This article is the first in a two-part series about
what Y2K can teach the world about cybersecurity.
I’ve heard a lot of talk about cyberthreats over the past 15 years, yet I haven’t seen anyone offer a holistic way to address them. As I reflect on my own experiences and challenges in information and operational
technology, the last problem of this
magnitude that we had to face was
the feared millennium bug, or Y2K.
A mere 17 years later, the information
technology landscape looks eerily the
same. For many chief information
officers (CIOs) and chief information
security officers (CISOs), the size and
scope of the millennium bug is about
the same as today’s major security challenge: the cyber bug.
We can find many similarities between present-day cybersecurity concerns and the ramp-up to Y2K, when the world
spent billions patching and replacing systems to prevent
massive infrastructure failures.
Although the causes of these problems are not the same,
we could, and should, use the same approach to cyber that
solved Y2K. Cyberthreats reach infrastructures globally
through everything from toasters to cars, air traffic control
systems, medical components, power grids and erroneous
missile launches. The cyber bug problem is magnified by the
advent of the Internet of Things (IoT), which reportedly will
add 50 billion devices by 2020.
The Y2K problem was driven by the Julian calendar—
programmers conserved memory by using two digits for
years instead of four—and primarily affected business systems. The cyber bug is driven primarily by cyber crime,
espionage, competitive advantage and warfare, all stemming
from inadequate built-in security in software, hardware,
embedded systems, business processes and complex architectures. Another risk factor is the lack of cultural security

Looking back on the plan to address the Y2K problem,
awareness and education, along with a sense of urgency,
created the foundation for recognizing and addressing the
challenge. This was a whole-of-nation, indeed global, execution, not just a government-led effort. Governments and
businesses formed formal groups to identify and initiate the
actions necessary to avert infrastructure failures.

Y2K Offers a Template To Squash the Cyber Bug
BY MAJ. GEN. EARL D. MATTHEWS, USAF (RET.)

Several themes common with Y2K play out today. CIOs
and CISOs need to know what applications and devices they
actually have—it is time for asset discovery and documentation.
It is also time to move away from an “if it isn’t broken,
don’t fix it” mentality that keeps outdated equipment and
software, increasing cyber risk. While Y2K was the single
biggest driver for adopting packaged, off-the-shelf software,
today cyber concerns are moving data to the cloud. And as
with Y2K, cybersecurity has stirred up fears, becoming a
board room discussion. Among C-suite executives, it has
generated a lot of review and exercise of business contin-

In some ways, it seems as if we are back at the same starting point as with Y2K: having to convince the powers that
be that we have a continuing and growing problem amid
actions that are not congruent with a holistic national or
global framework to achieve the required objective. The
cyber bug appears to be larger than life because we neither
approach it in a synergistic way, nor are U.S. and international laws in place to address underlying causes. Lawmakers cannot even agree on common security standards for
the IoT.
I can hear the same pundits then and now saying that Y2K
turned out to be an overhyped nonevent. It was a nonevent
only because of tremendous efforts by many to avoid a huge
catastrophe. Y2K was real and, yes, a number of organizations did overspend on the problem. Nonetheless, it needed
attention. This time, the cyber bug has far more serious
implications for the very survival of companies and the
overall economic power of
our country—let alone the
effects on national security,
which I believe are one and
the same. When you add in
our civil liberties and privacy, the magnitude is tenfold. If we are to take the cyber bug
seriously, then we need to treat this like any other risk and
apply the right resources as we go forward.
The second part of this series will appear
in the June issue of SIGNAL Magazine.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president
of the Enterprise Security Solutions Group for DXC Technology
(formerly known as Hewlett Packard Enterprise Services), U.S.
Public Sector. The views expressed here are his own.