International 100 Day Senate Reportgreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
INVESTIGATING THE YEAR 2000 PROBLEM: THE 100 DAY REPORT SENATE SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM 161
This section addresses what has been the most challenging aspect of the Committee's work this yearP ascertaining the status of international Y2K preparedness.
BACKGROUND AND VULNERABILITIES
The days of American isolationism are long gone. An "American economy" is largely a misnomerP we now live in a global economy. The U. S. manufacturing sector imports commodities and components from a vast number of trading partners worldwide, and exports finished products to an equally vast number of customers worldwide. The software produced by the U. S. information technology sector is essential to businesses in every country in the management of their daytoday operations.
Trade, which represents more than onefifth of global output, is essential to the economic development and growth of all national economies. 1 No part of the U. S. economy is unaffected by international affairs, and significant Y2Krelated disruptions suffered by any of our major trading partners have the potential to cause disruptions here at home.
Globalization is not limited to the economy, but extends to social and cultural issues as well. The technology that links us all has strengthened old friendships and created new ones in this increasingly small world. Significant Y2Krelated disruptions suffered by our international friends and neighbors have the potential to raise the issue of humanitarian aid on an unparalleled level. Cries for such aid would inevitably be made to those nations most advanced in their Y2K preparations, including the U. S.
The scope of international Y2K preparedness is obviously a vast one. It has not been possible for any one organization to obtain definitive information concerning how our neighbors and trading partners around the world are progressing in their Y2K remediation efforts. A common problem faced by organizations making such efforts, including the Committee, is the uneven reliability of Y2K status information provided by nations themselves.
Indeed, there is an uneven global understanding of Y2K vulnerabilities, the unpredictability of cascading failures among interconnected systems, and the selfinterest at all levels in either exaggerating or minimizing Y2K preparedness. Commercial firms marketing Y2K remediation services and governments soliciting external aid have an incentive To Whom It May Concern: overstate the Y2K problem. At the same time, fear of stimulating panic, sensitivity about disclosing security vulnerabilities, and concerns about legal liability are incentives to downplay the risks of Y2K failures.
In light of these informational shortcomings, the Committee is fortunate that multiple organizations, public and private, have undertaken the task of performing international Y2K assessments. The Committee's analysis of their combined findings reveals consistent results notwithstanding different approaches to the issue. As a result, the Committee believes that these findings, taken as a whole, provide a generally reliable indicator of Y2K status worldwide.
All of the vulnerabilities referenced in each sector of this report are present in every country around the world, to greater or lesser degrees. As the International Trade Administration concluded,
"Economies that are highly automated and in which computers, software, and networks are in widespread use have a greater chance of experiencing Y2K difficulties. At the same time, however, these economies also have greater access to the capital and human resources necessary to remediate systems and respond to Y2Krelated needs. Countries that are less ITdependent may have less Y2K exposure overall, but their essential services, such as power utilities and communications, may be highly computerized, while the resources to address potential problems may be in short supply." 2
As discussed in further detail below, the Committee is particularly concerned about a handful of countries that are important to the U. S. for economic or strategic reasons. These nations include Russia, Japan, China, Italy, Venezuela, and Mexico.
One leading economic forecasting group, WEFA (formerly Wharton Econometric Forecasting Associates), identifies six risk factors for countries: hardware risk, aging capital stock risk, industrial structure risk, import supply chain risk, export financing risk and infrastructure risk. Ultimately, the riskiest countries are those with high vulnerability according to the risk factors and low spending (effort) for fixing Y2K problems.
WHAT IS BEING DONE?
Numerous entities, public and private, have spent much of 1999 conducting regular assessments of the Y2K preparedness status of countries around the world. The following section summarizes the work done by a few of these organizations.
U. S. State Department
The U. S. State Department (DOS) has been monitoring the status of international Y2K preparedness efforts for several reasons, chief among them the desire to avoid potential difficulties that might face U. S. embassies and foreign posts on January 1, 2000. DOS has conducted ongoing surveys among its 260 posts around the world to ascertain and monitor the Y2K status of host countries.
