Bennett's Y2K Senate Panel To Shift To Security (Federal Computer Week)

JULY 5, 1999

Y2K panel to shift to security
BY DIANE FRANK (diane_frank@fcw.com)

http://www.fcw.com/pubs/fcw/1999/0705/fcw-newsy2k-7-5-99.html

[Fair Use: For Educational/Research Purposes Only]

With agencies nearing completion of fixing computers to avoid the Year 2000 problem, Senate leaders are considering shifting the focus of the special Year 2000 oversight committee to what many government officials see as the next big threat to government computers: security breaches and cyberterrorism.

Since its creation in April 1998, the Senate's Special Committee on the Year 2000 Technology Problem has studied the impact of the Year 2000 computer problem on government and the private sector and has recommended legislation and other action.

The committee has focused on the potential impact of computer or network failures on banking, transportation, utilities and other components of the nation's critical infrastructure.

The committee chairman, Sen. Bob Bennett (R-Utah), and Senate Majority Leader Trent Lott (R-Miss.) recognize that security vulnerabilities in networks and computer systems pose a similar threat, as they are subject to attacks from personnel within agencies or from outside cyber-terrorists, according to a committee spokesman.

[The TBY2K Forum can relate!]

The senators have held informal discussions about the possibility of changing the committee's mission when its current authority expires Feb. 29, 2000, the committee spokesman said.

"There are several similar issues and problems that will be faced," he said. "The kernel of the idea was generated internally by people here at the committee who were examining critical infrastructure."

Several high-level federal groups and organizations, including the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center at the FBI, also focus on computer security and the integrity of the nation's infrastructure against attacks.

But the government would benefit from congressional attention, said Olga Grkavac, executive vice president of the Information Technology Association of America's Enterprise Solutions Division.

"There really is a link between information infrastructure [and] critical infrastructure in [Year 2000 and security issues] and the hearing track record that the committee has built up," she said. "The experience the members now have would be a big plus."

A Senate committee would bring an extra level of discussion to what other groups on security and critical infrastructure around the government have raised because the committee could focus on policy and legal questions that have come up, said Dean Turner, information security analyst with SecurityFocus.com. "The technology is there to do these things, now the policy and the law have to catch up with it," he said.

It is important for the committee to look at more than just instances of World Wide Web site hacking, Turner said. Even though that is the phenomenon creating the biggest stir right now, it is the least harmful type of attack out there. "I think that if that's what the committee is going to focus on, then they'll be wasting their time," he said.

Much of the committee's initial focus should be to educate government and the public about the need for security, said Bill Larson, chief executive officer of security company Network Associates Inc.

"I think people do not understand in government the potential for cyberterrorism and the amount of havoc that can be created," Larson said.

The CIO Council probably would work closely with the new security committee if the Senate chooses to shift the Year 2000 committee's focus, said Ed Caffrey, liaison for the CIO Council's Security Committee and a member of the State Department's Systems Integrity Division. The CIO Council recently expanded the focus of its Security Committee to include critical infrastructure and privacy. The council and its committees serve as the coordinators between federal and state government and the private sector, Caffrey said. Because the Senate committee probably would serve the same function, it would make sense for the two groups to work together, he said.



-- Diane J. Squire (sacredspaces@yahoo.com), July 06, 1999

Answers

Wonder what happens with all the non-mission critical Federal government systems? This year. And next.

Diane

-- Diane J. Squire (sacredspaces@yahoo.com), July 06, 1999.


Talk about closing the barn door after the horse is out!! They SHOULD have started such a committee at the same time that they SHOULD have started Y2K. One thing about our glorious system is that we always get just what/who we voted for!!

Taz...who periodically takes to the woods looking for a rabbit hole to hide in.

-- Taz (Tassie @aol.com), July 06, 1999.


Mornin Diane-

Interesting. Cyberterrorism probably *is* as grave a threat as Y2K failures. Hmmm. Are we being misdirected?

