Y2K Lessons and Legacies for Homeland Securitygreenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
The following article is posted here for the interest and information of the GICC readership. It is reprinted with the permission of the PA TIMES, a publication of the American Society for Public Administration. The article appears in Vol. 24, Issue 11, Nov. 2001.
Strategic Planning and Y2K Technology Challenges: Lessons and Legacies for Homeland Security
By Paula D. Gordon, Ph.D.
The tragic events of September 11, 2001 have had an impact on strategic planning and implementation efforts relating to all aspects of national infrastructure protection and security, including information technology, cyber-security, and cyberterrorism. Indeed, the lessons that can be learned from national and global efforts to address Y2K-related technology problems, can be viewed in a new light given the events of September 11. Understanding the successes and the shortcomings of the Federal government's Y2K efforts can help illumine current efforts to address the multiplicity of complex challenges and threats that now face the nation. Many of the current challenges and threats are also highly technical in character. In addition both sets of challenges have been characterized by a sense of urgency and the need to organize quickly in order to bring about desired results.
To reflect on the Federal government's Y2K efforts at this point in time constitutes something of a challenge. I will begin by summarizing some of the misconceptions concerning Y2K, misconceptions that seemed to make discussion of Y2K particularly difficult prior to September 11. These misconceptions span a wide gamut and include the following:
1) that (perhaps) Y2K was never a problem in the first place;
2) that problems occurred but that no problems of significance occurred;
3) that real challenges were addressed and that no problems of significance occurred because of the relative thoroughness of remediation efforts;
4) that it was possible to determine the overall impact of Y2K in the first weeks of the year 2000 and that it was reasonable to curtail any continuing efforts, including efforts to assess what actually happened and efforts to identify, acknowledge, and track ongoing problems;
5) that the government had a sufficient number of experts tracking, monitoring, and assessing problems before, during, and after the primary trigger date of January 1, 2000;
6) that those in positions of responsibility in the private sector were fully knowledgeable and/or fully forthcoming concerning problems that became evident after January 1, 2000 and that they were keeping public officials apprised of the ongoing problems that were occurring; and
7) that the media had sufficient technical knowledge of Y2K-related technology issues to ask the right questions and to take note of and discern the significance of the ongoing problems that have occurred.
I have addressed these misconceptions in the writing that I have done on Y2K over the past several years. From the close tracking I have done of Y2K, I would characterize Y2K efforts and what has actually happened in the following way:
1) At the time of January 1, 2000, the most critical trigger date, far more temporary as well as long-term remediation had been completed than had been reported.
2) Prior to January 1, 2000, more attention had been devoted to contingency planning and "work-arounds" than had been anticipated; more actions had been taken than any one individual in roles of public responsibility knew. No one person at the time of the January 1 rollover date knew the extent to which systems and plants were operating at reduced power, were operating partially or totally on manual control, and/or were turned off with plans to bring them back up slowly and over time so that there would be no risk of simultaneous failures and cascading effects.
3) Prior to January 1, 2000, an extraordinary amount of behind-the-scenes, outside-of-normal-channels efforts were carried out deftly throughout the world in every locale that the US military had a presence. Similarly, multi-national corporations undertook major low profile initiatives in locales where they had a presence around the world. No comprehensive reports of these efforts have been made public, nor is it likely that such reports will be issued in the future.
4) There were Y2K-related problems that were triggered before the rollover, at the time of the rollover, and subsequently that were recognized or reported as being Y2K-related problems. A wide variety of reasons accounts for such instances of non-reporting and underreporting.
5) The cumulative impact of minor and more serious Y2K-related problems has been slowly evolving since the January 1, 2001 into a low to mid-range Y2K impact scenario. Prior to September 11, impacts in all key sectors of the nation's infrastructure and economy were discernible. The significance of such impacts seems to have been totally overshadowed by the events of September 11. There remain a few reasons why it might be important to even mention these impacts now. One reason has to do with a basic tenet of problemsolving: If you have a problem and have not identified or acknowledged its cause, you may well end up treating and re-treating the symptoms or, in the case of IT systems and complex integrated systems, you may end up having to replace systems that ultimately fail. Another reason to consider these impacts is that there may be lessons to be learned concerning what has transpired and what was done. Yet another reason is that there is work that remains to be completed.
