Fred Cohen & Associates

Managing Network Security Y2K - Alternative Solutions by Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Introduction:

I have read a wide range of articles over the last several years about the Year 2000 problem in computers. Many of the consultants that offer to help fix this problem call it the Y2K problem - perhaps because writing 2000 takes too much time or space or effort. But of course that's what got us into this fix in the first place. I'll explain.

In the United States, people tend to write dates as MM/DD/YY - two digits each of month, day, and year. Now for many years I have disdained this because from a standpoint of writing a program to sort dates, YY/MM/DD makes a lot more sense. Naturally, much of the rest of the world has adopted DD/MM/YY as their standard. But for computers, which are like idiot savants in that they understand nothing but can do amazing things, the meaning of a two-digit year doesn't exist. When you subtract 04/11/98 from 01/02/00 to calculate interest rates, you get...

Now here's a real problem. In this United States, you might get 8/22/02 (8 months, 22 days, 2 years). Since different months have different numbers of days, you might want some slightly different answer for your calculation - like total number of days, or some such thing. But if a computer did the calculation instead of a human being, the answer would more likely be something like 8/21/-98 - or perhaps even something more bizarre. The good news is that I will owe you 98 years of interest, which means that your computer will probably send me a check for about 50 times as much as I actually owe you. Did you follow that? Since it's 98 years of interest, the computer might calculate interest with a negative sign and since the balance is in my favor, send me a check instead of a bill.

So why am I telling you about all this?

So what does all of this year 2000 business have to do with network security? Everything.

If you take the perspective that network security is about assuring integrity, availability, and confidentiality, you should soon see that the year 2000 problem could have major effects on network security. Some examples might help.

Example 1 - Corruption: Wrong calculations in backups. Suppose that file change dates with the year 99 are calculated to be newer than those with the year 00. This may result in overwriting files where the backup is older than the on-line copy and not overwriting files where the backup is newer than the on-line copy.

Example 2 - Disruption: One of your public key infrastructure servers is a few seconds off and still thinks it's 1999 when another one thinks it’s 2000. As a result, they each decide that the other one is not trustworthy any more and until the company that designed the systems comes to fix them, both will shut down.

Example 3 - Leakage: Record retention dates specify that some particular information is to be kept confidential for 99 years, but when the calculation is done, 01/01/00 is found to be more than 99 years from 10/10/99 and the records are released.

Now these may seem silly, but I want to assure you that each of these has either been demonstrated in a real system or actually happened in a slightly different form. I am also certain that if you put forth a little bit of effort, you can demonstrate examples where this would have a substantial, perhaps even devastating, impact on your business.

Quick - call a consultant!

The hordes of Y2K consultants will probably tell you that you're already too late but that they can try to help you if you have enough money. Here are some quotes from Y2K on-line articles they have published:

"When the Year 2000 arrives, the programs we used yesterday will be useless. Unless the applications are fixed and available on January 1st, all businesses lose the ability to do business. I am at a loss as to how to communicate that message any simpler. I will leave it to you to contemplate what happens to the world-wide economy if businesses lose the ability to do business."

"The situation is critical. More than 65% of North American businesses have not yet begun to address this problem. For many it's already too late. There are less than 140 weekends left before December 31st 1998. You should be complete by then, so that you can allocate all of 1999 to test the hundreds of thousands of error prone changes you've introduced into your systems."

"There are an estimated 180 billion lines of COBOL code on MVS, and about 900,000 COBOL programmers dedicated to maintaining this code. If you would like to correct the date change operation, using automation tools and spread over a three year period 1996-1998, with out affecting the regular maintenance and new development, a minimum of 200,000 COBOL programmers should be added to the existing pool (Under the assumption that 1999 would be used, for fire-fighting measures). Going by the Gartner estimates, the total cost to correct the entire COBOL code would be US $48-65 billion. All these only for COBOL."

I figure that, based on this information, you probably haven't gotten far enough on the Y2K problem to have any hope of fixing it in time, so you might as well stop spending all that money on it and schedule a nice extended vacation for the holiday season of 1999-2000. If you vacation in a warm climate, you won’t have to worry about freezing to death when the computer-controlled power grid fails, but you will have to slug it out with all the refugees that make it out of the snow.

So what can I really do about it?

I, for one, am not so gloomy about the year 2000 challenge that many organizations will soon face. I think that the reason is that I believe in people.

I don’t believe that the computer programmers and consultants of the world will fix every error in a computer program in the next 2 years, and I certainly don’t believe that we will put up the $1 per line of program code indicated by the Y2K pundits. Frankly, computer programmers are still creating year 2000 problems, and I don’t happen to have an extra $100M lying around to fix the programs in my small consulting business’s computers.

