Y2K lessons learned

We live today in a new global risk landscape not unlike a past time of high uncertainty: the pre-Year 2000 period.

Left unaddressed, the Year 2000 date change would have disrupted firms' operations and services. Individual preparation and collaboration across organizational and national boundaries prevented disaster. Those at the epicenter of destruction last Sept. 11 benefited from those preparations. After 200,000 phone lines failed in New York, the city and Verizon Communications restored service using procedures developed for the Year 2000. Thanks to safeguards developed in 1999, bond markets reopened in two days. The New York Stock Exchange used Year 2000 testing protocols to validate its back-up trading system. Many other organizations used Year 2000 procedures to determine whom to contact, review the backup of systems, set up command centers and direct evacuations.

Preparation is essential to protect against current cybersecurity risks. Action is needed in five areas: readiness assessments, risk management strategies, useable security tools, crisis management networks and public relations.

For the Year 2000, organizations produced comprehensive inventories of their most important partners, systems and information; the functions they performed; and the interconnections among them. These inventories must be updated. Firms also surveyed their suppliers to ensure their readiness. Today, few organizations are systematically evaluating the computer security posture of their trading partners. Organizations need to assess their readiness to prevent and respond to disruptions caused by attacks.

For the date change, organizations identified mission-critical systems and fixed them first. Today, once systems inventories and supplier risks have been identified, resources must be allocated to address the most important risks first. And personnel security and management must be given additional attention.

For the Year 2000, the computer industry created tools that found and fixed the bugs. Today, many technical security solutions are available, but applying them to organizations' particular situations and systems requires a level of sophistication beyond most network managers.

For the Year 2000, infrastructure owners and operators organized cooperative networks to share information, exercise contingency plans and coordinate emergency response. Today, not enough cooperation and information sharing is occurring, except in the financial services sector, where long-standing trust relationships support strong coordination. A bill modeled on Year 2000 information-sharing legislation is pending in Congress and deserves support.

Finally, before the Year 2000, firms and industry groups organized public information campaigns to reassure shareholders and the public that the impact of the bug would be minimal. To date, post-Sept. 11 corporate publicity has expressed compassion. Focus should shift to creating a coherent message of reassurance.

McConnell, former chief of information policy and technology at the Office of Management and Budget, is president of McConnell International LLC (www.mcconnellinternational.com).
