Y2K Remembered - The Family Jewels
Washington, DC, Jan 1st, 2008 -- Ten years ago the drive to convince Banks, Governments and Financial companies to remediate their old legacy programs to fix the Y2K problem was in full swing. At the time it seemed that the problem would not be fixed in time, with only two years left to go to the changeover. The problem was there were no roadmaps to the software, code and patches that made up the suites of programs at risk. We compared this software to The Family Jewels, hardly ever looked at, very expensive to replace, and the inventory kept in a vault somewhere. Frankly most management hadn't a clue of what they had, what they needed, what was essential and what needed cleaning out.
At the time we were very thankful that the media were finally taking a real interest in the problem. Later we would regret the hype and media madness as a serious problem needing only the diligent sifting through of lines of jumbled code became a platform for every Snake Oil salesman promising relief from Armageddon, as predicted in The Book of Revelations. In a few weeks time, in early 1998 I would make myself very unpopular with the religious right by questioning how computer software could possibly be forecast in the Bible. tens of thousands of not very Godly emails predicted my torment in the afterlife, and hoped I would go there soon.
The US Government were slowly moving towards making a concerted effort, and again the extent of the problem was unknown.
The research into the Y2K Threats began to turn up a lot of other vulnerabilities, as software packages, and procedures were examined to determine the risks involved. The whole critical infrastructure was seen to be in a very vulnerable state, and neglect, greed and lack of planning would one day come back to bite the complacent managers of essential assets.
These vulnerable danger points were well documented, and freely available over the developing Internet. The blueprints on how to sabotage the US Economy, the Telecommunications Networks, or the Petroleum Network were there for anybody to download. As I toured major Utilities, speaking to engineers and management, I was amazed how easy it was to gain access, to physical plant and to their networks.
In Washington during the1997 Inaugural, I had irritated the Clinton White House by broadcasting my commentary at 11am on the Y2K Radio Program in Washington entitled "A Bridge Too Far" about total lack of leadership over recognizing the threats, and their solutions to our computer and communication networks. A year later the White House had begun to move things along, and even invited me on occasions to discuss Y2K and network vulnerabilities.
The Chinese didn't seem to worry as they had a different calendar, so they watched carefully as US corporations hawked there problems around to find the cheapest software team to explore and fix their code. The warnings about monitoring the process of handing over company secrets to third world countries went unheeded. The Family Jewels were sent to India and China for cleaning, without any verifications, or effective oversight. Any Cobol programmer who could read code was grabbed by the nation's most important corporations, and set to work on their most critical computer networks. The impact on the bottom line overruled security considerations. If they were cheap they had access!
The Cavalier attitude was endemic in management, throughout government and industry. The ingrained perception that nobody dare mess with the World's only Superpower and try and disrupt commerce and industry, let alone dare to touch our critical infrastructure.
The legal profession had begun to take an interest in ComLinks.com, as up to 30,000 people a day were downloading the free papers, legislation and advice from contributors. We became one of the most popular sites, although a long way behind Peter deJagers Year2000.com. In the months ahead we would work with prestigious law firms across the country to look at the issues that may present a legal risk to their clients.
But looking back at the plight of the Family Jewels ten years ago it strikes you not what has improved, or what has changed, but how we have forgotten the lessons learned, and how we find ourselves in a vulnerability crisis, this time from organized crime and cyber warfare probing by governments, and their contractors. The difference is now there is not a simple solution, and a fixed date. We spend over 50% of the IT security budget just waiting for the attack, and guessing how and when it will occur. Some companies learned their lessons from Y2K and had disaster recovery plans in place, tested and verified. Others just called the whole thing a hoax and wrote off the experience.
I meet a whole new generation of IT managers these days, who have no grasp of the historical lessons learned, and are destined to repeat them. I remember pointing out in early 1998 that it was possible to paralyze the telecommunications network for a big chunk of the economy with nothing more than a Fireman's Axe. The small group of Critical Infrastructure leaders found this amusing and one commented on a saboteur landing by inflatable boats from a submarine holding an axe. Today they would realize that the saboteurs are already here, and the access points had better be secure.
Those who learned from Y2K have done well. Those who got their information and opinion from the media coverage and hype from vendors will live to regret believing it was all an expensive hoax.
Back to Main Menu