This article is the last in a two-part series on
what Y2K can teach the world about cybersecurity.
Find the first part at http://url.afcea.org/May17.
The Y2K event went out with a whimper and not a bang, but not because the issue wasn’t serious. The potential for massive data disruption was there, but government and industry rallied to address
it before the January 1, 2000, deadline.
The millennium bug was squashed
because stakeholders with a lot to lose
attacked it in a coordinated effort. That
approach can serve as both a lesson
and a model for the latest security challenge: the cyber bug.
Today, the dynamic nature of cyberspace is a result of rapid advancements
in computer and communication technologies as well as the tight coupling of
the cyber domain with physical operations. Military organizations have embedded cyberspace assets—their information
technology—into mission processes to increase operational
efficiency, improve decision-making quality and shorten the
sensor-to-shooter cycle. But this cyberspace asset-to-mission
dependency can put a mission at risk when a cyber incident
occurs, such as the loss or manipulation of a critical information resource.
Nonmilitary organizations typically address this type of
cybersecurity risk through an introspective, enterprisewide
program that continuously identifies, prioritizes and documents risks. This allows for selection of an economical set
of control measures—people, processes and technology—to
mitigate risks to an acceptable level. The explicit valuation of
information and cyber resources, in terms of their ability to
support the organizational mission, enables the creation of a
continuity of operations plan and an incident recovery plan.
But above all, cyber response demands the same sense
of urgency as Y2K. In addition, information technology/
The Lessons of Y2K for Cybersecurity
BY MAJ. GEN. EARL D. MATTHE WS, USAF (RET.) operational technology (IT/OT) risk must be aligned with
real-world risk. I have not seen the same rigor about IT/
OT risk since Y2K. Unfortunately, what followed Y2K was
a huge decline in information technology spending and a
reversal to less governance of IT/OT portfolios. This led to
more risk by allowing technology to lapse naturally after a
big investment, along with the regrowth of shadow informa-
tion technology. According to a Market to Market report,
global spending on cybersecurity will be nearly $170 bil-
lion by 2020, and that figure does not include all the other
information technology spending, which is approaching
$4 trillion, analysts estimate. The money is there, but why
not spend it through a structured framework to address the
cyber bug today?
The millennium bug was considered a once-in-a-lifetime
opportunity to clean up and standardize information technology. Now we need to do it again. We did not learn our lesson after the turn of the century as we relegated information
technology back to a supporting role. Operational technology
continues in its own lane instead of being incorporated into
the overall business and mission risk equation. But for business, government and nearly every person, technology is part
of the fabric of everyday life.
The Internet of Things (Io T)
promises to advance that
principle even further.
The approach for solving
the millennium bug challenge should serve as a framework for stopping the cyber
bug. The need for a solution is becoming even more urgent
with the explosion of IoT devices. We have succeeded with
this approach before, and we can do so again. But this time,
we must be sure to learn our lesson.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director
of cyberspace operations in the Air Force’s Office of Information
Dominance and Chief Information Officer, is vice president of
the Enterprise Security Solutions Group for DXC Technology
(formerly known as Hewlett Packard Enterprise Services), U.S.
Public Sector. The views expressed here are his own.
To share or comment
on this article go to
Connect with AFCEA
on Social Media
AFCEA is dedicated to encouraging conversations
and providing valuable information where it’s
most convenient for you. Connect and engage
with us on your favorite social platform.
JOIN our LinkedIn Group to discuss
best practices, ask questions, share
concerns and highlight news.
LIKE us on Facebook to access
important AFCEA updates.
FOLLOW us on Twitter for real-time
news that fits your busy schedule.
Find links to these pages and more under
“Connect with Us” at www.afcea.org