Managing Network Security
Y2K - Alternative Solutions
by Fred Cohen


Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Introduction:

I have read a wide range of articles over the last several years about the Year 2000 problem in computers. Many of the consultants that offer to help fix this problem call it the Y2K problem - perhaps because writing 2000 takes too much time or space or effort. But of course that's what got us into this fix in the first place. I'll explain.

In the United States, people tend to write dates as MM/DD/YY - two digits each of month, day, and year. Now for many years I have disdained this because from a standpoint of writing a program to sort dates, YY/MM/DD makes a lot more sense. Naturally, much of the rest of the world has adopted DD/MM/YY as their standard. But for computers, which are like idiot savants in that they understand nothing but can do amazing things, the meaning of a two-digit year doesn't exist. When you subtract 04/11/98 from 01/02/00 to calculate interest rates, you get...

Now here's a real problem. In this United States, you might get 8/22/02 (8 months, 22 days, 2 years). Since different months have different numbers of days, you might want some slightly different answer for your calculation - like total number of days, or some such thing. But if a computer did the calculation instead of a human being, the answer would more likely be something like 8/21/-98 - or perhaps even something more bizarre. The good news is that I will owe you 98 years of interest, which means that your computer will probably send me a check for about 50 times as much as I actually owe you. Did you follow that? Since it's 98 years of interest, the computer might calculate interest with a negative sign and since the balance is in my favor, send me a check instead of a bill.


So why am I telling you about all this?

So what does all of this year 2000 business have to do with network security? Everything.

If you take the perspective that network security is about assuring integrity, availability, and confidentiality, you should soon see that the year 2000 problem could have major effects on network security. Some examples might help.

Example 1 - Corruption: Wrong calculations in backups. Suppose that file change dates with the year 99 are calculated to be newer than those with the year 00. This may result in overwriting files where the backup is older than the on-line copy and not overwriting files where the backup is newer than the on-line copy.

Example 2 - Disruption: One of your public key infrastructure servers is a few seconds off and still thinks it's 1999 when another one thinks itís 2000. As a result, they each decide that the other one is not trustworthy any more and until the company that designed the systems comes to fix them, both will shut down.

Example 3 - Leakage: Record retention dates specify that some particular information is to be kept confidential for 99 years, but when the calculation is done, 01/01/00 is found to be more than 99 years from 10/10/99 and the records are released.

Now these may seem silly, but I want to assure you that each of these has either been demonstrated in a real system or actually happened in a slightly different form. I am also certain that if you put forth a little bit of effort, you can demonstrate examples where this would have a substantial, perhaps even devastating, impact on your business.

 


Quick - call a consultant!

The hordes of Y2K consultants will probably tell you that you're already too late but that they can try to help you if you have enough money. Here are some quotes from Y2K on-line articles they have published:

"When the Year 2000 arrives, the programs we used yesterday will be useless. Unless the applications are fixed and available on January 1st, all businesses lose the ability to do business. I am at a loss as to how to communicate that message any simpler. I will leave it to you to contemplate what happens to the world-wide economy if businesses lose the ability to do business."

"The situation is critical. More than 65% of North American businesses have not yet begun to address this problem. For many it's already too late. There are less than 140 weekends left before December 31st 1998. You should be complete by then, so that you can allocate all of 1999 to test the hundreds of thousands of error prone changes you've introduced into your systems."

"There are an estimated 180 billion lines of COBOL code on MVS, and about 900,000 COBOL programmers dedicated to maintaining this code. If you would like to correct the date change operation, using automation tools and spread over a three year period 1996-1998, with out affecting the regular maintenance and new development, a minimum of 200,000 COBOL programmers should be added to the existing pool (Under the assumption that 1999 would be used, for fire-fighting measures). Going by the Gartner estimates, the total cost to correct the entire COBOL code would be US $48-65 billion. All these only for COBOL."

