Douglass Carmichael: What might happen between now and Dec 31?

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

REFLECTIONS ON THE WEEK: What might happen between now and Dec 31?

This is the first of two special reports. They were supported by the generous assistance of the Center for Y2K and Society (www.y2kcenter.org). The first lays out events that could happen between now and Dec 31 that would be opportunities for the us to play a vital role in the closing days of 1999, and for which it should not be caught flat-footed. The second report describes what the situation may be on January 15, 2000. The two together point out some opportunities and dangers for society, as well as for those of us interested in Y2K.

I feel it will be important to expand on this report in our own thinking about potential events that may happen between now and Dec 31, just to keep us all focused and ready.

We should devote some time to thinking through how we might respond quickly to a sudden increase in awareness that Y2K is a significant threat.

That we be thinking about telling the story of what Y2K is really about. It is not fundamentally about the economy, but about people and long-term viability. I consider the ability to tell stories the emerging core competency of those of us who have been most concerned about y2k and its social impact.

We be thinking through how the issues raised in these weeks be seen as symptomatic of deeper issues in the current organization and marginalization of society towards transforming our new found capacity to think about such issues, rather than dropping the effort.

Here is a clue as to what we are up against.

It should be illegal to yell "Y2K" in a crowded economy. -- Larry Wall, creator of the programming language Perl

I would say there is extreme nervousness on the part of lots of the y2k players of significance. That nervousness is likely to leak out in anxious ways. Here are recent articles.

Portsmouth, UK, November 28, 1999: A new public intelligence briefing published today systematically highlights how a false sense of security is being promoted via the UK Government booklet, 'Facts not Fiction: What everybody should know about the Millennium Bug' delivered this month to "every home" in Britain. The point-by-point critique called 'Facts not Fiction: Lies or Ignorance? - What you should know about the Government's Millennium Bug booklet', suggests fundamental flaws in the Action 2000 booklet. In stark contrast to Action 2000's bland official assurances, the briefing cites a chorus of warnings from official and expert sources elsewhere. According to the Bank of International Settlements worldwide banking transactions could quickly freeze, due to defaults on loans between banks and institutions. Whereas the public has been told, "there is absolutely no reason to buy in extra food just because of the Millennium Bug", the business community is scrambling to implement contingency plans and stockpile essential materials. According to a top State Department official quoted in the briefing, "The 2000 computer glitch is likely to disrupt the worldwide flow of goods and services, perhaps sparking havoc and unrest in some countries ... The global picture that is slowly emerging is cause for concern [because] Y2K-related disruptions in the international flow of goods and services are likely". The briefing comments that in the face of long-term food supply risks, Action 2000's advice against buying in extra food is irresponsible to say the least.

This is from the London based Trendmonitor, http://www.trendmonitor.com

And from an investment report:

Mr. Cohen: Wall Street generally believes what it wants to believe, that Y2K will be a benign non issue - a blip with no major problems. Corporate America sold the Street that bill of goods. Corporations regularly promote themselves and deceive. It is human nature. The art of competent securities analysis is to separate self-serving promotion and deception from the truth.

But in general, U.S. corporate Y2K compliance progress is one of the biggest corporate deceptions I have seen in 30 years of analytical experience. The problem is that Wall Street didn't have the analytical experience of IT competence, nor the IT infrastructure values from which to ask intelligent questions. The Street simply couldn't do comparative analysis, get relevant answers, give the companies little or no wiggle room to respond inadequately, and conclude in an intelligent and informed manner. It just plain didn't happen.

The biggest threat to the economy is panic, more than Y2K. If people believe in the value of money, Y2K can still be severe and the economy survive, but if Y2K is weak but money undermined, the economy goes south. So policy, dictated by real concern for the financial implications of panic, has been successful to such a degree that work has been less intense and the threat to society is worse than it was. Currently people are a bit punch drunk, and careless.

If there are events between now and Dec 31 that open up the society, the press, the government, Clinton (his WTO speech shows some ability for quick reaction), to new ways of thinking about the danger we are in, then we should be ready to respond. Things that might happen: the issuance of a severe warning from some major trade organization, or a corporation saying they can't make it, or some amazing whistleblower report. At such a moment we have an opportunity to help clarify what is happening and what is at stake. It seems to me some such reports or events are likely. My subjective sense is, 60%.

