ITAA's Year 2000 Outlook
November 20, 1998
Volume 3, No. 43
Published by the Information Technology Association of America, Arlington, VA
Bob Cohen, Editor bcohen@itaa.org
Read in over 80 countries around the world

ITAA's Year 2000 Outlook is published every Friday to help all organizations deal more effectively with the Year 2000 software conversion. To create a subscription to this free publication, please visit ITAA on the web at https://www.itaa.org/transact/2koutlooksub.htm. To cancel an existing subscription, visit https://www.itaa.org/transact/2kremove.htm.

ITAA's Year 2000 Outlook is sponsored in part by CACI International Inc., DMR Consulting Group Inc., and Y2Kplus.

Report Puts Y2K Bug at Ground Zero

Too bad Halloween is in October. A report released this month by the British American Security Information Council (BASIC) on Y2K and the world's nuclear arsenal makes for some tense reading. The Bug in the Bomb: The Impact of the Year 2000 Problem on Nuclear Weapons comes off with a bang, arguing that the U.S. Department of Defense is essentially bungling its date conversion mission. The report argues that current U.S. and Russian defense strategies like "launch on warning" should be scrapped in response to the date bug, and that nuclear powers should stand down their nuclear operations, adopting a "safety-first" approach.

The basic mission at BASIC is nuclear disarmament, so it should come as no surprise that the group sees Y2K as just one more good reason to pull the plug on the world's nuclear missiles. The point is readily conceded by report author Michael Kraig, a Scoville Fellow at BASIC, who indicates that using an issue like Y2K to advance an agenda is just business as usual among non-governmental organizations. He also stresses that Y2K errors alone are extremely unlikely to cause warheads to detonate or missiles to be fired by mistake.
Having said that, however, Kraig builds the type of Strangelovian case that could conceivably bring the world to the nuclear brink. Like so much in the Y2K realm, it all comes down to timing. In this case, Kraig is concerned about the amount of time political leaders have to call off a nuclear attack. The Cold War may be over, but the U.S. and Russia still maintain command, control, communication and intelligence (C3I) systems, bringing them eyeball-to-eyeball and enabling them to adopt launch on warning defensive postures, according to Kraig. The goal of this strategy is a massive pre-emptive strike in response to an initial nuclear attack. Accurate, verifiable information to confirm the reality of such an attack is critical to avoid cataclysmic mistakes. And that information must be gleaned in 30 minutes or so--all the time that may stand between modern society and the Planet of the Apes.

So what happens if Y2K is a sharp stick in the eye of one of these critical surveillance systems, eliminating verification information or cutting in half the amount of time the President has to react? C3I systems are composed of multiple integrated subsystems, including satellites, receiving stations, radars, and computers. "…the breakdown of even a few components in the C3I network could cause partial early warning blackouts that would severely truncate the decision time available to political leaders and military officials," the report notes.

Suppose, for instance, that infrared satellites pick up evidence of a missile launch, but Y2K problems have caused a blackout in a particular Ballistic Missile Early Warning System (BMEWS) radar corridor. According to the BASIC report, "officials would be hard-pressed to verify the initial launch evidence given by [Defense Support Project] satellites.
Data sources would then include only the first indications of attack by satellite, prior intelligence indications of preparatory military maneuvers, and the explosion of one or more warheads on US territory. This would represent a seriously unstable and potentially catastrophic development under a 'launch on warning' regime…"

"If Y2K breakdowns produce inaccurate early-warning data, or if communications and command channels are compromised, the combination of hair-trigger force postures and Y2K failures could be disastrous," the report warns.

The BASIC report argues that any new breaks in the chain make a bad situation worse. Pre-launch intelligence, it claims, "is notoriously faulty and deficient." Satellites blink out for reasons that have nothing to do with Y2K and bad eye-in-the-sky data has sent NORAD commanders into "missile event conferences" in "hundreds of cases."