I figure that, based on this information, you probably haven't gotten far enough on the Y2K problem to have any hope of fixing it in time, so you might as well stop spending all that money on it and schedule a nice extended vacation for the holiday season of 1999-2000. If you vacation in a warm climate, you wonít have to worry about freezing to death when the computer-controlled power grid fails, but you will have to slug it out with all the refugees that make it out of the snow.


So what can I really do about it?

I, for one, am not so gloomy about the year 2000 challenge that many organizations will soon face. I think that the reason is that I believe in people.

I donít believe that the computer programmers and consultants of the world will fix every error in a computer program in the next 2 years, and I certainly donít believe that we will put up the $1 per line of program code indicated by the Y2K pundits. Frankly, computer programmers are still creating year 2000 problems, and I donít happen to have an extra $100M lying around to fix the programs in my small consulting businessís computers.

I also donít believe that this is the time to rebuy all of my computers and rebuild my infrastructure. If I wanted to do that, I would much rather wait until after Jan 1, 2000 to do it, since by then we will have a far better idea of what systems really work and what companies are still around to support their products. In fact, the year 2000 issue has not had much effect on my information technology buying habits, and any minor effect has been in my purchasing process, not the amount I spend on what.

I believe that the most successful organizations in dealing with the year 2000 situation will be the companies that have people firmly embedded in their business processes. Some examples might help to clarify this:

In case you havenít guessed, my bet is that the third group will get the job done no matter what goes wrong with the computers. The second group will gripe a lot, but they will probably survive at a substantially degraded level of service. The first group may just end up out of business, no matter how big they are and how well they are doing today.

The reason should be no surprise. Good people who are well meaning always do better than automation at adapting to unusual circumstances. Businesses that can work around the year 2000 challenge will survive and do so at a cost far below those who try to fix everything. Businesses that cannot work around the challenge and donít fix everything are in for a hard time.



Preparing to Adapt:

In order to fit into the survival category without spending a fortune, there are three things you should seriously consider doing:
 

  1. Plan a strategy: In order to be prepared, your organization must decide how you are going to deal with year 2000 issues. Is your strategy going to be prevention or detection and response? Is your strategy going to be consequence-based? Are you going to try to find the problems before, while, or after they impact operations? What resources are going to be applied when and to what? Are you going to treat year 2000 issues differently than any other integrity, availability, or confidentiality issues in your organization? The list of questions goes on and on, and one of the first things you should probably do is to get the list of the right questions for your organization.
  2. Prepare your people: Once you have a strategy, you need to prepare your people to carry the strategy out. This means a training and awareness campaign involving the entire organization and an in-depth preparation process for the key members of your year 2000 strategic response group. One of the most important preparation steps is to train the people who service human requests in how to respond when the computers do the wrong thing. Ideally, these people are empowered to resolve problems. Hopefully there are enough of these people trained and, in an emergency, available to deal with the most critical problems.
  3. Practice: Just as in any other field of endeavor, practice makes perfect. If you have a team of people who donít know how to perform functions manually or who are supposed to be available in an emergency situation, these people need to be practiced in both the normal and exceptional situations they may have to deal with. Not surprisingly, military organizations learned long ago that people fight as they train. Make sure the practice is meaningful and realistic.
Keep in mind that the preparations you make for the year 2000 will likely have to be ready well in advance of the turn of the century. Many companies already face future date calculations that extend beyond the turn of the century, and as we get closer to the deadline, more and more of these calculations and operations will be triggered.


Conclusions:

It would be nice to have a technical solution to the year 2000 challenge, but for most organizations this is simply not going to happen. Instead, there will be failures. The trick is to keep the organization prospering even when the computer systems arenít prospering.

The most prepared organizations will survive and prosper, and in many cases, they may even pick up the business of competitors who arenít as well prepared.

The preparations you make today will begin to be used in the coming years and, if properly made, will help you not only with the year 2000 problem, but with a wide range of other information security challenges you are likely to face in the networked environment of tomorrow.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net.