It's important to see that nothing happening is a very big happening. Many of us have been in the forefront of taking on the issue and trying to make conscious the issues and potential results. We have been one of the few places that has gone beyond the kind of results that management culture can deliver, since it is so bound up in its own performance. We have been in a period of intense struggle between light and the fog of conventional media and government supported myopia. This political economy in which we live is unstoppable by mere possibility and has about it the quality of a puncture proof tire that has enough goo inside that any fact that cuts to the core is pasted over immediately by sanctimonious denial.

We have worked to all learn about the interconnectedness in society and the challenges this poses for the future. This has been in the face of massive groupthink and as Yardeni says, Mr. Greenspan deserves much of the credit for boosting public complacency.

Today (Thursday, Dec 2) we had a conference call with the preparedness sub group of the Y2K conversion Council. It was clear that the three government spokespeople so believed that nothing would happen and that January 1 would be a day of only normal daily risks, that any preparation was harmful to the supply chain, which was the only real threat. (Now official, as this was the basis for the ICC's and Koskinen's press conference earlier this week.)

If "Nothing has happened" continues till Dec 31, it will be the result of the most amazing emergence of groupthink, sort of like the nationalist hysteria around a war. Only in this case the nation is the expansion at all costs of the expansion-based economy. There are several factors that support the groupthink.

To give everyone credit, there is so much on people's minds they have no room for Y2K. A recent visit to Silicon Valley had me spending time with people who needed to merge business strategy with three million in venture capital by the end of the week, with a feeling of desperation that windows of opportunity were passing them by.

Generally we have a technical reality about Y2K, with a managerial world on top of it, with the managers mediating between the technical level and society. Society is dependent on that managerial level for its understanding, and for the actions that can make a difference. But managerial culture has its own rules, such as, "Don't look bad or make friends look bad under any conditions." (Note the emergence of an agenda for us here.)

Lots of money got spent in one of the largest projects ever. For companies like Citicorp and GM, a billion dollars is 10,000 people for a year with a $100,000 salary. Probably much of it was hardware and software costs, but whatever the balance, such large projects are unprecedented. We can only be in awe if it turns out they were managed successfully.

But we have been led to believe that the great majority of Y2K projects were It's my judgment however that the conclusions arrive through a way too weak chain of logic, summing upwards in self-reports, accumulated in percentages with little meaning, and embraced like mother's milk (or Prozac) by a ready audience that wanted (there is still some mystery here as to why. It's not just "ignorance is bliss", it was motivated resistance to some stories and too easy acceptance of others, but why?) to believe them. The story that got delivered is the story that wanted to be heard. This needs explanation. Management culture did not communicate beyond what it wanted to, so we have not been told of success stories, nor the hard work and rough spots, nor the failures, mostly because people wanted to get on with other projects that are on the competitive edge, and also because the lawyers said "Don't make claims," in protection against potential litigation if it turns out wrong and was misleading.

Government has been much more concerned with protecting the big market (globalization and e-commerce) than society, with its preponderantly normal product and employment-based business.

The media didn't want to get stuck with a loser of a story, another Kohoutek, and they sensed the emergence of a consensus they weren't motivated to take on (more mystery, but related to the depth to which the press is part of the globalizing economy). The facts have been closed to the press and without a body and a smoking gun, it's hard. Any weakness they focused on would immediately get enough hot attention that the reporters would be proved wrong, and it would all ground down hill in quibbles.

We should also be aware that it's possible that the network is less interconnected than we imagined, that software is more robust (perhaps one percent of all systems are down each day) than we thought, and that savvy business people have more awareness of this than we do.

But, not much has been allowed to happen. No trade association, corporation, bank, agency would come forward and say mea culpa because the wrath of power would single them out as losers. Can you imagine NERC saying they really do have a problem? It's easy to imagine the internal conversation that could lead that way, but everyone knows what the answer is supposed to be. Since the time table had things fixed by 2000, that we are told they are is not surprising. Any break in the front would have, in retrospect, been the real surprise. (I did not see this coming, the puncture-proof nature of this façade, the social glue that holds society together.)

But much could happen between now and Dec 31, and that's my concern. There is great pressure in the system, both to hold on to a story that is not well grounded and people suspect it and because the need to know among the very same people is so high. (Note that there is an emerging sense in the last few weeks that we have cast our lot, now we ride it. No more quibbles.)