While DoD is thankfully adept at screening out electronic garbage and keeping the missiles in the silos, the Pentagon has been far less effective at targeting the Millennium bug, according to BASIC: "Initial research findings by a number of different agencies and teams of experts both inside and outside the Department of Defense have resulted in no confidence that the Pentagon's present program will meet the Year 2000 challenge."
The report charges America's war fighting machine with having "no general theory or methodology" for assessing Y2K compliance, expresses concerns about the reluctance of DoD to share information, cites a lack of Congressional oversight about the defense-related aspects of the Y2K situation, and charges: "…there are severe and recurring problems across the entire DoD Y2K remediation program, including ill-defined concepts and operating procedures, ad-hoc funding and imprecise estimates for final costs, lax management, insufficient standards for declaring systems 'Y2K compliant,' insufficient contingency planning in case of Y2K-related failures, and poor inter-departmental communications."

Clamming up may be one major Defense strategy in response to its Y2K conundrum. Here's an example. DoD has used the Defense Integrated Support Tool (DIST) database as a repository of Y2K status and readiness information for systems throughout the military. Given the nature of DoD's interlocking systems, the DIST was intended to provide Y2K remediators in the defense establishment with a ready resource for sharing system compliance and interface information. But the wheels began to fall off the DIST battlewagon when the General Accounting Office (GAO) and DoD Inspector General's office reported the database contained incomplete, imprecise, outdated and duplicate information.

"Whatever its faults, this method of information sharing was dismantled on early February 1998," the BASIC report notes, when the National Security Agency (NSA), fearing info terrorists, classified the DIST top secret. The move put efforts towards integration and cooperation among DoD components in a black hole. "Any incomplete cross-department remediation efforts being carried out by staff without top secret clearance were effectively halted in midstream," BASIC claims.

Even words coming down from the top seem to be up in the air.
The BASIC report questions assertions by DoD Deputy Secretary John Hamre that all mission critical nuclear systems have been fixed and only 100 mission critical systems overall remain to be repaired. Systems in both categories are supposed to be ready for validation testing by January 1999.

Not so, according to the think tank. The report cites Admiral Richard Mies, Commander-in-Chief of the Strategic Command (STRATCOM), stating in a closed door September meeting that eleven crucial STRATCOM nuclear systems would fail to meet a revised December repair deadline. "Mies added that twelve new systems currently in development will not be compliant with Y2K program standards," according to the report.

If the world's most powerful nation is taking on water as the result of its Y2K problems, what's the situation like on the other side of the nuclear pond? Clearly, no one is yellin' the praises of Boris Yeltsin. At least not where Y2K is concerned. "The civilian and military leaders of Russian nuclear weapons systems and C3I have thus far steadfastly denied that there will be Y2K difficulties for the country's nuclear forces." Russia uses "special technologies" according to Igor Sergeyev, the nation's Defense Minister, thereby sidestepping Y2K problems in its nuclear forces.

How "special" such technologies are is highly debatable. BASIC suggests they are old and obsolete. "Russia's decaying nuclear systems are…in danger of Y2K failures…" the report states. Russian defense systems utilize "wired logic systems" which are factory sealed and harder to fix, according to a Russian technician quoted in the report.

Report author Michael Kraig says the U.S., Russia and other nuclear powers--if unwilling to disarm completely--should at least consider taking intermediate steps that would add critical hours, days or even weeks to a launch countdown. In nuke-speak, this is called "de-alerting."
BASIC says such steps could include de-coupling warheads from missiles, removing nose-cones from warhead bodies, and "pit stuffing," which packs the core of the warhead with wire and prohibits it from exploding.

While Kraig says such approaches "run up against the wall" of the STRATCOM planning apparatus, other trends may be converging to make the timing right for a new discussion of the issues. According to Kraig, Sen. Bob Kerrey (D-NE) has suggested unilateral cuts in U.S. nuclear arms to SALT II levels and a Congressional Budget Office ordered by Senate Minority Leader Tom Daschle raises a series of options for shoring up Russia's shaky C3I infrastructure. Such options include early-warning information sharing, transfer of 1970s-vintage satellite sensor and data processing technology, payments to Russian scientists for the integration of western sensor technology, even funding a buildup of Russian research into next generation technology.

America funding Russian research into advanced C3I technology? Sounds like the stuff of Hollywood movies or liberal think tanks. Kraig admits that the old guard in Congress is unlikely to abandon a "launch on alert" national defense posture, Y2K problems or not. He claims, however, a group of new Republicans may indeed be questioning the need to have thousands of warheads "on hair trigger alert."

