Having spent considerable resources fixing the Y2K computer problem in the U.S., governments and firms are now particularly concerned about possible effects emanating from other countries, especially where information is lacking. Lags in addressing the problem have depended on country-level factors that are much larger than merely fixing lines of code. By evaluating where the world stands and how it got there, we are in a unique position to build upon Y2K remediation efforts and attempt to institute measures preventing extensive future dislocations.
Failures have already occurred, are expected to peak on January 1, 2000, and are then expected to diminish [7]. There are abundant reports of remediation lags [12]. Much of the data from corporations is self-reported and may be too optimistic. For example, as of March 1999, three of 22 Global 2000 Coordinating Group financial institutions reported finishing the implementation of tested, compliant systems; 11 were above 90% Y2K-compliant; eight were below 90%. However, almost all forecasted completing compliance by this month [4]. Various definitions of "repair," "remediation," and "compliance," which may or may not include potential supply-chain disruptions, for example, make comparisons difficult. Small- and medium-sized enterprises (SMEs), which typically constitute over 98% of private-sector businesses in a given country, are at risk. Despite an extensive public awareness campaign and governmental financial incentives, 27% of SMEs in Singapore, for instance, do not expect to be ready. Forty-two percent of Australian SMEs plan to do nothing.
The Gartner Group's most recent grouping still placed 24 countries at risk-level 3 and 30 countries at level 4.1 Lagging industries worldwide are transportation, healthcare, government services, oil, and some utilities [7]. About 33% of major-partner U.S. telephone traffic is with countries deemed "high-risk" in telecommunications [10]. Cross-border effects may occur in infrastructure or applications systems, and may threaten public health and well-being, commerce, and systems with strategic implications. Some governments worry that failures may be a mask for malicious actions on the part of rival hostile governments, terrorist groups, large criminal organizations, or messianic religious groups.
Failures in managerial systems, specific PCs, embedded chips, and so forth, could extend commercial consequences where supply chain disturbances cause ripple effects. Fifty-five percent of 1998 ($U.S.) value imports of petroleum products, 27% of non-ferrous metals, and 22% of information and telecommunications equipment, come from countries in Gartner's risk-levels 3 and 4 [7]. U.S. officials and industry observers believe the petroleum sectors in these countries will be ready by the end of 1999, but are less sanguine about overall infrastructure readiness. The U.S. Strategic Petroleum Reserve provides a cushion unavailable in other industries using just-in-time sourcing, but neither its capacity relative to possible post-Y2K demand nor its ability to meet this demand on a timely basis have been tested.
Having realized the problem, a country's readiness is largely determined by the available resources and the available levers for making repairs.
Although firms are experiencing difficulty conducting their own end-to-end testing or testing involving business partners [9, 12], and fewer large-scale tests of interlocking systems are taking place than might be expected, some are helping to ease fears.
Thai banks performed a joint test in February 1999; integrated testing of 20 Brazilian banks took place in April, and at least 190 banks in 19 other countries performed a joint test in June. Larger tests are planned.
Over 200 North American electric power organizations participated in a drill last April that simulated losing telecommunications connections. Nav Canada has planned a cross-industry test of air traffic and telecommunications systems.
Nevertheless, internal remediation must be finished first, and getting competitors to cooperate is difficult; taking systems off-line is rarely possible, and creating testbeds is extremely expensive.
Ample evidence exists to construct both optimistic and pessimistic scenarios, but ultimately no one can say much with confidence. Mainstream publications assay palpable but not overly damaging economic effects [11]. Contingency planning is now being emphasized, although it too depends on completing an accurate inventory of systems and their dependencies [3].
The Antidote has published a framework for understanding the responses and readiness of various countries [6]. The sense of urgency and priority given to Y2K work depends not only on an awareness of dependency on computer-based technologies, but also on the absence of major distractions. Having realized the problem, a country's readiness is largely determined by the available resources and the available levers for making repairs.
Awareness. In many world regions, awareness of the problem has been slow in coming. In January 1998, less than 10 developing countries had national Y2K programs. In 1999, thousands of governmental officials were briefed, two Global Y2K conferences were held, and 100 countries applied for (and 90 so far have received) 120 World Bank planning and implementation grants. Earlier this year, awareness was deemed "high" for 33 developing countries, "medium" for 41, and "low" for eight [6]. More than 120 countries participated in the December 1998 U.N. National Y2K Coordinators Meeting, but by Spring 1999, only about 67% of 139 countries surveyed had appointed national coordinators [2]. It was in May 1999 that an African Y2K Coordinating Body was established in order to raise awareness throughout Africa. The second U.N. Coordinators Meeting (in June 1999) involved 170 countries and emphasized international contingency planning.
