While we may have successfully eased into the 21st century, distributed technology problems still exist. How can the lessons learned from Y2K apply to global information security?
The full extent of the threat to everyday life posed by the Y2K bug may never be known. Thanks to the judicious application of billions of dollars, the most critical, potential crises of Y2K were successfully averted, and the world eased into the 21st century with only minor problems. Some argue that the amount of time and money spent on the remediation effort was disproportionate to the threat, but that question is now moot. On the other hand, the transition's success can help shed light on how we might go about solving other distributed technology problems like global information security management.
The lessons of Y2K, however, offer approaches and strategies, not absolute solutions. Information systems affect all aspects of modern life, so computer security is not merely a technical issue but a management problem that could have a serious impact on the bottom line. The global information security risk is like Y2K without a fixed date.
Applying the Lessons
Many of the lessons learned during the course of Y2K remediation have direct implications for information security. The majority apply to networking (both technical and professional), managing infrastructure and forming effective partnerships. The International Y2K Cooperation Centre (IYCC) issued a report this past February summarising 18 different lessons from Y2K (see www.iy2kcc.org/February2000Report.htm for the full report). Key conclusions include the following:
Networking and cooperation work.
The global Y2K remediation effort clearly demonstrated that given the proper incentives to cooperate, a virtual worldwide organisation can successfully work together to solve a challenging distributed problem. A central organising function, in this case the international council of Y2K coordinators, encourages the open exchange of critical information among network members through a combination of personal contact and electronic information sharing.
This approach is already being applied in the information security arena. Under the leadership of the United Nations Working Group on Informatics, the network of national Y2K coordinators has morphed into a network of senior government IT representatives from more than 100 countries. Information security is their first project. In the wake of the "I Love You"virus that swept the globe with unprecedented speed and severity earlier this year, the group is reviewing existing national computer crime laws from around the world. It will ultimately produce a best practices guide for governments.
Infrastructures are both connected and resilient.
There was concern that local Y2K failures could cascade around the world through interconnected power, communications and trade networks. While that did not happen, the Y2K remediation efforts certainly taught us a great deal about supply chains and interdependencies. Telephone and electrical power systems, for instance, depend on each other for efficient operation.
Fortunately, those charged with the operation and management of such infrastructures are familiar with having to continue service in the face of technical problems. Commercial and government Y2K contingency plans routinely covered what to do if the power went out or if key supplies were delayed. At the date change event, Y2K problems in critical operations were handled without disruption of service to the public. Contingency planning and testing strengthened crisis management ability, and increased public confidence in the robustness of our critical infrastructures.
To date, the information infrastructure has been quite resistant to cybersabotage. While recent denial of service attacks have affected millions of users and generated widespread media coverage, real damage has been negligible. A few hours of downtime, or a few days of inconvenience, are much less significant than what one might experience in the aftermath of a severed cable or a severe storm. Within the telephone network and other infrastructures, cyberfailures to date have been caused by errors rather than attacks. The current level of cyberattacks is not yet a crisis but a warning that society should heed as it grows increasingly dependent on computers.
Public-private partnerships are necessary.
Public and private organisations worked hand in hand to resolve the Y2K problem. The partnership in the financial sector between the Joint 2000 Council (bank regulators) and Global 2000 Coordinating Group (financial institutions) kept consumer confidence high and assured the public that the Y2K bug would not affect international banking. In aviation, the world's air traffic control authorities teamed up with major airlines and airports to ensure a glitch-free date change. In these and other instances, private sector resources joined government agencies to put the best qualities of each to work. The international experience, which was mirrored by similar regional partnerships in many countries, showed that in the face of a broad, distributed threat, private and public interests can effectively converge.
These partnerships engendered mutual information sharing across public and private boundaries. In many countries, the government led the way in publishing detailed information about its Y2K progress. Businesses also provided detailed information, although usually through an industry clearinghouse in order to protect proprietary information.
This does not mean that public-private partnerships are now standard operating procedure. Conflicts of goals between business and government have made it difficult to create public-private partnerships to effectively address information security concerns.
Trust is also an issue. Businesses may be reluctant to share their unique vulnerabilities with government regulators. During Y2K, mutual information sharing built up levels of trust. Government and industry shared vulnerability data and solutions. A similar level of trust and partnership is needed to protect global information security. Government needs to share its emerging security concerns and rely on business to develop solutions to those threats before they become widespread.
