
Gen. Mathews is spot on in terms of using the Y2K example as a model for systemic commitment and for the marshaling of resources to stop the cyber bug as he describes. However, I think the analogy of having a cyber flag event to solve today's known problems once and for all (like Y2K had) is seriously flawed.

Cyber bugs and major vulnerabilities each present a Y2K problem several times every year. We search, patch, fix, and repeat the drill continuously. Some vulnerabilities have dire consequences and wide prevalence (such as the recent SMB vulnerability and WannaCry), and others fester under the surface not getting much attention until they are exploited. Some are simply unknown and small until one day discovered on a critical system. To take an approach that we are going to "fix all this once and for all" by upgrading to the latest HW/SW/versions like we did for Y2K is too simple an approach.

What we do need to do first, with Y2K urgency, is change how we design and build computer systems and networks, and pay much more attention to deploying secure systems. Then we must proceed to get out of the discover-exploit-patch cycle once and for all by doing away with pervasive non-secure systems and protocols (for example, even the entire TCP/IP stack) and replacing them with secure technology. Any non-secure legacy technology should simply be dropped from standards. None of this is trivial, and it will take a commitment more like a moon landing (and will probably take as many years).

If we need a date, then let's use no later than Y2K38 when the Unix clock rolls over.
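The "Unix clock rolling over" that the comment refers to is the point at which a signed 32-bit `time_t` can no longer count seconds since 1970. The following is an added example, not part of the comment above: it assumes a signed 32-bit `time_t` (an assumption, since 64-bit platforms are unaffected), computes the last representable instant, shows what a 32-bit system would read one second later, and runs a constructed list of expiry dates through a representability check of the kind a defender might apply to certificates or configuration.

```python
"""Added example: the Y2K38 rollover of a signed 32-bit Unix time_t.

Assumption (labelled): timestamps are stored in a signed 32-bit time_t, as on
many legacy systems. The sample expiry dates below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # last second a signed 32-bit time_t can represent


def to_int32(value: int) -> int:
    """Simulate storing an integer in a signed 32-bit slot (two's-complement wrap)."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value >= 2**31 else value


def epoch_to_iso(seconds: int) -> str:
    """Portable epoch-seconds to ISO-8601 UTC (works for negative values too)."""
    return (EPOCH + timedelta(seconds=seconds)).isoformat()


def last_32bit_instant() -> str:
    """ISO timestamp of the final second representable in a signed 32-bit time_t."""
    return epoch_to_iso(INT32_MAX)


def rollover_reads_as(true_epoch_seconds: int) -> str:
    """The date a 32-bit system would compute for a given true epoch time."""
    return epoch_to_iso(to_int32(true_epoch_seconds))


def fits_32bit_time(ts: datetime) -> bool:
    """True if the timestamp is representable as a signed 32-bit time_t."""
    secs = int((ts - EPOCH).total_seconds())
    return -(2**31) <= secs <= INT32_MAX


# Constructed sample: expiry dates of the kind found in certificates or configs.
SAMPLE_EXPIRIES = {
    "cert-a": datetime(2037, 12, 31, tzinfo=timezone.utc),
    "cert-b": datetime(2040, 1, 1, tzinfo=timezone.utc),
}


def expiries_past_rollover(expiries=SAMPLE_EXPIRIES) -> list:
    """Names whose expiry cannot be represented on a 32-bit time_t system."""
    return sorted(name for name, ts in expiries.items() if not fits_32bit_time(ts))


if __name__ == "__main__":
    print("last 32-bit second:      ", last_32bit_instant())
    print("one second later reads as:", rollover_reads_as(INT32_MAX + 1))
    print("expiries past rollover:  ", expiries_past_rollover())
```

The wrap is silent: the second after the last representable instant is read back as a date in 1901 rather than raising an error, which is why the check has to be done on the values ahead of time rather than waiting for a failure.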