ITAA's Year 2000 Outlook
April 30, 1999
Volume 4, No. 16

Published by the Information Technology Association of America, Arlington, VA
Bob Cohen, Editor
bcohen@itaa.org
Read in over 80 countries around the world

ITAA's Year 2000 Outlook is published every Friday to help all organizations deal more effectively with the Year 2000 software conversion. To create a subscription to this free publication, please visit ITAA on the web at https://www.itaa.org/transact/2koutlooksub.htm. To cancel an existing subscription, visit https://www.itaa.org/transact/2kremove.htm.

ITAA's Year 2000 Outlook is sponsored in part by CACI International Inc., DMR Consulting Group Inc and Y2Kplus.

In this Issue:
· Chernobyl Virus: Leaking Y2K Lessons Learned…or Not
· Y2K Liability Bill Heats Up
· Local Power Distributors in the Dark on Y2K?
· Closer to Home
· Business to Business
· ITAA Y2K Information Center
· Sponsor Advertising

Chernobyl Virus: Leaking Y2K Lessons Learned…or Not

Computer users in countries around the world may have received an early taste of the turmoil Year 2000 has brewing eight short months from now. The Chernobyl virus damaged or destroyed computers and data in South Korea, India, China, Turkey, the United Arab Emirates and elsewhere. Major losses occurred despite early warnings and widely available prevention strategies. Meanwhile, disruption in the U.S. and Europe appears to be limited.

The Chernobyl Virus attacks computers using the Windows 95 and 98 operating systems. Particularly mean-spirited in nature, the virus inserts itself in executable files and tells the machine to erase its hard drive and overwrite its system BIOS. Unlike the Year 2000 bug, the Chernobyl virus--drawing its name from the Chernobyl nuclear power plant disaster--is the work of a single programmer and can be eliminated with readily available scanning tools and anti-virus products.
Even though the problem could have been avoided, Chernobyl still caught tens of thousands of computer users napping. Unisys Information Security Analyst Fred Tompkins says the underlying message from this week is to be proactive when it comes to computer vulnerabilities. Just like the Year 2000 situation, he said large corporations saw Chernobyl coming and took the necessary preventative actions. But the ability to see computer trouble up ahead does not necessarily translate to newer generations of users. According to Tompkins: "With the younger generation, the availability of computer technology is taken for granted…you assume that things will work right. That's the mentality around the world: 'It can't happen here.'"

But with the Chernobyl virus, "it" obviously did. Damage estimates reach into the hundreds of millions of dollars. Not in the trillion dollar plus category often predicted for Y2K, but still something of an eye-opener. Particularly when one recalls that the scope of the Chernobyl virus is essentially limited to Windows-based desktop machines.

Peter Wan, a research scientist at Georgia Institute of Technology and Georgia Tech representative to the Forum of Incident Response and Security Teams (FIRST), suggests that Chernobyl's destructive fury was reined in by its preference for single user machines, rather than servers and corporate information system platforms. Had it attacked machines serving hundreds of users, "…its impact would have been magnified," Wan said.

Companies from Asia to the Middle East may still think that the present damage was bad enough. But will Chernobyl be a Year 2000 wake up call? Unlikely. Part of the problem overseas may be that computer technology in many settings is new and still something of a novelty, even for large companies, Wan says. He suggests that while countries may be ramping up on computers and software, the level of sophistication in areas like computer security and information assurance may lag the West.
Education on issues like computer viruses and Y2K date problems is just not part of the package. As a result, these already battered users may be on a collision course with a second drop dead date.

There also may be other factors that make virus victims more vulnerable to Y2K problems. Countries lacking strong intellectual property protection regimes may also lack a strong interest in protecting their software assets. David Mussington, a policy analyst at Rand Corporation, says that countries with a high concentration of software piracy tend to spend less on anti-virus software and security products. "If you're not purchasing your software, you're not purchasing software support. You are certainly not receiving virus updates or alerts. You are unlikely to have access to the new versions of licensed software where bugs have been fixed and Y2K date problems remediated." A case of people not getting what they didn't pay for? Mussington says that poor software administration habits and Y2K slackness may not be a direct cause and effect, but a correlation between the two probably exists.

Human nature also plays a role. Tompkins says that just days after the Chernobyl event, public interest is beginning to wane. In that context, Year 2000 is still too far off for many users to see it as a threat. "Three days from now, [Chernobyl] will be a non-problem…from front page news to Section B." He says that in the U.S., if an episode like Chernobyl doesn't have significant impact, it's on to the next problem.

Others agree that this week's virus may be more snooze alarm than wake up call. Robert Giovagnoni, former General Counsel on the President's Commission on Critical Information Infrastructure Protection, now with Infrastructure Defense, says Chernobyl isn't a wakeup call for the Year 2000--an event he says "will come when it comes." He suggests that the only thing which will make Y2K seem real is the reality of the rollover itself.
To illustrate his point, he says 52 percent of U.S. gross domestic product springs from small businesses. Many of these companies use computers that are anywhere from three to nine years old, he says, and many are not Year 2000 compliant. Giovagnoni calls the task of creating replacement chips a physical impossibility.

So what can the Y2K world learn from the Chernobyl experience? Information security specialist Fred Tompkins might say that eternal vigilance is the price of disruption-free system operations. He is concerned that the U.S., coming through this week relatively unscathed, may fall into a false sense of security around Y2K. Whether or not that proves to be so, Chernobyl may serve as a potent sign to those willing to learn that, in the information economy, an ounce of prevention is still worth a pound of cure.