Is Y2K likely to bring new life to the nuclear disarmament discussion? "The dangers of Y2K-induced nuclear systems failure are of sufficient probability and magnitude to warrant serious and immediate action by the President, Congress, the Pentagon, governmental investigative branches, outside experts, and the public," BASIC says, adding, "The principle informing such action should be to insure that safety takes precedence over force readiness." Tough choices to be sure with thoroughly unpredictable consequences. Hey, welcome to the new Millennium.
Financial Services Firm Sees F500 Holding the Line on Y2K Spending

Morgan Stanley Dean Witter says companies are putting the brakes on Y2K spending. A survey of Fortune 500 CIOs and other top IT execs released this week by the firm finds that two thirds will spend less than 10 percent of their 1999 budgets on Y2K; just one in eight said that Y2K expenditures would add up to more than one-third of budgets next year. Overall spending increases for IT are expected to drop from between seven and nine percent to between four and six percent. Nearly one-third of those surveyed said they have deferred new projects because of Y2K issues; fifty-seven percent said they have a post-Y2K project backlog to address. Three quarters of the respondents said Y2K considerations have pushed them to increase spending on commercial off the shelf products.

SEC Clarifies Disclosure Guidance

Practice makes perfect. The Securities and Exchange Commission has issued a series of Year 2000 Frequently Asked Questions this month to explain what the agency meant in its July 1998 interpretative release. First up, the SEC says its July release should not be used as a "checklist." "Merely because a matter was addressed in the Release does not mean it applies to every company." For a meaningful disclosure, public companies have to supply information about their Y2K state of readiness, costs, risks and contingency plans. The amount of information necessary in each category will vary over time, the SEC says. For instance, the level of risk and contingency planning information may rise next year. Historical or estimated cost disclosures are only required if deemed material. SEC says its interpretive release suggested disclosures and contained examples of situations that do not apply to every company. The agency indicates that its disclosure requirements for Y2K risks do not need to be overly broad.
"Companies need not address all possible catastrophic events, including failure of the power grid or telecommunications," unless, of course, the company knows that these events are reasonably likely to occur. Closer to Home This week marked a milestone for the ITAA*2000 Certification Program. ITAA announced that Ford Motor Company's Year 2000 operation is the 100th organization to receive ITAA*2000 Certification. ITAA also announced this week that Rockville, Maryland based Manugistics, Inc., Supply Chain Products Division received ITAA*2000 Certification. Both Ford Motor Company's Year 2000 operation and Manugistics' Supply Chain Products Division underwent an an alysis which examined their processes and methods used to perform Year 2000 software conversions. The program involves a rigorous evaluation of an organization's approach to date conversion, with extensive analyses in eleven discrete process areas deemed necessary to a successful Year 2000 conversion. To learn more about the ITAA*2000 Certification program, visit http://www.itaa.org/2000cert.htm Business to Business Century Technology Services, Inc., McLean, VA, has announced the availability of Escape2000, their new supply chain audit service. BrightStar Information Technology Group, Inc., Lafayette, LA, has been awarded a Y2K contract by Petroleum Helicopters, Inc. WRQ, Hong Kong, China, has introduced version 4 of Express 2000 Software Manager, which will be available at the end of November. Ford Motor Company, Merrillville, IN, has signed an agreement with CIMCOR, Inc. to purchase their Y2K software assessment tool, PLC SCAN2000. 
ITAA Y2K Information Center

Solution Providers Directory http://www.itaa.org/script/2000vend.cfm
ITAA*2000 Certification Program http://www.itaa.org/2000cert.htm
Outlook Archive http://www.itaa.org/script/get2klet.cfm
Legislative and Litigation Table http://www.itaa.org/Y2Klaw.htm
Calendar http://www.itaa.org/y2kcal.htm
Vendor/User Status Questionnaires http://www.itaa.org/questmain1.htm

Copyright ITAA 1998. All rights reserved. The Information Technology Association of America, 1616 N. Fort Myer Drive, Suite 1300, Arlington, VA 22209. Internet: http://www.itaa.org