Lawrence K. Gershwin,
National Intelligence Officer for Science and Technology,
National Intelligence Council
Written Statement for the
Senate Special Committee on the Year 2000 Technology Problem
March 5, 1999
Mr. Chairman, I am pleased to be able to discuss with you today the understanding that the Intelligence Community has about foreign efforts to deal with the Y2K problem. We continue to watch the problem closely, and I have our current assessment of where we see problems as most likely to occur. The Y2K situation continues to change, and our assessments will similarly evolve as more information becomes available, as countries become more aware of and deal with Y2K issues, and as incidents of Y2K failure increase.
As we have said before, Mr. Chairman, all countries will be affected--to one degree or another--by Y2K-related failures. Global linkages in telecommunications, financial systems, air transportation, the manufacturing supply chain, oil supplies, and trade will virtually guarantee that Y2K problems will not be isolated to individual countries. No country will be completely immune from failures. Fixing the Y2K problem has proven to be labor and time intensive, as well as expensive.
There remain significant information gaps that make it difficult for us to assess how serious the Y2K problem will be around the world. In many cases, foreign countries only recently have become aware of the problem and begun to examine their critical infrastructure systems for potential Y2K failures. In comparison, the United States has made a significant effort to identify and redress Y2K problems, and it was only after the process was well underway that it was possible to get a good appreciation of the extent of the problem and its implications. Many foreign countries, particularly those that are the furthest behind, have not made such an effort, so--for our part--we can identify their likely problem areas but cannot make confident judgments at this point about what is likely to happen. Those problem areas that we have detected that have the potential to affect US interests include, among others, foreign nuclear reactors and power grids, military early warning systems, trade, the oil and gas sectors, and worldwide shipping and air transport, all of which I will elaborate on.
The consequences of Y2K failures abroad will range from the relatively benign, to problems within systems across sectors that will have humanitarian implications such as power loss in mid-winter. The coincidence of widespread Y2K-related failures in the winter of 1999-2000 in Russia and Ukraine, with continuing economic problems, food shortages, and already difficult conditions for the population could have major humanitarian consequences for these countries.
Foreign countries trail the United States in addressing Y2K problems by at least several months, and in many cases much longer. Y2K remediation is underfunded in most countries. We do see indications that countries are undertaking contingency planning for recovery from Y2K failures:
Time and resource constraints will limit the ability of most countries to respond adequately by 2000.
Governments in many countries have begun to plan seriously for Y2K remediation only within the last year, some only in the last few months, and some continue to significantly underestimate the cost and time requirements for remediation and, importantly, testing. Because many countries are way behind, testing of fixes will come late, and unanticipated problems typically arise in this phase.
The largest institutions, particularly those in the financial sectors, are the most advanced in Y2K remediation. Small and medium- size entities trail in every sector worldwide.
Most countries have failed to address aggressively the issue of embedded processors. While recent understanding is that failures here will be less than previously estimated, it is nevertheless the case that failure to address this issue will still cause some highly dependent sectors with complex sensor and processing systems to have problems, centered right on the January 1 date.
The lowest level of Y2K preparedness is evident in Eastern Europe, Russia, Latin America, the Middle East, Africa, and several Asian countries, including China.
The World Bank recently noted that the Y2K problem within developing countries has been overlooked because many observers assume developing countries are less dependent on computers in everyday national life. They point out that the majority of developing countries, even the poorest, have computerized essential services such as power generation, telecommunications, food and fuel distribution, and the provision of medical care. The Bank says that a general failure of such systems could endanger the health, security, and economic well-being of people in the developing world. We agree with this assessment.
Middle Eastern countries and firms have basic awareness of the Y2K problem and have made modest progress in remediation. The business sector, especially banking, seems best prepared in that region. Egypt, Jordan, Lebanon, Saudi Arabia, Oman, Qatar, and the United Arab Emirates believe that their banks will be ready. Most government, business, and military remediation efforts are however, in general, poorly coordinated.
