http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=00013101.glt&t=/products/washfile/newsitem.shtml

31 January 2000

Text: State Department Offers Final Y2K Assessment

(Official testifies before Congress)(1500)

State Department Chief Information Officer (CIO) Fernando Burbano, told members of Congress January 27 that the results of Y2K remediation were positive and many valuable lessons were learned. He said, "The Department of State, along with the rest of the federal government, showed just how powerful and effective we can be when we are singularly focused and committed to solving a problem, and are provided the necessary resources to get the job done."

Addressing the issue of whether too much money was spent on preparing for Y2K, Burbano said, "We should be careful not to confuse the lack of catastrophic disruptions with unnecessary preparations by the federal government."

Y2K-related computer failures are minimal, thus far, he said largely because of the, "United States' government's international outreach and awareness campaign led by the Department of State, Department of Defense, and the President's Council on the Year 2000 Conversion, and in coordination with the United Nations and the World Bank."

Even though no major glitches disrupted vital services, preparing for Y2K forced governments and businesses to realize the importance of their computer systems and cooperation with other businesses and organizations, Burbano said.

Burbano attributed the success of the government's Y2K effort to two primary factors: the participation of congressional oversight organizations and the availability of supplemental funding to pay for the fixes.

Following is the text of Burbano's remarks:

(begin text)

Oral Testimony Of Fernando Burbano, State Department Chief Information Officer (CIO) And CIO Council

January 27, 2000

Good morning Mr. Chairman, Madame Chairwoman, and distinguished members of the Subcommittee on Government Management, Information, and Technology, and members of the Subcommittee on Technology. Since my oral testimony is limited to 5 minutes, my written testimony includes more detail.

As Chairman of the CIO Council's Subcommittee on Critical Infrastructure Protection I am pleased to have this opportunity to discuss how lessons learned and products and processes developed in support of Y2K can be leveraged into our ongoing critical infrastructure security efforts, and challenges facing federal agencies in implementing security measures. As well, in my role as Chief Information officer of the Department of State, I would like to thank you for providing me this opportunity to talk about the results and continuing impacts of the Department's successful Year 2000 preparation efforts. The Department of State, along with the rest of the federal government, showed just how powerful and effective we can be when we are singularly focused and committed to solving a problem, and are provided the necessary resources to get the job done.

First, let me quickly address the cost of preparing for Y2K. The question is, "Did we spend too much?" The answer is very simple: absolutely not. We should be careful not to confuse the lack of catastrophic disruptions with unnecessary preparations by the federal government.

Now, moving on to the actual results of the Y2K rollover and its impacts to the global community. In general, there were few, and only minor Y2K failures reported internationally, and none that impacted the safety of American citizens worldwide. I believe this global success is a direct result of the United States government's international outreach and awareness campaign led by the Department of State, Department of Defense, and the President's Council on the Year 2000 Conversion, and in coordination with the United Nations and World Bank. Embassies representing the United States' presence in over 160 countries around the world played a key role in monitoring and reporting events in their host countries and post facilities to our Y2K Task Force convened in State's Operations Center. Additionally, internal State Department systems faired exceptionally well through the rollover experiencing no significant failures among our mission critical, critical, and routine systems.

As you are well aware, many of the products and processes developed to address Y2K problems can be applied to future challenges and serve as the foundation for managing issues which cross agency and public/private boundaries, including Critical Infrastructure Protection. In fact, much of the work already done is a prerequisite for PDD-63 (Presidential Decision Directive), Critical Infrastructure Protection, Clinger-Cohen (Act) and other Government Performance and Results Act initiatives.

Specifically, Y2K preparation forced government agencies to take a close look at its information technology (IT) applications and produce a complete prioritized inventory. This is a critical first step to identifying and refining the Mission Essential Infrastructure as required by PDD-63.

