TRANSCIPTS - third part
'DR. RUBIN: Well, I've been asked to take a different position on this issue, which means, number one, staying in my seat and not going to the podium, but not quite a different position. I would say a few things.
In listening to the speakers here, we've talked a lot about the issue of the Year 2000 crisis and what happens if the worst case scenario hits. Suppose for a moment -- just think about, in listening to the speakers -- suppose everything was fixed.
And don't, Ed and Peter, get nervous. But you have to think about this crisis -- situation from a different vantage point. And I think that's what is missing here today. It's impossible to separate technology from business today.
And you have to think about those terms very carefully for a moment. There's a great story one of my friends, who's the CEO of a major computer company tells about a salesman on a train walked up to a passenger and says, "Do you want to buy a watch?"
The guy says, "No, I have a watch already." Puts down his cases that he's carrying. He pushes of a button, it becomes a TV screen. Pushes another button, becomes a cell phone. Now the guy is impressed and he says, "How much is this?"
It's $189.95. He says, "I'll take it," plops it down. Cases go down, walks to the end of the train. The guy sitting in the seat says, "You know," -- the guy says, "By the way, you left your travel cases." He says, "Those aren't the travel cases, those are the batteries."
(Laughter.)
Okay, technology are the batteries of business. What do those batteries cost right now? Worldwide technology spending in the 1980's was about $800 billion dollars. For this full decade it's going to be $4 trillion.
In dog years and people years, every two years in this decade equals the 1980's all over again. By 2005, each one year will equal the technology spending of all of the 1980's.
Think for a moment, dissecting this problem, why companies are spending money on technology.
Sorry you can't see me down there. I've been told to stay in my seat. But anyway, we'll watch the reruns.
Quite simply, they spend money on technology to support revenue and support income. That's in the business sector. Think about the Year 2000 problem for a moment and imagine it is fixed.
What cost estimate should we use for the U.S., $100 billion, $200 billion? We can make up any number. We can become a research analyst like the groups out there. You can pick a number with a lot of zeros and publish it.
And let's say that number is $100 billion dollars. Let's say it was $200 billion dollars. And we start looking, by the way, around the world at the GDP spending. One thing the people didn't pick up here is the U.S. dealing with this problem will be about 2.5% of the 1996 GDP.
In Russia it will be about 7%. In Mexico it's about 5%. So you say so what? Well, you need one other piece that's missing on the panel. Suppose the problem was fixed and you spent the money.
In the U.S., for every one dollar spent on information technology, it supports roughly $40 in revenue and $1.15 in income. Don't get confused that this is a cause and effect problem; that we spend a dollar, we get another $40 in revenue for your company.
That doesn't happen. This is like a chicken and an egg problem. The only person to solve that is Robin Williams by going to McDonald's at 11:00 a.m. and ordering a chicken sandwich and an Egg McMuffin to see which comes first.
So think about these things, this Ph.D. thesis.
But, suppose you take that $100 million dollars -- $100 billion dollars or $200 billion dollars and multiply by the revenue potential in the economy if the problem was fixed. Multiply it by $40. You are equal to the 1996 GDP for the entire United States.
That is the diversion that, even if we fix everything, that this is causing in economic growth. So you can draw your own conclusions from that.
But there are some other pieces that I think the panelists have to deal with, and I know I have just a couple of minutes here left to wrap up. But, look at this another way.
You've heard scenarios presented. The scenarios presented go from a blip, minor disruption. One of my friends, Caper Jones, brings it down to recession, depression, marshal law, famine -- you know, everyone go to New Mexico to see one of our common friends down there and eat with him because he's stocking up all the food.
Or, you know, total economic depression. The issue that we're facing is really what are we doing to manage the risk. We control our placement in this risk management spectrum.
We actually control, through mobilization and actions we take, where we're going to be. And in fact, I surveyed the industry in what's going on in companies, and this is almost like a "Three Little Pigs" scenario because people are doing various things to deal with risk mitigation.
