General John A. Gordon, USAF
Deputy Director of Central Intelligence
Written Statement for the
Government Readiness Subcommittee
of the Senate Armed Services Committee
February 24, 1999
Mr. Chairman, I am delighted to be here today to address a subject that is growing in importance by the day. I will be providing an overview of the Intelligence Community's readiness to deal with the Y2K problem and the potential for Y2K-related problems abroad to impact on the United States or US interests.
The Intelligence Community
Let me begin with progress the Intelligence Community is making in dealing with the Y2K problem. Our objective is clear and simple: Ensure uninterrupted intelligence support to the warfighter and policymaker as we go through the Y2K transition period. Today I will review with you where we have been, our current status, and what more needs to be done.
We began to address the Y2K issue as a Community in August 1996. We elevated the seriousness of the Y2K problem to senior leadership levels. All of the IC agency directors and service intelligence chiefs take an active role in overseeing their organization's progress toward resolving the Y2K problem. We hold regular sessions of the Intelligence Community Deputies, to include the services, to address our status and issues at the Community level. Additionally, I host sessions with the Intelligence Community Principals--the heads of the various intelligence agencies--to measure and drive progress from the top and to ensure adequate resources are applied, that we maintain the right priorities, and that we properly coordinate across agencies. The Intelligence Community is also participating in the Joint Staff CINC Operational Evaluations and is represented at the DoD Y2K Steering Committee, chaired by Dr. Hamre. Also, we are represented on the President's Council on Y2K and participate in several of the sector working groups.
We have in place an Intelligence Community Year 2000 Management Plan (June 1997) and an Intelligence, Surveillance and Reconnaissance Year 2000 Functional Readiness Assessment Management Plan (December 1998). These plans delineate organizational roles and responsibilities for fixing, testing, assessing overall readiness, coordinating, and reporting on Y2K. Additionally, our Intelligence Community Information Systems Strategic Plan addresses activities throughout the Y2K transition period, as well as follow-on actions that will be required after January 2000. Each of these plans was done in full coordination with our DoD counterparts.
As a Community, we are tracking the progress of 1508 systems. Of these, 546 are considered Mission Critical. Mission Critical are those systems that are indispensable to the core function of an organization, without which significant interruption of the intelligence mission would occur. One example of a mission critical system would be DIA's Military Integrated Data Base (MIDB). The MIDB contains finished intelligence data on foreign nations' military and civil infrastructure (roads, telecommunications, petroleum, etc.), military orders of battle (strengths of military components, numbers of ships, tanks, etc.), and command and control structures. 138 of these 546 Mission Critical systems are to be retired during 1999, leaving 408 systems as we go into the Y2K transition. (A system is defined as an aggregation of hardware, software, and firmware applications, which together make up a particular function.) Of the 408 systems, 247 systems are fully Y2K compliant, tested and now in day-to-day use. Another 97 are fixed and tested and are in the process of being fielded to Community locations. Therefore, 85% of the Intelligence Community's Mission Critical systems are fixed or currently being fielded. Of the remaining 64 systems, 38 are in testing. These 64 systems that are behind our self-imposed December 1998 milestone for completion of fixes have been receiving senior-level scrutiny since last summer. We have gone to significant lengths to apply funding and staff resources to accelerate fix and fielding schedules wherever possible. At this time, we anticipate that 47 of the 64 systems will be fixed by 31 March 1999, the OMB target date, and that the remaining 17 systems will be fixed by July 1999 and fielded by November 1999. These 17 systems will not meet the OMB target date for a variety of reasons. Some have been under contract for several years with specified delivery dates after 31 March 1999 and to negotiate an earlier date would have been cost prohibitive. Some of the systems are dependent upon commercial applications that were not delivered until recently, and now the whole system must be integrated and tested. And others are so complex that the extra time is needed to fix them.
All of these 408 Mission Critical systems have or will have Contingency Plans in place by 31 March 1999. These plans address both the prospect that a given system will not be ready by January 2000 and for the contingency that a system is thought to be ready but fails.
As we complete the work of fixing Mission Critical systems, we are not losing sight of the non-Mission Critical systems. Non-Mission Critical are those systems that will not cause significant degradation to an organization's core intelligence mission capability in the event of a failure or interruption of service. An example of a non-mission critical system is CIA's Congressional Affairs Tracking System (CATS). This application is a management tool used to report topics of interest and status of action items to our Congressional Oversight Committees. Of the 308 non-Mission Critical systems that are not fully compliant, 102 are in process of being fielded, leaving 206 which are in stages of fix and testing. These non-Mission Critical systems are important to us since many are essential to maintaining smooth intelligence operations, including such basic things as ensuring that intelligence personnel are paid on time. The target to complete these fixes is 31 March 1999. I anticipate that there will be some systems that do not make this date, and we have already assessed the impact and have begun contingency planning.
