Strategic Planning and Y2K Technology Challenges:
Lessons and Legacies for Homeland Security

Reprinted with permission: PA TIMES, Vol. 24, Issue 11, Nov. 2001
(A publication of the American Society for Public Administration)

By Paula D. Gordon, Ph.D.

The tragic events of September 11, 2001 have had an impact on strategic planning and implementation efforts relating to all aspects of national infrastructure protection and security, including information technology, cyber-security, and cyberterrorism. Indeed, the lessons that can be learned from national and global efforts to address Y2K-related technology problems can be viewed in a new light given the events of September 11. Understanding the successes and the shortcomings of the Federal government's Y2K efforts can help illumine current efforts to address the multiplicity of complex challenges and threats that now face the nation. Many of the current challenges and threats are also highly technical in character. In addition, both sets of challenges have been characterized by a sense of urgency and the need to organize quickly in order to bring about desired results.

To reflect on the Federal government's Y2K efforts at this point in time constitutes something of a challenge. I will begin by summarizing some of the misconceptions concerning Y2K, misconceptions that seemed to make discussion of Y2K particularly difficult prior to September 11. These misconceptions span a wide gamut and include the following:

1) that (perhaps) Y2K was never a problem in the first place;

2) that problems occurred but that no problems of significance occurred;

3) that real challenges were addressed and that no problems of significance occurred because of the relative thoroughness of remediation efforts;

4) that it was possible to determine the overall impact of Y2K in the first weeks of the year 2000 and that it was reasonable to curtail any continuing efforts, including efforts to assess what actually happened and efforts to identify, acknowledge, and track ongoing problems;

5) that the government had a sufficient number of experts tracking, monitoring, and assessing problems before, during, and after the primary trigger date of January 1, 2000;

6) that those in positions of responsibility in the private sector were fully knowledgeable and/or fully forthcoming concerning problems that became evident after January 1, 2000 and that they were keeping public officials apprised of the ongoing problems that were occurring; and

7) that the media had sufficient technical knowledge of Y2K-related technology issues to ask the right questions and to take note of and discern the significance of the ongoing problems that have occurred.

I have addressed these misconceptions in the writing that I have done on Y2K over the past several years. From the close tracking I have done of Y2K, I would characterize Y2K efforts and what has actually happened in the following way:

1) At the time of January 1, 2000, the most critical trigger date, far more temporary as well as long-term remediation had been completed than had been reported.

2) Prior to January 1, 2000, more attention had been devoted to contingency planning and "work-arounds" than had been anticipated; more actions had been taken than any one individual in roles of public responsibility knew. No one person at the time of the January 1 rollover date knew the extent to which systems and plants were operating at reduced power, were operating partially or totally on manual control, and/or were turned off with plans to bring them back up slowly and over time so that there would be no risk of simultaneous failures and cascading effects.

3) Prior to January 1, 2000, an extraordinary number of behind-the-scenes, outside-of-normal-channels efforts were carried out deftly throughout the world in every locale where the US military had a presence. Similarly, multi-national corporations undertook major low-profile initiatives in locales where they had a presence around the world. No comprehensive reports of these efforts have been made public, nor is it likely that such reports will be issued in the future.

4) There were Y2K-related problems that were triggered before the rollover, at the time of the rollover, and subsequently that were not recognized or reported as being Y2K-related problems. A wide variety of reasons accounts for such instances of non-reporting and underreporting.

5) The cumulative impact of minor and more serious Y2K-related problems has been slowly evolving since January 1, 2001 into a low to mid-range Y2K impact scenario. Prior to September 11, impacts in all key sectors of the nation's infrastructure and economy were discernible. The significance of such impacts seems to have been totally overshadowed by the events of September 11. There remain a few reasons why it might be important to even mention these impacts now. One reason has to do with a basic tenet of problem-solving: If you have a problem and have not identified or acknowledged its cause, you may well end up treating and re-treating the symptoms or, in the case of IT systems and complex integrated systems, you may end up having to replace systems that ultimately fail. Another reason to consider these impacts is that there may be lessons to be learned concerning what has transpired and what was done. Yet another reason is that there is work that remains to be completed.

6) Temporary "fixes" that were done and remediation efforts that were not fully or adequately completed continue to need ongoing attention. At the same time, resources have dwindled, individuals with knowledge of complicated and patched-together systems may have moved on, and/or needed expertise may no longer be available.