6) Temporary "fixes" that were done and remediation efforts that were not fully or adequately completed continue to need ongoing attention. At the same time, resources have dwindled, individuals with knowledge of complicated and patched-together systems may have moved on, and/or needed expertise may no longer be available.
7) Having averted a worse case scenario, a victory was "declared" and no one in government continued to follow in an active way those problems that became evident after the first few weeks of the year 2000. (One of the resources that have tracked Y2K-related and other infrastructure problems since January 1, 2000, has been the Grassroots Information Coordination Center on the Worldwide Web.) Tracking, assessment, and monitoring of Y2K-related problems by the government effectively ceased in the first half of the year 2000.
8) In the late 1990's, it was commonly understood by analysts and experts most knowledgeable concerning Y2K that it could take 18 to 24 months after the initial trigger date of January 1, 2000 before the cumulative impacts of Y2K might become known. Persons in key roles of responsibility in the government seemed to have abandoned that understanding when a mid-range or worse case scenario did not materialize in the first weeks of the year 2000. Both the Administration and the key Committees in Congress declared an early victory and ended practically all Y2K-related efforts. In doing so, they neglected to authorize or undertake a comprehensive assessment of national and global efforts, problems, and impacts. The General Accounting Office's did issue a report of September 2000, but that report focused narrowly on remediation efforts of IT systems within the Federal government. The Office of the Inspector General of the U.S. Department of State in their May 2001 report identified a wide range of important lessons learned from the best practices that had been used in promulgating remediation efforts throughout the world, but the authors of the report did not attempt an overall assessment of the nature of the problems that occurred or the sufficiency of Y2K efforts.)
9) Even if the Federal government had acted to track, monitor, assess, and assist in addressing Y2K problems, those in key roles of responsibility had an insufficient amount of expertise to assess and address such problems and to inform strategic planning and implementation efforts adequately. As a result, the Federal government's efforts ended up being based on an insufficient definition of the nature and scope of the challenges to be addressed.
10) While extraordinary resources were dedicated to coordinating efforts throughout the nation and the world, and while there were numerous notable and laudable successes that spared the nation and the world much grief, there were still major gaps in the efforts that were undertaken. These could have resulted in very serious problems, here and abroad.
Essentially, the Administration's Y2K efforts were understaffed, underfunded, and lacking in sufficient technical expertise. Additional expertise was needed to help inform the efforts of those engaged in strategic planning and action.
Studying approaches that were taken to Y2K can be especially helpful because there are so many lessons to be learned. This includes lessons concerning pitfalls to be avoided.
Studying such approaches is especially germane to the government's anti-terrorist and homeland security efforts. Similar to the government's Y2K efforts, anti-terrorism and homeland security efforts need to be designed to address challenges and threats in a comprehensive way. Efforts need to be task-oriented and effectively organized, coordinated, facilitated, and directed. They need to be fully staffed and funded. Care needs to be taken to create and maintain a healthy organizational culture, one devoid of bureaucratic infighting and turf battles. Those spearheading the government's efforts need to have requisite generalist and specialist skills and expertise. They need to draw upon the expertise of individuals from a multiplicity of pertinent fields and disciplines. Considerable attention needs to be given to education, training, information dissemination, knowledge transfer, and technical assistance if efforts are to be fully effective.
