies and economies could well result if this official could prevent federal agencies from purchasing computer systems that did not work or otherwise performed poorly or failed in security tests. Critics maintain that the CIOUS would unnecessarily perform a subset of duties currently vested in the OMB deputy director for management, would seemingly have little immediate enforcement powers, and in some versions, might be controlling funds outside the traditional appropriations process. Members of the Chief Information Officers Council reportedly are at odds over the need for the CIOUS.111

Maintenance

Continued maintenance of IT systems that underlie electronic government will require at least two resources: personnel and funds. Regarding the first of these resources, the Chief Information Officers Council is championing the recruitment, retention, and development of IT professionals—defined as computer scientists, computer engineers, computer programmers, and systems analysts—as members of the federal civil service. A June 1999 council report projected that “[w]ithin the federal government, the number of IT workers is expected to rise from 66,660 in 1997 to 71,320 by 2006. Achieving this growth will require replacing 32,315 and adding 4,660 new IT workers to the base.” A foreseen major obstacle to recruiting such workers was “a serious disparity” in IT salary levels between the federal government and the private sector. The private sector’s competing need for new and replacement IT staff was also recognized.112 Among the recommendations offered by the report were waiving restrictions to allow federal agencies to hire skilled IT personnel retiring from the armed forces; using temporary and term appointments to speed the placement of new IT hires on the job; implementing Web-based recruiting that would allow agencies to contact potential job applicants at sites that they frequent and where timely application for employment could be made; obligating private IT contractors to perform skills transfers to government employees; and establishing a scholarship and internship program for promising IT students in exchange for government service. The Office of Personnel Management (OPM) recently created a special pay schedule for IT workers, increasing salaries as much as 33% for entry-and mid-level personnel, effective January 1, 2001. The increase is an attempt to make federal IT positions, which lag about $12,000 on average, behind what new hires are paid in the private sector, more competitive.113

However, actual practice—outsourcing—may lessen the number of federal IT employees required. According to one assessment, “more federal information technology jobs will be turned over to the private sector in coming years. The only question is whether the numbers will be modest or mammoth.” In fact, the Bureau of Labor Statistics predicts a shrinking federal IT workforce, dropping from a 1998 total of 1.8 million jobs to 1.6 million in 2008, a 9% loss. The bureau also projects a rise in federal spending on IT outsourcing, increasing from $30.3 billion in 2000 to $40.3 billion in 2005. Although there is agreement within the IT business sector and the federal government that IT contract employees will not eliminate their civil service counterparts, the outsourcing phenomenon will contribute to a further reduction of the federal civilian workforce in the immediate years ahead.114

Funds will also be needed to maintain IT systems that underlie electronic government. At a minimum, aging hardware will have to be replaced about every three to five years. More important, however, security upgrading systems to maintain operation in the face of more sophisticated cyber attacks will be necessary. Reflecting this imperative, the Chief Information Officers Council sent a September 6, 2000, memorandum to all members of Congress apprising them of the need for funding essential programs for ensuring the security of the federal cyber infrastructure, and saying:

While there is significant progress, it has become clear that the foundation set of government-wide efforts to improve cyber security are hampered by a patchwork of funding and oversight structures in both the Executive and Legislative branches. In particular, efforts that are essential to providing a solid day-to-day operational foundation for cyber security across the Federal government are budgeted for by several agencies, and funding and oversight is likewise provided by a number of Congressional Committees. Federal CIO’s view these programs as critical to our ability to create effective information security programs. Moreover, we are increasingly concerned that the collective visibility of these efforts is being lost. As a result, we are increasing our efforts to ensure oversight of these essential programs and to encourage budget support from Congress.115

By mid-October, it appeared that several cyber security programs would not be funded, and others were in doubt as the 106th Congress moved toward final adjournment. Richard A. Clarke, special assistant to the president for cyber security, infrastructure protection, and counter-terrorism, observed that, “because funding… is broken up into so many different committees, no one feels they are destroying our attempt to create cyber-security.”116 Several weeks later, however, as Congress negotiated a spending bill that would allow it to complete its work by mid-December, the IT funding situation had improved dramatically. Over-all, by one assessment, “Congress breathed new life into IT programs once presumed dead, infused modernization initiatives with much-needed cash and recognized the dependence agencies have on technology to function and to provide services to the public.” Not all cyber security programs fared well—the Department of Agriculture, for example, received about half of what had been requested—but most “survived the budget process.”117