Left unchecked, the Y2K date change could have seriously disrupted vital financial, business, health and government services. Throughout the late 1990s, there was a broad consensus that Y2K could have posed dangers in at least four areas:
System failures could have resulted in significant economic and social harm.
Public overreaction to Y2K fears (such as hoarding of pharmaceuticals) could have caused serious hardships.
Widespread Y2K failures or panic lasting more than a few days could have led to political instability.
Serious computer problems also could have reduced public confidence in IT, slowing growth in that industry and potentially derailing technology-led economic growth worldwide.
In contrast to the risks, however, Y2K offered a variety of valuable technological and procedural opportunities. Many CIOs used the impetus of the Y2K situation to bring their IT systems under control. Organisations also used Y2K to better understand their internal and external dependencies. They inspected supply chains and evaluated the reliability of key suppliers and customers. They created, tested and modified comprehensive contingency plans. Information security concerns could affect any or all of those areas as well, and should encourage the same level of self-examination and modification of policies and practices.
With the Y2K event, the governments of the world had an unprecedented opportunity to cooperate, so into this mix of threat and promise nations sent their best IT managers to form what became the global Y2K team. The national Y2K coordinators from more than 170 countries and the CIOs of countless public and private international organisations provided mutual assistance. The problem's clear-cut nature and unyielding deadline gave the work clarity and urgency. This environment fostered an agile mechanism with which to validate and share workable approaches to the problem and progress reports toward global readiness.
This was the second key asset - the growing pool of quality information. Sharing best practices for managing Y2K assessment, repair and testing, and for preparing and exercising contingency plans cut valuable months off the schedule and dramatically reduced costs in many countries. Team members from around the world were able to collaborate effectively thanks to current network technology. The final asset, financial support, came from both government and industry. Technologically capable and developed countries provided more than $US100 million in direct Y2K project assistance to developing and emerging economies, a small sum when compared with the $200 billion spent worldwide on Y2K readiness.
The IYCC, created with the support of the World Bank and the United Nations, was unique to the effort. The IYCC was the world's first virtual global intergovernmental organisation. The IYCC's leadership and staff of five supported the Y2K programs of the more than 170 nations within its network. Using e-mail, the Web and physical meetings (including 45 regional conferences), the IYCC gathered and disseminated information, organised regional and global networks, created a flexible response framework, managed rapidly changing public information, predicted most outcomes correctly and created a global window into the date change event.
The global Y2K team delivered a successful outcome. The Y2K transition produced no serious disruptions of critical services on a national, regional or global level. There was no significant panic or overreaction caused by Y2K fears. There were reports of several minor Y2K glitches but these were managed locally with limited effect on the public.
Ironically, the primary issue that national Y2K coordinators have had to face has been second-guessing by those not directly involved in the Y2K effort. Some asked if too much money was spent to address the problem. These critics point to the apparent wide range of expenditures and note the consequences seem roughly comparable. From this, they conclude less could have been spent to achieve the same results.
Analysis reveals more plausible explanations. Countries that are more dependent on computers recognised the importance of the task and spent more per computer. In some countries Y2K costs were much more public, and many lower-spending countries started the process later. Over time, Y2K remediation became faster and cheaper, permitting those who started later to accomplish the same results at a lower cost.
The Y2K experience offered a unique opportunity to learn how the global economy operates and how to develop and maintain networks in real time. These strategic lessons reflect on the problems that lay at the intersection of business, government and technology. Y2K menaced every country and every organisation indiscriminately. It generated a motivation to learn from the experience of others. Moreover, it would do little good to fix one's own systems if a partner for critical supplies or markets was not ready. The resulting cooperation demonstrated new organisation methods for managing highly distributed technology problems.
Cost-effective information security will soon be a prerequisite for conducting and managing e-business and e-government. Ensuring the Y2K readiness of business and government - their ability to continue to do business as usual - was the focus of millions of people around the world throughout the late 1990s. In the new, networked century, e-business will be business as usual, and e-readiness will be the focus. The Y2K event offered some lessons, but for those lessons to be valuable, nations and companies must come together to put them into practical application.
Bruce McConnell, president of McConnell International, directed the International Y2K Cooperation Centre and served as chief of information policy and technology at the US Office of Management and Budget