In Africa, efforts in South Africa are the best organized. South Africa leads the continent in recognition of the Y2K challenge and in activities to address it. As in the Middle East, most other government and military remediation efforts throughout the continent are, in general, poorly coordinated.
We see problems in Latin America. An October 1998 Gartner Group study indicated that in many nations of Latin America, at least 50 percent of companies will experience at least one mission critical failure. Even if governments and firms in Latin America devote sufficient resources to the problem, they will be hard pressed to complete remediation within the next 10 months to avoid systems failures.
Although Western Europe is in relatively better shape than most other regions, European awareness of and concern about the Y2K problem is uneven, and the Europeans lag the United States in fixing their problems. European attention was focused on modifying computer systems for the European Monetary Union conversion, which was implemented successfully on 1 January, but this was done, in many cases, by postponing coming to grips with Y2K problems.
The Asian economic crisis has hampered the Y2K remediation efforts of most of the Asia-Pacific countries. The appeal to the World Bank and others this week from eighteen Asia-Pacific nations during the Manila Y2K summit, asking for funding for Y2K remediation, was not surprising. There is much to be done. After a slow start in addressing the Y2K problem, China has stepped up efforts over the past two months in an attempt to meet a March 31 deadline imposed by the Ministry of Information for detection of Y2K problems. In mid-February 99, Chinese officials conducted the first test of several key systems in the financial, telecommunications, and electric power sectors. The civil aviation sector reportedly is also preparing for a nationwide test. While the lines of authority for China's Y2K effort have been established, remediation efforts in critical sectors such as electric power, transportation, and telecommunications appear to be lagging. China's late start in addressing Y2K issues suggests Beijing will solve some, but not many of its Y2K problems in the limited time remaining, and will probably experience failures in key sectors. China's problems are exacerbated by the fact that, by some estimates, over 90% of the software used in China is pirated, including most of the software used in government offices and state owned enterprises. This could make it very difficult to approach software vendors for technical fixes and coincidentally, limits China's legal recourse should their software suffer Y2K-related problems.
Russia has exhibited a low level of Y2K awareness and remediation activity. While the Russians possess a talented pool of programmers, they seem to lack the time, organization, and funding to adequately confront the Y2K problem. The $3 billion estimate last month from Alexander Krupnov, Chairman of the Russian Central Telecommunications Commission, is six times the original estimate. Frankly, we do not know how they arrived at this number.
One issue we are watching in Russia relates to vulnerability of Soviet-designed nuclear plants in Central and Eastern Europe and Russia to Y2K-related problems. DOE analysts have done a systematic analysis of the safety of foreign reactors, and some of the former Soviet models are the worst. US nuclear reactor specialists know a great deal about the design and safety of these reactors, but they do not yet know what specific Y2K problems they may have. Documentation for plant equipment and software in use in Soviet-designed reactors is either poor or nonexistent. Many of the vendors who supplied this equipment or software have not been in business since the fall of the Soviet Union and are not available to help.
We envision two ways in which potential problems with Soviet- designed reactors could evolve. The first involves the operation of internal components or sensors crucial to the operation of the plant, being affected or degraded by Y2K problems. For example, a valve with a digital controller designed to automatically adjust the flow of cooling water, could potentially malfunction because the digital controller does not recognize the year 00. The second involves problems arising from the loss of off-site power to the reactor due to Y2K problems in the power grid. This could lead to a series of Y2K problems possibly occurring simultaneously, presenting an even greater challenge to the reactor operators.
While loss of electric power would in itself normally result in reactor shutdown, that process could potentially be complicated if internal Y2K problems arise within the reactor complex itself. We have not yet identified any safety-related equipment with Y2K-related problems within Soviet-designed reactors; however, other, non-safety-related equipment used to operate the plant may have problems. For example, in some Soviet-style reactors (RBMK's - 14 graphite moderated, water cooled reactors) a computer is used to control power production. Failure of this computer would cause activation of the safety systems, the control rods would automatically be inserted, and the reactor would begin to shut down. When external power is lost, diesel generators are used to supply power to cooling pumps to remove heat from the core. These diesels must have adequate fuel supplies on hand for at least a week in order to prevent fuel melt.