Digital divide

As noted earlier, the digital divide refers to the perceived disparity that results from portions of the population not having the ability to use IT because of a lack of access and/or skill. It was initially addressed by the Clinton administration in a December 9, 1999, presidential memorandum to executive department and agency heads directing their assistance with the development of a national strategy for making computers and the Internet accessible to all Americans; expansion of the federal community technology centers network to provide low-income citizens with access to IT; encouragement of the development of IT applications that would help enable low-income citizens to start and manage their own small businesses; and use of training to upgrade the IT skills of the American workforce, particularly workers living in disadvantaged urban and rural communities. This effort was based on assessments of the digital divide conducted by NTIA, which continue with a view toward better understanding IT and electronic communications disparities in terms of population variables, including geography.118

Examination of the digital divide was also begun by the President’s Information Technology Advisory Committee, which undertook an October 19, 1999, conference focusing on IT access for racial and ethnic groups in the United States. At the time the committee reported the results of this conference to President Clinton, additional conferences on geographic disparities and small university access to information tools were under consideration. The report, transmitted on February 2, 2000, urged a more coordinated national strategy for addressing the digital divide, with more community input, greater emphasis on using IT to educate, greater government investment targeted toward programs to resolve the digital divide, and a market approach that better addresses issues of information inequality. The committee called for continuing research, data collection, and evaluation of the conditions contributing to the divide, and support of better IT to help increase the use of IT tools, particularly among minority-owned companies, minority researchers, and policy-oriented minority employees.119

Emergency response

In the American governmental experience, an expectation has long existed that the president will exert leadership when a sudden crisis threatens the nation. Such thinking may be traced to the 18th century British philosopher John Locke, who argued that occasions may arise when an executive must exert broad discretion in meeting special exigencies or “emergencies” for which the legislative authority has provided no relief and/or existing law does not grant necessary remedy. As the federal government has evolved during the past two centuries, a number of developments have occurred regarding presidential response to national emergencies, resulting in a less drastic situation than the one envisioned by Locke. Special institutions, such as the current Federal Emergency Management Agency (FEMA), have been created to respond to, coordinate the efforts of other agencies to respond to, and plan for national emergencies. Such institutions have coordinated, and contributed to, the preparation and maintenance of emergency plans, such as the Federal Response Plan for the delivery of federal disaster assistance,120 and standby directives, such as E.O. 12656 of November 18, 1988, assigning emergency preparedness responsibilities among the federal departments and agencies.121 In addition, Congress has enacted various laws that provide the president ready authority to address an emergency as well as some standby statutory powers that may be selectively activated under the terms of the National Emergencies Act of 1976, as amended.122

Responding to an emergency arising from severe disruption of computer-based critical infrastructures and e-govt operations both draws and builds on this legacy of developments. Experience has shown that severe weather conditions produced by a hurricane or tornado can damage or destroy communications systems and critical infrastructures in a geographic area. Consequently, the restoration of communications damaged or destroyed by severe weather is addressed in the Federal Response Plan. However, a recently added plan annex concerning terrorism indicates that the Department of Justice is responsible for “crisis management,” defined as “measures to identify, acquire, and plan the use of resources needed to anticipate, prevent, and/or resolve a threat or act of terrorism,” such as damaging or destroying critical infrastructures. The annex specifies that FEMA is responsible for “consequence management,” defined as “measures to protect public health and safety, restore essential government services, and provide emergency relief to governments, businesses, and individuals affected by the consequences of terrorism.”123

Critical infrastructure protection planning and preparation is also addressed in PDD 63, discussed above. In addition to creating new institutions and assigning responsibilities regarding these matters, the directive establishes a public-private partnership structure, recognizing that, because “the targets of attacks on our critical infrastructure would likely include both facilities in the economy and those in the government, the elimination of our potential vulnerability requires a closely coordinated effort of both the government and the private sector.”124 Among the first fruits of these partnerships is the National Plan for Information Systems Protection, made public on January 7, 2000, and discussed above.125 An October 1999 GAO report reinforced the value of these public-private partnerships and offered various recommendations for critical infrastructure protection based on recent experiences of addressing the year 2000 computing problem.126

Ultimately, in the event that severe disruption of, or damage to, critical infrastructure results in public disorder in a locale, the president may resort to the deployment of armed forces personnel, military technicians, the Ready Reserve, or federalized National Guard units to support federal law enforcement officials.127 These troops would function under federal civilian direction; no condition of martial law would necessarily result.

