
Y2K … Two Decades Later

Why didn’t I use the title “Y2K at Twenty” for this column to match “The FS-ISAC at Twenty” that was posted on BlogInfoSec on January 6, 2020? Good question … easy answer. Because The New York Times commandeered “Y2K @ 20” for their online presentations.

I will get to one of the NYT articles later. However, if you are wondering why the two events (FS-ISAC launch and Y2K) came so close together, it is no coincidence. We, the Board of Managers of the FS-ISAC and the U.S. Treasury decided that it would be a good idea to have the FS-ISAC in place officially prior to Y2K so that the FS-ISAC could be in operation over that momentous weekend.

It was actually a surprise to me to see attention being paid by the NYT to this twentieth anniversary of the year 2000 date rollover. In the Sunday Styles section of the NYT of January 5, 2020, Nellie Bowles describes the trauma induced by the fear that computer systems and networks would fail at the stroke of midnight, December 31, 1999. As far as the public was concerned, nothing much happened that night, leading most folks to believe that it was a hoax concocted by software development companies to make a quick buck (or hundreds of billions of bucks!). As Bowles put it: “… the public consensus was: It was a fizzle. Maybe even a hoax.” It wasn’t.

There is a supportive video at https://mashable.com/video/wrong-about-y2k/ with the title “Why you’re wrong about Y2K, 20 years later.” It is well worth watching as a reminder and a warning. My favorite quote from the video is:

“The lasting moral of Y2K shouldn’t be of an overblown panic, but of a successful and necessary global effort to avoid a known problem.”

The video goes on to show climate change as a current problem to be addressed. Unfortunately, both climate change and cybersecurity risk are not as clear-cut as Y2K and the deadline isn’t as specific as for Y2K. But we cannot afford to assume that claims of catastrophic consequences for climate change and cybersecurity risk are overblown—they are not, in my opinion. However, the likelihood of an international program to mitigate these known and existence-threatening problems is very small indeed.

I was privileged to represent the financial services industry, at the behest of Lee Zeichner, in the NIC (National Information Center), which was the U.S. government’s command center for the Y2K date rollover. John Koskinen had done a masterful job coordinating the Y2K effort across government and industry and ran the NIC both efficiently and effectively. I had the good fortune to meet White House security czar Richard A. Clarke that night, and to interface with Stash Jarocki—the force behind the forming of the FS-ISAC—who manned the financial services command center in Lower Manhattan. Hewlett Packard had developed software that allowed observers from all over the world to enter events that were happening in real time. And there were quite a few—some serious—that occurred but never made it into the public domain.

There were cyberattackers prowling the Internet all night. Fortunately for everyone, the century rollover occurred over a weekend when most organizations were closed. Many took the added precaution of disconnecting their systems from the Internet and other external networks. There were instances of organizations keeping their systems up and running and being victims of successful cyberattacks. For the most part, the pickings for attackers were slim, and practically everyone in IT and InfoSec was on the lookout for nefarious activities—and problems caused by unremediated code. However, a month later, when defenses had been relaxed, major online companies, including CNN, Amazon, eBay and Yahoo, were taken down by the Mafiaboy denial-of-service attack (see https://www.wired.com/2012/02/feb-7-2000-mafiaboys-moment/).

Also, when 9/11 hit the World Trade Center some 20 months later, many Wall Street firms were able to dust off and invoke their Y2K contingency plans, which were still current enough to be of significant value. Regrettably, many of those plans have languished and were never updated, which puts us in a much more vulnerable position when addressing cybersecurity risk. Ironically, there has been a renewed interest in resiliency, business continuity, and disaster recovery vis-à-vis cybersecurity as organizations have come to realize that successful cyberattacks are all but inevitable.

BTW, there was a mini-Y2K, namely a Y2020, over the recent 2019-to-2020 date rollover as reported by Chris Stokel-Walker in an article, “A lazy fix 20 years ago means the Y2K bug is taking down computers now,” which is available at https://www.newscientist.com/article/2229238-a-lazy-fix-20-years-ago-means-the-y2k-bug-is-taking-down-computers-now/. Essentially, as reported, some programmers used an easier technique known as “windowing” to fix the Y2K problem on an interim basis. Seemingly, the program change treated two-digit years from 2000 up to the 2020 changeover as being in the 2000s rather than the 1900s, but not dates following 2019. Now their chickens have come home to roost. The article describes several real-world cases that were made public. There were likely many more instances that were not reported.
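As an added illustration (not code from the original column or from the article it cites), here is a Python model of a fixed-pivot window of the kind described above, beside a sliding window that moves with the clock and a check that flags when a fixed window has expired. The pivot value 20 and the six-character yymmdd field layout are constructed assumptions.

```python
from datetime import date

# Constructed assumption: the interim fix used a fixed pivot of 20, i.e. a
# two-digit year below 20 is read as 20yy, anything else as 19yy.
PIVOT = 20


def fixed_window_year(yy: int, pivot: int = PIVOT) -> int:
    """Expand a two-digit year with a fixed pivot (the interim 'windowing' fix).

    Works until the real calendar reaches the pivot; from then on every new
    date is silently pushed back a century.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def sliding_window_year(yy: int, today: date, span: int = 50) -> int:
    """Expand yy into the 100-year window starting `span` years before today.

    Because the window is anchored to the current date, it never expires,
    although it still cannot represent dates more than a century apart.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    base = today.year - span                 # earliest year in the window
    candidate = base - base % 100 + yy       # yy within base's century
    if candidate < base:                     # below the window: next century
        candidate += 100
    return candidate


def fixed_window_expired(pivot: int, today: date) -> bool:
    """True once real dates can no longer be distinguished under a fixed pivot."""
    return today.year >= 2000 + pivot


def parse_yymmdd(field: str, today: date, windowing: str = "fixed") -> date:
    """Parse a constructed yymmdd record field with either windowing strategy."""
    yy, mm, dd = int(field[0:2]), int(field[2:4]), int(field[4:6])
    if windowing == "fixed":
        year = fixed_window_year(yy)
    else:
        year = sliding_window_year(yy, today)
    return date(year, mm, dd)


if __name__ == "__main__":
    rollover = date(2020, 1, 1)
    print("fixed  :", parse_yymmdd("200101", rollover))            # 1920-01-01
    print("sliding:", parse_yymmdd("200101", rollover, "sliding"))  # 2020-01-01
    print("expired:", fixed_window_expired(PIVOT, rollover))        # True
```

The expiry check is the kind of inventory test worth running against any remaining two-digit date fields: a fixed pivot is a time bomb with a known detonation year, and that year can be computed in advance rather than discovered on a rollover weekend.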

While “fixing” the cybersecurity risk issue is not directly comparable to Y2K—it will take trillions of dollars and massive international cooperation (neither of which are forthcoming) to make a dent—there are still lessons to be learned from the Y2K exercise. Y2K showed that it is possible to get very substantial buy-in to fix a known problem if powerful groups are convinced that (a) there is a real problem, (b) it can be successfully addressed, and (c) it pays to do so.

The first thing to do is frame the problem, which is very difficult given the dynamics of modern software growth. The next step would be triage, namely, selecting the most critical systems and addressing them first. Then it would be a matter of prioritizing the remaining systems and deciding which should be remedied and which should be replaced. Make no mistake … this is a multi-trillion-dollar effort that could last many years, even decades. But, as the Chinese philosopher Lao Tzu is purported to have said: “A journey of a thousand miles begins with a single step.” See http://www.bbc.co.uk/worldservice/learningenglish/movingwords/shortlist/laotzu.shtml.


This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2020/01/20/y2k-two-decades-later/