History works in surprising ways and things like Clinton's WTO speech December 1 in Seattle was one such surprise, showing how much third world countries do not want an equity argument, but the speech brought more of the reality into the open, and it's led to lots of confusion and anger. Y2K logic may be upset by external events. A fall in the stock market would be the most obvious, but any kind of war or major terrorist event between now and Dec 31 would also shift the perceptions and forces.

But let's look first at what could happen internal to Y2K, like a major corporation announcing that in fact it will not be ready (the lawyers will make them say it if it avoids liability by prior notification as part of due diligence), and then what could happen external to Y2K that might reveal or lead to a reassessment of Y2K issues?

To set the stage for the possible internal eruptions of Y2K to the viewable surface, here is a long quote from Yardeni's final report, which justifies the plausibility that things may in fact be rather worse than the official view. (See also Bill Ulrich's essay contained as an appendix to this paper.)

Most stock market investors have given their final answer: Nonevent! So have most other humans on the planet Earth. Complacency about Y2K has increased significantly in recent months and is nearly universal. That's wonderful if Y2K turns out to be a nonevent. Investors seem certain that Y2K disruptions will be minimal. Greed, not fear is the emotion driving the stock market to new highs. While many stock prices are actually down for the year, the narrow bull market is led by a buying panic in technology stocks, the ones that are most likely to head straight south if Y2K turns out to be a serious event.

My final answer is that Y2K will be an event. I still assign a 70% probability to a Y2K recession scenario. But I am a reasonable fellow. I can't ignore the fact that just about every IT pro and Y2K policy official is optimistic that it will be a nonevent. I'm skeptical, but I'm not inflexible. So I am moderating my outlook for the severity of the recession. I am raising the odds of a moderate recession from 25% to 30% and I am lowering the odds of a severe recession from 40% to 35%.

I still expect most of the problems will occur in global just-in-time supply chains in manufacturing and petroleum production. In this scenario, publicly traded companies might start to pre-announce, during January and February, earnings shortfalls caused by Y2K glitches. This would depress stock prices, which would depress consumer confidence and spending, thus exacerbating the Y2K recession effects attributable to supply disruptions. The worst of the forecasted recession should occur during the first six months of next year. It is likely to linger during the second half of the year, though there should be clear signs by then that the worst is over and lots of signs of a recovery.

One of the most trusted leaders on our planet has been especially reassuring. On October 5, 1999, Fed Chairman Greenspan said: "We at the Federal Reserve are optimistic that computer problems associated with the Century Date Change and the response to the CDC will not be a major event for our nation." The Chairman didn't provide any specific evidence to back up his upbeat assessment. That's fine if Y2K is a nonevent, in which case we have nothing to fear but greed itself. Mr. Greenspan deserves much of the credit for boosting public complacency.

It's almost unpatriotic to be skeptical that Y2K will be a nonevent. On the other hand, even in the US I'm skeptical about the thoroughness of the testing and the adequacy of contingency planning. I think there still is a much greater risk of systematic failure than does the Chairman. But my latest Y2K Experts Poll, conducted during November, is not reassuring. We all know that many IT systems can randomly malfunction or fail on a good day, but what if, early next year, we experience many bad days, several bad weeks, or a few bad months where the malfunctions and failures are nonrandom and systematic? We will soon find out all together.

I've been frustrated by the lack of good hard data to corroborate the optimistic progress reports. In an effort to collect some, I partnered with CIO Magazine and the Information Systems Audit and Control Association (ISACA) to conduct anonymous web-based polls of IT professionals with hands-on Y2K experience. The goal of our informal public-interest coalition is to help the public and their policy officials assess the readiness of organizations around the world for the century date change. We conducted a poll in June and again in September. The third poll was conducted from November 10-21. All three can be viewed at www.peoolepolls.com.

We found widespread optimism based on little hard evidence:

1) Most are finished or nearly so. In November 32% reported that their Y2K project was 100% completed and another 56% said they were 91%-99% done.

2) Many are taking longer than expected to finish. In November, 57% said they would need the last three months of the year to finish their Y2K projects, a disturbing increase from 43% in September and only 16% in June saying so. Moreover, 28% said they would be finished in November, with another 22% projecting completion in December. Curiously, there were a few organizations (8%) expecting to have Year 2000 work to do next year and beyond.