DOS earlier issued an edict stating that all embassies must be prepared to be selfsufficient for 30 days by January 1, 2000. DOS has established early October as the time by which it will make decisions as to whether it is appropriate to draw down personnel at any of these international posts for Y2K reasons.
DOS's other principal interest in monitoring international Y2K preparations is to ensure the safety of Americans abroad. In this regard, on September 14 DOS posted biannual consular advisory for 172 nations which included, for the first time, Y2Krelated information. These consular advisories are posted at http:// travel. state. gov. The Y2Krelated language in this initial wave of advisories is rather general, with little to distinguish one country from another.
In contrast, DOS's Office of the Inspector General (OIG), which is engaged in Y2K assessments of numerous countries, has provided valuable testimony to the Committee in two hearings this year, most recently in a July 22 hearing on global corporations. At that time, the OIG had assessed 161 countries, with the following summary results:
7 About half of the 161 countries assessed were at medium to high risk of having Y2Krelated failures in their telecommunications, energy, and/ or transportation sectors.
7 Industrialized countries were generally at low risk of having Y2Krelated infrastructure failures, particularly in the finance sector. Still, nearly a third of these countries (11 of 39) were at medium risk of failure in the transportation sector, and almost onefourth (9 of 39) were at a medium or high risk of failure in the telecommunications, energy, or water sectors.
7 Between 5268 developing countries of 98 had a medium or high risk of Y2Krelated failure in the telecommunications, transportation, and/ or energy sectors. However, the relatively low level of computerization in key sectors of the developing world may reduce the risk of prolonged infrastructure failures.
7 Key sectors in the newly independent states and the other former eastern bloc nations are a concern because of the relatively high probability of Y2Krelated failures.
U. S. Agency for International Development (USAID) USAID has made a tremendous contribution to our understanding of the potential impact of Y2K in developing countries. For many in the Administration, Y2K problems in developing nations are shrugged off with comments that "Country X" has problems with electric power on a good day; why would Y2K be any worse. This oversimplification demonstrates the lack of an understanding of margins, i. e. the difference between having a failure and having the technical and financial resources to fix the failure.
Developing nations are more vulnerable to Y2K failures not because they are as reliant on IT as industrialized nations, but because they have smaller margins. For example, failures and disruptions in key systems such as those used to control electric power or to deliver pension checks becomes longer lasting and, thus, more serious if the country does not have the resources to detect and fix the problem.
According to the Institute of Electrical and Electronics Engineers (IEEE), "Y2K is a longterm, not a shortterm problem . . . Y2K computer problems will be causing computer systems malfunctions and failures into the next decade." This may be especially true in developing nations where the expertise to fix such systems is not readily available. Further, developing nations are often unable to compete with developed nations in buying "rapid" IT solutions.
USAID has also begun an effort to assemble a Global Y2K Consortium. This consortium would bring technology expertise from U. S. global corporations to bear in the respective countries where they operate.
In June 1999 the United Nations (UN) hosted a meeting of national Y2K coordinators in New York City. The national Y2K coordinators from more than 170 countries met to discuss Y2K preparations and exchange information.
There was an attempt to gather an international assessment of key sectors. However, the uneven understanding of technology and key country sectors impeded the attempt to build a reliable assessment. There was a great deal of discussion of "publicizing" Y2K and the appropriate public relations. There was notable progress in trying to address the transborder issues that could result from individual countries exercising contingency plans. Unfortunately, many countries appointed Y2K coordinators with little political power. So it was difficult to assess the success of these discussions.
There was also a significant difference between the public and private conversations that were taking place between country coordinatorsP the public picture of Y2K readiness always rosier than the private one. The end result of the conference was that the world knows more about what is happening, but not enough to obtain a clear picture of the worldwide Y2K situation.
The UN could greatly facilitate the speed and efficiency with which world problems resulting from Y2K are resolved. However, the UN needs to first take care of its own Y2K readiness as an organizational body. Currently, there is no a clear understanding of its internal readiness or that of its agencies.