As we are less than a year from the first critical Y2K milestones, our attention has begun to shift significantly to risk management. This involves preparations to not only ensure we have solved Y2K problems correctly, but to make sure contingency plans are in place and shared with partner organizations as well. This encompasses three initiatives: First, we are preparing an overall mission-oriented readiness assessment; second, we are working at the Community-level for contingency planning; and, third, we have begun planning for crisis operations during Y2K's potential problem intervals, such as the transition from 31 December 1999 to 1 January 2000, as well as 28-29 February and 29 February-1 March due to the fact that 2000 is a leap year.
The Intelligence, Surveillance and Reconnaissance Readiness Assessment is a functional evaluation of our Community's success at fixing the Y2K problem. This initiative is closely linked to the DoD Commanders in Chief (CINCs) Operational Evaluations that are in the planning and early execution phases. As indicated earlier, not all of the Mission Critical systems are fully compliant at this time, so--as the CINCs begin their operational evaluations--we are doing one of three things: deferring the system test until the backup test phase, testing the contingency plan, or providing a product such as archived data instead of a real time data input. Key for the Intelligence Community is the joint US Central Command, Space Command and Transportation Command operational evaluation in April. In addition to participating in the CINC evaluations, we are using their requirements to assess our Community's supporting processes and systems readiness. We will also conduct national-level assessments to ensure continued support to National Command Authority requirements. Our readiness assessment activities are targeted to begin this spring and last through the summer.
The second major aspect of our risk management effort is contingency planning. Most of the effort to date has been by individual agencies aimed at their own systems-level preparations. Now, we are planning at a Community-level not only from the perspective of our intelligence system-of-systems, but also as it relates to our basic infrastructure, such as commercially-provided power, water, and telecommunications to ensure the intelligence mission will be sustained in the event that there are significant losses of infrastructure or information technology capabilities. The challenge here is to coordinate common, realistic planning assumptions across our diverse community of providers and consumers.
Finally, the third piece of our risk management effort is crisis operations. Throughout the Intelligence Community, we have Alert Centers which monitor and respond to international events. Additionally, most organizations have some form of Systems Operations Centers, addressing problems that arise with their computer systems and networks. Both types of centers are preparing for the potential implications of Y2K, whether they be international or domestic. We are strengthening the communications processes between centers. We are preparing for the potential that there may be many situations erupting worldwide and within our own systems environment. We are developing a Community-level monitoring, notification, prioritization, and tasking mechanism which may be required if multiple significant events occur. Other aspects we are examining are: alternate sites of operation, redundant crisis communications, crisis response teams, and visibility into all levels of contingency planning efforts.
In sum, Mr. Chairman, the Intelligence Community has stepped up to the challenge of the Y2K problem, which threatens our ability to continue mission critical support to our consumers. While several critical systems have not fully completed repairs, Community and agency leadership are aggressively managing their attack on the problem and have contingency plans in place should the need arise.
Risk management is the theme of the day. We have instituted an intense, cross-Community test and assessment program to ensure we will be able to support our customers. In the event that there are failures, as there are bound to be with a problem of this magnitude and complexity, we will have contingency plans in place to ensure that there will be no interruption to the critical aspects of the intelligence support mission.
Foreign Y2K Readiness
Now, Mr. Chairman, I would like to turn to the understanding that the Intelligence Community has about foreign efforts to deal with the Y2K problem. All countries will be affected--to one degree or another--by Y2K-related failures. Global linkages in telecommunications, financial systems, air transportation, the manufacturing supply chain, oil supplies, and trade mean that Y2K problems will not be isolated to individual countries, and no country will be immune from failures that may occur in these sectors. Fixing the Y2K problem is labor and time intensive, as well as expensive. Current Gartner Group estimates of global expenditures needed to fix the problem are on the order of one to two trillion dollars.
I need to say at the outset, Mr. Chairman, that there are significant information gaps that make it difficult for us to assess how serious the Y2K problem will be around the world. In many cases, foreign countries only recently have become aware of the problem and begun to examine their critical infrastructure systems for potential Y2K failures. In comparison, the United States has made a significant effort to identify and redress Y2K problems, and it was only after the process was well underway that it was possible to get a good appreciation of the extent of the problem and its implications. Many foreign countries, particularly those that are the furthest behind, have not made such an effort, so--for our part--we can identify their likely problem areas but cannot make confident judgments at this point about what is likely to happen. Our assessments will change as more information becomes available, as countries become more aware of and deal with Y2K issues, and as incidents of Y2K failure become apparent. I will highlight those problem areas that I think have a significant chance of affecting US interests. These include, among others, foreign military systems, trade, and the oil and gas sectors, all of which I will elaborate on.