Right now, in terms of risk mitigation strategy, one thing that's not talked about here -- seems like there's a clear solution. I've been surveying Fortune 500 companies since December 1994 every three months.
Eighty percent of them have changed their strategy. Eighty-five percent of them say they are under-funded, they don't have enough money to do things. Only two out of three have plans today of how they're going to protect themselves and get through this crisis that can tell you potential crisis will be quite weak.
So there's an issue of economic impact if it does work. There's an issue of impact if things don't work. There's an issue of how people are addressing this kind of stuff today.
So sort of to bring things together and, say, take a little bit different perspective, let me just summarize. This is a risk management problem. And the risks are managed by the technologists who are looking at better ways to deal with the technical solutions.
You've heard 100 times here today that it's not a technical problem, it's a business problem. Well, what do businesses need to do? We've heard that the contingency planning has to come into place. We've heard more than that; that this is a storm.
Imagine this is a weather forecast and we're told there's going to be series of storms and the big one is going to hit in 18 months. Well, there are going to be cells of tornadic activity that are going to blow -- may blow companies away.
There is activity that may not be so severe in picture, but will blow the interfaces between companies away. So business contingency planning deals with the business and all the interconnections we've heard about.
But there's this whole social aspect of this. The social aspect of this has to do with the public. What does the public do to influence that? In terms of key questions, they should be asking companies how are you going to get business leaders to do things.
I'm not talking about things as radical perhaps as boycotts, but I'm talking about societal steering of what's going on by a public learning to ask the right questions of the companies they're doing business with.
Do they have plans beyond the SEC's filing requirements? So there are a couple of different levels of this. And, on top of that, there's sort of a national level picture and a global picture where the solution to this problem, as we've heard, probably -- and the panelists have sort of addressed it in some ways.
They say we need leadership. Well, from the President and Vice President on down and global leaders, this is not a problem that can be served by delegation.
The key question if you're dealing with a company and you want to get their attention is anyone in the business at a CEO or board level accountable for this thing.
No one's really put that to the Government. But is anyone in the Government at a senior level -- I mean, the President, the Vice President -- accountable for this thing?
So there are a whole bunch of pieces that have to be tied together here. Just by means of a metaphor, one of my son's teachers once told him when he was in sixth grade social studies that you have to understand your place in time.
And she said people have mild time displacement and severe time displacement. She said mild time displacement was when she became aware of when she was an intern on the Mayflower in Plymouth Plantation, Massachusetts.
And a couple came, loved the tour. At the end, they said, "Jesus, Mayflower is great. Now we'd like to see the other two boats, the Nina and the Pinta. Thinking about that, they knew what boats were; they didn't know what floats with boats.
And there was another couple that had severe time displacement. They came on the Mayflower, they stopped the entire tour. This is what I think got a little lost on the panel. They knew everything about the Mayflower technically.
And upon leaving, as a tour guide she said why the heck did you come on here, you know everything about the Mayflower technically. They said one thing that troubled us for years. Maybe you can answer the question for us.
And this is where she got her idea of severe time displacement. And to close, let me say we're in a time problem and the panel has to deal with this. Because this couple, upon leaving, said you know everything -- you knew everything technically about the Mayflower, but the one thing we never could figure out is how did you ever fit two of each kind of animals on this damn thing?
(Laughter.)
All right, thank you.
(Applause.)
MR. de BORCHGRAVE: As technical director of GAO's Office of the Chief Scientist for Computers and Telecommunications, Keith Rhodes has vast hands on Y2K expertise on a wide range of issues, ranging from the Year 2000 crisis, to computer security, to tax systems modernization, to the air traffic control system and various weapons systems.
Prior to joining GAO in 1991, Keith was the supervising computer scientist at Lawrence Livermore National Laboratory. He holds degrees in computer engineering and engineering physics from Ohio State and UCLA.
