Incoming: The Lessons of Y2K for Cybersecurity
This article is the last in a two-part series on what Y2K can teach the world about cybersecurity. Read the first part here.
The Y2K event went out with a whimper and not a bang, but not because the issue wasn’t serious. The potential for massive data disruption was there, but government and industry rallied to address it before the January 1, 2000, deadline. The millennium bug was squashed because stakeholders with a lot to lose attacked it in a coordinated effort. That approach can serve as both a lesson and a model for the latest security challenge: the cyber bug.
Today, the dynamic nature of cyberspace is a result of rapid advancements in computer and communication technologies as well as the tight coupling of the cyber domain with physical operations. Military organizations have embedded cyberspace assets—their information technology—into mission processes to increase operational efficiency, improve decision-making quality and shorten the sensor-to-shooter cycle. But this cyberspace asset-to-mission dependency can put a mission at risk when a cyber incident occurs, such as the loss or manipulation of a critical information resource.
Nonmilitary organizations typically address this type of cybersecurity risk through an introspective, enterprisewide program that continuously identifies, prioritizes and documents risks. This allows for selection of an economical set of control measures—people, processes and technology—to mitigate risks to an acceptable level. The explicit valuation of information and cyber resources, in terms of their ability to support the organizational mission, enables the creation of a continuity of operations plan and an incident recovery plan.
But above all, cyber response demands the same sense of urgency as Y2K. In addition, information technology/operational technology (IT/OT) risk must be aligned with real-world risk. I have not seen the same rigor about IT/OT risk since Y2K. Unfortunately, what followed Y2K was a huge decline in information technology spending and a reversal to less governance of IT/OT portfolios. This led to more risk by allowing technology to lapse naturally after a big investment, along with the regrowth of shadow information technology. According to a Market to Market report, global spending on cybersecurity will be nearly $170 billion by 2020, and that figure does not include all the other information technology spending, which is approaching $4 trillion, analysts estimate. The money is there, but why not spend it through a structured framework to address the cyber bug today?
The millennium bug was considered a once-in-a-lifetime opportunity to clean up and standardize information technology. Now we need to do it again. We did not learn our lesson after the turn of the century as we relegated information technology back to a supporting role. Operational technology continues in its own lane instead of being incorporated into the overall business and mission risk equation. But for business, government and nearly every person, technology is part of the fabric of everyday life. The Internet of Things (IoT) promises to advance that principle even further.
The approach for solving the millennium bug challenge should serve as a framework for stopping the cyber bug. The need for a solution is becoming even more urgent with the explosion of IoT devices. We have succeeded with this approach before, and we can do so again. But this time, we must be sure to learn our lesson.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of the Enterprise Security Solutions Group for DXC Technology (formerly known as Hewlett Packard Enterprise Services), U.S. Public Sector. The views expressed here are his own.