Bridge to Nowhere: Inattention to the ‘Millennium Bug’ Threatens the Nation’s Security, Economy in the 21^st Century

693 Days To Go — and Counting

(Washington, D.C.): On 3 February 1998, President Clinton signed an Executive Order
creating a
“council to recognize national and local projects that commemorate the millennium.” The
council’s charter anticipates countless celebrations and initiatives aimed at welcoming in the
21^st
Century. Ironically, the President issued a second Executive Order the next day — one that
suggests that, all other things being equal, far from being a cause for celebration and
self-congratulation, 1 January 2000 will be one of the darkest, and most
dangerous, days in this
Nation’s history.

The ‘Y2K Problem’

In his Executive Order of 4 February, the President offered a layman’s description of the
potential
source of the latter, gloomy prognosis: The so-called “Millennium Bug”:

“Because of a design feature in many electronic systems, a large number of activities in
the public and private sectors could be at risk beginning in the year 2000. Some
computer systems and other electronic devices will misinterpret the year ’00’ as 1900,
rather than 2000. Unless appropriate action is taken, this flaw, known as the ‘Y2K
problem,’ can cause systems that support those functions to compute erroneously or
simply not run. Minimizing the Y2K problem will require a major technological and
managerial effort, and it is critical that the United States Government do its part in
addressing this challenge.”

Could it be a coincidence that this latest Executive Order, declaring the federal
government’s commitment to “address this challenge,” was issued on the same day that the
Federal Aviation Administration was excoriated in the press and on Capitol Hill for failing to
ensure that its air traffic control system is Y2K compliant? As USA Today reported
yesterday:
“The Federal Aviation Administration is so far behind in its efforts to fix the Year 2000
computer glitch that half the Nation’s air fleet may have to be grounded during the earliest
days, weeks or months of the new millennium, congressional officials say.”

In a House Subcommittee on Government Management, Information and Technology hearing
chaired by Rep. Stephen Horn (R-CA), the General Accounting Office testified on the status of
the FAA’s efforts to meet the immovable 1 January 2000 deadline, declaring: “At its
current
pace, it will not make it in time.”

As things stand now, the validity of this frightening conclusion seems beyond dispute.
Another
witness at the Horn hearing, consultant Stanley Graham, reported on his own analysis of the
FAA’s problem, affirming GAO’s assessment:

“The number of application systems [used by the FAA] is large; more than 875
systems, 18,000 subsystems, and 65 million lines of code. Furthermore, through
November 15, 1997 the Department of Transportation reported that the FAA’s
large complex systems were only three percent through program
remediation.
Although this number should rise with later data, we will not have a reliable number
until all 65 million lines of code and their data have been analyzed or accounted for.”

Is the Pentagon in Any Better Shape?

Unfortunately, there is reason to believe that the armed forces are no more prepared than the
FAA
to deal with the implications of the Millennium Bug. In a report issued last month entitled
Defense Computers: Air Force Needs to Strengthen Year 2000 Oversight, href=”#N_1_”>⁽¹⁾ the General
Accounting Office warned that the Air Force is at serious risk from the Y2K problem.

The following are among the most important insights from this GAO study (emphasis added
throughout):

• “As with the other military services, the Air Force is taking a decentralized
  approach to Year
  2000 correction — that is, it is relying heavily on its components to identify and correct Year
  2000 problems affecting their own systems.
• “The Air Force estimates there are 2,944 automated information systems and
  weapons
  embedded systems in its inventory and that the majority of these systems will have to be
  either renovated, replaced, or retired before 1 January 2000. Of the
  2,944 systems, 550
  (about 19 percent) are considered to be mission-critical systems, that is, they directly
  support wartime operations.

“As of 4 September 1997, the Air Force reported that all of its 2,944 systems
completed the awareness phase, 33 percent were in the assessment phase, 32 percent in
renovation, 17 percent in validation, 12 percent were in implementation, and 6 percent
will be decommissioned by December 1999. As of September 1997, the Air Force
estimated that it will cost about $405 million to successfully complete its Year 2000
program.

