Y2K lessons learned

Preparation is essential to protect against cybersecurity risks

We live today in a new global risk landscape not unlike a past time of high uncertainty: the pre-Year 2000 period.

Left unaddressed, the Year 2000 date change would have disrupted firms' operations and services. Individual preparation and collaboration across organizational and national boundaries prevented disaster. Those at the epicenter of the destruction last Sept. 11 benefited from those same preparations. After 200,000 phone lines failed in New York, the city and Verizon Communications restored service using procedures developed for the Year 2000. Thanks to safeguards developed in 1999, bond markets reopened in two days. The New York Stock Exchange used Year 2000 testing protocols to validate its back-up trading system. Many other organizations used Year 2000 procedures to determine whom to contact, review the backup of systems, set up command centers and direct evacuations.

Preparation is essential to protect against current cybersecurity risks. Action is needed in five areas: readiness assessments, risk management strategies, useable security tools, crisis management networks and public relations.

For the Year 2000, organizations produced comprehensive inventories of their most important partners, systems and information; the functions they performed; and the interconnections among them. These inventories must be updated. Firms also surveyed their suppliers to ensure their readiness. Today, few organizations are systematically evaluating the computer security posture of their trading partners. Organizations need to assess their readiness to prevent and respond to disruptions caused by attacks.

For the date change, organizations identified mission-critical systems and fixed them first. Today, once systems inventories and supplier risks have been identified, resources must be allocated to address the most important risks first. And personnel security and management must be given additional attention.

For the Year 2000, the computer industry created tools that found and fixed the bugs. Today, many technical security solutions are available, but applying them to organizations' particular situations and systems requires a level of sophistication beyond most network managers.

For the Year 2000, infrastructure owners and operators organized cooperative networks to share information, exercise contingency plans and coordinate emergency response. Today, not enough cooperation and information sharing is occurring, except in the financial services sector, where long-standing trust relationships support strong coordination. A bill modeled on Year 2000 information-sharing legislation is pending in Congress and deserves support.

Finally, before the Year 2000, firms and industry groups organized public information campaigns to reassure shareholders and the public that the impact of the bug would be minimal. To date, post-Sept. 11 corporate publicity has expressed compassion. Focus should shift to creating a coherent message of reassurance.

McConnell, former chief of information policy and technology at the Office of Management and Budget, is president of McConnell International LLC (www.mcconnellinternational.com).