Testimony of Lawrence K Gershwin,
National Intelligence Officer For Science And Technology,
National Intelligence Council
Government Management, Information And
Technology Subcommittee Of The House Government
Reform And Oversight Committee
January 20, 1999
Good morning, Mr. Chairman. I am pleased to be able to discuss with you today the understanding that the Intelligence Community has about foreign efforts to deal with the Y2K problem. I will give you our current assessment of where we see problems as most likely to occur, but we are not yet in a position to make a confident assessment of the global impacts of the likely Y2K failures, or the implications for US interests. The Y2K situation is very fluid, and our assessments could change significantly over the next several months as more information becomes available, as countries become more aware of and deal with Y2K issues, and as incidents of Y2K failure increase. I will highlight for you today those problem areas that I think have a significant chance of affecting US interests.
Fixing the Y2K problem is labor and time intensive, and challenging with respect to project management. Current Gartner Group estimates of global expenditures to fix the problem are on the order of one to two trillion dollars, which is about 3-5 percent on average of every country's annual gross domestic product. A wide range of modern information technology is potentially affected including operating systems or applications software that use dates or date-related transactions, and embedded microprocessors in such applications as energy, transportation, telecommunications, and manufacturing systems.
All countries will be affected—to one degree or another—by Y2K-related failures. Problems in one country or sector can have widespread consequences because of interdependence between sectors worldwide. The consequences of Y2K failures abroad will range from the relatively benign, such as a localized inability to process credit card purchases, to problems within systems across sectors that will have humanitarian implications such as power loss in mid-winter. We have few indications that countries are undertaking contingency planning for recovery from Y2K failures.
Foreign countries trail the United States in addressing Y2K problems by at least several months, and in many cases much longer. Y2K remediation is underfunded in most countries:
Time and resource constraints will limit the ability of most countries to respond adequately by 2000.
Governments in many countries have begun to plan seriously for Y2K remediation only within the last year, some only in the last few months, and some continue to significantly underestimate the cost and time requirements for remediation and, importantly, testing. Because many countries are way behind, testing of fixes will come late, and unanticipated problems typically arise in this phase.
The largest institutions, particularly those in the financial sectors, are the most advanced in Y2K remediation. Small and medium-size entities trail in every sector worldwide.
Most countries have failed to address aggressively the issue of embedded processors. While recent understanding is that failures here will be less than previously estimated, it is nevertheless the case that failure to address this issue will still cause some highly dependent sectors with complex sensor and processing systems to have problems, centered right on the January 1 date.
The lowest level of Y2K preparedness is evident in Eastern Europe, Russia, Latin America, the Middle East, Africa, and several Asian countries, including China.
Global linkages in telecommunications, financial systems, air transportation, the manufacturing supply chain, oil supplies, and trade mean that Y2K problems will not be isolated to individual countries, and no country will be immune from failures in these sectors.
The coincidence of widespread Y2K-related failures in the winter of 1999- 2000 in Russia and Ukraine, with continuing economic problems, food shortages, and already difficult conditions for the population could have major humanitarian consequences for these countries. While the Russian government initiated centralized guidance to ministries and agencies in May of 1998, the State Committee responsible for initiating overall guidance has stated that there is not enough time or money to resolve the Y2K problem. We think they're right. Russian estimates of the cost of remediation of their government systems seem considerably less than Western estimates for comparable systems in other countries. Thus far both Russia and the Ukraine have exhibited a low level of Y2K awareness and remediation activity. While Russia possesses a talented pool of programmers, they seem to lack the time, organization, and funding to adequately confront the Y2K problem. Concerns include problems with computer-controlled systems and subsystems within power distribution systems and nuclear power generating stations leading to reactor shutdowns, or improper power distribution resulting in loss of heat for indeterminate periods in the dead of winter in Russia. Indications point towards a slow, reactive mode of operations on the part of the Russian Atomic Energy Ministry.