On August 26, 1999, the International Y2K Cooperation Center (IY2KCC), a UNbacked group funded by the World Bank, released its first survey of Y2K readiness in 72 nations, as reported by national Y2K coordinators representing each government. The survey asked these national Y2K coordinators to report the month implementation was expected to be 90% complete for various sectors. Full survey results can be found at the IY2KCC's web site, at www. iy2kcc. org. While the survey will be continually updated, as initially reported it yielded only 72 responsesP 67 countries had not yet responded. The following are a few summary findings:
7 The health sector reported the latest completion dates, followed by the government services sector. The finance sector reported the earliest completion dates.
7 Eastern Europe/ Central Asia and South America, with 40% and 70% of countries reporting respectively, reported the latest average completion dates.
7 SubSaharan Africa reported the least dependence on technology in its critical sectors, followed by Eastern Europe/ Central Asia, Central America/ Caribbean, and the Middle East/ North Africa. North America and Western Europe reported the highest dependency on technology.
7 Eleven countries (15%) had completed their healthcare contingency plans; twelve countries (17%) had completed their government services contingency plans; and 28 countries (39%) had completed their energy contingency plans.
More specifically, the U. S. and several other countries reported that certain sectors would not be ready until the last weeks of 1999. December targets were set by the U. S. for healthcare; by Pakistan and Macedonia for air transportation; by Bulgaria for healthcare; by Bolivia for government services; by Colombia for customs; and by Angola for sea and land transportation, customs, and healthcare. Bolivia also would not be ready with its customs system until after 1999, and Slovakia does not expect to complete remediation of its healthcare system until after the new year.
In December 1998, the European Commission (EC) adopted a report, "How the EU is tackling the Year 2000 Computer Problem," which was presented to the European Council. The Council asked the EC to convene a meeting of representatives of public infrastructure providers from the member states to establish if crossborder dependencies in such areas as transport, energy, and water supply were being adequately addressed.
In April 1999, the EC hosted a twoday meeting of EU public infrastructure providers. On June 2, the EC issued a report on the preparedness of key EU infrastructures for the Y2K problem. 3 While steady progress was reported overall within the EU, there were indications that not all sectors in all member states expected to be totally ready and fully compliant in time. A major problem was the lack of available verifiable information on the situation, particularly in relation to the potential spillover effects between member states.
In addition, every sector reported that smaller organizations lagged significantly behind larger companies in addressing the Y2K problem, and all organizations were dependent upon their information technology systems suppliers to accurately disclose Y2K compliance and deliver timely compliant upgrades.
With regard to the situation beyond the EU's external borders, the assessment of possible safety issues in nuclear installations and power grids in Eastern Europe and the former Soviet Union was of perhaps the most concern.
The findings with respect to some of the specific sectors were as follows:
Electricity: There may be failures, likely to be localized, which in the middle of winter could have serious consequences for the areas concerned.
Gas: The crossborder effect for natural gas was significant, since 43% of natural gas originates from outside the EU. Moreover, 22% of the total energy demand is covered by gas. These external supplies are obtained primarily from Russia, Algeria, and Norway, and the gas must flow across several countries through major pipelines to reach the various destinations. The report concluded that contingency plans were essential to assure uninterrupted and safe gas delivery.
Oil: Substantial oil stocks should exist, but the dependence on nonEU oil supplies, at nearly 80%, is high, and it is not possible to be certain of the effect of Y2K on external producer countries.
Nuclear safety: Member states of the EU have action plans to address the issue, and most reactor operators report they will be Y2K ready by mid1999. As for outside the EUP the Central and Eastern European countries and the Newly Independent Statesthere is a lack of confidence that concerns have been appropriately checked, including contingency plans. No guarantees can be given that assessments will be performed in time or that contingency plans will be ready. No international organization is presently able to coordinate an assessment of the risk presented by grid failure in these countries. In view of the potential risk to nuclear power plants; to imports from the Newly Independent States such as gas; and the general risk to citizens in the these countries, urgent attention needs to be paid to this issue.
Water supply and wastewater treatment: The main risk identified is the possibility of pollution of surface waters used for drinking water abstraction intake from major rivers as a consequence of the Y2K problem.
Telecommunications: The strong possibilities of network saturation give rise to the clear need to ensure a continuing priority to emergency and other essential services.