The consequences of Y2K failures abroad will range from the relatively benign, such as a localized inability to process credit card purchases by computer, to problems within systems across sectors that will have humanitarian implications such as power loss in mid-winter. The coincidence of widespread Y2K-related failures in the winter of 1999-2000 in Russia and Ukraine, with continuing economic problems, food shortages, and already difficult conditions for the population could have major humanitarian consequences for these countries.
Foreign countries trail the United States in addressing Y2K problems by at least several months, and in many cases much longer. Y2K remediation is underfunded in most countries. We have few indications that countries are undertaking contingency planning for recovery from Y2K failures:
Time and resource constraints will limit the ability of most countries to respond adequately by 2000.
Governments in many countries have begun to plan seriously for Y2K remediation only within the last year, some only in the last few months, and some continue to significantly underestimate the cost and time requirements for remediation and, importantly, testing. Because many countries are way behind, testing of fixes will come late, and unanticipated problems typically arise in this phase.
The largest institutions, particularly those in the financial sectors, are the most advanced in Y2K remediation. Small and medium-size entities trail in every sector worldwide.
Most countries have failed to address aggressively the issue of embedded processors. While recent understanding is that failures here will be less than previously estimated, it is nevertheless the case that failure to address this issue will still cause some highly dependent sectors with complex sensor and processing systems to have problems, centered right on the January 1 date.
The lowest level of Y2K preparedness is evident in Eastern Europe, Russia, Latin America, the Middle East, Africa, and several Asian countries, including China.
Although Western Europe is in relatively better shape than most other regions, European awareness of and concern about the Y2K problem is uneven, and the Europeans lag the United States in fixing their problems. European attention was focused on modifying computer systems for the European Monetary Union conversion, which was implemented successfully on 1 January, but this was done, in many cases, by postponing coming to grips with Y2K problems.
The Asian economic crisis has hampered the Y2K remediation efforts of most of the Asia-Pacific countries. While the lines of authority for China's Y2K effort have been established, its late start in addressing Y2K issues suggests Beijing will fail to solve some, but not many of its Y2K problems in the limited time remaining, and will probably experience failures in key sectors such as telecommunications, electric power, and banking.
Russia has exhibited a low level of Y2K awareness and remediation activity. While the Russians possess a talented pool of programmers, they seem to lack the time, organization, and funding to adequately confront the Y2K problem. The $3 billion estimate earlier this month from Alexander Krupnov, Chairman of the Russian Central Telecommunications Commission, is six times the original estimate. Frankly, we do not know how they arrived at this number.
One issue we are watching in Russia relates to vulnerability of Soviet-designed nuclear plants in Central and Eastern Europe and Russia to Y2K-related problems. Our analysts have done a systematic analysis of the most dangerous foreign reactors, and some of the former Soviet models are the worst. US nuclear reactor specialists know a great deal about the design and safety of these reactors, but they do not yet know what specific Y2K problems they may have. DOE specialists have been heavily involved in the process of helping US reactors overcome Y2K problems, and this process has required long and very detailed work using extensive documentation of how these reactors work. In comparison, documentation for Soviet-model reactors is poor, and no comparable effort has yet been made to trace potential Y2K failures.
We envision two ways in which potential problems with Soviet-designed reactors could evolve. The first involves the operation of internal components or sensors crucial to the operation of the plant, being affected or degraded by Y2K problems. For example, a valve with a digital controller designed to automatically adjust the flow of cooling water, could potentially malfunction because the digital controller does not recognize the year 00. The second involves problems arising from the loss of off-site power to the reactor due to Y2K problems in the power grid. This could lead to a series of Y2K problems possibly occurring simultaneously, presenting an even greater challenge to the reactor operators. While loss of electric power would in itself normally result in reactor shutdown, that process could potentially be complicated if internal Y2K problems arise within the reactor complex itself. There are digital controllers in some of the reactors that are used to drive pumps, valves, backup diesel generators, or other equipment crucial to the shutdown process. These controllers would have to work in order to ensure safe reactor shutdown if off-site power were lost.