Oversight

Electronic government is subject to oversight by both executive branch officials and legislative branch entities. The OMB director is a principal executive branch overseer of e-govt, monitoring agency compliance with relevant statutes, presidential directives, and OMB and NIST guidance. Within departments and agencies having them, CIOs performing statutory responsibilities and duties for assuring compliance with the requirements of the PRA and monitoring the performance of IT programs also play an oversight role.128 Also, in departments and agencies having them, Inspectors General (IG) exercise an oversight capability, particularly with regard to protecting the transmission, storage, and processing of sensitive data in electronic forms and formats.129

Congressional committees and subcommittees, assisted sometimes by congressional support agencies such as GAO, conduct oversight of executive entities and activities for various purposes: to ensure executive compliance with legislative intent; to improve the efficiency, effectiveness, and economy of government operations; to evaluate program performance; to investigate alleged instances of poor administration, arbitrary and capricious behavior, abuse, waste, dishonesty, and fraud; to assess agency’s or officials’ ability to manage and carry out program objectives; to review and determine federal financial priorities; to ensure that executive policies reflect the public interest; and to protect individual rights and liberties, among other reasons.

For Congress, oversight of electronic government may prove to be particularly daunting. With potentially thousands of daily electronic transactions—for information, benefits, services, and goods—occurring, rapidly and invisibly, overseers will have to be alert to the development of administrative or managerial problems that could quickly snowball, resulting in unnecessary hardship, waste, misfeasance, or worse. Careful attention will have to be given to the creation, maintenance, preservation, security, integrity, and accessibility of the records of these transactions for possible audit and review by overseers. When agency leaders and program managers are consulted or brought before a congressional committee or subcommittee for an oversight proceeding, the agency CIO and IG may also be consulted or otherwise be found to be important participants. Moreover, for congressional and executive overseers alike, FirstGov, the single federal portal, may prove to be a useful tool for scrutinizing government-wide compliance with certain e-govt policies, such as Web site privacy notices, and other uniform requirements for federal Web sites.

Public views

As the federal government embarks on the transition to e-govt, early indications are that the American people are favorably inclined to many aspects of the new arrangements. A recent public opinion survey conducted for the nonpartisan, nonprofit Council for Excellence in Government found that 56% of those surveyed anticipated that the impact of e-govt will be positive; 71% of those who visited government Web sites indicated they were impressed with the quality of the site, calling it good or excellent, and 60% say it was easy to find what they were looking for; 59% were opposed to voting over the Internet; and 68% believed that investing tax dollars in e-govt should be a priority, that level rising to 77% approval of such investment being a medium to high priority after being given specific examples of e-govt. Among respondents, 65% felt that e-govt should be developed slowly rather than quickly because of concerns about security and privacy, as well as the digital divide. Security was the major concern, however, with 66% focusing on hackers breaking into government computers, 55% troubled about government employees misusing personal information, and 53% worried about the potential for less personal privacy. The study concluded that “Americans want government to address Website security and privacy protections, and to play a role in addressing the digital divide by making sure that e-government services and information are available in other ways and that more computers are available in public spaces.”130

Electronic government, in brief, is the continued performance of a variety of government responsibilities, such as communication, information access, and service delivery, through the use of IT with a view to improving the efficiency and economy of government operations. To facilitate this development, new authorities have been created to ensure the proper management of these technologies and the systems they serve, their protection from physical harm, and the security and privacy of their information. As the American people become more familiar and comfortable with these technologies in their everyday living, they likely will be increasingly favorable toward expanded applications in the furtherance of e-govt. Significant consequences in such developments may include a much reduced federal workforce (fewer “public servants”); greater detachment and impersonality in government employee-citizen relations (more “bureaucratic”); and new complexities in emergency preparedness, accountability, and oversight. Addressing these and other such consequences to the satisfaction of the American people is very much part of the creation and successful operation of e-govt in the United States.

References