We, all of us, rely on technologies we do not understand. Potential problems in these technologies are intimidating. The Y2K bugs are a prime example. The Y2K bugs involved millions of people making billions of decisions over four decades. If not addressed, they would have massively disrupted our lives. They threatened the basic technologies of our civilization, from electrical power to medical care, from the water in our faucets at home to the computers on Wall Street. They are not the last threat to the technologies of our lives. We can learn much from Y2K.
We will begin with a history of the Y2K bugs (which we'll just call "Y2K"). We will look at one form of Y2K, from both a technological and a business perspective. Then we will discuss two other challenges that are already upon us. The endnotes provide additional or more detailed information.
A Short History
We did not discover Y2K in the late 1990s. I first heard about it at college in 1985. As I recall, Professor Cheatham in CS-150 "Systems Programming" at Harvard described how COBOL programmers in the 60s had optimized the processor cycles and disk space on their employers' computers by representing years with two digits. Computers in the 60s were incredibly limited and expensive compared to what we as students used for our assignments in 1985. A student asked if companies were fixing the problem. Cheatham replied, "Nobody's doing anything about it. It's going to be a big problem." He did not sound worried or upset. He merely stated a fact. Y2K was old news in the computer science community even then.
I next encountered Y2K around '92. I worked for a company that sold a product that software developers used in order to build screens and applications that let users access information in databases. Large companies used this product for software applications essential for their business. These companies wanted to represent dates on the screen using two digits for the year, in a Y2K-smart way (more on this later). My employer, in response to customer demands, eventually added support for Y2K-compliant two-digit year fields. By the early 90s, large companies were addressing Y2K enough to make it an issue for some software companies.
I recall that in '97 and '98 the information technology (IT) trade press began to mention Y2K more often. Software vendors began more aggressively to notify customers of potential problems. Consultants offering Y2K services began making more noise. Many companies began surveying their IT operations to identify the work needed to become Y2K compliant. (The trade press also reported a side benefit to Y2K preparations: many companies for the first time gained a comprehensive understanding of their IT operations, a crucial step for companies to leap into electronic commerce; thus Y2K is now helping fuel both our increased use of the Internet and the longest economic boom in American history.1) For my own employer, I devised Y2K test criteria for one of our products - it was time to ensure that the software we sold was Y2K compliant (as long as it ran on a Y2K compliant operating system).
By the spring of '99, reports of contingency plans seemed to increase in the information technology trade press. That was wonderful news. Fixing a Y2K bug was a technical issue; the reason a Y2K bug was worth fixing was a business issue. As January 1, 2000 approached, the costs of encountering potential Y2K problems, and the costs of fixing or not fixing Y2K bugs, became more obvious. Thus, businesses began to form contingency plans for electrical and telecommunications failures, especially in rural areas. Businesses began to plan for failures in their software applications, so that they could continue to function if the software that ran their operations malfunctioned. Businesses also began more aggressively to decide what not to fix. For some software, the cost of testing for Y2K compliance exceeded the cost of problems that might arise if the software failed due to Y2K. Businesses increasingly realized they did not have time to fix all their Y2K bugs and planned accordingly. Companies also pressured their suppliers to get ready for Y2K.
By the fall of '99, the birth pangs and early warning tremors of Y2K were not happening. Fears of a "nuclear winter" in software sales to corporations proved false. In November I bought a new home PC and checked my two-week earthquake supply of food and water, which completed my personal Y2K preparations.
Over the Y2K weekend itself, I was on call. Four hundred software developers at my employer's headquarters had to stay at the office for the weekend and had to sleep on cots. (If my employer's customers had to make emergency fixes to their software over the weekend, they would have needed our software to test it, get it ready for use, and run it. Thus, my employer wanted to make certain its customers succeeded with its products.) I was not paged, and the headquarters team went home by Sunday afternoon.
After the Y2K weekend, we discovered at my office that one of our databases did not work. The person who prepared that database for Y2K had made a mistake. You might say we encountered a Y2K-inspired bug. The press has noted various other Y2K-related failures, and if you ask around you will hear about other incidents. Y2K is not over, but we are past the single largest Y2K event, the weekend of January 1, 2000.
After enormous amounts of work, Y2K glitches affected some of us in small ways. Let's now turn our attention to the technological and business aspects of one form of the Y2K bugs, computer screens that represent the year portion of dates in a Y2K-unsafe way.
One Form of the Y2K Bug
Many computer screens were 80 characters wide and 24 characters high. Imagine a software developer in 1990 needing to fit a large amount of information onto an 80 by 24 screen. He had two basic options: He could clearly present a small part of the information at a time, and let the user flip between screens as needed, or he could squeeze the information onto fewer screens. In making that tradeoff, he needed to weigh several factors. For example, for many business transactions, the people using the screens can become familiar and skilled with a crowded screen, but find that they make mistakes and work more slowly if they constantly have to flip from screen to screen. Scrunched up information that preserved screen real estate often helped users work faster and more reliably. That produced happier customers and higher profits. Thus, users often wanted screens with two-digit year fields.
Some screen-building methods assumed that two-digit year fields represented dates in the twentieth century. They inserted a "19" in front of the year digits, an obvious Y2K problem. Other tools were more flexible, and followed Y2K-smart rules to determine if the year was in the twentieth or twenty-first century.2 Many screen-development tools did not have Y2K-smart versions in 1990. That left software developers and users with unpleasant choices, assuming they were concerned about Y2K at the time.
A developer using a Y2K-unready tool could respond in several ways. First, if he acted as a purist and unilaterally refused to do the work because of a lurking Y2K problem, he probably lost the job. The users would find someone else to do the work. Second, if the users provided requirements for the program, and did not mention Y2K compliance, the developer could use Y2K-unready two-digit year fields and thereby create a Y2K bug. Some developers were not aware of the issue. Some wisely chose to act in terms of the users' requirements. Some decided to leave the mess for someone else to fix. Alternatively, the developer could have tested the software for Y2K compliance, but that was often contrary to the users' wishes. Y2K tests could have significantly increased the development time, which would have increased development costs and delayed the date when the users could use the application. Delaying the date threw away revenue. Third, perhaps the users wanted a Y2K compliant program, but after discussion with the developer were willing to accept Y2K bugs in order to be able to start using the program more quickly.
The developer and users faced the intersection of business needs and technical possibilities. Users often wanted the software yesterday, and needed the developer to provide it. The user might have been ignorant of Y2K, might have been willing to accept the tradeoff of handling Y2K later in order to receive the software quickly, and in some cases might have hidden the problem so that it became someone else's problem. Often, the increased revenue of deploying the application quickly and not testing for or fixing Y2K problems more than paid for fixing any future Y2K problems. Furthermore, computers and software grew more powerful and, as the software industry provided better ways to address Y2K, achieving Y2K compliance cost less than in 1990 or earlier. Waiting to address Y2K often provided an advantage in the short term, since the application potentially worked better, increasing revenue; was ready for use earlier, increasing revenue; and future advancements would make Y2K compliance easier, saving money.
A company that worries about every potential consequence of a decision is probably moribund and on its way out of business. Analysis paralysis is more characteristic of bureaucracies than successful companies. When Y2K seemed far away, many software developers and users did not consider it. Considering other, more immediate, factors often produced greater business success.
Although Y2K is mostly behind us, the general characteristics of the Y2K bugs are very much with us. Let's look at two examples, and then compare them with Y2K.
The San Jose Mercury News on January 31, 2000, had this front-page headline: "Invaders target home PCs for attack." The article states, "An Internet connection isn't just an on-ramp for the Web. It also can be a pathway into your home computer for hackers. And if your connection is always on, your home is a likely target. . . . Malevolent hackers are constantly searching for new computers from which to launch attacks on others while hiding their identities." Your computer may be a conduit for stolen data or a malicious attack on some other computer. "In some cases, child pornography has been hidden on an unsuspecting user's machine, available to outsiders via the network connection."3 The solution for most home PC users is to install firewall software, which blocks unauthorized network communications between your computer and the rest of the world.4
While you may value the information on your home or small business PC, and may take the time to back it up and protect it with anti-virus software, the information on your computer is worth far less than the information and services on corporate computers. Crackers can use your computer as a stepping stone to break into corporate computers and steal information, damage information, or break an application. Crackers can also use your computer to attack a web site and make it inaccessible to other users.5
As our society increasingly relies on the Internet and other forms of electronic communications, we will become more vulnerable to attacks from crackers. For example, software pundits, vendors, and users eagerly anticipate an explosion of B2B (business to business) e-commerce as residual Y2K problems wind down. As companies increasingly conduct business over the Internet, they will be able to automate many of the decisions needed to conduct business efficiently. In recent years, SAP, Oracle, and many other vendors sold enormous quantities of software and services to help companies manage their internal operations. In the near future, many companies anticipate using the Internet to manage their suppliers better. Also, we are seeing the rise of firms that specialize in running this new software for companies so that the companies can focus on their own business and do not need to think about the minutiae of IT operations.
These moves make business sense — they potentially cut costs and increase efficiency. They may also make our society more vulnerable to crackers, cyberterrorism, and electronic warfare. We already see crackers attacking web sites by overloading the web server. Imagine a future war where aggressors shut down each others' electrical power and water supplies by attacking each others' computers.
As with Y2K, the computer science community is aware of these new potential problems before the general populace. As with Y2K, individuals and companies are willing to accept imperfect products. Most home PCs are vulnerable to attack by crackers. Web sites on the Internet are vulnerable to other forms of attack by crackers. Companies are willing to use products developed "on Internet time" — products rushed to market that probably will need babysitting and have many flaws that later will need to be fixed. The potential benefits of these new products, such as products that make web sites sizzle, are high enough that businesses deploy them. At times the businesses are unaware of the problems, at times they recognize that short-term benefits will more than defray the cost of fixing problems later, and probably at times the managers hope to sell the business so someone else can clean up the headache.6
A computer science professor at Stanford quipped a few years ago that "The only reason all the computers in the world haven't crashed at the same time is that they aren't all connected together." One of the scariest Y2K scenarios was the possibility that large parts of the IT infrastructure that make our lives possible would crash. As we increase our reliance on the Internet, we may create the potential for a widespread and devastating crash. Another scary but more subtle Y2K scenario involved applications generating and passing on bad data, thereby making the information in, for example, the financial system computers terribly out of synch with the real world. Increased B2B e-commerce has these same potentialities.
With Y2K, software users applied market pressures to push their suppliers towards Y2K compliance. In the last few years, whenever someone discovered a security flaw in, for example, Java or the Netscape browser, the IT trade press, and sometimes the mainstream press, reported the problem. The supplier of the software then fixed it very quickly to keep people from switching to other products. Similarly, when a major web site is slow, users go to other sites. For example, if Netscape is slow, users might use Yahoo. And if a major site goes down for an extended time, the owner loses revenue and faces scorching publicity, even from the mainstream press.
Bogeymen and Bad Problems
Y2K woke a bogeyman hidden in the soul of many American Christians. The prevailing belief among scientists is that billions of years ago life spontaneously generated from inorganic matter. Many scientists seemingly attack the Christian Faith in this and other ways. Therefore, the things of science have a scary coloring for many American Christians. Y2K was a high technology problem, closely tied to the results of science. Similarly, the Internet is most decidedly hi-tech, the result of science, and has elements, such as porn sites, that offend Christians. Yet Christians need to provide essential salt and light. Biblical quarantine laws need to inform the debate about computer viruses and PC firewall software. Biblical principles about theft need to inform the debates on intellectual property and personal information. Technology and business tradeoffs for short-term gain may have terrible consequences for our families.
Y2K was threatening. Some people entirely ignored the potential of Y2K, a foolish choice because if we had not fixed the problems they might have killed us. Y2K involved technologies and business tradeoffs that few understand well. Y2K was also simple enough to summarize that network news anchors easily described it. Not all the challenges we face will be as easy to understand. Y2K, both the bugs and the fixes, resulted from the choices of millions of people. The shape of how we use the Internet is the result of the decisions of millions of people. We will create problems. We will have to create fixes. By God's grace, we had the technology and resources to largely address Y2K. God willing, we will have the technology and resources to address more sophisticated, subtle, and potentially damaging problems.
Hindsight is 20-20. Y2K is largely behind us. Similar and potentially larger challenges are already upon us. It would be wise to learn from Y2K.
1. Most businesses make money by selling products or services, and IT assets and operations supported the real work of the business. The company's primary focus was not on IT, and companies often handed IT departments small budgets and ambitious goals. Thus, if some part of the IT operations worked, how it worked or even what it needed to work was often forgotten. The specter of Y2K forced many companies to identify the software applications they needed, and how the applications worked, an often tedious task. At the same time that companies worked to understand their own operations better due to Y2K, the Internet was growing more important. As companies better understood their own IT operations, they had an easier time letting outsiders — customers and suppliers — gain access to their business operations, and outsiders simultaneously gained the ability to reach the company through the Internet. Y2K forced us to do painful and difficult work that happens to be necessary for Internet ecommerce, exactly when the companies would need to understand their own operations better in order to engage in ecommerce. Thus, Y2K forced companies to prepare for ecommerce. Second, in companies that rely on ecommerce, IT operations are central to the business, rather than something that unfortunately has to be done in order to do business. However, in an ecommerce world, any IT glitch is potentially instantly visible to vast numbers of customers. Thus, in order for companies to do business over the Internet, they need to run their IT operations better. Y2K forced companies to understand their IT operations, a necessary step for running their IT operations better, which in turn is a necessary step for companies to rely more heavily on ecommerce. Rather than destroying us, Y2K has arguably pushed us towards greater prosperity.
2. The software needed a reliable way to tell which century each of the 100 combinations of two numeric digits represented. Thus, products often used a 100-year long "window" into time. For example, if a two-digit year field represents a year between 1970 and 2069, the software can reliably convert any two-digit year into the correct four-digit year.
3. "Keeping 'crackers' out of your computer," San Jose Mercury News, January 31, 2000.
4. "Keeping 'crackers' out of your computer" listed these inexpensive firewall products for your PC: ZoneAlarm 2.0, www.zonelabs.com, free and easy to use. ConSeal PC Firewall and ConSeal Private Desktop, from Signal 9 Solutions, www.signal9.com, about $50 each. Sybergen Secure Desktop from Sybergen Networks, www.sybergen.com, about $30, "lacks features other products offer." Norton Internet Security 2000, Symantec, www.symantec.com, about $60. BlackIce Defender, Network ICE Corp., www.networkice.com, about $40.
www.secure-me.net on 22 January, '00, had this to say: "Most normal Internet machines [owned by corporations] are designed and configured with security as a high priority. Most of the hordes of home PCs coming online over DSL and cable were designed to be friendly and accessible. It is a great time to be a cracker."
Should you quit using your PC until you have installed a firewall? Probably not. If you leave your computer turned on and connected to the Internet for hours or days at a time, such as with a DSL Internet connection, you are far more prone to attack than users who connect for short periods of time to download email or look up something on the web. Also, once you install firewall software on your computer, along with your anti-virus and other background software, you may use up enough memory or CPU resources to slow your system down. You will have to consider the tradeoffs. I plan to purchase firewall software and more memory very soon, but am using my home PC on the Internet in the meanwhile.
5. For example, a cracker might use someone else's computer to constantly request web resources from a site (via HTTP). This makes the web server, and the server's connection to the Internet, busy, making the web site slow or unusable. That case is relatively easy to detect and block compared to more sophisticated attacks. The IT trade press has begun to talk about crackers using hundreds of computers, each generating relatively few HTTP requests, to overload a site. Your home PC, if always connected to the Internet via a DSL line, is a good candidate for this type of attack, as the load on your computer and Internet connection would be small enough you might not notice it.
6. Many "dot com" companies are moving so fast that over time they are not certain how all their operations work. Like many companies that prepared for Y2K, they may face a day of reckoning when they have to painstakingly assess their IT operations. A potential malicious underside of dot coms is deliberately, and sinfully, hiding their vulnerabilities from investors and potential buyers.
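The 100-year window from endnote 2, set beside the fixed "19" prefix described in "One Form of the Y2K Bug", as an added example that is not code from this article or from any product it mentions. The function names and the 80-years-back sliding window are assumptions made for illustration; the last two lines show the window's limit, a year such as 1965 that falls outside 1970 to 2069.

```python
from datetime import date


def _two_digits(field: str) -> int:
    """Validate a two-digit year field as typed on a screen; return 0..99."""
    if len(field) != 2 or not (field.isascii() and field.isdigit()):
        raise ValueError(f"not a two-digit year field: {field!r}")
    return int(field)


def expand_fixed_19(field: str) -> int:
    """Y2K-unsafe rule: always put "19" in front of the digits."""
    return 1900 + _two_digits(field)


def expand_windowed(field: str, window_start: int = 1970) -> int:
    """Map the field into the 100 years window_start .. window_start + 99."""
    century = window_start - window_start % 100
    year = century + _two_digits(field)
    # Digits that land before the window belong to the following century.
    return year if year >= window_start else year + 100


def sliding_window_start(today: date, years_back: int = 80) -> int:
    """Assumed policy: a window that moves with the clock instead of staying fixed."""
    return today.year - years_back


def years_between(start_field: str, end_field: str, expand) -> int:
    """Interval arithmetic, where a wrong century first becomes visible."""
    return expand(end_field) - expand(start_field)


if __name__ == "__main__":
    # Constructed sample: something that starts in '98 and ends in '01.
    print("fixed 19 prefix:", years_between("98", "01", expand_fixed_19))
    print("1970-2069 window:", years_between("98", "01", expand_windowed))

    # Limit of the technique: a birth year of 1965 typed as "65" is outside
    # the 1970-2069 window and is silently read as 2065.
    print("'65' in 1970-2069:", expand_windowed("65"))
    start = sliding_window_start(date(2000, 1, 1))
    print(f"'65' in {start}-{start + 99}:", expand_windowed("65", start))
```

A window only moves the ambiguity to its own edges, so the right start year depends on the data in the field: birth dates need a window reaching back, maturity dates one reaching forward.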