While some Soviet-designed reactors are less vulnerable to problems from Y2K failures due to safety improvements incorporated into their designs, other reactors currently in use in Russia and other former Soviet states and allies, such as the remaining reactor at Chernobyl, are of more concern. While DOE has initiatives underway designed to assist the Russians in reducing the risk of Y2K-related reactor safety issues, the Russians have been slow to accept our help. DOE is sponsoring a study at Pacific Northwest Laboratories to identify the most likely Y2K failures in Soviet-designed reactors from internal Y2K problems or from electric power grid problems--and to assess the implications of potential failures.
Russia's Gazprom Natural Gas Pipeline network also is susceptible to potential Y2K outages. It supplies nearly 50 percent of the total energy consumed by Russia, almost 15 percent of the total energy consumed by Eastern Europe, and 5 percent of that consumed by Western Europe. Based on the natural gas storage capacity and the drawdown capability at the storage sites, we believe that Western Europe can survive a Gazprom shutdown for over 30 days. This assumes that there are no Y2K problems associated with distribution of the gas from the storage areas. Of greater concern are Eastern Europe, Russia itself, and the other states of the former Soviet Union should Russia's ability to transport and export natural gas be interrupted in mid-winter. Russia will lose virtually all of its natural gas and the information that we have on the storage capacity and drawdown capability of Eastern Europe and other states of the former Soviet Union suggests that those countries could experience severe shortages should Gazprom shut down. Like all major pipeline operators, Gazprom has emergency contingency plans to assure continued gas delivery after a pipeline shutdown or explosion. While available options include manual equipment operation, use of stored gas, and switching to backup pipe segments, it is unclear whether these measures are sufficient to deal with the scale of problems that could occur due to Y2K failures.
Potential problems include:
Soviet-era mainframes--roughly equivalent to the IBM 360 and 370 series--have been used in Gazprom's pipeline operations centers and are highly likely to contain Y2K vulnerabilities.
Gazprom uses supervisory control and data acquisition (SCADA) systems to monitor and control some pipeline operations. Nearly all SCADA systems purchased prior to the late 1990s contain some degree of Y2K vulnerability.
Satellite ground stations used to transfer data between gas-producing regions to Gazprom's headquarters may have Y2K problems.
Several hundred unattended equipment stations along remote Siberian sections of Gazprom's pipelines may rely on vulnerable embedded processors. While most of these should work, they all need to be tested to ensure their reliability. These stations are used to relay communications and may be used to control pipeline valves. Many of them are accessible only by special convoys or helicopter, and under normal circumstances are only visited twice per year. Compressor stations--over six hundred of which pump gas through the pipeline network--also contain embedded processors that could be vulnerable.
Military systems and their command and control are particularly information-technology dependent, and thus potentially vulnerable to disruption if Y2K problems are not adequately addressed. Foreign strategic missile systems, particularly in Russia and China, may experience Y2K-related problems. Missile-related concerns involve the vulnerability of environmental control systems within silos to Y2K disruption. Sensors and controllers need to be Y2K safe. Liquid-fueled missiles within silos must be monitored for fuel leaks. Optimum temperature and humidity levels must also be maintained within the silos. I want to be clear that while local problems are foreseeable, we do not see a problem in terms of Russian or Chinese missiles automatically being launched, or nuclear weapons going off, because of computer problems arising from Y2K failures. And, our assessment remains that we currently do not see a danger of unauthorized or inadvertent launch of ballistic missiles from any country due to Y2K problems.
Based on our analysis, we think the Russians may have some Y2K problems in the early warning systems that they use to monitor foreign missile launches, and at their command centers. You may have seen Maj. General Dvorkin's statement at a Moscow press conference this week that the Y2K problem does threaten early warning and space control systems. Problems within these systems could lead to incorrect information being either transmitted, received, or displayed or to complete system outages. General Dvorkin stated that tests have revealed which hardware and software needs to be remediated or replaced and that final tests of the adjusted software will take place in October of this year. DoD has been working with the Russians for months on these problems. DoD has announced plans to establish a joint US-Russian Defense Y2K Coordination Center in Colorado Springs, CO in order to share early attack warning information, thus preventing confusion should any Y2K- related false or ambiguous warnings occur. A DoD delegation visited Moscow last month to help the Russians get up to speed on potential Y2K- related nuclear early warning problems.