Low awareness often stems from the mistaken impression that recently computerized countries had little legacy code and therefore little vulnerability. However, even newer PCs may experience failures. 1998 audits of 100,000 PCs in the U.K. found that 25% could not handle the Y2K rollover, and 46% would require some intervention. PCs from the same manufacturer could use different components, requiring each PC be checked individually [6].
Some countries thought to use mainly PCs actually have a much wider range of systems, whether mainframes in use by multinational corporations or embedded microprocessors in purchased equipment [11]. In Russia, it is estimated that as many as 3,000 pre-1992, Soviet-era functional copies of IBM 360 and 370 mainframes are still running, many in the military-industrial complex. At the Pulkovo airport in St. Petersburg, air traffic control still uses a 1983 Soviet Nairi-4 minicomputer, a system deployed at several Russian airports. There may be thousands of Soviet-era controllers in process control applications, some of which are known to have date dependencies [8]. Chinese firms using a wide range of imported hardware and software are further hindered because they expect foreign vendors to fix the problems.
Distractions. Levels around the world vary. They include the global currency crisis, which has made hardware and software replacement especially difficult in Asia and parts of the Middle East, effects of natural disasters and wars, changes in governments, and software-related tasks such as the Euro introduction [6]. Convincing officials in many countries of the need for action has been difficult.
Resources. Global remediation costs have been estimated to be anywhere from $250 to $900 (U.S.) billion. While the advanced industrial nations will bear much of this burden, other countries are scrambling to find the needed resources. Direct compliance telecommunications costs will amount to at least $200 million in Sub-Saharan Africa [2], characterized by the National Reliability and Interoperability Council along with Latin America and the Indian Sub-Continent as high risk in this sector [10]. Remediation costs have often been pushed down to regional and local units, even when they have few resources.
Suspicions that Western companies are using the Y2K computer problem as a cover to rake in huge profits has been a significant barrier to allocation of resources in a number of countries (such as China and much of the Middle East). In Russia, one of the main worries of the central government is that inflated requests for financing will be diverted from Y2K computer work. At the same time, a select group of privatized Soviet-era organizations received a new status of government organization, allowing them to be preferred providers, receive tax breaks and subsidies, and make private-sector profits [8].
Levers. Once countries are sufficiently aware of the problem, the levers available to address it vary considerably. China and Russia have been trying to use the command economy approach with little success. St. Petersburg's April 1999 law forbidding the sale of noncompliant software is largely symbolic. Passing legislation has proven to be more difficult than expected as various interest groups fight over projected legal consequences. Many countries (for example, Brazil) do not have governments sufficiently centralized to create a nationwide Y2K computer policy, and the global trend toward privatization of infrastructure elements such as telecommunications and electricity has made direct control more difficult.
Many international coordination and regulatory bodies, such as the International Telecommunications Union (ITU) and the International Atomic Energy Agency (IAEA) have taken leading roles in their sectors [3]. The International Civil Aviation Organization (ICAO) published evaluation criteria and critical assessments, carried out surveys, and sponsored monthly meetings for many stakeholders. Numerous new organizations, such as the International Y2K Coordinating Center and the Global 2000 Coordinating Group, have been created to promote awareness, to identify best practices, and to disseminate technical assistance. Effective public/private partnerships have been established in such countries as Canada, the U.K., Australia, and South Africa, although defections to the private sector of qualified personnel from the National Year 2000 Decision Support Center has reduced its effectiveness. Businesses are working under the agency's auspices with South African local governments to perform contingency and disaster planning.
The Y2K computer problem presents difficult choices for some governments. For example, countries that have turned a blind eye to software piracy have benefited from widespread use of inexpensive software and are often cut off from distribution channels that would warn them about the need for Y2K upgrades, patches, or workarounds. Some governments have implored software companies to provide cheaper or free legal copies of compliant software, but many are unwilling [1]. The estimated cost of buying these packages runs from (U.S.) $3 billion in Asia/Pacific, to (U.S.) $500 million in Eastern Europe, to about (U.S.) $200 million each in Africa and the Middle East [5].
Similarly, public disclosure is needed for contingency planning, but may engender counterproductive behaviors. Eighty- seven percent of respondents in the latest Cap Gemini survey report it is "'very likely' or 'potentially likely' that they would not do business with noncompliant suppliers and partners," leading to the potential of some kind of quarantine of regions perceived as most risky [12]. Countries that have started compliance testing later and plan to "finish" at the "last minute" may not have time to calm public apprehension.
Despite the massive amount of Y2K remediation business sent to these countries, for example, the Indian government only began a public awareness campaign in February, 1999 [6]. In Taiwan, 85% of people surveyed had "no understanding" of the Y2K computer problem, according to an April 1999 poll, despite the presence of many high-tech firms in Taiwan.
