In 1997 the Department of Foreign Affairs and Trade's most critical IT system, the Secure Cable system, was still partially based on an IBM mainframe commissioned 18 years earlier. Its replacement, ADCNET R1, was operational but unable to do all the work.
Where once a staff of 25 had handled system support, the entire job — systems, internal routing tables, programming changes — was now being handled by a single individual, a man who had been there as a Systems Programmer since before Day 1 and who we will call SP, for “superprogrammer”.
Which was all fine, says independent contractor Steve Jenkin, until the day SP was hospitalised with a suspected stroke, which turned out to be a very nasty neurological virus that kept him out of work for more than six months.
“There had been a long-running and heated ‘conversation’ between the DepSec in charge of IT and the head of IT operations over the risk of this situation, culminating in the DepSec closing the conversation with: ‘SP will never leave,’” says Jenkin, who was informed by departmental insiders.
The SP didn’t leave, but the department failed the 9/11 test, badly.
“Their response was to freeze the IBM mainframe and create an emergency response project for the troubled ADCNET to handle the work and shut down the IBM as fast as they could — which was originally planned for 1996,” Jenkin says.
SP wasn’t acting out of malice, but as a recent ugly incident in the United States has so dramatically highlighted, organisations are just as dependent on the good health — and goodwill — of their IT workers today as they were back then. In that recent, very public case, computer technician Terry Childs allegedly built a booby trap that was set to delete numerous files during a scheduled maintenance of San Francisco’s IT network. Childs ended up being jailed, pending trial, and now faces up to seven years in prison.
Then in August, what the PA Consulting Group chose to label a “rogue employee” managed to lose the personal details of the entire UK prison population after transferring the information onto an unencrypted, unmarked USB memory stick and then leaving it somewhere. While again, there was no suggestion of malice, it was enough to cause the UK Home Office to kill a £1.5m contract with the company.
Other disasters can be safely presumed to have unfolded in a more subterranean manner. After all, few are prepared to admit their IT catastrophes publicly unless forced into it.
“It used to be rumoured that there were SysProgs who went from bank to bank and extorted money all along the way because they knew how to break their systems,” Jenkin remarks. “Because there is no transparency or reporting, these stories can’t be verified.”
How vulnerable are other organisations today to sabotage or major stuff-ups by disaffected IT workers? “Completely,” Jenkin says.