R Concepts for Enhancing Critical Infrastructure Protection Relating Y2K to CIP Research and Development David Mussington Prepared for the Office of Science and Technology Policy Science and Technology Policy Institute The research described in this report was conducted by RAND’s Science and Technology Policy Institute for the Office of Science and Technology Policy under Contract ENG-9812731. Library of Congress Cataloging-in-Publication Data Mussington, David, 1960– Concepts for enhancing critical infrastructure protection : relating Y2K to CIP research and development / David Mussington. p. cm. “MR-1259.” Includes bibliographical references and index. ISBN 0-8330-3157-0 1. Year 2000 date conversion (Computer systems)—United States. 2. Computer security—United States. I.Title. QA76.76.S64 M88 2002 363,34'97—dc21 2002024936 RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND® is a registered trademark. RAND’s pub- lications do not necessarily reflect the opinions or policies of its research sponsors. © Copyright 2002 RAND All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from RAND. Published 2002 by RAND 1700 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138 1200 South Hayes Street, Arlington, VA 22202-5050 201 North Craig Street, Suite 102, Pittsburgh, PA 15213 RAND URL: http://www.rand.org/ To order RAND documents or to obtain additional information, contact Distribution Services: Telephone: (310) 451-7002; Fax: (310) 451-6915; Email: [email protected] iii Preface The Y2K crisis involved thousands of firms and nearly every government in the world in a massive effort to head off potential system failures in computer infrastructures that were feared in the event of the date change from 1999 to 2000. In the wake of these efforts, costing hundreds of billions of dollars over several years, massive system failures did not materialize. Did the large-scale global effort prevent these failures? What are the relevant lessons from Y2K for critical infrastructure protection (CIP) more generally and where do we need to know more? This project addressed these questions. The project was undertaken for the White House Office of Science and Technology Policy (OSTP) in order to examine the relationship of Y2K issues and concerns to CIP R&D priorities and plans. OSTP is charged under both Presidential Decision Directive 63 and the current national plan for information systems protection with coordinating the federal government’s critical infrastructure protection research and development programs and plans. The Science and Technology Policy Institute at RAND was created by Congress in 1991 as the Critical Technologies Institute and renamed in 1998. It is a federally funded research and development center sponsored by the National Science Foundation and managed by RAND. The institute’s mission is to help improve public policy by conducting objective, independent research and analysis on policy issues that involve science and technology. To this end, the institute ∑ Supports the Office of Science and Technology Policy and other executive branch agencies, offices, and councils; ∑ Helps science and technology decisionmakers understand the likely consequences of their decisions and choose among alternative policies; ∑ Helps improve understanding in both the public and private sectors of the ways in which science and technology can better serve national objectives. iv In carrying out its mission, the institute consults broadly with representatives from private industry, institutions of higher education, and other non-profit institutions. Inquiries regarding the Science and Technology Policy Institute may be directed to the address below. Helga Rippen Director Science and Technology Policy Institute Science and Technology Policy Institute RAND Phone: (703) 413.1100, ext. 5351 1200 South Hayes Street Web: http://www.rand.org/scitech/stpi Arlington, VA 22202-5050 Email: [email protected] v Contents Preface ...................................................................................................iii Summary ...............................................................................................vii Glossary.................................................................................................xv Acknowledgments............................................................................... xxiii Chapter 1. Introduction ............................................................................1 Background ......................................................................................1 Project Purpose and Overview ...........................................................2 Tier I Critical Infrastructures ...........................................................2 Tier II Critical Infrastructures ..........................................................3 Project Methodology .........................................................................3 Project Structure .............................................................................4 Workshop Design...........................................................................4 Hypotheses ....................................................................................5 Relating Y2K Activities to CIP Research and Development................7 Chapter 2. The Y2K/CIP “Lessons Learned” Workshop ........................... 11 Introduction.................................................................................... 11 Y2K/CIP Deliberations.................................................................... 11 Part One – Y2K Lessons Learned ................................................... 11 Part Two – Priority Research and Development Areas..................... 15 Overlapping R&D Areas.................................................................. 18 Overall Workshop Assessment......................................................... 18 Chapter 3. An Analysis of the Federal CIP R&D Portfolio ......................... 21 Introduction.................................................................................... 21 Proposed CIP R&D Priorities ........................................................... 21 Portfolio Analysis............................................................................ 24 Chapter 4. Conclusions........................................................................... 25 Defining Y2K .................................................................................. 25 The Political/Institutional Dimension ............................................ 25 The Technical Dimension .............................................................. 26 Was Y2K Overhyped?...................................................................... 27 Lessons for CIP ............................................................................... 28 Implications for CIP R&D Priorities.................................................. 29 Improve Understanding of System Interdependencies .................... 29 Consider CIP in a Broad Context ................................................... 30 Examine/Model Complexity Effects .............................................. 30 Consider Formal Information-Sharing Processes............................. 31 Concluding Observations................................................................. 31 vi Appendix A. Evaluating the Relationship Between CIP and Y2K ……………………… 33 B. Workshop Materials ………………………………………………………….. 55 Bibliography ……………………………………………………………………… 73 vii Summary “Then there was the curious incident of the dog in the nighttime.” “The dog did nothing in the nighttime.” “That was the curious incident,” remarked Sherlock Holmes.” — Silver Blaze, the memoirs of Sherlock Holmes Like the dog in the nighttime, the year 2000 (Y2K) crisis was puzzling because of its uneventfulness. None of the widely feared system failures materialized. Yet spending on preventive activities was hardly a non-event. According to Commerce Department estimates, the Y2K crisis cost American government and industry combined approximately $100 billion dollars between 1995 and 2001.1 Global spending above and beyond this is hard to gauge, but an additional $100 billion is a probably a conservative estimate. Debate continues over whether the massive remediation efforts precluded catastrophic system failures or the fears were overstated to begin with. This report attempts to shed light on this debate and, by extension, examine what Y2K tells us about critical infrastructure protection (CIP) and where more knowledge is needed. Study Purpose and Approach This project examined the Y2K crisis and its potential to inform future efforts to protect critical infrastructures. ∑ What kind of event was the Y2K “crisis”? Was the massive and costly remediation effort justified? ∑ What lessons does the Y2K experience offer for CIP? ∑ What do these lessons imply for federal CIP research priorities? To address these questions, the project team conducted three tasks: a literature review, focused interviews with government and industry computer experts, and a workshop involving participants in Y2K remediation efforts from industry and government. Some of the findings appear in other appended documents (the selected bibliography, the white paper presented in Appendix A, and the exercise materials presented in Appendix
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages100 Page
-
File Size-