Incoming: Y2K Offers a Template To Squash the Cyber Bug
This article is the first in a two-part series about what Y2K can teach the world about cybersecurity.
I’ve heard a lot of talk about cyberthreats over the past 15 years, yet I haven’t seen anyone offer a holistic way to address them. As I reflect on my own experiences and challenges in information and operational technology, the last problem of this magnitude that we had to face was the feared millennium bug, or Y2K. A mere 17 years later, the information technology landscape looks eerily the same. For many chief information officers (CIOs) and chief information security officers (CISOs), the size and scope of the millennium bug is about the same as today’s major security challenge: the cyber bug. We can find many similarities between present-day cybersecurity concerns and the ramp up to Y2K, when the world spent billions patching and replacing systems to prevent massive infrastructure failures.
Although the causes of these problems are not the same, we could, and should, use the same approach to cyber that solved Y2K. Cyberthreats reach infrastructures globally through everything from toasters to cars, air traffic control systems, medical components, power grids and erroneous missile launches. The cyber bug problem is magnified by the advent of the Internet of Things (IoT), which reportedly will add 50 billion devices by 2020.
The Y2K problem was driven by the Julian calendar—programmers conserved memory by using two digits for years instead of four—and primarily affected business systems. The cyber bug is driven primarily by cyber crime, espionage, competitive advantage and warfare, all stemming from inadequate built-in security in software, hardware, embedded systems, business processes and complex architectures. Another risk factor is the lack of cultural security awareness.
Looking back on the plan to address the Y2K problem, awareness and education, along with a sense of urgency, created the foundation for recognizing and addressing the challenge. This was a whole-of-nation, indeed global, execution, not just a government-led effort. Governments and businesses formed formal groups to identify and initiate the actions necessary to avert infrastructure failures.
Several themes common with Y2K play out today. CIOs and CISOs need to know what applications and devices they actually have—it is time for asset discovery and documentation. It is also time to move away from an “if it isn’t broken, don’t fix it” mentality that keeps outdated equipment and software, increasing cyber risk. While Y2K was the single biggest driver for adopting packaged, off-the-shelf software, today cyber concerns are moving data to the cloud. And as with Y2K, cybersecurity has stirred up fears, becoming a board room discussion. Among C-suite executives, it has generated a lot of review and exercise of business contingency plans.
In some ways, it seems as if we are back at the same starting point as with Y2K: having to convince the powers that be that we have a continuing and growing problem amid actions that are not congruent with a holistic national or global framework to achieve the required objective. The cyber bug appears to be larger than life because we neither approach it in a synergistic way, nor are U.S. and international laws in place to address underlying causes. Lawmakers cannot even agree on common security standards for the IoT.
I can hear the same pundits then and now saying that Y2K turned out to be an overhyped nonevent. It was a nonevent only because of tremendous efforts by many to avoid a huge catastrophe. Y2K was real and, yes, a number of organizations did overspend on the problem. Nonetheless, it needed attention. This time, the cyber bug has far more serious implications for the very survival of companies and the overall economic power of our country—let alone the effects on national security, which I believe are one and the same. When you add in our civil liberties and privacy, the magnitude is tenfold. If we are to take the cyber bug seriously, then we need to treat this like any other risk and apply the right resources as we go forward.
The second part of this series will appear in the June issue of SIGNAL Magazine.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of the Enterprise Security Solutions Group for DXC Technology (formerly known as Hewlett Packard Enterprise Services), U.S. Public Sector. The views expressed here are his own.