The Y2K effort produced program management methodologies which were applied across all government agencies and included Executive and Congressional oversight, Assistant Secretary level management, and repeatable standardized measures and processes. This management structure can also be applied to Critical Infrastructure Protection. All elements of the federal government reviewed and developed contingency plans for critical business processes. The development of these contingency plans resulted in a greater understanding by senior policy managers of the dependency of business processes on IT systems. Additionally, these plans are durable beyond Y2K and establish the foundation for all future contingency operations planning.

For the Y2K rollover period, the government developed a robust global reporting structure which can be leveraged into a mechanism for monitoring threats against critical infrastructure elements. For example, within the Department of State, we have developed a web- based, geographic information system to collect cyber-threat information from all overseas posts. This tool could serve as a pilot system for other agencies to collect and analyze cyber-threat data.

Finally, Y2K preparation efforts increased the level of interagency cooperation and coordination between the public and private sectors. This same working level teamwork will be required to effectively implement Critical Infrastructure Protection plans.

There are two areas which I believe allowed the federal government to successfully overcome widespread Y2K problems in the face of an immovable, tight deadline. First, continued participation by key congressional oversight organizations provided federal Y2K programs the authority needed to push agency resources to their limits. Second, the ability of federal Y2K programs to rapidly obtain, and more importantly retain, adequate separate supplemental funding specifically designated for Y2K allowed each agency to acquire the resources necessary to achieve time sensitive objectives. This ability of federal agencies to have access to a congressionally managed, yet continuous separate supplemental funding stream designated specifically for the Y2K effort, allowed federal CIOs and Y2K Program Managers the ability to acquire and retain qualified resources in the needed quantity.

Critical Infrastructure Protection programs require the same approach. Involvement by Congress and other oversight organizations to raise the level of awareness and visibility throughout the federal community and oversee CIP implementation progress in support of national security goals is vital, and this activity is already underway. But just as important to me and my colleagues throughout government is access to funding which allows each of us to begin developing and implementing our plans in accordance with PDD-63 and other Critical Infrastructure Protection guidance and statutes.

One of the key obstacles preventing agencies from immediately pursuing CIP initiatives is the lack of current funding for these projects. Due to the federal government's budget cycle, forecasting for future work is done two years prior to the budget year. Therefore, as new requirements are levied, current agency budgets do not reflect changing priorities and requirements, such as the new Critical Infrastructure Protection implementation initiative. In light of this, there are numerous events that have prevented agencies from adequately addressing current CIP implementation requirements in their FY2000-1 budgets. First, the unprecedented and unpredicted growth of internet use and technologies over the last two years. Second, the corresponding collateral growth of the cyber underworld during this same period. Third, the extent to which our daily business relies on internet-based systems, and the fundamental shift in business tools to be used in a web-based environment. And finally, expanding CIP requirements on federal agencies, including the recent Critical Infrastructure Protection National Plan and its 10 Programs, some of which require immediate implementation. These are just some of the reasons why federal agencies are poorly positioned to successfully implement Critical Infrastructure Protection programs to address the challenges posed by the ever-growing cyber underworld, not to mention to be in compliance with Executive guidance. Although we of the CIO Council fully understand fiscal constraints, reallocation of just a fraction of the current surplus would be a solid investment for the protection of the federal government's critical infrastructure.

In closing, it is my belief, and the belief of members of my subcommittee and CIOs across the federal government, that in order for National CIP initiatives to be fully successful, continued congressional support, as well as the ability to get access to specific CIP and security-related funding, is vital. I cannot emphasis enough that without Congressionally backed support, including adequate separate supplemental funding, we of the subcommittee on Critical Infrastructure Protection believe the federal government will significantly fall short of national Critical Infrastructure Protection goals.

Thank you.

(end text)

(Distributed by the Office of International Information Programs, U.S. Department of State)

-- Homer Beanfang (Bats@inbellfry.com), January 31, 2000

Answers

Thanks, Homer for second best guffaw of the morning. See clueless Pam's post for the first. Kyle

-- Kyle (fordtbonly@aol.com), February 01, 2000.