*sigh*

Seein spin everywhere (Real? Imagined?) since learning about the Rendon Group.

You also bring up a point I've been wondering about lately: So 94% of .gov's mission critical systems are "Y2K ready" at a cost of about $9 Billion.

Okay. What percent of all .gov systems does that 94% represent, and when will all the rest of them get fixed? And what will THAT cost?

The only published ratio of critical/non-critical I can recall is DoD. I think Hamre implied in a hearing last winter that their mission critical systems represented less than 10% of all DoD systems. As I recall, DoD systems (overall) account for more than half of all federal systems.

So less than 10% of 50% of .gov computer systems are currently ready.

The army and navy have said they will be 100% done by November. Quite a feat.

(BTW, I listened to the first bit of the Navy's Community Conversation thing from June 15th - Navy said November, too)

Man, what a convoluted post. Java deficiency.

I guess what I'm asking is:

Has anyone seen an official statement of how many federal systems there are overall, and what portion of the total of them is considered mission critical?

-- Lewis (aslanshow@yahoo.com), July 06, 1999.


Diane,

Glad to see you still posting to this "old" forum. Personally, I'm much more interested in viewing other folks' "crystal balls" than the specifics on what to buy, where to live, etc...

-- Anonymous99 (Anonymous99@Anonymous99.xxx), July 06, 1999.


Also see this link to a report (PDF format) on the projected compliance dates for high-impact federal programs:

http://freedom.house.gov/y2k/grades/highimpact9906.pdf

-- Linkmeister (link@librarian.edu), July 06, 1999.



I certainly hope they have the leisure to do so. I see three possible thoughts going here.

A. Let's not for goodness sakes let a committee die. We will find something for it to do. (G)

B. A red herring for any and all Y2K related issues

C. Cyberterrorism is a very real threat. This does not preclude A & B.

-- Jon Williamson (jwilliamson003@sprintmail.com), July 06, 1999.


Lewis,

The whole "twisting" story still makes me dizzy. Including the Rendon Group "spin" for Koskinen.

Remember, the Fed Y2K mantra? "It's all local."

Yeah. And most of 'em are in Washington, D.C. For now.

Anonymous99,

There is and will still be a continuing need to monitor Y2K news and information... locally, nationally and internationally. Perhaps for a full year yet.

TimeBomb 2000 (Y2000) Forum Classic... is the place for that... and the continuing Y2K... and related... debates.

The NEW TimeBomb 2000 (Y2000) Preparation Forum is to discuss what's important about preparing for the upcoming unknown Y2K repercussions. Any eyes open global citizen can "see" potential problems looming.

It's now six months and counting. Both prep and awareness needs are equally important activities.

*Some* of us prefer digging for news and puzzle pieces, first, while *others* choose to dig in the garden first. And vice versa. (Just to illustrate the shifting Y2K "landscape.")

Y2K is still a moving target. And...

Shift Still Happens.

;-D

Diane

-- Diane J. Squire (sacredspaces@yahoo.com), July 06, 1999.


More Federal Computer Week Related Info... in the article sidebar...

JULY 5, 1999
CIO Council to expand security focus

http://www.fcw.com/pubs/fcw/1999/0705/fcw-newsy2kside-7-5-99.html

FCW's coverage of Y2K

http://www.fcw.com/ref/hottopics/y2k.htm

FCW's coverage of security

http://www.fcw.com/ref/hottopics/security.htm

Special Senate Committee on Y2K Technology Problems

http://www.senate.gov/~y2k/

Critical Infrastructure Assurance Office (CIAO)

http://131.84.1.84/index.html

Critical infrastructure assurance is a new capability that resides right at the point where our national security and economic security merge. The Critical Infrastructure Assurance Office (CIAO), announced by President Clinton in May 1998, will facilitate the creation of a national plan to protect the services that we depend on daily: telecommunications, banking and finance, electric power, transportation, gas and oil, emergency services and government services. This initiative will require a new level of commitment to partnership between the public and private sectors, specifically in the areas of policy formation and information sharing.