It is considered that operators outside the EU may not be equally well prepared and that disruption to the international telephone and fax networks cannot be excluded.
Healthcare: No international body is addressing the sector and no exchange of information is taking place between countries. The main problem is the difficulty in obtaining information from suppliers on the compliance of products, especially electronic machines for medical and health purposes containing embedded chips, in use within hospitals.
Global 2000 Coordinating Committee
Global 2000, an informal organization of banks, securities firms, and insurance companies, is a voluntary, privatesector financial industry grouping made up of 630 institutions from 70 countries. Its creation was announced at the Bank for International Settlements' Year 2000 Roundtable, which established the Joint Year 2000 Council in Switzerland in April 1998. Global 2000's mission is to identify and resource areas where coordinated initiatives will facilitate efforts by the global financial community to minimize the risks to global financial markets arising from the Y2K problem.
International Monitoring (IM) is a Londonbased specialist consultancy that provides information assessing the potential scale of Y2K damages and delays to 140 countries. It issues a Risk Rating report covering Africa, the Americas, Asia & Pacific, Europe, and the Middle East. To arrive at its risk ratings, the firm inventories country technology resources and utilization profiles to chart assessment progress; projects bad and incomplete fixes; and assesses economic profiles, technology usage and importexpert dependencies. The estimate of Y2K damage ranges from 0.0 to 9.0 and assesses scenarios in terms of delay or degradations in various sectors.
On August 26, IM released its assessment of projected Y2Krelated security risk exposure worldwide. Figure 1, available on IM's web site, depicts the country by country assessments contained in the report. The report measured the risk to foreign entities and individuals of being in given nations around the century date change. Counties listed as posing extreme risk were Albania, Bangladesh, Colombia, Congo, Zaire, Egypt, El Salvador, Ethiopia, Guinea, GuineaBissau, Haiti, Indonesia, Kenya, Lebanon, Liberia, Madagascar, Moldova, Myanmar, Niger, Nigeria, Pakistan, Qatar, Russia, Somalia, Sudan, Turkey, Vietnam, and Yugoslavia. 4
IM's August 20 update showed the average country slightly lowering its Y2K risk. One of the most improved countries was Mexico. However, 21 countries slipped further behind in their efforts and the vast majority of are countries still showing significant risk of infrastructure failure. The most disappointing country was Russia. Taiwan and Malaysia are also considered to be increasing their risk by falling behind in already late Y2K projects. The best gains are being made in the financial services sector, while transportation was falling behind in 27 of the 49 countries. IM believes that a failure in transportation could raise significant issues for supply chains.
IM's scenario for most countries still indicates significant potential for infrastructure failure possibly lasting anywhere from 2 days to 8 weeks.
Committee staff discussions with numerous global corporations show that all major global corporations are engaged in detailed international Y2K assessments for internal use. These firms have a huge stake in ensuring their continued business operations in their factories and sites abroad, and are taking proactive measures where possible and defensive measures where necessary.
While the assessments of these corporations are generally proprietary and, therefore, not for public use, several global corporations have stepped forward to share their general assessments. For example, during the Committee's July 22 global corporations hearing, Philip MorrisP with 220 factories in 50 countries and business in more than 180 different marketsP testified that it then considered approximately 600 of its highly critical international business partners to be likely to suffer Y2K related failures. As a result, Philip Morris believed it would suffer disruptions in its supply chain due to Y2K failures at these facilities, and was taking steps to minimize the effects of these disruptions. Another witness at that hearing was Procter & Gamble, which testified about its detailed international assessments, including international utility risk assessments. Its results are depicted in figure 2.
Every assessment known to the Committee indicates that Canada, Australia, and the United Kingdom are at the top of the Y2K preparedness lists.
Canada: As of August 26, the Canadian government reported that 99% of its missioncritical systems were Y2K compliant. A FebruaryMarch 1999 survey on Canadian industry, published in June, showed:
7 52% of large corporations expected to have all of their critical systems ready before the end of June; this was expected to increase to 85% by the end of September.