Y2K Liability Bill Heats Up

Elected officials provided a civics lesson this week that only the most pointy-headed poli sci major could love. A bill that would address Y2K liability issues stalled in the U.S. Senate when several of its backers voted against it and the President, saying he would certainly veto the legislation, also signaled in the same message that he might eventually sign it.

This tempest in the Capitol's teapot began when Sen. John McCain (R-AZ), Commerce Committee Chairman, failed to gain the 60 votes needed to bring debate on the Y2K Act, S. 96, to a close. Several Democrats who support the bill abandoned it over a procedural issue--an issue that could only appeal to the most ardent parliamentarian. The bill remains in play, however, with a compromise version penned by McCain and Sen. Chris Dodd (D-CN) and expected to reach a floor vote next week.

While the Senate squared off over its procedural issues, the White House issued an objection of its own.
Saying that S.96 would serve as a disincentive to remediation and impose new pleading requirements on the 50 states, the President also reversed his long-standing opposition to Y2K liability legislation and signaled willingness to consider a compromise version of a liability bill. Meanwhile, back on Capitol Hill, Dodd's support could bring enough Democrats on board to not only assure that the bill clears the Senate but also position it to withstand an eventual veto, should that happen.

Other voices were also heard this week. The New York Times and Washington Post editorialized against the measure, while a group of nine high tech trade associations released a letter today supporting the amended version of S.96. The trade associations, including ITAA, said the measure would preserve the rights of those suffering real injuries while encouraging remediation and sustaining economic growth.

And then there's the matter of what's in the bill itself. In its current form, S.96 would impose a 90-day cooling off period for resolving Y2K related claims seeking money damages, establish that the contract is the first point of reference when only economic damages are involved, impose caps on punitive damages in tort actions involving companies with fewer than 50 employees or municipalities, and establish proportionate liability among defendants in tort actions when damages are awarded. Will these provisions be in the bill next week? Stay tuned.

Local Power Distributors in the Dark on Y2K?

Local power providers may be behind in their Y2K readiness. At least that's what can be read between the lines of a 57-page report issued today by The North American Electric Reliability Council (NERC). The report, a quarterly survey of approximately 800 of the largest electricity producers, indicates that 40% of respondents admitted they would likely miss the June 30th deadline set by the industry for Y2K testing and compliance.
The producers were optimistic that they would reach completion later in the summer, by September at the latest.

Today's NERC report does not give an indication of the readiness or preparations being made by the more than 1,200 smaller public electric distributors who did not participate in the survey. This has some Y2K leaders alarmed. In a statement issued today, Senator Bob Bennett (R-UT), Chairman of the Senate Special Committee on Year 2000, said, "On a national scale, the electric industry has a responsibility to reach 100 percent compliance for the Year 2000, and I am optimistic they will get there. However, that means ensuring the Y2K preparedness of everyone, from the large power producers down to the local distributors."

Bennett continued, "Knowing that major utilities are getting ready for Y2K, and that a power grid failure is unlikely, are great public confidence boosters, but the question, 'what about the lights in my town?' is left unanswered in many communities. That has to change before January."

The NERC report was encouraging about the progress being made by the electric providers and distributors, with 77% of respondents now reporting completion of testing and remediation needed. This is up from 44% last November. "The bottom line," according to NERC President Michael Gent, "is that for the typical person or business in North America, the supply of electricity will be like that on any other New Year's Day."

NERC is a not-for-profit corporation formed in 1968 whose mission is to promote the reliability of the electricity supply for North America. NERC's owners are ten regional councils with members representing all segments of the electric industry - investor-owned, federal, rural electric cooperatives, state/municipal and provincial utilities, independent power producers, and power marketers. These entities account for much of the electricity supplied in the United States and Canada.

Closer to Home

This week ITAA announced New York State Teamsters Benefit Funds, Health and Hospital Fund, Pension and Retirement Fund of Syracuse, New York and LG-EDS Systems, Inc., Y2K Support Center, Information Technology Group of Seoul, Korea received ITAA*2000 Certification. ITAA*2000 is the industry's century date change certification program. The program examines processes and methods used by companies to perform their Year 2000 software conversions. Both New York State Teamsters Benefit Funds and LG-EDS Systems participated in a rigorous evaluation of their approach to date conversion, with extensive analysis in eleven discrete process areas deemed necessary to a successful Year 2000 conversion.

Business to Business

AXYN Corporation, Denver, CO, has won a contract with the United Nations Operations Organization to assist the Argentina Government with contingency planning.

SunGard Data Systems Inc., Wayne, PA, has completed the acquisition of FDP Corp.

ID Four Limited has released Discover Y2K, a PC-based diagnostic software program that analyzes and identifies non-compliant files and programs.

Transformation Processing Inc., Mississauga, Canada, has signed Y2K contracts with the Regional Municipality of Niagara and the Regional Municipality of Durham.

ITAA Y2K Information Center

Solution Providers Directory http://www.itaa.org/script/2000vend.cfm
ITAA*2000 Certification Program http://www.itaa.org/2000cert.htm
Outlook Archive http://www.itaa.org/script/get2klet.cfm
Legislative and Litigation Table http://www.itaa.org/year2000/legis.htm
Calendar http://www.itaa.org/y2kcal.htm
Vendor/User Status Questionnaires http://www.itaa.org/questmain1.htm
Alternate Dispute Resolution (ADR) http://www.itaa.org/year2000/adr.htm
Statement of Intention to Use ADR http://www.itaa.org/year2000/soi.htm
Y2K Mediators Seminar http://www.technologymediation.com/Y2K_seminar.htm

Copyright ITAA 1999. All rights reserved. The Information Technology Association of America, 1616 N.
Fort Myer Drive, Suite 1300