While some Soviet-designed reactors are less vulnerable to problems from Y2K failures due to safety improvements incorporated into their designs, other reactors currently in use in Russia and other former Soviet states and allies, such as the remaining reactor at Chernobyl, are of more concern. While DOE has initiatives underway designed to assist the Russians in reducing the risk of Y2K-related reactor safety issues, the Russians have been slow to accept our help. DOE is sponsoring a study at Pacific Northwest Laboratories to identify the most likely Y2K failures in Soviet-designed reactors from internal Y2K problems or from electric power grid problems--and to assess the implications of potential failures.
Russia's Gazprom Natural Gas Pipeline network, which supplies over one-third of Europe's natural gas, also is susceptible to potential Y2K outages. Russia's ability to transport and export natural gas could be interrupted in mid-winter. Potential problems include:
Soviet-era mainframes--roughly equivalent to the IBM 360 and 370 series--have been used in Gazprom's pipeline operations centers and are highly likely to contain Y2K vulnerabilities.
Gazprom uses supervisory control and data acquisition (SCADA) systems to monitor and control some pipeline operations. Nearly all SCADA systems purchased prior to the late 1990s contain some degree of Y2K vulnerability.
Satellite ground stations used to transfer data between gas-producing regions to Gazprom's headquarters may have Y2K problems.
Several hundred unattended equipment stations along remote Siberian sections of Gazprom's pipelines may rely on vulnerable embedded processors. While most of these should work, they all need to be tested to ensure their reliability. These stations are used to relay communications and may be used to control pipeline valves. Many of them are accessible only by special convoys or helicopter, and under normal circumstances are only visited twice per year. Compressor stations--over six hundred of which pump gas through the pipeline network--also contain embedded processors that could be vulnerable.
Military systems and their command and control are particularly information-technology dependent, and thus potentially vulnerable to disruption if Y2K problems are not adequately addressed. We have been attentive to the possibility that foreign strategic missile systems, particularly in Russia and China, may experience Y2K-related problems. Missile-related concerns involve the vulnerability of environmental control systems within silos to Y2K disruption. Sensors and controllers need to be Y2K safe. Liquid-fueled missiles within silos must be monitored for fuel leaks. Optimum temperature and humidity levels must also be maintained within the silos. I want to be clear that while local problems are foreseeable, we do not see a problem in terms of Russian or Chinese missiles automatically being launched, or nuclear weapons going off, because of computer problems arising from Y2K failures. In fact, we currently do not see a danger of unauthorized or inadvertent launch of ballistic missiles from any country due to Y2K problems.
Based on our analysis, we think the Russians may have some Y2K problems in the early warning systems that they use to monitor foreign missile launches, and at their command centers. These could lead to incorrect information being provided by such systems, or system outages. DoD has been engaging the Russians for months on these problems. A DoD delegation visited Moscow last week to help the Russians get up to speed on potential Y2K-related nuclear early warning problems.
Regarding world trade and oil, some of our most important trading partners--including China and Japan--have been documented by, among others, the Gartner Group, as behind the US in fixing their Y2K problems. Significant oil exporters to the United States and the global market include a number of countries that are lagging in their Y2K remediation efforts. Oil production is largely in the hands of multinational corporations in the oil-producing countries, but this sector is highly intensive in the use of information technology and complex systems using embedded processors, and is highly dependent on ports, ocean shipping, and domestic infrastructures. Y2K specialists have noted that world ports and ocean shipping are among the sectors that have done the least to prepare for the Y2K problem.
One additional issue I want to raise is that many foreign officials and companies who are aware of Y2K problems are looking to the West, particularly the United States, for help and technical solutions. In some cases, we have information that foreign companies or governments may blame the United States and other foreign vendors for problems in equipment and thus seek legal redress for their failures.
In closing, let me note that today we are closely monitoring a broad range of countries and sectors worldwide in terms of their susceptibility to disruption by Y2K failures. We are gathering information from all branches of the US Government, industry sources, a vast array of open sources (including hundreds of Web sites), and our own intelligence collection efforts so that we can accurately predict failures abroad and assess the implications. We are working very closely with the rest of the government, through the President's Council on Year 2000 Conversion, and will continue to share relevant information on the Y2K situation abroad. As our collection continues, and awareness of and reporting on Y2K problems abroad increases, our estimates of the type and extent of failures we are likely to see around the world will become more precise.
Mr. Chairman, the Intelligence Community is aggressively attacking the Y2K problem. While we have not met every deadline, I am highly confident that we will have fixed, tested, and deployed systems to avoid or work around the problem. Every system will be tested. Every interconnection will be tested within the Community and with our customers. But, Mr. Chairman, I am equally certain that there will be an unforeseen problem that will jump up and bite us on New Year's Day. We must and will be prepared to respond aggressively to that near certainty.