3) Some are behind schedule. In November, 15% said they were 1-4 weeks behind schedule and 9% were 5 weeks or more behind schedule.

4) A small fraction of systems might malfunction or fail. When asked about the readiness of their mission-critical systems, 59% said they expected that they would all function properly, while 33% acknowledged that 1%-5% of these might experience some malfunctions or failures. A much greater percentage of respondents (73%) admitted that up to 25% of their non mission-critical systems might have problems.

5) A few are still waiting for key third-party software. When our experts were asked if they are still waiting for Y2K-compliant versions of mission-critical software programs written by third-party vendors, 15% said they were. That is an improvement compared to 23% in September and 35% in June.

6) Progress assessments are largely unaudited and assessments of vendors are mostly informal. The poll shows that many of the projects have not been subjected to independent assessments and audits. Indeed, 42% said that no independent audit was conducted. While many have assessed their vendors and are confident that most will be ready, only 14% actually conducted on-site verifications of vendor readiness. Everyone else relied mostly on conversations, questionnaires, and phone calls. Interestingly, 16% predicted that they might cause problems for some of their customers.

7) Contingency planning: some have, a few don't. Nearly a third had implemented their contingency plans, while another third was still doing so. A small percentage (8%) had no plans, while (13%) were still formulating their plans. A significant portion (38%) were not planning to increase their inventories, while 27% were likely to have another 1-4 weeks' worth.

8) Optimism is very high and few expect serious problems. Our Y2K Experts remain remarkably optimistic even though many of them report that they are not yet completely ready at this late date and seem to be falling behind schedule. Hopefully, they are using the remaining time mostly to retest and double-check. In the latest November poll, 91% said they were optimistic. Supporting this upbeat attitude, 21% claimed that their organizations are in better shape than their lawyers would permit them to say. An overwhelming 70% say that Y2K will have at most a very minor economic impact lasting a few days.

9) Demographics of poll are optimistically biased. Of the 30,000 e-mails sent to IT professionals, 1,212 self-described Y2K Experts responded. One-fifth said they work for a finance or banking organization. This is one of the best-prepared industries, which might explain some of the optimism expressed in the poll. Also contributing to the positive assessment is that 58% work at very large organizations (with over 1000 employees), presumably with the resources to fix Y2K. Our sample was very US-based (63%) and a significant number (18%) working for a global company or organization.

Wheel Of Fortune. If Y2K is a nonevent, there will be many more millionaires and a few more billionaires next year. If it is a serious event, then many millionaires might take home a lot less than they expected. So: Will Y2K be a nonevent or an event? (From Yardeni's website).

That's not a very convincing story that the big banks are ahead, that the big corporations are fine, that the United States is in great shape except for a few minor glitches in HCVA and a local phone company or two. It fits my assessment from internal meetings, that the work was poorly defined, carried out by weaker members of the staff under pressure, motivation and rewards were low, and the work boring.

This seems sufficient grounds to consider it plausible that disruptions will be extensive and have large impacts.

My best guess is that we will see some breaks in the façade before Dec 31. Here is a short list to get us started.

Possible Y2K events between now and Dec 31 that would heighten public awareness and concern:

Legislation: Freeze on Stock Market Prices the last week of Dec. Limit on bank withdrawals; some banks are already imposing 48 hour advance notification of withdrawal. Mandate on the amount of food that can be purchased per family. Official practice days of no electricity/water/utilities as training in case of outages. Freeze on employment, no firing or hiring from Dec. 20 to Jan 31, to ensure tech people stay with their current firms to solve possible company crises. (The impact of requiring people to stay at work during a millennial holiday without much compensation has not been ascertained.)

Airlines: Cancellation of flights to major airports. Airplane/airport mishaps (technical malfunctions as a result of remediating systems causing slow down or interrupted/inaccurate information and perhaps even accidents) that cause sudden cancellation of a large number of flights, leaving people stranded at the airports. (USAir is issuing frequent flier cards because of a computer upgrade, but the woman on the phone told me that the new Y2K compliant software could not handle the old number format, so they had to issue me a new one.) A strike threat by FAA operators or others because of potential safety threats. (The whole impact of potential strikes has not been broached.)

