In search for Y2K of Cybersecurity

Y2K or Millennium bug — with no relation to Millennials — became a huge problem because programmers represented the four-digit year with only the final two digits. (REALLY?)

But that’s not all. Firstly, the practice of representing the year with two digits became problematic with logical error(s) arising upon “rollover” from x99 to x00. Secondly, some programmers misunderstood the Gregorian rule that determines whether years that are exactly divisible by 100 are not leap years, and assumed the year 2000 would not be a leap year.

But soon we learned that years divisible by 100 are not leap years, except for years that are divisible by 400. Thus the year 2000 was a leap year.

How could the world’s smartest engineers, mathematicians and computer scientists miss such a big thing while writing programs in 80s and 90s? No one knew what to do, until in 1997 the British Standards Institute (BSI) developed a standard, DISC PD2000–1, which defined “Year 2000 Conformity requirements.”

We finally did the right thing. Organizations worldwide checked, fixed, and upgraded their computer systems. And the world was saved from zombies’ evil plan of destroying mankind.

Fast forward twenty years later, I wonder what else we can’t see. Do we know everything about tomorrow’s cyber attacks? We don’t. Bad actors are continuing to get past conventional perimeter security, executing high profile data breaches. No one would disagree that threats today are not the same as they were five years ago. Actors are not the same. Methods they use are not the same. Attack motives are not the same. Even targets are not the same. So why are we not panicked and distraught as we were in the late nineties?

In a recent article, Glassman and Miller noted that “intensive and collaborative government and industry response resulted in effective planning and Y2K remedial work that prevented any interruption of the operation of critical banking infrastructure”.

I wonder what would be our wake up call? What will make us realize that threat is evolving faster than the cycle of measures and countermeasures and our ability to address it? What disaster are we waiting for to start the intensive remedial work to prevent interruptions of the operation of critical infrastructure? We need to stay ahead of the threat, not constantly play catch up or wait until bad things happen to begin this process. Let’s proact, not react!

Thoughts welcome!