• “Before its Year 2000 effort, the Air Force did not have a comprehensive service-wide
  system
  inventory. As such, it could not readily determine the magnitude (much less the cost to fix) of
  the Year 2000 problem service-wide when it began the assessment phase. While its inventory
  now contains 2,944 systems, the Air Force is still expanding it to include information on
  infrastructure-related devices, such as elevators, traffic control and security devices,
  telephone switching systems, and medical equipment. These devices rely on either
  microprocessors or microcontroller chips that may be vulnerable to Year 2000
  problems.
• “In August 1997, [one aircraft weapon system] program office reported that it fixed [a Y2K]
  problem [with ground software equipment] for about $300,000, using a temporary work
  around. However, according to a program office official, because the existing equipment
  consists of old IBM mainframes and outdated Jovial code it will have to be replaced
  eventually — and likely at a higher cost — in order to support future planned aircraft
  enhancements such as Joint Direct Attack Munition and Joint Standoff Weapon.
• “…None of the five weapon system program offices we surveyed had
  fully determined the
  actual impact or program status of their system interfaces. One program office
  told us
  that it did not plan to do so until the Air Force prescribed a uniform approach to
  interfaces. In addition, we found other weapon system program approaches to
  identifying
  their interfaces to be considerably different.
• “Without centralized oversight over the identification and correction of interfaces,
  there is a
  chance that some systems and interfaces, for which ownership is unclear, may not be
  identified and corrected. In addition, there is also a higher risk that conflicting
  interface
  solutions will be implemented without the data bridges that are necessary to ensure that
  information can still be transferred.

“For example, one system manager may choose to fix a system by expanding its date
and year, while another may choose to keep the two-digit format and use procedural
code or sliding windows as a strategy for becoming Year 2000 compliant. According
to current Defense guidance, either fix is acceptable, but both parties need to know of
the potential conflict so that they can install the data bridge.

“At the time of our review, however, none of the five program
offices we
visited had prepared such agreements, and the Air Force was not tracking
whether these or comparable agreements were being instituted.

• “Due to the complexities and risks involved with testing, components that are not currently
  planning their testing strategies run a high risk of not competing the Year 2000 effort on time.
  This is because components must not only test the year 2000 compliance of individual
  applications, but also the complex interactions between scores of converted or replaced
  computer platforms, operating systems, utilities, applications, data bases, and
  interfaces….For these reasons, it is critical that Air Force headquarters
  ensure that
  components are taking time now to assess their testing needs and that the Air Force is
  well-positioned to provide components with additional testing facilities and tools.
• “To its credit, the Air Force has recognized that virtually
  every computer system it operates
  is vulnerable to the Year 2000 problem; it has raised the awareness of the Year 2000
  problem among system owners; and it has begun assessing the Year 2000 impact on Air Force
  systems. However, the Air Force is unnecessarily putting its Year 2000 program at risk
  of
  failure because it has not yet refined cost estimates based on actual assessment data,
  fully examined resource trade-offs, and ensured strong and continuous oversight for
  interface, testing, and contingency planning issues.“

The Air Force has the reputation of being the most sophisticated of all the services when
it
comes to identifying and adapting to new technological developments. If so, it is likely
that the
rest of the Pentagon is probably in no better, and probably considerably worse shape
than
the Air Force with respect to the Y2K problem. This point is borne out by a report in
the
trade publication, Phillips C⁴I, on 18 December 1997:

“The Pentagon is among 14 of the 24 major federal agencies not on track to fix
their Year 2000 computer problem by the millennium change…Only the
Department of Labor and the Department of Energy lag behind the Pentagon according
to data [prepared for Congressman Horn’s subcommittee]….

“As of 15 November [1997], the Pentagon had assessed 93 percent of its
‘mission critical systems,’ renovated 44 percent, tested 16 percent for compliance
and fixed 2 percent, according to Horn and the latest quarterly
Y2K report
issued by the White House Office of Management and Budget.” (Emphasis
added.)