Pharmaceuticals: Announcement of uncertainty in future production levels due to non-compliant dealers/suppliers/distributors. Requirements that only a week/month supply of critical medicines can be bought, implying that the system is under stress.

Oil & Gas: Sharp hike in gasoline prices due to industry's expectation of a decrease or interruption of international sources of supply (seeing less profit in first quarter, they aim to recoup in the last weeks). The year long rise in prices is not attributed yet to Y2K, but expectations of strong demand may have led the oil companies to see a period of inelastic demand that would pay higher prices.

Medical/Hospitals: Medical records are lost due to remediation efforts at hospital. Medical devices fail resulting in complications/injuries/deaths. Hospitals announce the unwillingness to schedule procedures during the roll over period. People in critical condition start getting press coverage as hospitals say they can't handle them, say after Dec 20th.

Food: Gradual decline in food delivery to local grocery stores resulting in empty shelves. Decline in food supply due to malfunctions in distribution or perhaps from international inability to export to U.S. Food moves more rapidly off shelves and into homes and businesses (which see the need to feed staffs), prices go up dramatically.

Electricity: A failure like the one in Hawaii but located in L.A. or N.Y. or any densely populated area. Local companies admit that they are not ready for 2000.

Many of these could be triggered, as many events have, by the failure of new systems put in place to avoid the Y2K failures. The speed with which this work has been done does not lead to a deep sense of security. Much of it has been jerry rigged and haphazard, with "Fix on Failure" the strategy of choice for all but most visible critical systems.

How do these events get public attention? Let's look at how it might start.

Here's a quote from the Alliance of Canadian Travel Associations which contains news releases on Y2K issues and travel.

Just slightly down the page it reads:

More than 30 of the 185 countries represented by the International Civil Aviation Organization (ICAO) have failed to respond to an ICAO Y2K survey, said DOT Inspector General (IG) Kenneth Mead in Senate testimony on Thursday. And more than 1 million passengers traveled from the United States to the 34 non-responding countries in 1998, the DOT found. http://www.travelY2K.com/news.htm

Mead's testimony suggests that the FAA look into restricting US flights to countries that fail to provide Y2K information. A DOT spokesperson told Newsbytes that the FAA will probably follow Mead's recommendation.

Then,

MELBOURNE, Australia (AP) - Two of Australia's commercial ports will close during the New Year period because of fears about problems caused by the Year 2000 computer bug, authorities said Thursday. The closures are planned because harbormasters could not be sure that ships trying to enter could navigate. http://www.tampabayonline.net/news/news1007.htm

Comment: this kind of reporting makes travel companies nervous, not enough to get the public attention big time, but to sow doubts. My reading is that lots of little stories like this have softened people up so that, if there was a big story, people would move faster than they appear to be ready to do. It feels a little like the eye of the hurricane, when we are in a false calm.

The following is another example of an approach, that, by making fun of it, reveals the nervousness underneath, but also is part of the myth/story telling stuff that is so important throughout this process.

** Y2K Is Good for You!

Now that all the possible problem dates preceding Y2K have passed without a hitch, the whole thing has started to seem disappointingly anticlimactic. Fortunately for the media, the Commerce Department issued a report yesterday saying that the bug was costing the country a whopping $100 billion, making it, the Washington Post reported, "the most expensive peacetime catastrophe in modern history." Few outlets missed the chance to revisit everyone's favorite looming disaster, though the spin is far rosier than it was just a few months ago. Post reporter Rajiv Chandrasekaran went on to write that economists think Y2K might actually have a "positive short-term impact," because it's created a demand for programmers, hardware and software. Los Angeles Times reporter Elizabeth Shogren led with the good-for-the-economy angle: "The U.S. economy has already absorbed most of the costs connected with the year 2000 problem - a staggering $114 billion - and the future impact may be positive as resources are shifted from computer repairs to more productive uses, federal officials said Wednesday." The AP was only slightly less sanguine, noting that while Y2K might boost growth for the end of 1999, it "would most likely slow it during the first months of 2000 to compensate." Still, even that article repeated the Commerce Department's sunny analogy that Y2K was "something like a tangled shoelace for a world-class marathon runner." Interestingly, all the Y2K doomsayers and survival-manual authors who were so prominent in the press earlier this year were ignored in this latest, cheerful round of stories. Perhaps that's because, as Shogren said, "Opinion polls show that public concern about the year 2000 problem is declining, casting doubt on predictions that widespread panic would incite hoarding of money and goods." Journalists are smart enough to see that Y2K paranoia is passé, even though 2000 is still more than a month away. - M.G.
From The Standard's Mediagrok A Review of Press Coverage of the Internet Economy, http://www.thestandard.com

Announcements like the following also raise doubts, without tipping the balance.