Panic can easily spread across borders [3]. In some countries where the populace already highly distrusts the government, pronouncements meant to calm may have the opposite effect [11].
Lack of awareness of dependencies on computer-based technologies, distractions, lack of resources, and limited policy levers have all contributed to the likelihood that many countries will not finish necessary Y2K repairs in time. Though numerous cross-border effects are possible, and messy problems are almost certain to arise, hope comes from two sources. First, because so many people have conducted and continue to conduct so much work, the chances of truly catastrophic consequences are greatly diminished, provided complacency doesn't set in. Second, increased awareness has led to the emphasis on contingency planning, which can make a huge difference in preventing the worst effects and calming the public.
The Y2K computer problem has presented a unique opportunity to reveal and test global computer-related dependencies. The National Research Council has initiated a three-phase Y2K project with the International Y2K Cooperation Center, the IEEE, and other partners, including data gathering, analysis, and synthesis of lessons learned in power, telecommunications, finance, health, and transportation. Specific resources should be earmarked to fund this and similar projects around the world. Specific escrow repositories with firm restrictions on data use in legal cases could be endowed under U.N. or World Bank auspices to ensure essential data are not lost.
But research alone is not enough. Newly formed remediation teams and organizations cut across traditional boundaries, among such entities as emergency management agencies, regulators, standards bodies, competitors, consulting firms, and governments. The most effective should be identified and given new, on-going mandates, track new technologies and their impact on critical infrastructure, urge that contingency plans are kept up-to-date and work for periodic large-scale testing of cross-border and cross-industry interdependencies. Resources should regularly be provided to developing countries for evaluating and reducing technological risks, and policies that may inadvertently promote unsafe practices should be addressed.
Together these measures will keep awareness high, helping to ensure that future potential catastrophes are not crowded out by current distractions, and will create credible independent sources of technology evaluation that can advocate prevention. We have invested billions of dollars in the most massive technological fix ever attempted. Let's make sure our investment pays off well beyond this particular problem.
1. Berman, D. The Y2K time bomb could sink software pirates. Business Week Online (Mar. 2, 1999); www.businessweek.com/bwdaily/ dnflash/mar1999/nf90302g.htm.
2. Bond, J.P. The world bank group and the Y2K bug threat to developing countries. World Bank Web site (Feb. 1999); www.worldbank.org/ infodev/y2k/bennettff.htm.
3. Bosch, O. The year 2000 issue: International action and national responsibilities. In Proceedings of the NATO Partnership for Peace Seminar: The Millennium Date Change Problem and Crisis Management. Organized by the Swedish Agency for Civil Emergency Planning, Stockholm, Sweden (Mar. 810, 1999).
4. Global 2000 Coordinating Group. Member self-reported data (Apr.-May 1999); www.global2k.com.
5. International Planning and Research Corporation. 1998 Global Software Piracy Report (May 1999); www.bsa.org/statistics/GSPR98/ index.html?/statistics/GSPR98/index.shtml.
6. Managing your business around Y2K. The Antidote 20 (1999); www.theantidote.co.uk/y2k.
7. Marcoccio, L. Year 2000 international state of readiness. Gartner Group, Mar. 5, 1999; Expert Testimony to the U.S. Senate Special Committee on the Year 2000 Technology Problem, Washington, D.C.; www.gartner.com/public/static/y2k/y2k0399.pdf.
8. McHenry, W. The Year 2000 Problem in Russia. Mitre Corporation Report (Mar. 2, 1999).
9. McKendrick, J. At this point, many simply giving up on Y2K testing. Midrange Systems (Feb. 9, 1999); www.midrangesystems.com/ article.asp?searchresult=1&ID=2599104608AM.
10. Roth, G. National Reliability and Interoperability Council Network Assessment Report #2 (Apr. 14, 1999); www.nric.org/meetings/ docs/1999apr-fg1-sc1-gerryroth-presentation.ppt.
11. Survey: The Millennium Bug. The Economist (Sept. 19, 1998), special section.
12. Year 2000 compliance lags behind expectations, survey finds. Y2KWire (May 17, 1999); www.year2000.com/releases/NFcap5_18_1999.html.
1These categories refer to the percentage of firms expected to experience at least one mission-critical failure: level 1: 15%; 2: 33%; 3: 50%; 4: 66%. Risk-level 4 also implies widespread, severe: interruptions of government service; widespread, moderate: power loss/brownouts, telephone and air transportation interruptions; and moderately distributed, severe: imports and exports interruptions.
Readers are encouraged to send comments, suggestions, anecdotes, insightful speculation, raw data, and articles on subjects relating to international aspects of IT to contributing editor Sy Goodman ([email protected]).
©1999 ACM 0002-0782/99/0800 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 1999 ACM, Inc.
No entries found