Y2K efforts can be seen to bear directly on homeland security and homeland security measures in other ways as well. It seems that emergency preparedness plans and crisis management plans developed for Y2K played a role in the response of a number of companies and institutions involved in the September 11 attacks on the World Trade Center. It seems that many companies and institutions when they prepared for Y2K, focused considerable attention on emergency preparedness planning, crisis management planning and business continuity planning, data systems back up, and contingency planning. The legacy of those Y2K efforts for homeland security has been considerable. Affected companies and institutions that had prepared for Y2K eventualities benefited immeasurably as a result. In some news accounts since September 11th, the activation of emergency preparedness planning developed as a result of Y2K has been credited with the saving of lives. Crisis management planning, the backing up of data systems, and business continuity planning that were undertaken as a part of Y2K preparations have been credited with playing a very important role in accelerating the recovery of New York City and allowing for the speedy restoration of the world's financial markets. It seems that the implementation of Y2K related plans have had some extraordinarily beneficial consequences. The lessons learned and to be learned from Y2K can be expected to contribute even more to addressing the anti-terrorist and homeland security challenges now before us.
Paula Gordon has served in strategic planning, policy analyst, and troubleshooter roles in a variety of Federal agencies, including the National Institute of Mental Health, the Federal Energy Office and Federal Energy Administration, the Federal Emergency Management Agency, the Research Applied to National Needs Program of the National Science Foundation, the Environmental Protection Agency, and the Advisory Commission on Intergovernmental Relations. Her White Paper on Y2K is posted at http://www.gwu.edu/~y2k/keypeople/gordon. She is the Director of Special Projects for the Research Program in Social and Organizational Learning of The George Washington University and is currently focusing attention on homeland security initiatives. E-mail: firstname.lastname@example.org.
[End of article]
-- Paula Gordon (email@example.com), November 03, 2001
What most readers of this forum do realize, but the American public at large generally does not, is that the RESULT of terrorism could be the same as a "worst case" Y2K outcome: A total collapse of the power grid, that literally brings civilization to a sudden and total shutdown.
If the terrorists can organize and execute the complexities of the Sept. 11 attack, they are perfectly capable of bringing the power grid down. Major cascading outages have occurred from amazingly minor incidents, and there are too many thousands of miles of electrical transmission lines to guard effectively.
My greatest fear is that they are only waiting for a deep cold snap of Winter to carry this out. The lower the temperature, the shorter the time from grid shutdown to urban "InfoMagic" type devolutionary spiral type collapse. Are there contingency plans in place for such a "Y2K" type scenario? Would outside help arrive from unaffected nations in time before the large cold climate urban centers from becoming Dresdens, as people set fires in a desperate attempt to not freeze to death?
-- Robert Riggs (firstname.lastname@example.org), November 03, 2001.
Thanks very much for your comments.
The questions you raise are very important ones. In additional writing that I am doing, I will be trying to point out the relevance of the mid-range and worst case Y2K scenarios to our present situation.
Even the President's Council on Y2K (which effectively ceased functioning shortly after the rollover) left little evidence of having seriously considered and planned for possible eventualities involving a mid-range or worst case scenario. The only places that such planning was going on in the Federal government that I am aware of was the Naval War College and DOD think tank efforts. Continuity of government efforts and the Critical Infrastructure Assurance Office were others exceptions. The focus of the latter was on cyberterrorism and critical infrastructure.
I also know of very few in roles of public responsibility at the Federal, State, and local levels who seriously considered and planned for mid-range or worst case scenarios that seriously impacted most if not all of the following at once: public health and safety, social and economic stability, the social fabric, and the health and habitability of the environment.
The Department of Commerce in their April 1999 report provided an analysis of a host of interconnected problems. In their report, they effectively described some of the major elements that might be found in a mid-range scenario.
The testimony of Lawrence Gershwin of CIA and of the Department of State's IG to Senator Bennett's Committee in late 1999 also provided some realistic global scenarios that have particular relevance to our current situation. The testimony of several consulting groups also echoed many of the same conclusions found in the CIA and State Department testimony.
My present impression is that as of now no one involved in homeland security efforts in the Executive Office of the President is thinking about the relevance of these Y2K scenarios and analyses. Indeed, I know of no one in such roles who has indicated any awareness or knowledge of those Y2K scenarios and analyses. Also, to the best of my knowledge, thus far, no one in such roles of responsibility has indicated any awareness of the most effective practices and approaches that were employed for Y2K. I am hopeful that all that may change soon.
-- Paula Gordon (email@example.com), November 03, 2001.