We are preparing to have appropriate cash levels and cash processing requirements for all of our locations, including ATM's, branches and vaults. While you may want to have a little extra cash over the New Year's holiday weekend, the safest place for your money is in the bank. If for any reason you do need to withdraw a large amount of cash between November 15 and January 5, please notify your branch two business days in advance and take appropriate safety precautions. You may withdraw at any location you choose. Without advance notice, you may be directed to a designated U.S. Bank location to make your withdrawal. http://www.usbank.com/corp_relations/Y2K.html#y2

There are some sophisticated responses that highlight the difficulties without seeming to. Business Week this week, issue of December 6, has a Special Report titled SOFTWARE HELL: glitches cost billions of dollars and jeopardize human lives. How can we kill the bugs? Bad software has been implicated in plane crashes, train wrecks, and lethal malfunctions of medical gear. All told, US businesses lost 85 billion in lost productivity last year, according to ..the Standish Group in Dennis, Mass. The year 2000 bug has focused attention on the topic. But Y2K tells only a tiny fragment of the story.

This lets them off the hook and looks to me like a sophisticated strategy to raise the issues without being accused of being soft on Y2K . (soft on Y2K. Ouch. That soft thinking has come to be taking Y2K seriously, whereas hard tough thinking is to be dismissive, shows how much the public disc

-- a (a@a.a), December 17, 1999

Answers

(continued)

Ouch. That soft thinking has come to be taking Y2K seriously, whereas hard tough thinking is to be dismissive, shows how much the public discussion is motivated by anger and hatred towards anyone who would side with what is a threat to the system. But to give some credit to these defenders, those who have defended the communities and social side of society have all too often claimed certainty rather than possibility, and taken Y2K to be the sole threat against which everyone should mobilize.)

Another major source of potential breakthrough, or down, is the military. News from there has been very quiet in the last few months, because they fell in line with the anticipated assessment that all was being fixed. But since the military will be under stress to deal with Y2K breakdowns, we might see a political move to declare that all is not well.

This leads to a similar problem: the hype around the potential of hackers to disrupt. I am deeply concerned that this potentiality has led to an increased use of Y2K to support the development of a national infrastructure defense that will not go away after January. Fear about hacker attacks and terrorism could lead to some paranoid moves that would reframe Y2K. Consider the following report from TIAA.

Y2K May Lead to Breaches in Information Security

Congressional investigators, in a report released in early October, identified both government and business computer networks as being at increasingly severe risk of disruption. The General Accounting Office identified security shortcomings in national defense, tax collection and air traffic control, among other key operations.

In the last three months, as the certainty of Y2K has approached closure, these same kind of security concerns have begun to move to the forefront of remediation efforts as well as post-Y2K planning efforts.

"Many companies are making sure that they are Y2K-compliant, but that doesn't mean the systems are secure," said Ernst & Young analyst Thomas Klevinksy, a member of their penetration testing services. And this concern has carried over to US government computers who have been victimized by hacker attacks such as Solar Sunrise and Melissa.

Ken Barksdale, program manager for Bell Atlantic's disaster recovery services, agrees that a problem exists. As Y2K project leader working for a Wall Street firm three years ago, he discovered traps in code that was farmed out to overseas contractors. The embedded code was set to cause systems to crash in 2015, he said.

Now, "people are still finding bugs [that would let intruders] get into appl ications without passwords," he said. Barksdale declined to name companies that have discovered such traps. However, he advised companies to hire computer emergency response teams (CERTS) to test Y2K programs for trap doors.

Mark Gembicki, president of WarRoom Research, a security consultancy, said a few of his clients have found malicious code embedded in programs sent out for Y2K remediation that are associated with the years 2013 and 2017.

Essentially, the traps "open up a portal for organizations to see more proprietary information" once installed on systems, Gembicki said.

However, it is not yet clear whether the Year 2000 is an entry point, giving an intruder access for 13 years, or whether systems would be exposed in the year 2013, Gembicki added. "It may be a fluke, but it should be enough to make people paranoid," he said.

