LIVERMORE, CALIF. (01/28/2000) - Government and industry officials who met here last week agreed that the enterprise risk-analysis models and management practices used to determine potential year 2000 computer failures offer valuable lessons for the analysis of future security and infrastructure threats.
The conference, co-sponsored by the Center for Global Security Research at Lawrence Livermore National Laboratory, featured John Hamre, U.S. deputy secretary of defense. He noted that the one Y2K-related computer failure at the U.S. Department of Defense (DOD) - the malfunction of a satellite-based reconnaissance system - occurred because the department didn't conduct end-to-end testing of the system prior to the date change.
Hamre said Y2K preparations made the DOD realize how dependent it is on private-sector services like power generation and telecommunications, which must be included in integrated disaster planning.
"We are astoundingly dependent on the success of partners, and that frightened us," said Hamre, who expressed concern about the just-in-time delivery process adopted by many vendors. "We sent teams to 2,000 companies to see if they were going to be ready. We gained confidence in industrial partners that we hadn't leaned on before, and now [we] have much more willingness to adopt these business practices."
Joseph M. Weiss, technical manager of the Y2K program at the Electric Power Research Institute in Palo Alto, Calif., which represents 114 electric utilities and corporations worldwide, confirmed that the industry's Y2K preparedness created an information-sharing and contingency-plan testing model that deepened utilities' understanding of how their systems operate. For example, Weiss said, better mechanisms are needed to report minor problems so information technology managers can swiftly fix and document them.
Weiss added that while critical control systems didn't use dates, noncompliant embedded chips did affect noncritical systems such as operator displays and trend reporting. He said Y2K projects helped shed light on non-Y2K infrastructure issues, like the need to review and update authentication software, communications protocols and systems integration.
"IT is not addressing operating systems, and they are as critical to security as networks and PCs," Weiss said.
Despite the success of good business practices, attendees said better security preparedness metrics are needed. They also worried that remediation knowledge gained would disappear as Y2K staffers lose their jobs. "Who will carry it on?" asked Bill Curtis, who led Y2K projects at the DOD.