I also don’t believe that this is the time to rebuy all of my computers and rebuild my infrastructure. If I wanted to do that, I would much rather wait until after Jan 1, 2000 to do it, since by then we will have a far better idea of what systems really work and what companies are still around to support their products. In fact, the year 2000 issue has not had much effect on my information technology buying habits, and any minor effect has been in my purchasing process, not the amount I spend on what.

I believe that the most successful organizations in dealing with the year 2000 situation will be the companies that have people firmly embedded in their business processes. Some examples might help to clarify this:

Last week, I called a company at their toll-free support number and got nothing but computers all the way down. I eventually called their corporate headquarters and got a human being (after several button pushes). The person essentially told me that no humans were available to help my in this area, that I could send them email, physical mail, or facsimile, and that they would call me if they thought it was necessary to have further human contact.

This week, I was trying to reconcile an account on an automated system, but the system did not generate the proper menus for me. I called the reconciliation people but they told me it could only be done by computer and from my desk. I explained that since it could not be done from my desk, it would either be done by someone else or not reconciled. They got in touch with technical support and, based on the response, told me to do something that didn’t work. They again told me that it could only be done by computer and from my desk. I tried to clarify to them that since I could not do it and it had to be done, someone else had to. The conversation ended without resolution, but I had the same exchange a month earlier and, eventually, somebody reconciled the account.

On the day before the Thanksgiving holiday (the busiest travel day of the year), I was trying to process some paperwork for a trip I was leaving on the day after Thanksgiving. I had been given the information I needed after hours the evening before. The computers were working but the printers were all down for some reason nobody could figure out. After 15 minutes of trying different things, the person in charge took charge. She went to a typewriter in the corner and completed the paperwork needed for the trip. We then called to FAX the paperwork and found that the remote office was already off for the holiday. Not to be deterred, she found another way and the job got done. The trip was a great success.

In case you haven’t guessed, my bet is that the third group will get the job done no matter what goes wrong with the computers. The second group will gripe a lot, but they will probably survive at a substantially degraded level of service. The first group may just end up out of business, no matter how big they are and how well they are doing today.

The reason should be no surprise. Good people who are well meaning always do better than automation at adapting to unusual circumstances. Businesses that can work around the year 2000 challenge will survive and do so at a cost far below those who try to fix everything. Businesses that cannot work around the challenge and don’t fix everything are in for a hard time.

Preparing to Adapt:

In order to fit into the survival category without spending a fortune, there are three things you should seriously consider doing:

Plan a strategy: In order to be prepared, your organization must decide how you are going to deal with year 2000 issues. Is your strategy going to be prevention or detection and response? Is your strategy going to be consequence-based? Are you going to try to find the problems before, while, or after they impact operations? What resources are going to be applied when and to what? Are you going to treat year 2000 issues differently than any other integrity, availability, or confidentiality issues in your organization? The list of questions goes on and on, and one of the first things you should probably do is to get the list of the right questions for your organization.
Prepare your people: Once you have a strategy, you need to prepare your people to carry the strategy out. This means a training and awareness campaign involving the entire organization and an in-depth preparation process for the key members of your year 2000 strategic response group. One of the most important preparation steps is to train the people who service human requests in how to respond when the computers do the wrong thing. Ideally, these people are empowered to resolve problems. Hopefully there are enough of these people trained and, in an emergency, available to deal with the most critical problems.
Practice: Just as in any other field of endeavor, practice makes perfect. If you have a team of people who don’t know how to perform functions manually or who are supposed to be available in an emergency situation, these people need to be practiced in both the normal and exceptional situations they may have to deal with. Not surprisingly, military organizations learned long ago that people fight as they train. Make sure the practice is meaningful and realistic.

Keep in mind that the preparations you make for the year 2000 will likely have to be ready well in advance of the turn of the century. Many companies already face future date calculations that extend beyond the turn of the century, and as we get closer to the deadline, more and more of these calculations and operations will be triggered.

Conclusions:

It would be nice to have a technical solution to the year 2000 challenge, but for most organizations this is simply not going to happen. Instead, there will be failures. The trick is to keep the organization prospering even when the computer systems aren’t prospering.

The most prepared organizations will survive and prosper, and in many cases, they may even pick up the business of competitors who aren’t as well prepared.

The preparations you make today will begin to be used in the coming years and, if properly made, will help you not only with the year 2000 problem, but with a wide range of other information security challenges you are likely to face in the networked environment of tomorrow.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net.