From tomorrow's Electronic Telegraph:

Bug supremos fall out over strategy

The rosy picture of Britain's preparedness for 2000 may be misleading, says Simon Davis.

Two leading figures in the race to get Britain's computers ready for the Y2K rollover -- the so-called Y2K bug -- are at loggerheads over the Government's entire strategy on the issue.

Robin Guenir, director of the industry-backed Taskforce 2000, says the government's "traffic light" ratings system -- the foundation for assessment of Y2K readiness -- is fundamentally flawed. He claims the system could be giving a false sense of security about the safety of the nation's critical infrastructure, including such sectors as utilities, air transport, police, and medical care.

"Absolute rubbish," says Don Cruikshank, chairman of the government-backed Action 2000. He argues that the Government is committed to a "process driven" approach to the problem, and is confident the end of year will see business as usual.

The preparedness of critical infrastructure organisations is based on assessment by a three-level ratings scheme co-ordinated by Action 2000. A red rating indicates severe threat, amber a limited threat with "rectification and containment" plans in train. The highest level, blue, certifies no identified risk of "material disruption".

Guenier is very concerned that the guidelines for the blue status are not available to the public. "You can't find the criteria," he says. "The system is based on trust, but you wouldn't rely on trust on issues like GM foods."

He sees flaws in the system's logic. If a sector were working through its procedures, "you would imagine that a properly constructed ratings system would result in organisations going down as well as up, but that never happens". Guenier also believes the system is inadequate: "At this stage, two months before the millennium, the public needs to know which organisations have completed the job. The blue light system doesn't show that. It only establishes that no risk of material disruption has been identified. We know nothing about the preparedness of the public sector. I think scepticism is in order."

A similar dilemma has been exposed in America, where the foundation of trust in computer systems is "Y2K Compliance Statements", which give some assurance that appropriate testing and audit processes have been carried out. However, the certification process was lambasted by the Inspector General of the Department of Defense. His report said the certification of some military systems was invalid. Only 109 of the 430 systems reported as compliant by November 1997 were in fact adequately validated, according to the government's five-phase process. The conclusion reached by some analysts was that there is no credible evidence that all mission-critical systems will be repaired and tested on time. Other departments have suffered the same criticism.

The traffic light results here have given rise to widespread optimism about millennium compliance. Preliminary figures produced by Action 2000 show that nearly all critical infrastructure sectors - transport, utilities, telecommunications, fuel, finance, food, transport, roads, police, emergency services, post, broadcasting and key public services - are out of the red zone and at least into the amber.

But even using the traffic light system as the sole indicator of readiness, some sectors have left their preparations perilously late. October figures show all health, police and Inland Revenue systems 100 per cent blue - not a moment too soon, albeit a heroic achievement, given that in June, 97 per cent of NHS systems were still at the dangerous amber level, as were 98 per cent of police systems and 62 per cent of tax collection systems. (The Inland Revenue admits that it has been under enormous pressure because of 2000-related failures, resulting in one case in threats of legal action against a company accused of failure to pay tax 99 years ago).

The essential problem for organisations at the amber level is that they will almost certainly fail to achieve full readiness. Even those that, against the odds, have managed to haul themselves up to blue in four months should, ideally, have reached that level with six months to spare for testing. In the event of major systems failure or problems with the supply chain, organisations such as the Inland Revenue and the NHS will have little hope of developing meaningful contingency measures in time for the day.

The prospect for sectors such as telecommunications, air traffic control, water, nuclear and finance appears much healthier. They were all rated at 100 per cent blue by June. Yet even supposedly fully compliant sectors are having problems - 4,000 London Electricity customers lost their supply in August because compliance work on pre-pay meters failed to accept new keys. The coastguard service, which also claims 100 per cent compliance, has experienced significant levels of computer failure in recent months.

Traffic light flaws can be identified in an audit commissioned by the Department of Trade and Industry, of the "upstream" offshore oil and gas industry - one of the very few audits to have been published (www.og.dti .gov.uk/y2k/octup.htm). The independent report, prepared by WS Atkins was intended to gauge the preparedness of that industry to meet the date issue against Action 2000's assessment criteria.

While proclaiming that the industry was 100 per cent blue, the report added: "There are a number of elements to be completed, such as finalisation of remedial work, contingency plans/Millennium operating regimes and final assurances/discussions with critical third parties."

Achieving a successful "blue light" status involves a high level of trust. Organisations are expected to provide audits and assessment, but these are often subject to constraints such as commercial secrecy and self-reporting.

Despite the optimism communicated by Government, it appears that companies and government departments are still struggling to combat the Y2K problem. Earlier this month, Reuter's share price slumped after it warned that Y2K concerns were undermining the company's revenues.

But despite the optimism created by the blue rating, organisations are facing a near-impossible task assessing the real threat. Almost all leading companies in Britain are now refusing on legal advice to disclose specific details of their preparedness - or lack of it - for the new year.

Most companies have remained silent about their preparedness, and many have refused to provide anything more than a general statement of intent. The Financial Services Authority, fearing repercussions from consumers, has directed banks not to disclose their level of preparedness. The stand-off has caused uncertainty in some industry sectors, and is part of the reason for the recent refusal by insurance underwriters to deny insurance against the risk of Millennium failure. In recent months, many insurance companies have moved specifically to exclude year 2000 claims from their future policies.

The problems highlight the reality that Y2K is more than just a problem of computer failure. It is about legal dilemmas, insurance black spots, broken supply chains, public order and contingency planning. The bug has exposed the fragility of a complex "just in time" economy.

Despite the assurances of large organisations, recent surveys have revealed grave problems. A survey by Taskforce 2000 earlier this year showed that nearly a third of UK businesses had "no chance" of preparing for the Bug. A further twenty per cent had a "borderline" chance of surviving the millennium intact.

Despite this evidence, the media has recently maintained an eerie silence over Y2k. Whether the silence is justified will only be known in nine weeks.

-- Old Git (anon@spamproblems.com), November 08, 1999