Michael Vatis, head of the FBI's National Infrastructure Protection Center (NIPC), making him the nation's top cyber cop, reported in early October that malicious code changes under the guise of Y2K modifications had begun to surface in some U.S. work undertaken by foreign contractors.

At the time, Vatis said it was quite easy for an outsider to code in ways of gaining future access or causing something to detonate down the road. This could expose a company to future denial-of-service attacks, open it to economic espionage, or leave it open to a malicious altering of data.

Concern about U.S. vulnerability to cyber attack led the Clinton administration to launch an initiative called Presidential Decision Directive 63 in May 1998. The directive instructed U.S. agencies to develop cyber protection plans and establish links with industry groups. https://www.itaa.org

The general pressure on police and the FBI may lead to statements of concern that are designed to be strong enough to get public attention.

The bank run and its anticipations is the greatest source of potential breakthroughs.

The Fed is Paranoid about Y2K (John Crudele, New York Post) http://www.nypost.com/business/18993.htm

"The Federal Reserve is being driven to distraction by Y2K. Even as the Central Bank has been publicly tightening monetary conditions through three interest rate hikes this year, it has been quietly pumping money galore just in case the Millennium madness being predicted actually does happen." This piece goes on to say that Michael Belkin, "a Fed expert who writes the Belkin Report, says Alan Greenspan has allowed $70 billion in cash to flood the U.S. monetary system in recent weeks and has created something called a 'repo option.' These options could leave the monetary system awash in another $426 billion in additional emergency cash in the next few weeks. 'This all adds up to the biggest Fed credit expansion ever. This monetary boost is wildly stimulative for the U.S. equity market in the short term,' Belkin says, 'but will leave equities painfully vulnerable to a crash once the Y2K-related credit expansion is withdrawn in the new year.'" Apparently, in the past week, "the government's M-3 money supply figure rose at an annual growth rate of 12 percent. That's more than double the normal growth and far above what the Fed would generally allow. But the repo options, which were first sold on Oct. 20, are the thing that could pump more money into the nation's monetary system the quickest. Financial institutions that buy these options can convert them quickly to cash in a pinch. Ironically, this liquidity burst comes at a time when the Fed is pretending to be very stingy. The third rate hike of the year that came a couple of weeks ago was billed as the Central Bank's 'get-tough policy.'"

And we can conclude with the following survey results from Information Week. (And ask, if you were a diagnostician, given only this data, plus some theory about how long and difficult software projects are, and that everyone was supposed to be finished by September 1, what would you conclude?)

An InformationWeek survey of 200 IT executives from small, midsize, and large businesses, released last week, reported that 59% of those surveyed say that year 2000 compliance and remediation efforts are completed. Another 38% responded that they were confident that all projects will be completed by December 31, 1999.

Respondents in the Information Week survey said that nearly one in four of all IT staff members will be required to be on site on New Year's Eve. That figure is 27% at small companies and 19% at large companies. On average, the survey reveals that 11% of companies will have 100% of staff on-site that night, as well as 62% of staff on call over the weekend.

All this suggests that, as confident as American business is that their Y2K remediation efforts are successful, they are taking no chances.

I hope that you are convinced that we should assume no events that shift public opinion between now and the 1st. While it feels like we are living in doped up molasses of anesthetized public opinion, there is lots seething under the surface.

** "It is to the detriment of the revolution, system, and society if an impression is created that an individual's views are confronted in any other way than a satisfying analytical approach," president of Iran, Monday, Dec 1 NYT.

Wise words can come from strange places. The inability of our society to deal with Y2K in a reasonable analytic way is an opportunity for us to rethink its approach. Some of this will be covered in the next issue of y2kweek, On the state of things on January 15th.

APPENDIX

Y2K's close; we're still not ready By William Ulrich 11/29/99

Industry association and government spokesmen have proclaimed the Y2K problem dead. People believe this because they ignore published status reports to the contrary, see no personal connection to the problem and listen to pundits while doing little research for themselves.