The Electronic Equivalent of the Plague

Of course, the Millennium Bug’s potential for devastation of an advanced,
computer-dependent
society like that of the late 20^th Century United States is not confined to America’s
air traffic
control system or its national security apparatuses. Scarcely any business, community or
individual citizen will remain unaffected — some in minor ways, others in potentially
catastrophic ones — if the Y2K problem is not universally corrected.

In fact, those familiar with the vulnerabilities of the U.S. infrastructure to information warfare
(IW) believe that Y2K problem, unless addressed on a truly national basis, could have much the
same effect as a deliberate IW assault by a determined adversary. The implications for public
order and safety, to say nothing of national security can scarcely be overstated.

Mainframe computers with their immense lines of computer code represent the greatest
challenge.
Every line of code has to be checked and, if necessary, corrected. A further complication is the
fact that a significant part of many mainframes’ source codes (some estimates run as high as 20%)
will have to be recreated from scratch.

Once these main frame computers have been fixed, they must be rigorously tested. The fixes
made in one must be able to interface with those in the next. And all computers that
have been
made compliant must be protected from contamination by non-compliant systems with
which they might share data.

Y2K-non-compliant chips and microprocessors imbedded in innumerable other products —
from
cars to elevators to telecommunications, to name but a few — have to be replaced. Finally, the
many millions of personal computers (and their chips) will have to be replaced or otherwise made
Y2K-compliant.

It should come as no surprise that a recent survey of “400 of America’s most influential”
computer industry executives conducted by CIO Magazine found that:

• “Nearly 70% are not confident the Millennium Bug will be fixed by the 31
  December
  1999 deadline.”
• “When asked if they would fly on a commercial airline on 1 January 2000, more
  than 50%
  either said they would not fly or are unsure about flying on a commercial carrier.“
• “A full 60% recommend that Americans need to investigate their bank’s Year 2000
  compliance to ensure the safety of their personal assets.” And
• “Nearly 50% are concerned their job will be in jeopardy if they are unable to fix their
  company’s Year 2000 problem.”

The Bottom Line

The United States government must regard the Y2K problem as a public policy, health and
safety
issue of no less gravity than a widespread outbreak of bubonic plague or polio. It is not enough
to establish councils, hold meetings and file discouraging reports while the clock inexorably ticks
toward the 21^st Century. A crash program to validate and bring to bear
automated
techniques for addressing in the most cost-effective and least time-consuming manner
possible the most daunting challenge: Making the Nation’s civilian (government and
private sector) and military mainframe computers Year 2000-compliant. It goes without
saying that as less time is available (now fewer than 700 days), the higher will be the prices
programmers can command for their time.

A further argument for using automated techniques to the maximum extent possible is to
reduce
the unavoidable problems that will arise from human error. This is a particularly acute problem
when the task is as tedious and labor-intensive as that associated with checking millions of lines of
computer code under the mounting pressure of an unmovable deadline. And even one percent
error makes the whole product 100% non-compliant.

An innovative proposal has been offered by Dr. Morris Davis, the inventor of a program
known as
Transition Software that has demonstrated impressive capabilities to accomplish such corrective
action on mainframe computers in a fraction of the time — and at far less cost than is currently
associated with human review of each line of code. He has offered to provide at no cost to the
government the conversion of 100,000 lines of software code on a mainframe computer to
demonstrate his program’s abilities.

While neither this, nor any other, software program is a panacea for a problem of
the magnitude
and complexity of the Millennium Bug (especially since some parts of the problem are
hardware-related), it would seem prudent to conduct such a test, together with
competing automated
software programs, on one or more mainframes operated by the FAA, the Air Force or some
other priority government agency.

In the event such tests prove effective in both fixing the problem and keeping it
fixed on the
tested mainframe, no effort should be spared to make the successful program available to
government and private sector users as part of a comprehensive approach to make the
Year 2000 the beginning of a promising new millennium, not the apocalyptic end of the last
one.

– 30 –

1. See GAO/AIMD-98-35. The World Wide Web site for the GAO
is www.gao.gov.