Bennetts Y2K Senate Panel To Shift To Security (Federal Computer Week) : LUSENET : TimeBomb 2000 (Y2000) : One Thread

JULY 5, 1999

Y2K panel to shift to security

[Fair Use: For Educational/Research Purposes Only]

With agencies nearing completion of fixing computers to avoid the Year 2000 problem, Senate leaders are considering shifting the focus of the special Year 2000 oversight committee to what many government officials see as the next big threat to government computers: security breaches and cyberterrorism.

Since its creation in April 1998, the Senate's Special Committee on the Year 2000 Technology Problem has studied the impact of the Year 2000 computer problem on government and the private sector and has recommended legislation and other action.

The committee has focused on the potential impact of computer or network failures on banking, transportation, utilities and other components of the nation's critical infrastructure.

The committee chairman, Sen. Bob Bennett (R-Utah), and Senate Majority Leader Trent Lott (R-Miss.) recognize that security vulnerabilities in networks and computer systems pose a similar threat, as they are subject to attacks from personnel within agencies or from outside cyber-terrorists, according to a committee spokesman.

[The TBY2K Forum can relate!]

The senators have held informal discussions about the possibility of changing the committee's mission when its current authority expires Feb. 29, 2000, the committee spokesman said.

"There are several similar issues and problems that will be faced," he said. "The kernel of the idea was generated internally by people here at the committee who were examining critical infrastructure."

Several high-level federal groups and organizations, including the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center at the FBI, also focus on computer security and the integrity of the nation's infrastructure against attacks.

But the government would benefit from congressional attention, said Olga Grkavac, executive vice president of the Information Technology Association of America's Enterprise Solutions Division.

"There really is a link between information infrastructure [and] critical infrastructure in [Year 2000 and security issues] and the hearing track record that the committee has built up," she said. "The experience the members now have would be a big plus."

A Senate committee would bring an extra level of discussion to what other groups on security and critical infrastructure around the government have raised because the committee could focus on policy and legal questions that have come up, said Dean Turner, information security analyst with "The technology is there to do these things, now the policy and the law have to catch up with it," he said.

It is important for the committee to look at more than just instances of World Wide Web site hacking, Turner said. Even though that is the phenomenon creating the biggest stir right now, it is the least harmful type of attack out there. "I think that if that's what the committee is going to focus on, then they'll be wasting their time," he said.

Much of the committee's initial focus should be to educate government and the public about the need for security, said Bill Larson, chief executive officer of security company Network Associates Inc.

"I think people do not understand in government the potential for cyberterrorism and the amount of havoc that can be created," Larson said.

The CIO Council probably would work closely with the new security committee if the Senate chooses to shift the Year 2000 committee's focus, said Ed Caffrey, liaison for the CIO Council's Security Committee and a member of the State Department's Systems Integrity Division. The CIO Council recently expanded the focus of its Security Committee to include critical infrastructure and privacy. The council and its committees serve as the coordinators between federal and state government and the private sector, Caffrey said. Because the Senate committee probably would serve the same function, it would make sense for the two groups to work together, he said.

-- Diane J. Squire (, July 06, 1999


Wonder what happens with all the non-mission critical Federal government systems? This year. And next.


-- Diane J. Squire (, July 06, 1999.

Talk about closing the barn door after the horse is out!! They SHOULD have started such a committee at the same time that they SHOULD have started Y2K. One thing about our glorious system is that we always get just what/who we voted for!!

Taz...who periodically takes to the woods looking for a rabbit hole to hide in.

-- Taz (Tassie, July 06, 1999.

Mornin Diane-

Interesting. Cyberterrorism probably *is* as grave a threat as Y2K failures. Hmmm. Are we being misdirected?


Seein spin everywhere (Real? Imagined?) since learning about the Rendon Group.

You also bring up a point I've been wondering about lately: So 94% of .gov's mission critical systems are "Y2K ready at a cost of about $9 Billion.

Okay. What percent of all .gov systems does that 94% represent, and when will all the rest of them get fixed? And what will THAT cost?

The only published ratio of critical/non-critical I can recall is DoD. I think Hamre implied in a hearing last winter that their mission critical systems represented less tha 10% of all DoD systems. As I recall, DoD systems (overall) account for more than half of all federal systems.

So less than 10% of 50% of .gov computer systems are currently ready.

The army and navy have said they will be 100% done by November. Quite a feat.

(BTW, I listened to the first bit the Navy's Community Conversation thing from June 15th - Navy said November, too)

Man, what a convoluted post. Java deficiency.

I guess what I'm asking is:

Has anyone seen an official statement of how many federal systems there are overall, and what portion of the total of them considered mission critical?

-- Lewis (, July 06, 1999.


Glad to see you still posting to this "old" forum. Personally, I'm much more interested in viewing other folks' "crystal balls" than the specifics on what to buy, where to live, etc...

-- Anonymous99 (, July 06, 1999.

Also see this link to a report (PDF format) on the projected compliance dates for high-impact federal programs:

-- Linkmeister (, July 06, 1999.

I certainly hope they have the leisure to do so. I see three possible thoughts going here.

A. Lets not for goodness sakes let a committee die. We will find something for it to do. (G)

B. A red herring for any and all Y2K related issues

C. Cyberterrorism is a very real threat. This does not preclude A & B.

-- Jon Williamson (, July 06, 1999.