National Protection Infrastructure Center (NPIC)

http://www.nipc.gov/

[NPIC looks unfinished. Kinda like Y2K.]



-- Diane J. Squire (sacredspaces@yahoo.com), July 06, 1999.


As of late March, the total number of federal systems considered "mission critical" was 6,123. Estimates of the total number of federal systems overall vary, according to whose statistics you use (those of OMB, GAO, "Federal Computer Week," etc.) and how "systems" are counted, but it is in the range of 67,000 to 73,000. So basically only 9% or so of all federal systems are currently being counted as "mission critical." Back in August 1997, 9,100 systems were so counted, but you know how it goes.

To the best of my knowledge, Koskinen never, but never, talks about all those supposedly "noncritical" systems; neither do Bennett and his cohorts on the Senate Y2K committee.

Re concern with cyberterrorism: this reinforces what Georgia State Rep. George Grindley (head of that state's Y2K Task Force) said in his recent letter, namely, that Koskinen was privately telling top state officials in Georgia to prepare for the outside possibility of up to three weeks without power; Grindley believed that Koskinen and DoD were particularly worried about cyberterrorist threats to power grids. This also supports a mainstream news article last summer that cited a joint NSA/DoD/FBI exercise in 1997, which reportedly determined that cyberterrorist attacks could take down power grids.

-- Don Florence (dflorence@zianet.com), July 06, 1999.


P.S. Re all those "noncritical" federal systems: I don't mean to imply that they aren't being worked on. I'm sure that many are being worked on and are in various stages of being fixed. But there is a reason that agencies went to "triage" and focused most of their energies on the "critical systems." Call it my natural suspicion, but I think that if there were indeed good news to report about those tens of thousands of supposedly "noncritical" systems, Koskinen, Bennett, and company would be crowing about it. They aren't--just as they aren't noting that external interfaces and end-to-end integrated systems tests aren't finished for at least some of the supposedly "fixed" critical systems, either.

One wonders about the division between "critical" and "noncritical" systems in corporate settings, too. I've never seen any reliable data regarding how many systems are actually being classified as "mission critical" by major U.S. corporations. Strange, considering what a potentially important issue that is.

Then there's the problem of interfaces, of systems being "windowed" in different ways. Plus, according to Capers Jones in "The Year 2000 Problem," windowing (which accounts for 80% of Y2K fixes worldwide) reduces the efficiency of typical database accessing and mining by roughly 20%. I think we are likely to see serious losses in corporate productivity and efficiency even among those companies that do get all their mission-critical systems "fixed" by year's end--and remember, according to the latest Cap Gemini survey, 22% of the Fortune 1000 now admit they won't be done with mission-critical systems by year's end. SMEs are still generally considered to be lagging behind the big boys.

A couple of encouraging points. I suspect, or at least hope, that in most govt. agencies and corporations the "critical" systems are also the really big ones; in other words, that a lot of the "noncritical" systems that are presently just receiving a lick and a promise are relatively small systems. And second, in one of Jones's monumental books on software metrics (all you ever wanted and needed to know to put you to sleep), he notes that perhaps 50% of all installed corporate software is presently dormant; IT depts. are notoriously bad about "cleaning house." But Jones also admits that number might be highly inaccurate, since it is based simply on projections from one IBM data center (where Jones was a top scientist before he went on to found Software Productivity Research 15 years or so ago). In any case, one can hope that a lot of the systems, corporate and govt., that are receiving little or no Y2K attention weren't being used much anyway.

As I said, one can hope.

-- Don Florence (dflorence@zianet.com), July 06, 1999.



It is not difficult to imagine that 90 percent of what the feds do is really useless.

-- dave (wootendave@hotmail.com), July 07, 1999.