Regarding world trade and oil, some of our most important trading partners--including China and Japan--have been documented by, among others, the Gartner Group, as behind the US in fixing their Y2K problems. Significant oil exporters to the United States and the global market include a number of countries that are lagging in their Y2K remediation efforts. Oil production is largely in the hands of multinational corporations in the oil-producing countries, but this sector is highly intensive in the use of information technology and complex systems using embedded processors. Microprocessors and computer systems are utilized for oil and gas production, processing, and transportation. Computers and microprocessors are used to monitor, report, and store data on the status of equipment and facilities and to assist in performing or controlling operations. In more sophisticated infrastructures, operations of equipment and facilities may be highly automated to enable networks of facilities to be controlled remotely. This places that industry at risk of Y2K-related problems which could result in a slowdown of extraction, refining and delivery.
The oil sector is also highly dependent on ports, ocean shipping, and domestic infrastructures. Y2K specialists have noted that world ports and ocean shipping are among the sectors that have done the least to prepare for the Y2K problem.
Waterborne commerce carries not only oil but a significant amount of the world's goods of all types. It is difficult to predict at present the effect of Y2K on the shipping industry, however, many ships and transshipment points use higher level computer systems and equipment that contain embedded systems. Widespread failures in waterborne commerce carriers could also have significant impacts in the supply of food and commercial goods, resulting in possibly severe economic disruptions. Malfunction of navigational equipment either aboard or external to the ship may also occur, resulting in either collisions or groundings, potentially resulting in environmental problems.
Aviation has been one of the pioneers in automation and computer systems which are used on board aircraft and in control towers at airports. If global air traffic (personnel, air freight, package, and mail delivery) is seriously curtailed in 2000, this could have a significant impact on global business activity, not just the travel industry. Problems within this sector include the existence of radar systems deemed "legacy systems" that run older software and thus may be vulnerable.
Y2K problems in the telecommunications networks could negatively impact a broad range of other sectors that rely on the networks not only for communications but also for monitoring and load management. Many countries have telecommunications equipment with components purchased elsewhere, a fact that complicates the identification and remediation of Y2K-related problems. Sectors that are heavily dependent on telecommunications include banking, defense, electric power, natural gas, water, transportation, and food distribution. In addition, a functioning telecom network is crucial in emergency situations.
Our global and domestic markets for financial securities, commodities, products, and services depend completely on the smooth functioning of the vast information technology (IT) infrastructure. The banking industry is particularly affected by the year 2000 problem because nearly every aspect of the business is dependent on computer systems for processing transactions and providing information. It is as yet unclear what effect non-remediated foreign banks will have on the international banking system when they attempt to interact with the rest of the world.
The Y2K-related litigation issue continues to grow. Concerns about litigation have, in some cases, stifled the open exchange of information on Y2K-related issues. Many foreign officials and companies who are aware of Y2K problems are looking to the West, particularly the United States, for help and technical solutions. Foreign companies or governments may blame the United States and other foreign vendors for problems in equipment and thus seek legal redress for their failures.
In closing, let me note that today we are closely monitoring a broad range of countries and sectors worldwide in terms of their susceptibility to disruption by Y2K failures. We continue to gather information from all branches of the US Government, industry sources, a vast array of open sources (including hundreds of Web sites), and our own intelligence collection efforts so that we can accurately predict failures abroad and assess the implications. We are working very closely with the rest of the government, through the President's Council on Year 2000 Conversion, and will continue to share relevant information on the Y2K situation abroad. As our collection continues, and awareness of and reporting on Y2K problems abroad increases, our estimates of the type and extent of failures we are likely to see around the world will become more precise.