The whole "twisting" story still makes me dizzy. Including the Rendon Group "spin" for Koskinen.

Remember, the Fed Y2K mantra? "It's all local."

Yeah. And most of 'em are in Washington, D.C. For now.


There is and will still be a continuing need to monitor Y2K news and information... locally, nationally and internationally. Perhaps for a full year yet.

TimeBomb 2000 (Y2000) Forum Classic... is the place for that... and the continuing Y2K... and related... debates.

The NEW TimeBomb 2000 (Y2000) Preparation Forum is to discuss what's important about preparing for the upcoming unknown Y2K reperussions. Any eyes open global citizen can "see" protential problems looming.

It's now six months and counting. Both prep and awareness needs are equally important activites.

*Some* of us prefer digging for news and puzzle pieces, first, while * others* choose to dig in the garden first. And vice versa. (Just to illustrate the shifting Y2K "landscape.")

Y2K is still a moving target. And...

Shift Still Happens.



-- Diane J. Squire (, July 06, 1999.

More Federal Computer Week Related Info... in the article sidebar...

JULY 5, 1999
CIO Council to expand security focus 99.html

FCWs coverage of Y2K ref/hottopics/y2k.htm

FCWs coverage of security


Special Senate Committee on Y2K Technology Problems

Critical Infrastructure Assurance Office (CIAO)

Critical infrastructure assurance is a new capability that resides right at the point where our national security and economic security merge. The Critical Infrastructure Assurance Office (CIAO), announced by President Clinton in May 1998, will facilitate the creation of a national plan to protect the services that we depend on daily: telecommunications, banking and finance, electric power, transportation, gas and oil, emergency services and government services. This initiative will require a new level of commitment to partnership between the public and private sectors, specifically in the areas of policy formation and information sharing.

National Protection Infrastructure Center (NPIC)

[NPIC looks unfinished. Kinda like Y2K.]

-- Diane J. Squire (, July 06, 1999.

As of late March, the total number of federal systems considered "mission critical" was 6,123. Estimates of the total number of federal systems overall vary, according to whose statistics you use (those of OMB, GAO, "Federal Computer Week," etc.) and how "systems" are counted, but it is in the range of 67,000 to 73,000. So basically only 9% or so of all federal systems are currently being counted as "mission critical." Back in August 1997, 9,100 systems were so counted, but you know how it goes.

To the best of my knowledge, Koskinen never, but never, talks about all those supposedly "noncritical" systems; neither do Bennett and his cohorts on the Senate Y2K committee.

Re concern with cyberterrorism: this reinforces what Georgia State Rep. George Grindley (head of that state's Y2K Task Force) said in his recent letter, namely, that Koskinen was privately telling top state officials in Georgia to prepare for the outside possibility of up to three weeks without power; Grindley believed that Koskinen and Dod were particularly worried about cyberterrorist threats to power grids. This also supports a mainstream news article last summer that cited a joint NSA/DoD/FBI exercise in 1997, which reportedly determined that cyberterrorist attacks could take down power grids.

-- Don Florence (, July 06, 1999.

P.S. Re all those "noncritical" federal systems: I don't mean to imply that they aren't being worked on. I'm sure that many are being worked on and are in various stages of being fixed. But there is a reason that agencies went to "triage" and focused most of their energies on the "critical systems." Call it my natural suspicion, but I think that if there were indeed good news to report about those tens of thousands of supposedly "noncritical" systems, Koskinen, Bennett, and company would be crowing about it. They aren't--just as they aren't noting that external interfaces and end-to-end integrated systems tests aren't finished for at least some of the supposedly "fixed" critical systems, either.

One wonders about the division between "critical" and "noncritical" systems in corporate settings, too. I've never seen any reliable data regarding how many systems are actually being classified as "mission critical" by major U.S. corporations. Strange, considering what a potentially important issue that is.

Then there's the problem of interfaces, of systems being "windowed" in different ways. Plus, according to Capers Jones in "The Year 2000 Problem," windowing (which accounts for 80% of Y2K fixes worldwide) reduces the efficiency of typical database accessing and mining by roughly 20%. I think we are likely to see serious losses in corporate productivity and efficiency even among those companies that do get all their mission-critical systems "fixed" by year's end--and remember, according to the latest Cap Gemini survey, 22% of the Fortune 1000 now admit they won't be done with mission-critical systems by year's end. SMEs are still generally considered to be lagging behind the big boys.

A couple of encouraging points. I suspect, or at least hope, that in most govt. agencies and corporations the "critical" systems are also the really big ones; in other words, that a lot of the "noncritical" systems that are presently just receiving a lick and a promise are relatively small systems. And second, in one of Jones's monumental books on software metrics (all you ever wanted and needed to know to put you to sleep), he notes that perhaps 50% of all installed corporate software is presently dormant; IT depts. are notoriously bad about "cleaning house." But Jones also admits that number might be highly inaccurate, since it is based simply on projections from one IBM data center (where Jones was a top scientist before he went on to found Software Productivity Research 15 years or so ago). In any case, one can hope that a lot of the systems, corporate and govt., that are receiving little or no Y2K attention weren't being used much anyway.

As I said, one can hope.

-- Don Florence (, July 06, 1999.

It is not difficult to imagine that 90 percent of what the feds do is really useless.

-- dave (, July 07, 1999.

Moderation questions? read the FAQ