Although Western Europe is in relatively better shape than some of the regions I have cited earlier, European awareness of and concern about the Y2K problem is uneven, and they do lag the United States in fixing their problems. European attention was focused on modifying computer systems for the European Monetary Union conversion, which was implemented successfully on 1 January, but this was done by, in many cases, postponing coming to grips with Y2K problems. For example, the Netherlands has expressed concern that the EU members are not working together to solve Y2K problems, and has threatened to cut off its power grid from the rest of Europe in order to protect domestic power distribution from external problems.
The Asian economic crisis has hampered the Y2K remediation efforts of all of the Asia-Pacific countries except Australia. While the lines of authority for China's Y2K effort have been established, its late start in addressing Y2K issues suggests Beijing will fail to solve many of its Y2K problems in the limited time remaining, and will probably experience failures in key sectors such as telecommunications, electric power, and banking.
We are focusing increasingly in our study of foreign Y2K problems on those critical sectors that directly affect US interests. These include, among others, foreign military systems, trade, and oil production and distribution, all of which I will elaborate on.
Military systems and their command and control are particularly information- technology dependent, and thus potentially vulnerable to disruption if Y2K problems are not adequately addressed. We have been especially attentive to the issue of foreign strategic missile systems, in particular those in Russia and China, to experience Y2K-related problems. US and Russian officials have been discussing these issues for some time now, and we do not see a problem in terms of Russian or Chinese missiles automatically being launched, or nuclear weapons going off, because of computer problems arising from Y2K failures.
The problem we are more focused on is whether the Russians will manage to locate and fix problems in their early warning systems that they use to monitor foreign missile launches, and how their leadership is preparing to deal either with the prospect of incorrect information being provided by such systems, or with system outages. The level of concern in Russia is growing as awareness of the nature of the Y2K problem grows.
Regarding world trade and oil: some of our most important trading partners have been documented by, among others, the Gartner Group, as behind the US in fixing their Y2K problems (China and Japan, for example). Significant oil exporters to the United States and the global market include a number of countries—Venezuela, Saudi Arabia, Mexico, Nigeria, Angola, and Gabon— that are lagging in their Y2K remediation efforts. Oil production is largely in the hands of multi-national corporations in the oil-producing countries, but this sector is highly intensive in the use of information technology and complex systems using embedded processors, and is highly dependent on ports, ocean shipping, and domestic infrastructures.
The industry is fraught with potential Y2K problems. Embedded microprocessors are found throughout in the oil industry in drilling, pumping, transportation, processing, and refining operations. A typical offshore platform or onshore gas plant reportedly uses 50-100 embedded systems, each containing up to 10,000 individual microchips. While the industry has been actively involved in remediation, planning for remediation of a single offshore platform can reportedly involve up to 60 different vendors. We are concerned about the shipping of oil products, because ocean shipping and foreign ports have both been flagged as among the least prepared sectors.
One additional issue I want to raise is that many foreign officials and companies who are aware of Y2K problems are looking to the West, and particularly the United States, for help, and to Western suppliers for technical solutions. In some cases, foreign companies or governments may blame the United States and other foreign vendors for problems in equipment and thus seek legal redress for their failures. Worldwide litigation issues are quickly becoming a part of the Y2K scene.
In closing, let me note that today we can list all the issues that concern us worldwide, in terms of the impact of Y2K failures on infrastructures, economies, countries and regions, national security, trade, and so on. But today we cannot yet provide good answers or predictions that would be meaningful on the consequences. We have cast a wide net for information on Y2K developments and are working very closely, through the President's Council on Year 2000 Conversion, with the rest of the federal government. As the time for greater likelihood of failures comes nearer, awareness of, and reporting on Y2K problems abroad should increase dramatically, and we thus expect to have a better handle on the type and extent of failures we are likely to see around the world.
But the incredible complexity of global interconnectivity and interdependence, and the effects when some parts of the information technology baseline start to fail, is a daunting challenge to interpret and analyze.
There will be many analysts, in public and private sectors, here and abroad, trying to make reasonable judgments about the consequences and implications. The problem is formidable, but we will do our best to support the US government in assessing these consequences.