Introduction

Prior to the Y2K rollover, RAND and many other organizations undertook to assess not only the potential character and consequences of possible national and international Y2K failures, but also potential lessons to be learned from both the rollover and the entire Y2K experience. Particular attention in this regard focused on ensuring that preparations were in place at the time of the rollover to harvest data that would support the assessment of Y2K lessons learned applicable to the critical infrastructure protection (CIP) problem, both in the U.S. and in other countries.

Y2K was thus viewed as a worldwide experiment in addressing the vulnerabilities of critical information infrastructures (albeit where the threat, the Y2K bug, was thought to be well understood), in the interrelationships and interdependencies of these infrastructures, and in various nations' and regions' degree of dependency on these infrastructures.

Because of the generally positive view - borne out by the rollover experience - of the adequacy of Y2K preparations in the United States, most of the analytical efforts regarding lessons to be learned from the Y2K rollover - CIP and otherwise - focused on the international Y2K situation. In particular attention focused on a number of countries - for example, countries like Russia, Ukraine, China, Indonesia, and Italy - where there seemed to be general agreement among experts that Y2K rollover problems would be manifest in one or more key infrastructures. In such countries it was expected that Y2K problems - in their root cause (to the extent that could be determined), initiation, immediate consequences, resolution, and long-term consequences (to the extent that could be projected) - would provide the lessons learned that were not expected to be found in mining the U.S. Y2K experience, or for that matter the Y2K experience in seemingly well-prepared countries like Canada or Britain.

CIP Issues

CIP issues are of interest to the United States in a number of distinct contexts: (1) protection of the United States, (2) protection of traditional U.S. allies, and (3) protection of temporary coalition partners whose infrastructure robustness and viability could be as important as that of the U.S. and its more traditional allies (recall the use of Egyptian air bases in the Persian Gulf War) and (4) the vulnerabilities of potential adversaries.

In these broad contexts, Y2K presented a potential opportunity for illuminating a variety of specific and general CIP issues within an admittedly evolving CIP agenda, a rapidly evolving infusion of information technology (IT) across all key infrastructures, and a highly dynamic global privatization of such infrastructures.

On this basis the following CIP issues were judged in advance of the Y2K rollover as potentially benefiting from the Y2K (and especially the foreign Y2K) experience:

1. Vulnerability and stability of key infrastructures (electric power, telecom, gas, oil, transportation, financial, etc.)

2. Interdependence within and between infrastructures (regionally, nationally, and internationally)

3. Information exchange (between and within infrastructures, between infrastructures and governments, between infrastructures and international agencies, between multinationals owning infrastructures and governments, etc.)

4. Alert and warning (key indicators; optimal alert and warning architectures; etc.)

5. Response to warning and events (contingency planning and other responses to strategic and tactical warning)

6. Law enforcement and legal matters (legal impediments to effective response; distinguishing criminal v. national security actions; etc.)

7. Public affairs strategy (impact of alternative public affairs strategies; coordination of public affairs strategies nationally and internationally; etc.)

8. Threat Assessment (malevolent actor level of expertise, ability to identify attacker, etc.)

In virtually all of these CIP issue areas, in terms of the international Y2K situation, it was recognized that in principle there was the potential for lessons to be gained across the full spectrum of possible international Y2K outcomes - from a large variety of serious foreign Y2K problems at the time of the rollover (and thereafter) to a relative absence of foreign Y2K problems in this same period.

In this pre-Y2K rollover period, it was also recognized that a framework for assessing the interrelationships between Y2K and CIP did not yet exist but that development of such a framework would help substantially in the analysis of both the rollover and the entire Y2K history leading thereto.

The Y2K Experience: A Surprise!

The Y2K rollover experience is now history, and thin history, albeit not completely devoid of events. However, best we know at this time, there were no major infrastructure problems anywhere in the world - a surprise to almost all of the experts. Why?

In the wake of the Y2K rollover experience and especially the international experience, RAND senior researchers Richard Mesic and Robert Anderson developed a highly useful framework for assessing the unexpected international outcome starting from the hypotheses shown in Figure 1.

(not available online)

Figure1. Candidate Explanations for Unexpected Y2K Outcomes

The hypotheses in Figure 1 are, as indicated, candidate explanations to be tested against the actual foreign Y2K experience - such as we may be able to determine it - in different countries and for different infrastructures where the Y2K outcome was far better than projected. As such they provide the starting point for an analytical framework for transferring the Y2K experience to the CIP problem. For example:

1. If there is currently far less foreign infrastructure dependence on date-specific software and hardware than was projected by experts, then it is likely that at this point in time there could be far less dependence on information technology in general in these infrastructures. However, that situation is clearly dynamic and evolving. As a minimum it points out the extreme difficulty of ascertaining the degree and consequences of infrastructure vulnerabilities to direct attack by malevolent actors.

2. If eleventh hour remediation was a major contributor to Y2K remediation, it suggests that reducing infrastructure vulnerability could be a highly dynamic phenomenon with implications both for assessing infrastructure vulnerabilities of the U.S. and its allies (and potential coalition partners) but also for assessing adversary vulnerabilities in the context of U.S. offensive information operations (IO). This explanation also has implications for the entire issue of CIP information exchange. As shown in Figure 2, there are genuine uncertainties - with varying implications - as to just how these eleventh hour remediation efforts came to pass.

(not available online)

Figure 2. Possible Explanations for Late Remediators' Success

3. If Y2k workarounds were readily developed and implemented, it might suggest that in the CIP context infrastructure systems are currently more robust than we thought. Or at least they may be robust if the systems are in an advanced state of alert - as was the case in almost every infrastructure control room world-wide. This could influence the kinds of CIP alert and warning systems that are developed and deployed. It could also boost our confidence in our allies (and potential coalition partners') abilities to withstand some forms of infrastructure attack, if they have sufficient warning. In some cases, "last minute" remediation efforts may have been successful because operators knew their Y2K dependencies were very modest and that they could afford to defer action to take advantage of remediation fixes when they became available, confident that others (other operators, equipment suppliers, etc.) would spend the necessary money.

4. If existing sources of information readily available to the government and the experts community were unable to identify the degree and success of ongoing Y2K remediation efforts, then new sources of information will have to be developed in order to provide sound assessments of both allied and adversary CIP progress. Here there is a real possibility that private sector (operators, suppliers, and consumers) led a highly successful effort at remediation that was outside the purview of most (but maybe not all) analysts. Moreover, these operators did not feel compelled to correct experts' mischaracterizations of their systems' readiness in the public domain.

5. If existing analytical frameworks for assessing Y2K infrastructures vulnerabilities and consequences are inadequate, much work needs to be done to develop analytical frameworks for the far more challenging task of assessing CIP vulnerabilities and consequences.

Note that on the basis of the above framework and assessment of the Y2K experience, little can be said about some of the important CIP issues that might have been illuminated by the Y2K experience, notably: Interdependence within and between infrastructures; Law enforcement and Legal matters; Public affairs strategy; and Threat assessment.

Overshadowing all of the speculation about Y2K lessons learned for CIP is the recognition that the Y2K threat - in terms of character, strategic warning, preciseness of timing, etc. - was inherently different from those that might be posed in the future by terrorist or nation state malevolent actors. Nevertheless, with a rational framework such as that presented here, there are clearly lessons for CIP to be drawn from the Y2K experience. However, a detailed assessment of both the national and the international Y2K experience - which should be possible, albeit difficult - will be required.

1 RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. This statement is based on a variety of sources, including research conducted at RAND. However, the opinions and conclusions expressed are those of the author and should not be interpreted as representing those of RAND or any of the agencies or others sponsoring its research.