June 18, 1998
'Y2K' Is Scarier Than The Alarmists Think
By BRUCE D. BERKOWITZ
Wall Street Journal
Some experts are warning of world-wide chaos and economic ruin just 18
months from now. They worry that computers that record years with only two
digits will confuse the year 2000 with 1900, causing them to miscalculate or go
haywire. Edward Yardeni argued on this page last month that the computing
meltdown could throw the U.S. into recession.
These experts may be exaggerating the economic threat. In many respects the
Year 2000 Problem--"Y2K" in cyber-speak--is much less complicated than
natural disasters like hurricanes or earthquakes. Unlike these events, we know
when Y2K will strike. And we know exactly where to look to solve most of the
problem--in old programming code.
Federal Reserve officials recently cautioned that the final cost of fixing
information systems in the U.S. may total more than $50 billion. Admittedly, this
is a large sum of money, but it is only a small fraction of the nation's $7.3 trillion
gross domestic product. So the effect on the economy as a whole should be
tolerable. Similarly, the Office of Management and Budget estimates that the
federal government will spend $3.9 billion to correct Y2K problems--a
significant sum, but less than 0.3% of total federal spending.
Debugging the world's information systems will take time, effort and money, but
the task is not overwhelming. The trick is to make sure that businesses and
individuals understand the problem, and then put their self-interest to work. A
detailed legal requirement to fix Y2K bugs is futile micromanagement. A more
effective approach is simply to clarify in the law that firms failing to take
reasonable precautions are liable for damages to customers harmed by Y2K.
Firms should also be required to disclose whether they have taken these steps.
Congress and state legislatures are currently considering this kind of legislation,
and there is time to pass it.
So the good news is that the threat does not need to be as dire as Mr. Yardeni
and others fear. Alas, the bad news is that there is an even greater threat related
to Y2K that no one seems to be thinking about yet. Simply put, Y2K will create
one of the greatest opportunities for information warfare, crime, sabotage and
terrorism we have ever encountered.
Sometimes a Y2K error is difficult to identify and fix because it is buried deep in
the logic of a software package or microchip. It is often hard to find
programmers who are familiar with programs and mainframes built decades ago.
These older systems are still used in many organizations for payrolls, billing and
controlling industrial machinery, and they are the systems most prone to a Y2K
error.
Corporations and government agencies world-wide are scrambling to find people
with the required skills. To handle the time-consuming, labor-intensive task of
reviewing computer code line by line, these organizations are recruiting
programmers at an astonishing pace. According to Howard Rubin of Hunter
College, the U.S. alone will need 500,000 to 700,000 additional programmers to
deal with the problem. To fill these slots, many organizations are recalling senior
workers who were laid off a few years ago because their Cobol and Fortran
skills seemed obsolete in an industry that was turning to C++ and Java. Other
organizations are outsourcing Y2K work in the developing world, where the
older computer languages are still widely used.
In other words, at least some of the people we are using to fix the Y2K problem
come from populations with a disproportionate number of disgruntled workers.
The potential for vandalism is obvious. But that is not the most serious threat.
What if foreign governments and organizations hostile to the U.S. decide to
exploit Y2K? With American business hiring as many technicians as they can
find, our adversaries could use Y2K to infiltrate agents into our utilities,
transportation services and financial institutions. They could also penetrate
computer manufacturers, software companies and other firms in the information
industry.
The potential for mayhem is enormous because technicians who fix Y2K
problems often have carte blanche access to all areas of an organization's
information systems. This access provides them a unique opportunity to
compromise these systems. They could cause immediate damage, or they could
plant viruses, logic bombs or trapdoors--programming devices, to be triggered
later, designed to destroy data or allow a hacker access. Since many of these
technicians are being hired precisely because organizations currently lack a
complete understanding of their older information systems, it could be difficult to
detect such an attack.
Of course, the vast majority of the technicians hired to fix Y2K bugs are honest
professionals. The problem is the large numbers of technicians who must be hired
in a very short time span. It is impossible reliably to review the backgrounds of
so many people so quickly. Even if just one in 10,000 of the new programmers
hired to address Y2K problems comes from a hostile country or organization,
Mr. Rubin's estimate of the number of new programmers required suggest that
this would result in 50 to 70 compromises in the U.S. alone.
Even the Pentagon would have trouble screening thousands of programmers in
18 months. You can imagine, then, how hard it will be for private firms.
Companies like AT&T, Microsoft and American Management Systems are in a
bind. If they exclude anyone with a bohemian lifestyle, a history of drug use, a
tendency to question authority, or off-center political beliefs, the remaining pool
of programmers could be quite small.
The current Y2K situation is just a hint of similar problems we can expect in the
future. As the world becomes more interconnected and information systems
become more standardized, generic problems like Y2K, a virus or some other
software or hardware defect will occur world-wide. Criminals, terrorists and
hostile governments will find opportunities in the confusion.
Welcome to the world of "strategic information warfare," where the threat is not
the casual hacker or prankster. The threats are foreign military services and
terrorist groups who won't pass up an opportunity to get into the innards of our
information systems.
They're probably at work even as we speak.
Mr. Berkowitz is an author and consultant based in Alexandria, Va. He is a
contributor to the forthcoming report on the information warfare threat to be
published by the Center for Strategic and International Studies.
|
