Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security takes
a management view of protection and seeks to reconcile the need for security
with the limitations of technology.
Introduction:
I have read a wide range of articles over the last several years about the Year 2000 problem in computers. Many of the consultants that offer to help fix this problem call it the Y2K problem - perhaps because writing 2000 takes too much time or space or effort. But of course that's what got us into this fix in the first place. I'll explain.
In the United States, people tend to write dates as MM/DD/YY - two digits each of month, day, and year. For many years I have disdained this because, from the standpoint of writing a program to sort dates, YY/MM/DD makes a lot more sense. Naturally, much of the rest of the world has adopted DD/MM/YY as its standard. But for computers, which are like idiot savants in that they understand nothing but can do amazing things, the meaning of a two-digit year doesn't exist. When you subtract 04/11/98 from 01/02/00 to calculate interest, you get...
Now here's a real problem. In the United States, a person might get 8/22/01 (8 months, 22 days, 1 year). Since different months have different numbers of days, you might want a slightly different answer for your calculation, like the total number of days. But if a computer did the calculation instead of a human being, the answer would more likely be something like 8/21/-98, or perhaps something even more bizarre. The good news is that I will owe you 98 years of interest, which means that your computer will probably send me a check for about 50 times as much as I actually owe you. Did you follow that? Since the computer's answer is 98 years of interest with a negative sign, the balance comes out in my favor, and it sends me a check instead of a bill.
So what does all of this year 2000 business have to do with network security? Everything.
If you take the perspective that network security is about assuring integrity, availability, and confidentiality, you should soon see that the year 2000 problem could have major effects on network security. Some examples might help.
Example 2 - Disruption: One of your public key infrastructure servers is a few seconds off and still thinks it's 1999 when another one thinks it’s 2000. As a result, they each decide that the other one is not trustworthy any more and until the company that designed the systems comes to fix them, both will shut down.
Example 3 - Leakage: Record retention rules specify that some particular information is to be kept confidential for 99 years, but when the retention calculation is done with two-digit years, 01/01/00 is found to be more than 99 years after 10/10/99 and the records are released.
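The interest calculation above and the retention release in Example 3 are both the same fault: two-digit years fed into date arithmetic. The following Python is an added example, not code from the article, that reproduces both failures next to the corrected arithmetic using the article's own dates (04/11/98, 01/02/00, 10/10/99). Two assumptions are mine: the windowing rule (YY of 50 or above means 19YY, otherwise 20YY, borrowed from the RFC 5280 UTCTime convention) and the leakage mechanism for the retention case, where the computed release date is written back into a two-digit year field and so is truncated. All function names are illustrative.

```python
from datetime import date

# Windowing rule assumed here (the article names none): YY >= 50 -> 19YY,
# anything lower -> 20YY. Borrowed from RFC 5280's UTCTime convention.
PIVOT = 50


def parse_mmddyy(text, windowed=True):
    """Parse a US-style MM/DD/YY string into a date.

    windowed=False reproduces the legacy fault the article describes: the
    program assumes every two-digit year is in the 1900s, so "00" is 1900.
    windowed=True applies the pivot rule and recovers the four-digit year.
    """
    mm, dd, yy = (int(part) for part in text.split("/"))
    if windowed:
        year = 1900 + yy if yy >= PIVOT else 2000 + yy
    else:
        year = 1900 + yy
    return date(year, mm, dd)


def days_between(start, end, windowed=True):
    """Elapsed days from start to end; negative means end sorts before start."""
    return (parse_mmddyy(end, windowed) - parse_mmddyy(start, windowed)).days


def simple_interest(principal, annual_rate, start, end, windowed=True):
    """Simple interest for the period. A negative result is the 'refund'
    the article describes: the sign flips, so the bill becomes a check."""
    return principal * annual_rate * days_between(start, end, windowed) / 365.25


def stored_release_date(classified_on, retention_years):
    """Legacy write path (assumed mechanism, not from the article): the
    release date is stored back into a two-digit year field, so
    1999 + 99 = 2098 is truncated to '98' on the way to disk."""
    d = parse_mmddyy(classified_on)
    return f"{d.month:02d}/{d.day:02d}/{(d.year + retention_years) % 100:02d}"


def release_allowed(today, release_on, windowed=True):
    """Read path: release once today is on or after the stored release date."""
    return parse_mmddyy(today, windowed) >= parse_mmddyy(release_on, windowed)


def release_date(classified_on, retention_years):
    """Corrected write path: keep the full year, so there is nothing to truncate."""
    d = parse_mmddyy(classified_on)
    return d.replace(year=d.year + retention_years)


if __name__ == "__main__":
    # Integrity: the article's interest period, correct and then legacy.
    print(days_between("04/11/98", "01/02/00"))                  # 631
    print(days_between("04/11/98", "01/02/00", windowed=False))  # -35893
    print(round(simple_interest(1000, 0.08, "04/11/98", "01/02/00"), 2))
    print(round(simple_interest(1000, 0.08, "04/11/98", "01/02/00", windowed=False), 2))
    # Confidentiality: a 99-year record classified 10/10/99.
    truncated = stored_release_date("10/10/99", 99)             # '10/10/98'
    print(truncated, release_allowed("01/01/00", truncated))    # True: leaked on 01/01/00
    print(release_date("10/10/99", 99).isoformat())              # 2098-10-10
```

The retention case is worth tracing. The truncated field reads as 10/10/98 no matter which parser looks at it: a windowed reader releases the record on 01/01/00, as in Example 3, while the legacy reader (windowed=False) would have released it on the very day it was classified, since 1999 is already past 1998. Fixing the parser alone therefore does not fix the leak; the date has to be stored with its full year.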
The hordes of Y2K consultants will probably tell you that you're already too late but that they can try to help you if you have enough money. Here are some quotes from Y2K on-line articles they have published:
"The situation is critical. More than 65% of North American businesses have not yet begun to address this problem. For many it's already too late. There are less than 140 weekends left before December 31st 1998. You should be complete by then, so that you can allocate all of 1999 to test the hundreds of thousands of error prone changes you've introduced into your systems."
"There are an estimated 180 billion lines of COBOL code on MVS, and about 900,000 COBOL programmers dedicated to maintaining this code. If you would like to correct the date change operation, using automation tools and spread over a three year period 1996-1998, without affecting the regular maintenance and new development, a minimum of 200,000 COBOL programmers should be added to the existing pool (under the assumption that 1999 would be used for fire-fighting measures). Going by the Gartner estimates, the total cost to correct the entire COBOL code would be US $48-65 billion. All this only for COBOL."
I, for one, am not so gloomy about the year 2000 challenge that many organizations will soon face. I think that the reason is that I believe in people.
I don’t believe that the computer programmers and consultants of the world will fix every error in a computer program in the next 2 years, and I certainly don’t believe that we will put up the $1 per line of program code indicated by the Y2K pundits. Frankly, computer programmers are still creating year 2000 problems, and I don’t happen to have an extra $100M lying around to fix the programs in my small consulting business’s computers.
I also don’t believe that this is the time to replace all of my computers and rebuild my infrastructure. If I wanted to do that, I would much rather wait until after Jan 1, 2000 to do it, since by then we will have a far better idea of which systems really work and which companies are still around to support their products. In fact, the year 2000 issue has not had much effect on my information technology buying habits, and any minor effect has been on my purchasing process, not on the amount I spend or what I spend it on.
I believe that the most successful organizations in dealing with the year 2000 situation will be the companies that have people firmly embedded in their business processes. Some examples might help to clarify this:
The reason should be no surprise. Good people who are well-meaning always do better than automation at adapting to unusual circumstances. Businesses that can work around the year 2000 challenge will survive, and will do so at a cost far below those who try to fix everything. Businesses that cannot work around the challenge and don’t fix everything are in for a hard time.
In order to fit into the survival category without spending a fortune, there are three things you should seriously consider doing:
It would be nice to have a technical solution to the year 2000 challenge, but for most organizations this is simply not going to happen. Instead, there will be failures. The trick is to keep the organization prospering even when the computer systems aren’t prospering.
The most prepared organizations will survive and prosper, and in many cases, they may even pick up the business of competitors who aren’t as well prepared.
The preparations you make today will begin to be used in the coming years and, if properly made, will help you not only with the year 2000 problem, but with a wide range of other information security challenges you are likely to face in the networked environment of tomorrow.
Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net.