ITAA's Year 2000 Outlook
March 5, 1999
Volume 4, No. 9
Published by the Information Technology Association of America, Arlington, VA
Bob Cohen, Editor
bcohen@itaa.org
Read in over 80 countries around the world

ITAA's Year 2000 Outlook is published every Friday to help all organizations deal more effectively with the Year 2000 software conversion. To create a subscription to this free publication, please visit ITAA on the web at https://www.itaa.org/transact/2koutlooksub.htm. To cancel an existing subscription, visit https://www.itaa.org/transact/2kremove.htm. ITAA's Year 2000 Outlook is sponsored in part by CACI International Inc. and Y2Kplus.

In this Issue:
· Speaker Cites Y2K Info Security Concerns
· Senate Report Offers Mixed View on Y2K Readiness
· Justice Department Concerned Over Liability Bill
· Senate Hearing Offers Cold Comfort
· Inquiring Investment Minds Want to Know
· Closer to Home
· Business to Business
· Sponsor Advertising

Speaker Cites Y2K Info Security Concerns

The Year 2000 software glitch may be expanding the field for computer criminals determined to plunder the information assets of many organizations. At least that is the thesis of Hank Kluepfel, SAIC vice president and speaker at ISACC '99, a conference focused on software assurance. An expert in critical information protection, Kluepfel says Y2K is a virtual calling card for technocrooks, industrial spies, infowarriors and others with malice in mind. For companies with lax security procedures, Kluepfel suggests that the century rollover not only raises the possibility of security threats but invites bad apples to roll right into the corporate barrel.

A company's date with deception can happen in several ways, according to Kluepfel. In the rush to remediate, he says, organizations can overlook the obvious. Like background checks. Or the extensive use of reusable passwords.
Kluepfel says that 80 percent of organizations reuse passwords for authentication, creating the crack in the door that computer thieves duck through. Fifty percent of firms, he says, do not perform background checks. The combination of poor personnel screening and reusable passwords can be potent. Kluepfel cites the recent example of a telecommunications company that, in the review of its security procedures, found a Y2K contractor employee behind its firewall, taking an unauthorized stroll through the company's information systems. Security 101. Do background checks. Change passwords. And limit access privileges to the lowest level required to get a job done.

Going offshore for system repairs also has its share of risks, Kluepfel says. "Sending applications to distant shores for remediation is tantamount to surrendering control of those assets," he says. Kluepfel suggests that companies must carefully weigh the risks and benefits, holding back those applications deemed absolutely essential to the enterprise.

Adversaries need not be an ocean away. Kluepfel says that info age perpetrators are "coming in over the backs" of authentic Y2K workers, particularly in cases where repairs are conducted via network connection. In these cases, just the process of making the Year 2000 repairs creates the breach that "broadband-its" penetrate. And what do these people do once inside? Two possibilities are the insertion of malicious code during the remediation of systems and the introduction of non-compliant code into fixed and tested systems. Malicious code could include backdoors to allow the perp programmer unauthorized access to the system or a Trojan horse, a nasty bit of masquerading code designed to release viruses or facilitate other undesirable computer actions. Slamming the door on these outside agents requires a due diligence program, running the gamut from threat analysis and risk assessment to monitoring and incident response in a secure environment.
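The malicious-code risk described above (a backdoor slipped into an application while it is out for remediation) is something a reviewer can screen for mechanically, as a first pass before the security-focused regression testing Kluepfel recommends. The script below is an added example, not code from Kluepfel, SAIC or ITAA: it diffs the pre-remediation source against the returned source and reports any newly introduced call to a watchlist of privilege-, credential- and shell-related routines. The watchlist, the two source fragments and the planted `system("/bin/sh")` line are all constructed for illustration.

```python
"""Flag sensitive routine calls that appear only in remediated source.

Added example. The watchlist, sample sources and the planted backdoor
below are constructed for illustration; they are not taken from the
newsletter or from any real remediation project.
"""
import difflib
import re

# Routines whose sudden appearance in "fixed" code deserves a human look.
# Assumption: an illustrative starting list, to be tuned per platform.
SENSITIVE_CALLS = {
    "setuid", "seteuid", "setgid", "setegid",   # privilege changes
    "system", "popen", "execl", "execv", "execve",  # shell / process spawn
    "chmod", "chown", "mount",                  # permission and device changes
    "passwd", "crypt", "getpwnam",              # credential handling
    "dlopen", "LoadLibrary",                    # dynamic code loading
}

# identifier immediately followed by "(" : a call (or a definition) site
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def added_lines(before: str, after: str):
    """Return [(line_no_in_after, text)] for lines not present in `before`."""
    b = before.splitlines()
    a = after.splitlines()
    matcher = difflib.SequenceMatcher(a=b, b=a)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                out.append((j + 1, a[j]))      # 1-based, as an editor shows it
    return out


def find_new_sensitive_calls(before: str, after: str, watchlist=SENSITIVE_CALLS):
    """Return [(line_no, routine, source_line)] for new calls to watched routines."""
    findings = []
    for lineno, text in added_lines(before, after):
        for name in CALL_RE.findall(text):
            if name in watchlist:
                findings.append((lineno, name, text.strip()))
    return findings


# Constructed sample: a two-digit-year routine before and after "remediation".
BEFORE_SRC = """
int expand_year(int yy) {
    return 1900 + yy;
}
""".strip("\n")

# The windowing fix is legitimate; check_date() carries a planted backdoor
# that opens a shell on a magic date (constructed for the example).
AFTER_SRC = """
#include <stdlib.h>
int expand_year(int yy) {
    /* windowing: 00-49 -> 20xx, 50-99 -> 19xx */
    if (yy < 50) return 2000 + yy;
    return 1900 + yy;
}
int check_date(int yy, int mm, int dd) {
    if (yy == 0 && mm == 1 && dd == 1) system("/bin/sh"); /* planted */
    return 0;
}
""".strip("\n")


if __name__ == "__main__":
    for lineno, name, line in find_new_sensitive_calls(BEFORE_SRC, AFTER_SRC):
        print(f"line {lineno}: new call to {name}(): {line}")
```

Run against the sample, the script reports the single new `system()` call on line 8 of the returned source and says nothing about the legitimate windowing change. It is a triage aid only: a call hidden behind a macro, a function pointer or a renamed wrapper will not match the regular expression, which is why Kluepfel's point about regression testing the privilege-establishing paths still stands.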
For Year 2000 work, according to Kluepfel, counter measures could include entering into a trust relationship with suppliers whereby information security best practices become part of the contract. Kluepfel also suggests selective regression testing of repaired code with security concerns in mind. The focus of this activity, he says, should include software which establishes privileges or library calls to change passwords or mount tapes. Finally, Kluepfel cites a Defense Science Board set of recommendations which include alerting all Y2K repair crews to the security issue, involving information security officers in Y2K projects, and incorporating the possibility of security breaches in Y2K contingency plans.

Senate Report Offers Mixed View on Y2K Readiness

A comprehensive report by the Senate Special Committee on the Year 2000 Technology Problem released this week fails to find "convincing evidence that the Y2K problem is well in hand" and notes that "fundamental questions of risk and personal preparedness cannot be answered at this time." The report warns that the biggest Y2K problems may lie offshore, but, even in the U.S., the widely adopted practice of organizational self-assessment is "analogous to letting students grade their own tests…" Moreover, the nation's emergency and security planning for Y2K-related failures is in a nascent stage: "FEMA contingency plans are in draft form, but there is no national, strategic plan to assure that critical infrastructures will continue to function."

Titled "Investigating the Impact of the Year 2000 Problem," the report provides an assessment of seven critical economic sectors: utilities, health care, telecommunications, transportation, financial institutions, government and general business. The news in several sectors is decidedly mixed, with health care diagnosed as, perhaps, the most desperate patient.
"The health care industry lags significantly in its Y2K preparations compared to other sectors," the report notes, with 90 percent of physicians' offices doing nothing to heal themselves. The report also cites the Gartner Group's assessment that 64 percent of hospitals have no plans to test remediation efforts.

The government sector is also found wanting with several states and many local governments behind on their Y2K remediation efforts. "Several states are not prepared to deliver critical services such as benefit payments," the report notes, adding that the status of local 911 and emergency services is of greatest concern. The report predicts that wholesale failures of the federal government or the nation's power grid are unlikely and says that interoperability testing indicates that the "U.S. communications will transition without significant problems." Red flags are hoisted for several facets of the transportation industry, including domestic airports, the Federal Aviation Administration, international air traffic control and airports and maritime shipping.

Even industries leading the pack seem to have readiness issues. The utilities industry "is configured to handle interruptions, blackouts, and natural disasters," the report notes, but also observes that the overall pace of remediation for the electric power industry is slow. A Committee survey of the oil and natural gas industry found a lack of contingency planning, unfounded optimism and a lack of supply chain information. In the finance sector, fund managers and brokers have only recently begun to factor Y2K vulnerability into investment decisions.

At least one industry has cried foul over the report findings. The North American Electric Reliability Council called the assessment of the utilities industry "grossly out of date." NERC spokesman Gene Gorzelnik told BNA that the industry is in good shape from an overall perspective with no Y2K-related outages an achievable goal.
The American Gas Association also cited the report's reliance on old numbers to characterize the readiness of the oil and gas industry. The report's suggestions for individuals include keeping paper records of financial statements, asking banks about Y2K readiness, and researching the compliance of companies before investing.

Justice Department Concerned Over Liability Bill

In a Senate Judiciary Committee hearing Monday, March 1, the United States Department of Justice issued a series of questions concerning the Year 2000 Fairness and Responsibility Act, a bill to limit liability in Y2K-related disputes. In her testimony before the Committee, Assistant Attorney General Eleanor D. Acheson outlined Justice's initial reactions to the Act. "Our preliminary analysis indicates that this bill would be by far the most sweeping litigation reform measure ever enacted if it were approved in its current form. The bill makes extraordinarily dramatic changes in both federal procedural and substantive law and in state procedural and substantive law," commented Acheson.

Acheson objected to Title II of the Act, suggesting it amended existing federal and state contract law, and would modify the terms of negotiated contracts and contractual relationships. The "reasonable efforts" clause in Title II, intended to allow defendants to enter into evidence reasonable efforts they took to fulfill contract requirements, was viewed by Justice as a deviation from existing law. "As a general matter, a party to a contract is obligated to fulfill its promises and is liable to the other party for damages to the latter resulting from the former's breach of the contract absent force majeure or other extremely rare circumstances. It does not matter whether the party breaching the contract made reasonable efforts to avoid a breach.
This widespread rule of basic contract law has been in existence for hundreds of years in the common law, is currently reflected in our contract statutory schemes (e.g., the Uniform Commercial Code), and is essential to commerce," Acheson said.

A second concern for the Justice Department was Title III of the Act, which appears to alter both federal and state tort law for Y2K. According to Acheson, these sections create new defenses and limit damages that a plaintiff can claim. "Reasonable efforts" was cited as a new defense providing protection from liability. It appears to prevent recovery of damages if a defendant can "show that the plaintiff should have known of information that could reasonably have aided the plaintiff in avoiding the injury on which his claim is based." In terms of limiting damages, Acheson said the Act might hinder plaintiffs from actually recovering damages, which may have the unintended effect of destroying a small business.

Further concerns were expressed about the Act amending state procedural requirements. These include federalizing Y2K class action suits and the overall scope of the Act, which explicitly covers lawsuits filed by state and federal governments. Acheson said that applying the Act's limitations to these entities might have the effect of interfering with their ability to enforce their own laws.

Charles Rothfeld, of Mayer, Brown and Platt, viewed the Justice Department's reaction in part as a misunderstanding of what the legislation does, and in part as the most expansive reading possible of the bill. He also noted that there were issues the DOJ generally supported, and that they expressed a willingness to work on legislative language. "This can be seen as them firing a warning shot across the bow, but not necessarily preventing a bill in some form," said Rothfeld. Rothfeld cited two examples where the Justice Department took an overbroad reading of the bill.
Citing their criticism of allowing a defendant to introduce evidence of "reasonable efforts", he maintained that the bill does not create an "in contract" reasonable efforts defense, but rather is designed to potentially mitigate damages. This is unlike a tort action where a reasonable efforts defense could eliminate liability. Rothfeld also views their concerns with the "economic loss" rule as an expansive definition, saying this provision would codify common law, whereas Justice read the provision as a dramatic change in the law that would cut off the ability to sue.

Supporters of the bill recognized that the objections are a starting point for negotiations, and that most bills require many rounds of negotiations before they reach a final form. James T. Bruce, Partner at the Washington, DC law firm Wiley, Rein and Fielding, does not disagree with some of the D.O.J. concerns. "The normal legislative process permits careful scrubbing of legislative proposals and especially their unintended consequences. The problem for this legislation is that there's a tradeoff between its reach and the time remaining for enactment. I think it would be imprudent to dismiss the Justice Department's comments in their testimony," Bruce said.

Lino Lipinsky, Of Counsel for McKenna and Cuneo, points out that the opposition from the Justice Department could affect the bill's likelihood of passage. "This testimony shows that the bill will not sail smoothly through the legislative process. The White House and ATLA have significant concerns that have to be addressed if the bill is to garner bipartisan support. It shows the bill will need to be modified to win Democrat votes or avoid a veto," said Lipinsky.

The Year 2000 Fairness and Responsibility Act is backed by a large coalition of industry, including the Information Technology Association of America.
Senate Hearing Offers Cold Comfort

Witnesses testifying before a Senate panel today described how Y2K could deliver a world of hurt to many overseas. As first reported by Reuters, State Department officials said that travel warnings and evacuation plans may become necessary. State Department Under Secretary Bonnie Cohen called the Y2K efforts of some governments "inadequate, belated and uneven." CIA national intelligence officer Lawrence Gershwin indicated that Soviet-designed nuclear power plants in Russia and Central and Eastern Europe are problematic and could leave several countries in the cold during mid-winter. Ditto the Russian gas monopoly, Gazprom. Gershwin said Y2K problems in China are compounded by the use of pirated software in government systems.

In a related matter, Reuters reports that Serhiy Parashin, an independent Ukrainian nuclear power expert, says that energy authorities in his country do not understand the problem and that Y2K could pull the plug on the nation's five nuclear power plants next year. Olexander Parhomenko, director of the state nuclear power agency, says Ukrainian nuclear plants are not fully computerized and, therefore, not at risk.

Inquiring Investment Minds Want to Know

The California Public Employees Retirement System (CalPERS) has queried 2,600 foreign corporations for Y2K status information. As first reported by BNA, CalPERS is a $150 billion pension fund with $26 billion invested overseas. CalPERS wants these companies to provide the status of their mission critical systems, contingency plans, costs, risks and related details. Earlier, the pension fund polled 1,600 domestic companies. All responses are to be posted on the group's website at www.calpers-governance.org.

Closer to Home

This week ITAA announced that the Consulting Group of Computer Sciences Corporation (CSC) received ITAA*2000 certification. ITAA*2000 is the industry's century date change certification program.
The program examines processes and methods used by companies to perform their Year 2000 software conversions. The Consulting Group of CSC participated in a rigorous evaluation of their approaches to date conversion, with extensive analysis in eleven discrete process areas deemed necessary to a successful Year 2000 conversion.

Business to Business

MigraTEC, Inc., Dallas, TX, has entered into a licensing agreement with Ctek, Ltd.

SunGard Data Systems Inc., Wayne, PA, has completed the acquisition of Automated Securities Clearance, Ltd. (ACS).

Data Dimensions, Inc., Bellevue, WA, has introduced Ardes 2k Risk Manager, an interactive knowledgeware tool that enables risk managers to quickly identify and respond to enterprise-wide business issues.

Turn of the Century Solution LP (TOCS), Wayne, PA, has signed a world-wide patent license with Precision Software Ltd.

ITAA Y2K Information Center
Solution Providers Directory: http://www.itaa.org/script/2000vend.cfm
ITAA*2000 Certification Program: http://www.itaa.org/2000cert.htm
Outlook Archive: http://www.itaa.org/script/get2klet.cfm
Legislative and Litigation Table: http://www.itaa.org/year2000/legis.htm
Calendar: http://www.itaa.org/y2kcal.htm
Vendor/User Status Questionnaires: http://www.itaa.org/questmain1.htm
Alternate Dispute Resolution (ADR): http://www.itaa.org/year2000/adr.htm
Statement of Intention to Use ADR: http://www.itaa.org/year2000/soi.htm
Y2K Mediators Seminar: http://www.technologymediation.com/Y2K_seminar.htm

Copyright ITAA 1999. All rights reserved. The Information Technology Association of America, 1616 N. Fort Myer Drive, Suite 1300, Arlington, VA 22209. Internet: http://www.itaa.org