7 About 87% of small organizations and 98% of medium organizations with critical systems had taken at least some steps to ensure these systems would function when the date changes to the Year 2000.
7 Despite this progress, there was still substantial work to be done. At the time of the survey, only 15% of all large organizations with plans to test critical systems said testing had been completed. An estimated 13% said testing had not even started, and an additional 9% said testing had started but was less than halfway to completion. There was also evidence that the work done to date was not progressing as quickly as expected.
7 In most sectors, at least 75% of large organizations said they would complete all Y2K preparations required to ensure the continued delivery of products and services before the end of September. The only exception was the health sector, where 49% of large hospitals and 33% of large care homes said they would not complete their preparations until sometime during the last quarter of 1999.
7 Among large municipalities, 34% of police, 9% of ambulance, 22% of fire, 17% of water and 17% of sewage services said they would not finish critical preparations until after September.
A poll undertaken by the Canadian Federation of Independent Business, with results published in September 1999, showed that 92% of firms that employ fewer than 50 people say they are ready to handle the Y2K transition. However, only 77% of these firms had contingency plans.
Australia: Australia has created a Year 2000 National Strategy and established public and private sector task forces. In addition to confronting the Y2K problems faced by the commonwealth and states, Australia has established a National Industry Steering Committee (NSC), whose task is to develop and implement a $10 million Industry Program to increase business awareness of the Y2K problem.
As a followup to an October 1998 survey, an Australian Bureau of Statistics survey was commissioned by the NSC in 1999, with preliminary results issued on August 31. 5 The survey shows that
7 More than onethird of all businesses reported they had completed their Y2K work; more than three times the number of businesses which had reached this stage by the end of October 1998.
7 The proportion of businesses not intending to undertake any Y2K work has remained constant at 40%. Typically these are small businesses with less than 5 employees and low levels of technology dependence. Almost twothirds of the businesses not intending to undertake any Y2K work reported that their only technology was communications equipment or a standalone computer. The majority of businesses that do not intend to undertake any Y2K work reported that they either don't have any technology that will be affected or they don't believe their business will be affected.
7 Of the businesses intending to undertake Y2K work, nearly all had started work by the end of June 1999. Virtually all businesses that hadn't already completed their Y2K work expect to be completed by December 1999.
Australian business expects to spend approximately $10 billion addressing the Y2K problem.
United Kingdom: The United Kingdom's most recent status report on the national infrastructure was released on July 13, 1999, with status given as of May 14. Sectors were rated red for severe risk of material disruption, there may not be enough time to rectify; yellow for some risk of material disruption but agreed rectification and containment plans are in place; and blue for assessment has not identified any risk of material disruption.
Since the Committee's prior report, Western Europe has become increasingly aware of critical sector interdependencies existing within telecommunications, energy, water, transportation and finance. This increasing awareness has brought about extensive progress towards Y2K remediation and preparedness. News from the EC had reported that Y2K concerns lagged behind the efforts toward the currency changeover to the euro. However, more recent reports indicate that the euro conversion has been profitable for Y2K remediation because industries and government agencies were already in the process of updating systems to handle the euro. Businesses find it advantageous to complete Y2K assessments and remediation at the same time.
As a general matter, throughout Western Europe the financial sector is the most advanced critical infrastructure in remediation. However, the financial sector is dependent on both the energy and telecommunications sectors, which tend to trail behind in addressing the Y2K problem. Further, small European businesses are significantly behind large industries and companies attending to Y2K issues. Germany: According to a German Federal government report released in April 1999, Germany is quite advanced in its preparation for the Year 2000. A 1999 government survey of the 30 largest power supply firms and 37 smaller utilities groups showed that all companies had projects and contingency plans underway, although some were further along than others.
The financial sector is particularly well prepared and the telecommunications sector has made intensive efforts towards remediation. All three sectors announced that no noticeable fallouts had been expected. However, healthcare poses serious risks, and smalland mediumsized businesses are lagging significantly behind larger corporations. Smalland mediumsized firms started their Y2K work relatively late compared to large firms, but are under considerable pressure to become compliant. The German government is actively involved in providing advice and information to potentially affected firms, specifically small and medium sized businesses.
