Passwords save America
And the rest of the week that was.
You’re reading Slow Build, a weekly newsletter on tech & society by Nancy Scola. Thanks for doing that.
Let’s talk today about a topic on all of our minds: how reimagining the federal government’s policies on reusing passwords might restore Americans’ dwindling faith in their country.
Oh, our story is admittedly a twisty one, so let’s begin where it starts. The year’s 2002, and President George W. Bush, like everyone else still riding the wake of the dot-com boom, signs the E-Government Act, which establishes the role of administrator of an Office of Electronic Government inside the White House’s Office of Management and Budget, charging that person with figuring out whether this Internet thing can help better deliver to the American public the sort of services it relies upon.
All is relatively quiet, and obscure, until the year 2009.
There’s a new president in town, by the name of Barack Obama, and he came to Washington pledging to really and truly harness technology to improve the work of government. To add muscle and shine to the little-acknowledged role of e-gov administrator, Obama rebrands the job as “Federal Chief Information Officer of the United States” and appoints former D.C. chief technology officer Vivek Kundra to the post. Said the White House at the time, “The Federal Chief Information Officer directs the policy and strategic planning of federal information technology investments and is responsible for oversight of federal technology spending.”
From there, we go to 2014. The launch of Healthcare.gov has…not gone well, and Obama signs off on the creation of something called the U.S. Digital Service, meant to be a team of experts working with existing assets like the U.S. CIO and focused on redesigning the online interactions Americans have with their government. Part of what the service argues: Washington has to refocus on designing products with the end customer, the citizen, in mind, a riff on the “human-centered design” popularized at Stanford’s design school.
The Trump years happened.
Then, in the spring of 2021, about six weeks after the inauguration of President Joe Biden, he appoints as the country’s fifth permanent U.S. CIO Clare Martorana. Martorana came from the world of commercial health care, working at places like WebMD, but she’d switched to a government track in joining the U.S. Digital Service as a specialist, before moving on to the job of CIO of the Office of Personnel Management. Some past U.S. CIOs came into the job with a focus on, say, getting over-budget and past-due government IT projects back on track. Martorana came into office with a strong foundation in citizen-centered design.
Meanwhile — and here’s where our story gets complicated — there’s work being done in government to address the country’s belief that the U.S. is a little weak on the cybersecurity front. Building on work started at the National Institute of Standards and Technology, better known as NIST, under President Trump, and inspired in large part by the 2020 cyber attack on the Texas-based software company SolarWinds traced back to Russia, in May of 2021 Biden issues an executive order on “improving the nation’s cybersecurity.” The order in particular calls for the country to begin shifting to what’s known as a “zero trust architecture,” which boils down to the idea of “never trust, always verify,” based on the belief that no user and no device should ever be assumed to be safe.
We take a short hop ahead to this past December, and Biden again gets out his executive order pen, this time to throw presidential weight behind the U.S. Digital Service-championed idea of focusing on the user. It reads, “Government must be held accountable for designing and delivering services with a focus on the actual experience of the people whom it is meant to serve,” and in issuing it the White House cites the concept of the “time tax” popularized by Atlantic writer Annie Lowrey to capture the idea of effort wasted by citizens when dealing with government inefficiencies.
While Lowrey focused attention on the most struggling among us who often have to pay the government’s time tax, it’s clear that they aren’t the only ones paying the price. People inside government are, too. Here we bump ourselves to last week, when an open letter went viral on LinkedIn and Twitter, authored by Michael Kanaan, director of operations for the Air Force’s MIT Artificial Intelligence Accelerator. “Fix Our Computers,” is its call to action. A taste: “Want innovation? You lost literally HUNDREDS OF THOUSANDS of employee hours last year because computers don't work.” The pain it implied was validated by Air Force CIO Lauren Knausenberger: “Oh man, Michael Kanaan. I echo your open plea to fund IT. It’s the foundation of our competitive advantage and also ensures every single person can maximize their time on mission.”
And that brings us up to almost the current day. Nearly simultaneously with Kanaan’s letter circulating, OMB — under the leadership of acting director Shalanda Young and Martorana, the CIO — issues a memo meant to operationalize Biden’s directive to move the country to a zero-trust cybersecurity architecture. The document is sweeping, covering everything from bug-bounty programs to the limits of VPNs, but Martorana sums up its intention by saying, “the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”
One way it attempts to free the federal workforce so it can better deliver for the American public?
By adding some reason to the password policies that drive many federal workers up a wall, from convoluted rules about what can and can’t count as a valid password for their laptops, internal databases, email accounts, and so on, to demands that passwords be constantly changed and then memorized.
It’s all security theater, suggests the OMB memo. And it has to stop: “[A]gencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum.” It goes on. “If outdated password requirements lead agency staff to reuse passwords from their personal life, store passwords insecurely, or otherwise use weak passwords,” it argues, “adversaries will find it much easier to obtain unauthorized account access.” It’s a bold decree cloaked in governmentese: complex password rules do little to protect the country while frustrating the people who should instead be devoting their energies to serving the American customer.
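To make the contrast concrete, here is a small added example (mine, not anything from the OMB memo or any agency’s code) that puts a legacy “special characters plus 90-day rotation” policy next to the approach the memo describes: judge a password by its length and by whether it is already known to attackers, and rotate it only when there is evidence of compromise. The breached-password check and the 12-character minimum are my assumptions, modeled on NIST’s SP 800-63B guidance rather than quoted from the memo, and the denylist below is a constructed stand-in for a real breach corpus.

```python
"""Added example: legacy complexity-and-rotation rules beside a
length-plus-breach-check policy. Denylist and sample inputs are constructed."""
import re
from dataclasses import dataclass

# Constructed stand-in for a known-breached password list. A real
# deployment would consult a far larger corpus of leaked credentials.
KNOWN_BREACHED = {
    "password", "p@ssw0rd1!", "welcome1!", "summer2021!", "letmein", "qwerty123",
}


@dataclass
class Verdict:
    accepted: bool
    reasons: list  # human-readable explanations for a rejection


def legacy_policy(pw: str) -> Verdict:
    """Old-style rules: short minimum length plus mandatory character classes."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("missing uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("missing lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("missing digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("missing special character")
    return Verdict(not reasons, reasons)


def legacy_needs_rotation(days_since_change: int, max_age_days: int = 90) -> bool:
    """Calendar-driven rotation: the password expires whether or not it leaked."""
    return days_since_change >= max_age_days


def modern_policy(pw: str, min_length: int = 12) -> Verdict:
    """Length plus a breached-password check; no composition rules at all."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in KNOWN_BREACHED:
        reasons.append("appears in known-breached password list")
    if len(set(pw)) <= 2:  # rejects filler such as "aaaaaaaaaaaa"
        reasons.append("too few distinct characters")
    return Verdict(not reasons, reasons)


def modern_needs_rotation(compromised: bool) -> bool:
    """Rotate only on evidence of compromise, never on a schedule."""
    return compromised


if __name__ == "__main__":
    # Constructed inputs: a classic "complexity-compliant" password that is
    # in every breach list, and a long passphrase the legacy rules reject.
    for candidate in ["P@ssw0rd1!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"modern={modern_policy(candidate)}")
    print("legacy rotation at day 90:", legacy_needs_rotation(90))
    print("modern rotation, no compromise:", modern_needs_rotation(False))
```

The point the two verdicts make is the memo’s point: the legacy rules wave through a password every attacker already has on a list, while rejecting a long passphrase that is genuinely hard to guess, and then force the user to think up a new one every quarter regardless.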
Now, there are a ton of obstacles that stand in the way of making any of this real. Agencies can lack the funding, expertise, and will to overhaul their operations to match the orders handed down from on high by people like the U.S. CIO or even the president of the United States.
But it’s an attempt by government to make life a bit easier for the people who make up government, so they can take care of their end users: all the rest of us.
What’d I get wrong? Let me know.
Wordle is proof that people aren’t after elegance — just stuff that works like it should, argues Cyd Harrell.
That said, people sure like to share stuff.
Underplaying the role of civil servants in projects like the Covidtests.gov might make digital-services teams look heroic while undercutting their long-term success, says Mark Headd.
Facebook lost a great deal of money this week — but gained a talking point in its argument that it can’t possibly be a monopoly if it’s under so much competitive threat.
“[I]t’s the Renaissance, and the antitrust agencies are Florence.”
The Intercept’s Ryan Grimm goes deep with Silicon Valley Rep. Ro Khanna on his push for “dignity in a digital age.”
Spotify’s indulging in “platformology at an evangelical level” in its bid to distance itself from Joe Rogan, says Bloomberg’s Mark Milian.
“Havana Syndrome” is somehow getting less knowable over time.
The rest of the world can have its WhatsApp; Americans still text.
Tim O’Reilly walks us through Web3, while cautioning “I don’t think we’re going to be able to call Web3 ‘Web3’ until after the crypto bust. Because only then will we get to see what’s stuck around.”
TurboTax is nudging people towards Coinbase.
A look at why Matt Damon, very successful movie actor, is “shilling for crypto,” though I still can’t tell ya.
Fewer experts are testifying before Congress in the YouTube-clip age.
AT 29,000 FEET
German climber Jost Kobusch is attempting to become the first person to summit Mount Everest alone in winter without supplemental oxygen — and you can follow his progress through this live tracker.