Reforming like it's 1995
Let's skate to where the puck is going to be this time
I keep thinking about the Clinger-Cohen Act. As one does.
In the mid-1990s, Senator Cohen and Representative Clinger asked the right questions about the federal government’s technology problem. The Brooks Act and other legislation had established technology in government as a primarily a purchasing problem, and agencies had no one whose job it was to think about technology strategically. Clinger-Cohen established a CIO Council and required federal agencies to develop coherent IT architectures. It told agencies to measure outcomes, empower CIOs, and treat technology as a strategic asset. These were very reasonable remedies.
But the law was written in 1995 and passed in 1996. The World Wide Web had been invented six years earlier. Amazon launched the same year Clinger-Cohen was written. Google was three years away. The consumer internet was about to transform society more profoundly than anyone in the halls of Congress fully grasped. After decades of failing at technology, Clinger-Cohen tried to catch government up, but just as it brought some reasonable answers, the questions changed.
That same year, Congress passed the Paperwork Reduction Act of 1995, a major revision of the 1980 original. The original PRA had created the basic framework, OMB oversight of paperwork burden. The 1995 rewrite locked in the specific procedural machinery: the requirement that agencies get OMB approval before creating any form, website, survey, or electronic submission, the 60-day and 30-day public comment periods, the three-year renewal cycles. It was a thoughtful, bipartisan effort to reduce the burden of government information collection on the public, and like Clinger-Cohen, it came at an awkward time.
The internet was about to turn “government information collection” from paper forms mailed to your house into something vastly more dynamic, interactive, and frequent. The PRA’s procedural apparatus was designed for none of it. As I’ve argued at length, the PRA has never done what it claimed to do. It has not reduced burden on the public. But it has added enormous compliance costs inside agencies, delayed critical changes, and made it nearly impossible for agencies to test and learn their way to better services. The specific processes that Congress codified in 1995 locked agencies into processes that were almost immediately outdated.
So here we are in our own version of 1995. The lesson of both Clinger-Cohen and the PRA isn't just that the timing was bad. It's that no single law could have done what the moment required: not only harness technology in the service of existing government, but anticipate the changing needs and expectations the country would face and build a government capable of meeting them. We are just starting to understand how government might use AI. We don’t really understand how AI will change the work government needs to do. So we risk boldly dragging government into the mid-to-late 2010s and then letting it stagnate for another generation.
Meanwhile, the list of laws governing government technology that are overdue for replacement is long. Beyond the PRA, you have the Privacy Act of 1974, designed to protect citizens from government overreach in the era of mainframe databases, now preventing agencies from pre-filling information they already have, forcing people to provide the same information repeatedly to different parts of the same government. FISMA offers a reasonable menu of security controls, but in practice agencies implement nearly all three hundred of them regardless of relevance, adding months or years to timelines while actually making systems less secure by crowding out time for testing. All these and others represent a particular era’s best guess at how to build and buy technology. All of them have been overtaken by events.
These laws need to change. This is not a partisan position. Anyone who has complained about government’s inability to deliver (who hasn’t?) should be supporting bipartisan work to modernize them. AI’s evolution and adoption are happening fast. The distance between what technology makes possible and what our legal framework contemplates is about to grow massively, and it will keep growing. We must act, but we need to avoid the mistakes of 1995. And I think we can.
I’ll be writing over the coming months about how I and others think about getting it right this time. The short version is that we need to stop specifying processes that sound reasonable but have not been tested in the real world, do not have built-in mechanisms for revision and adaptation, and will not survive the transformation that’s already underway. And we need to acknowledge that even the best-designed legislation fails when it’s aimed at agencies that lack the capacity to deliver on it. In addition to purpose-fit systems, government needs the right people, focused on the right work, and incentivized towards outcomes. It needs oversight frameworks that support the experimentation that learning requires. These ideas deserve more than a paragraph, so stay tuned.
For now, I want to be clear that I’m not saying we should wait until we understand AI before we reform. We can’t afford to wait. The PRA is still haunting service delivery. The Privacy Act of 1974 is still preventing sensible data sharing. Delay is its own form of failure. What I’m saying is that the pattern — write reasonable-sounding laws, lock in the mechanisms, watch them calcify — is not inevitable. We know enough now to choose differently.