Italy: Italy started Y2K preparedness initiatives considerably later than other western European countries. The Comitato Anno 2000, a joint public/ private sector Y2K coordinating body, was not established until December 1998, and met for the first time in January 1999. At a June conference in Rome, Ernesto Bettinelli, the Committee Chair, stated, ". . . only two days ago I received
the findings of a fresh survey conducted . . . on the level of awareness of the Italians on the Millennium Bug problem: only 15% of the respondents [are] aware of the problem with less than half of the year left to December 31, 1999. It could even be taken as a good news: Ignorance and Disinformation: the Italians show the way to avoid mass panic so feared abroad." 6
Specific areas of concern are water, electric utilities, transportation, airports and, appearing weakest, adaptation of hospital equipment. Also disquieting is the fact that hundreds of thousands of people from around the world are expected to converge on Rome at the end of the year to commemorate what they believe to be the 2,000th anniversary of the birth of Christ.
France, Spain, Portugal: Reports on France indicate that most government agencies began their Y2K work several years ago. The Gartner Group world status report suggests that, overall, France ranges from having at least 20% of remediation completed, plans are in place, and resources committed to being fully compliant. Energy, gas, and electricity industries are mostly through completion and have contingency plans in place. Both Spain and Portugal also range from assessing Y2K status in all sectors to becoming fully compliant.
Austria, Belgium, Switzerland: Austria, Belgium, and Switzerland generally appear to be in the final stages of remediation of missioncritical sectors. Belgacom, a large Belgian telecommunications provider, stated in May that "all planned inventories, analyzes and assessment have been finalized and trial runs completed." 7 Switzerland disclosed that there are no indications of largescale risks. Although they cannot be sure of any shortcomings, because of the extensive work done in all key areas, risks should be quite limited. In May, Switzerland announced: "The reliability of services and the operating capability of the public and private sector are at risk of disruption today and every day. There are precautionary measures (contingency planning) in place, designed to offer protection against the effects of such disturbance. They are part of normal business and everyday planning." 8
Denmark, Finland, Iceland, Netherlands, Norway, Sweden: The Gartner Group Year 2000 world status report for the second quarter of 1999 categorizes all of these countries to be steadily underway on becoming Y2K compliant. Plans tackling the problem are complete and resources have been allocated. Each country ranges from having at least 20% of remediation completed to being fully compliant in each mission critical area. Nearly all of the key sectors tend to be highly dependent on technology in each nation, implementation plans have all been scheduled to be completed by October. Norway, Sweden, Iceland, Denmark, and Finland have the highest reliance on information and communications technology, energy, and trade exposure in most of western Europe. However, they appear to be the most prepared.
Greece: Greece could possibly face serious technical problems in all of the following sectors: healthcare, water, transportation, public service, communications, and energy. The financial sector is at low risk.
All available assessments indicate that, as a general matter, key sectors in the countries that were part of the eastern bloc, including those that were part of the former Soviet Union, have a relatively high probability of Y2Krelated failures. Most at risk are fails in the telecommunications, transportation, and energy sectors.
As noted above, the EU has serious concerns regarding the nuclear safety of plants located in this region.
-- Brian (email@example.com), September 23, 1999
I have compiled the Senate Report (links below), please use the link;
*****Senate 100 Day Report in HTML***** Home Page (TB 2000)
to communicate the report to others. This is a very important document for all folks. Please link it, Email it or print out sections for others to read.
Y2K in Canada and Beyond
Senate Report*****Senate 100 Day Report in HTML***** Home Page (TB 2000)
Executive Summary of 100 day report
Business 100 Day Senate Report Part One
Business 100 Day Senate Report Part Two
Financial Services 100 Day Senate Report
Transportation 100 Day Senate Report
Telecommunications 100 Day Senate Report
Health Care 100 Day Senate Report
Utilities 100 Day report
International 100 Day Senate Report Part One
International 100 Day Senate Report Part Two
Preparedness 100 Day Senate Report
Senate Y2K Committee 100 Day report Senate Report Home Page (PDF)
-- Brian (firstname.lastname@example.org), September 23, 1999.