He's a voting member of the Internet Engineering Task Force and has received numerous awards and citations and has authored many articles for technical journals on computer architecture and the modeling of communications networks.
He will now also tell us about Y2K contingency planning and hopefully challenge what has already been said.
(Applause.)
MR. RHODES:
[Slide Handouts]
I always find it odd, as someone who works for the General Accounting Office, to hear applause.
(Laughter.)
You'll have to allow me to regroup here for a second.
What I would say is that the data that are out there are suspect. The numbers that are presented are not uniform. We are -- in the General Accounting Office we're having trouble finding clear definitions of sort of the following terms: due diligence, why is someone doing what they're doing.
If you want me to fix the system so it will work, that's one thing. If you want me to fix the system so it will stand up in court, I have to fix that system differently.
Compliance -- you say tomato, I say tomato. There's a great deal of people who say four things you can hear from a vendor. One you probably will never hear, and that is certified Y2K compliant. You're not going to hear that much from a vendor. So if you're relying on a product, that's not what you're going to hear. Second point would be just Y2K compliant. That's going to come to you from the General Counsel.
And it will be a large document, and I promise you you won't understand it when you're done. Third thing is Y2K ready. I have no idea what that means. The fourth one is, we don't foresee a problem; and if you have one, call us.
That's what we're hearing. Therefore, when I hear that people are Y2K ready -- you know, you look -- somebody's 40% in this block, somebody's 50% in this block. What does that mean?
Those numbers are not necessarily vapor, but they're not uniform in their discussions. We have a great deal of problem inside our own analysis trying to figure out where any particular agency or department is.
Therefore, the doomsday scenario or the blip in the road, if you're going back to the original numbers, may both actually be valid depending on who you're talking to at any point in time. However, when you hear I don't know, I don't know is equal to no.
So that's why we're doing the work now in contingency planning and that's why we've issued a guide on contingency planning. It is available on our Web site. It is free to the public.
Our Web site is www.gao.gov. You look in the special publications. It is an exposure draft. So if you have comment, you can send it back to us. Basically we're talking about four phases of contingency planning. This is business contingency planning. This is continuity of operations. I'm not talking about how do normal disaster recovery discussions -- how do I keep this particular system running.
It's how do I keep the business running. As I said, there are four phases. One is initiation. That's the normal get the buy in and set up the organization and hopefully it will work. The second one is the business impact analysis. That's where you actually do your impact assessment.
You do your doomsday scenario at that point. You figure out what your failures are, what the failure scenario definition is. You figure out what your infrastructure risk assessment is.
As has been pointed out, it's very, very hard to have a telecommunications infrastructure melt down if you don't have electricity. And it's very hard to care if you don't have water.
So those are the -- you have to figure out what your interdependencies and dependencies are. And then you're ultimately driving to what the Department of Defense calls the "thin line," what the intelligence community calls the "operational thread." You're looking for the minimum business function. What do I need to keep minimally in business? What information -- not system yet. You're talking about information. What answers do I have to give?
You're assuming that the phone line is open and I have nothing to say. What would I say?
The fourth area is the contingency planning itself where you identify the plans, you go through your cost benefit analysis; but you also figure out the implementation modes.
Can you go physical? Do you have to be semiautomatic? Do you have to be completely automated? There are banks out there that are saying they are Y2K compliant. They have not yet tested with the Federal Reserve Board.
They are talking about themselves internally. They haven't answered the final question which is can I clear with the Fed. Wall Street is beginning what they call the street wide test. They're going to take it from order option initiation to final clearing.
They are the only ones we know of who are out there taking it completely end to end. You're looking at the trigger dates as well. This is where you begin to establish the trigger functions. A trigger date is not Year 2000. It's not January 1st, Year 2000
That's not the date that you actually do your contingency plan. You figure out when you need to do your contingency plan based on how long it will take you to put the people and assets and resources in place. |
