- BlogInfoSec.com - https://www.bloginfosec.com -

Y2K … Two Decades Later

Why didn’t I use the title “Y2K at Twenty” for this column to match “The FS-ISAC at Twenty” that was posted on BlogInfoSec on January 6, 2020? Good question … easy answer. Because The New York Times commandeered “Y2K @ 20” for their online presentations.

I will get to one of the NYT articles later. However, if you are wondering why the two events (FS-ISAC launch and Y2K) came so close together, it is no coincidence. We, the Board of Managers of the FS-ISAC, and the U.S. Treasury decided that it would be a good idea to have the FS-ISAC in place officially prior to Y2K so that the FS-ISAC could be in operation over that momentous weekend.

It was actually a surprise to me to see attention being paid by the NYT to this twentieth anniversary of the year 2000 date rollover. In the Sunday Styles section of the NYT of January 5, 2020, Nellie Bowles describes the trauma induced by the fear that computer systems and networks would fail at the stroke of midnight, December 31, 1999. As far as the public was concerned, nothing much happened that night, leading most folks to believe that it was a hoax concocted by software development companies to make a quick buck (or hundreds of billions of bucks!). As Bowles put it: “… the public consensus was: It was a fizzle. Maybe even a hoax.” It wasn’t.

There is a supportive video at https://mashable.com/video/wrong-about-y2k/ [1] with the title “Why you’re wrong about Y2K, 20 years later.” It is well worth watching as a reminder and a warning. My favorite quote from the video is:

“The lasting moral of Y2K shouldn’t be of an overblown panic, but of a successful and necessary global effort to avoid a known problem.”

The video goes on to show climate change as a current problem to be addressed. Unfortunately, neither climate change nor cybersecurity risk is as clear-cut as Y2K, and neither has a deadline as specific as Y2K’s. But we cannot afford to assume that claims of catastrophic consequences for climate change and cybersecurity risk are overblown—they are not, in my opinion. However, the likelihood of an international program to mitigate these known and existence-threatening problems is very small indeed.

I was privileged to represent the financial services industry, at the behest of Lee Zeichner, in the NIC (National Information Center), which was the U.S. government’s command center for the Y2K date rollover. John Koskinen had done a masterful job coordinating the Y2K effort across government and industry and ran the NIC both efficiently and effectively. I had the good fortune to meet White House security czar Richard A. Clarke that night, and to interface with Stash Jarocki—the force behind the forming of the FS-ISAC—who manned the financial services command center in Lower Manhattan. Hewlett Packard had developed software that allowed observers from all over the world to enter events that were happening in real time. And there were quite a few—some serious—that occurred but never made it into the public domain.

There were cyberattackers prowling the Internet all night. Fortunately for everyone, the century rollover occurred over a weekend when most organizations were closed. Many took the added precaution of disconnecting their systems from the Internet and other external networks. There were instances of organizations keeping their systems up and running and being victims of successful cyberattacks. For the most part, the pickings for attackers were slim, and practically everyone in IT and InfoSec was on the lookout for nefarious activities—and for problems caused by unremediated code. However, a month later, when defenses had been relaxed, major online companies, including CNN, Amazon, eBay and Yahoo, were taken down by the Mafiaboy denial-of-service attack; see https://www.wired.com/2012/02/feb-7-2000-mafiaboys-moment/ [2].

Also, when 9/11 hit the World Trade Center some 20 months later, many Wall Street firms were able to dust off and invoke their Y2K contingency plans, which were still current enough to be of significant value. Regrettably, many of those plans have languished and were never updated, which puts us in a much more vulnerable position when addressing cybersecurity risk. Ironically, there has been a renewed interest in resiliency, business continuity, and disaster recovery vis-à-vis cybersecurity as organizations have come to realize that successful cyberattacks are all but inevitable.

BTW, there was a mini-Y2K, namely a Y2020, over the recent 2019-to-2020 date rollover, as reported by Chris Stokel-Walker in an article, “A lazy fix 20 years ago means the Y2K bug is taking down computers now,” which is available at https://www.newscientist.com/article/2229238-a-lazy-fix-20-years-ago-means-the-y2k-bug-is-taking-down-computers-now/ [3]. Essentially, as reported, some programmers used an easier technique known as “windowing” to fix the Y2K problem on an interim basis. Seemingly, the program change treated dates from 2000 up to the 2020 changeover as falling in the 2000s rather than the 1900s, but made no such provision for dates following 2019. Now their chickens have come home to roost. The article describes several real-world cases that were made public. There were likely many more instances that were not reported.
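To make the windowing failure concrete, here is an added example (not code from the article or from any system it mentions) that expands two-digit years with a hard-coded pivot, the way the interim fix did, next to a sliding window that does not expire, and audits a constructed set of YYMMDD records for dates the two readings disagree on. The pivot value of 20, the field layout and the sample records are assumptions for illustration.

```python
from datetime import date

# Added example, not code from the article. PIVOT = 20 is an assumed value for the
# interim "windowing" fix the post describes: two-digit years below the pivot are
# read as 20xx, the rest as 19xx, so the fix silently breaks once real dates
# reach the pivot year.
PIVOT = 20

def fixed_window_year(yy: int) -> int:
    """Interim Y2K fix: expand a two-digit year with a hard-coded pivot."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < PIVOT else 1900 + yy

def sliding_window_year(yy: int, current_year: int) -> int:
    """Sliding window: pick the century that places the year inside the 100-year
    span starting 80 years before current_year. Still a heuristic for data that
    keeps only two digits, but it does not expire on a fixed date."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    low = current_year - 80
    year = (low // 100) * 100 + yy
    return year + 100 if year < low else year

def parse_yymmdd(field: str, expand) -> date:
    """Parse a YYMMDD field (common in legacy records) with the given expander."""
    if len(field) != 6 or not field.isdigit():
        raise ValueError(f"malformed YYMMDD field: {field!r}")
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:])
    return date(expand(yy), mm, dd)

def find_misread_dates(records, current_year: int):
    """Audit stored YYMMDD fields: return those whose fixed-window reading
    disagrees with the sliding-window reading as of current_year."""
    misread = []
    for field in records:
        fixed = parse_yymmdd(field, fixed_window_year)
        sliding = parse_yymmdd(field, lambda yy: sliding_window_year(yy, current_year))
        if fixed != sliding:
            misread.append((field, fixed.isoformat(), sliding.isoformat()))
    return misread

if __name__ == "__main__":
    # Constructed sample: expiry dates a legacy system might hold in YYMMDD form.
    SAMPLE = ["191231", "200101", "251231", "991231"]
    for field, fixed, sliding in find_misread_dates(SAMPLE, 2020):
        print(f"{field}: fixed window reads {fixed}, sliding window reads {sliding}")
```

Run against the sample as of 2020, the audit flags the two records dated 2020 and 2025, which the fixed window silently turns into 1920 and 1925; the real remedy, of course, is to store four-digit years.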

While “fixing” the cybersecurity risk issue is not directly comparable to Y2K—it will take trillions of dollars and massive international cooperation (neither of which is forthcoming) to make a dent—there are still lessons to be learned from the Y2K exercise. Y2K showed that it is possible to get very substantial buy-in to fix a known problem if powerful groups are convinced that (a) there is a real problem, (b) it can be successfully addressed, and (c) it pays to do so. The first thing to do is frame the problem, which is very difficult given the dynamics of modern software growth. The next step would be triage, namely, selecting the most critical systems and addressing them first. Then it would be a matter of prioritizing the remaining systems and deciding which should be remedied and which should be replaced. Make no mistake … this is a multi-trillion-dollar effort that could last many years, even decades. But, as the Chinese philosopher Lao Tzu is purported to have said: “A journey of a thousand miles begins with a single step.” See http://www.bbc.co.uk/worldservice/learningenglish/movingwords/shortlist/laotzu.shtml [4].