7) Having averted a worst-case scenario, a victory was "declared" and no one in government continued to follow in an active way those problems that became evident after the first few weeks of the year 2000. (One of the resources that have tracked Y2K-related and other infrastructure problems since January 1, 2000, has been the Grassroots Information Coordination Center on the World Wide Web.) Tracking, assessment, and monitoring of Y2K-related problems by the government effectively ceased in the first half of the year 2000.

8) In the late 1990s, it was commonly understood by analysts and experts most knowledgeable concerning Y2K that it could take 18 to 24 months after the initial trigger date of January 1, 2000 before the cumulative impacts of Y2K might become known. Persons in key roles of responsibility in the government seemed to have abandoned that understanding when a mid-range or worst-case scenario did not materialize in the first weeks of the year 2000. Both the Administration and the key Committees in Congress declared an early victory and ended practically all Y2K-related efforts. In doing so, they neglected to authorize or undertake a comprehensive assessment of national and global efforts, problems, and impacts. (The General Accounting Office did issue a report in September 2000, but that report focused narrowly on remediation efforts of IT systems within the Federal government. The Office of the Inspector General of the U.S. Department of State in their May 2001 report identified a wide range of important lessons learned from the best practices that had been used in promulgating remediation efforts throughout the world, but the authors of the report did not attempt an overall assessment of the nature of the problems that occurred or the sufficiency of Y2K efforts.)

9) Even if the Federal government had acted to track, monitor, assess, and assist in addressing Y2K problems, those in key roles of responsibility had an insufficient amount of expertise to assess and address such problems and to inform strategic planning and implementation efforts adequately. As a result, the Federal government's efforts ended up being based on an insufficient definition of the nature and scope of the challenges to be addressed.

10) While extraordinary resources were dedicated to coordinating efforts throughout the nation and the world, and while there were numerous notable and laudable successes that spared the nation and the world much grief, there were still major gaps in the efforts that were undertaken. These could have resulted in very serious problems, here and abroad.

Essentially, the Administration's Y2K efforts were understaffed, underfunded, and lacking in sufficient technical expertise. Additional expertise was needed to help inform the efforts of those engaged in strategic planning and action.

Studying approaches that were taken to Y2K can be especially helpful because there are so many lessons to be learned. This includes lessons concerning pitfalls to be avoided.

Studying such approaches is especially germane to the government's anti-terrorist and homeland security efforts. Similar to the government's Y2K efforts, anti-terrorism and homeland security efforts need to be designed to address challenges and threats in a comprehensive way. Efforts need to be task-oriented and effectively organized, coordinated, facilitated, and directed. They need to be fully staffed and funded. Care needs to be taken to create and maintain a healthy organizational culture, one devoid of bureaucratic infighting and turf battles. Those spearheading the government's efforts need to have requisite generalist and specialist skills and expertise. They need to draw upon the expertise of individuals from a multiplicity of pertinent fields and disciplines. Considerable attention needs to be given to education, training, information dissemination, knowledge transfer, and technical assistance if efforts are to be fully effective.

Y2K efforts can be seen to bear directly on homeland security and homeland security measures in other ways as well. It seems that emergency preparedness plans and crisis management plans developed for Y2K played a role in the response of a number of companies and institutions involved in the September 11 attacks on the World Trade Center. It seems that many companies and institutions, when they prepared for Y2K, focused considerable attention on emergency preparedness planning, crisis management planning and business continuity planning, data systems backup, and contingency planning. The legacy of those Y2K efforts for homeland security has been considerable. Affected companies and institutions that had prepared for Y2K eventualities benefited immeasurably as a result. In some news accounts since September 11th, the activation of emergency preparedness planning developed as a result of Y2K has been credited with the saving of lives. Crisis management planning, the backing up of data systems, and business continuity planning that were undertaken as a part of Y2K preparations have been credited with playing a very important role in accelerating the recovery of New York City and allowing for the speedy restoration of the world's financial markets. It seems that the implementation of Y2K-related plans has had some extraordinarily beneficial consequences. The lessons learned and to be learned from Y2K can be expected to contribute even more to addressing the anti-terrorist and homeland security challenges now before us.