But when problems emerge, companies and governments will take the brunt of the criticism. Assessing the reality of the situation will allow organizations to respond to the public relations challenges ahead. Reality is different from what the media tell us. In September, Cap Gemini America, an information technology consulting firm in New York, found that 44% of major companies wouldn't have their mission-critical systems compliant by January. A CIO magazine poll found that 81% of large companies weren't yet finished and that half the companies surveyed had no contingency plans. A National Federation of Independent Business study found that 40% of small businesses had done nothing about Y2K. Where progress has been made, work completed to date remains in question. According to independent validation and verification (IV&V) studies by SEEC Inc. in Pittsburgh, the average mainframe or midrange system contains 510 date-related errors after remediation.

A second study in February by Reasoning Inc. in Mountain View, Calif., found between 100 and 1,000 bugs in similar samplings. An unrelated study by SriSoft Corp. in Diamond Bar, Calif., in October discovered that testing catches 30% of Y2K bugs, while IV&V uncovers another 40% to 45%. This leaves 25% of the remaining bugs in a best-case scenario. Statistics drawn from government hearings and Web sites paint a more detailed picture. Only 13.5% of small and midsize chemical and petroleum firms have completed Y2K preparations. The Food and Drug Administration said 4,053 high-risk biomedical devices remain noncompliant. More than half of all health care providers won't be ready. And 70% of schools are unprepared.

According to calculations found in a report by researcher Warren Bone at New York-based Westergaard.com Inc.'s Web site (www.wbn.com/Y2Ktimebomb/), only 75% of federal mission-critical systems will be finished by January, and the status of nonmission-critical systems remains unclear. Other reports found 13 states at risk for failures in federal benefit programs, 25% of U.S. counties with no Y2K plan, 63% of 911 call centers unprepared and Medicare provider payments facing delays.

Even best-case scenarios are imperfect. The Social Security Administration (SSA) began year 2000 efforts in 1989. In July, according to the Information Systems Accounting & Information Management Division, SSA found 1,565 year 2000 errors in mission-critical systems. Only 44% of these had been fixed as of October. SSA is still checking data and finalizing contingency plans.

What does this mean to consumers? In statements made in early November to CBS News, the State Department inspector general said, "80 countries are at moderate to high risk, and there will be failures at every economic level, in every region of the world." Nick Gogerty, an analyst at London-based International Monitoring, predicted in October that Y2K would lead to $1.1 trillion in damages worldwide, not including those from litigation and insurance costs. These costs, along with many inconveniences, will affect us next year. Why is the government telling us that most industries are 100% Y2K-compliant when bug-free systems are a myth? The answer is that the government and selected industries don't want people to panic. But when things go wrong, people will demand answers. What can organizations do when problems strike? First, consider that 80% of your customers expect no year 2000 problems at all. Second, don't believe your own industry hype about 100% compliance. Third, be polite and let them know we are all in this together -- for the long haul. Most important, when future large-scale challenges arise, consider your industry's posture. The unrealistic Y2K performance expectations set by industry associations are unachievable. Finally, see if any of those high-priced public relations directors want to work your customer hot line in January. They may learn something about manipulating perceptions about matters they barely understand.

(end of Ulrich report)

(mark will be back with some ideas in the next issue)

Douglass Carmichael

(from a listserv)

-- a (a@a.a), December 17, 1999.


Gee....my schedule between now and then looks kinda sparse compared to all that....I just have one more office Christmas party, a bluegrass picking session outside of Atlanta, 2 days of scuba diving in West Palm Beach, then on down to hang out with my son in Key West for some deep sea fishing and more scuba-ing until the 29th, then a mad dash home and into the abandoned missile silo to button up.
Thank God for the last dash of good times before the bus goes over the cliff!
Yeah, I hear ya....don't count my chickens before they cross the road; well, you gotta blow your own drum around here, otherwise you might be beating a dead gift horse while looking him in the mouth and changing him in mid stream!

And not only that, but this burnt dog dreads the one hand that feeds him while it washes the other!! (a small excerpt from my never released life work called Mixed-up Metaphors)

-- Jay Urban (Jayho99@aol.com), December 17, 1999.

Jay!!

more, more!

-- 1funny (2funny@chuckle.com), December 17, 1999.


Sorry, too much of a good thing makes the heart grow fonder, and too many cooks are in the kitchen watching the pot that will never boil call the kettle black.
However; although it is true that curiosity killed what the cat just drug in, a stitch in time will save his other nine lives!

-- Jay Urban (Jayho99@aol.com), December 17, 1999.


