17 October 1999
Source:
http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=99101510.wlt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
15 October 1999
(State Inspector General describes beginning of "Y2K fatigue") (3840) A State Department official says that in the United States and worldwide, people are growing weary of hearing about the Year 2000 computer problem -- and this international "Y2K fatigue" could lead to complacency about a phenomenon that appears less real and less threatening than floods or earthquakes. In an October 13 statement before the Senate Special Committee on the Year 2000 Technology Problem, State Department Inspector General Jacquelyn Williams-Bridgers said that much progress has been made and "the risk of major Y2K failures appears to diminish every day." But she added that much work remains to be done to complete contingency plans and to identify high-risk locations worldwide. Following is the text of Williams-Bridgers' statement to the committee: (begin text) Senate Special Committee on the Year 2000 Technology Problem Testimony of Jacquelyn L. Williams-Bridgers Inspector General of the Department of State and International Broadcasting October 13, 1999 Mr. Chairman and Members of the Committee: I am pleased to provide a statement for the hearing record on the results of our most recent analysis of global Year 2000 (Y2K) preparedness and the potential impact Y2K failures may have in the international arena. The Y2K problem is one of the most challenging project management and systems conversion efforts ever faced by the world community. Although no one can accurately predict what will happen over the date change, we must recognize the potential for disruption both here in the United States and abroad. SUMMARY At a July 1999, hearing before this Committee on global Y2K readiness, I provided an overview of international Y2K readiness based on host country assessments developed by U.S. embassies and on our own visits to 31 sites in 24 countries. My testimony discussed our assessment of the relative risk that Y2K might cause failures in key sectors in countries around the globe -- and the message was decidedly mixed: Approximately half of the 161 countries assessed were reported to be at medium or high risk of having Y2K-related failures in their telecommunications, energy, and/or transportation sectors; Industrialized countries were generally found to be at low risk of having Y2K-related infrastructure failures, particularly in the finance sector; Anywhere from 52 to 68 developing countries (out of 98) were assessed as having a medium or high risk of Y2K-related failures in the telecommunications, transportation, and/or energy sectors; and Finally, and similar to the developing world, key sectors in the Newly Independent States and other former Eastern bloc nations, were a concern because of the relatively high probability of Y2K-related failures. We concluded that the global community was likely to experience varying degrees of Y2K-related failures in every sector, in every region, and at every economic level. In addition, we asserted that the risk of disruption would likely extend to the international trade arena, where a breakdown in any part of the supply chain would have a serious impact on the U.S. and world economies. We recommended, in light of the potential disruption that Y2K might cause, that the United States take a lead role to encourage and facilitate contingency planning by individual countries, regional partners, and international organizations such as the United Nations. Since that hearing, we have continued collecting Y2K information overseas, and have continued our oversight of the Department of State's (the Department) Y2K efforts. In this statement I will discuss the following: The results of recent Office of Inspector General (OIG) visits to four key countries to collect Y2K readiness information; The need for the Department to continue collecting information from its overseas posts concerning host country Y2K readiness, and the potential for Y2K-related failures; The need for more detailed information on host country Y2K readiness to be made available to the public to provide a clearer picture of the potential for Y2K-related failures at foreign locations; and Finally, the Department's progress in getting its mission critical systems Y2K certified. At this point, with less than 90 days to go before the Y2K transition, the Department needs to guard against complacency. In this country and around the globe a phenomenon known as "Y2K Fatigue" is beginning to occur in a public grown weary of hearing about this arcane computer problem -- one that appears less real and less threatening than floods and earthquakes. Still, although much progress has been made and the risk of major Y2K failures appears to diminish every day, much work remains to be done in contingency planning, and identifying foreign locations at high risk. Department of State International Y2K Efforts The Department has recognized that the potential for Y2K vulnerability is not restricted to its domestic operations and has implemented measures to assess the Y2K readiness of all countries where the United States has a diplomatic presence. These measures include the following: In November and December 1998, the Department's embassies and consulates used a standard survey to collect information on the effectiveness of the host country's Y2K program, vulnerability to short-term economic and social turmoil, reliance on technology in key infrastructure sectors, and the status of Y2K correctional activities. Staff under the direction of the National Intelligence Council analyzed the information from this survey, as well as from other sources, such as the World Bank, the United States Information Agency, and OIG. On January 29, 1999, the Department issued a Worldwide Public Announcement on the Y2K problem to inform U.S. citizens of the potential for problems throughout the world because of the millennium "bug." The notice cited specific areas of concern, including transportation systems, financial institutions, and medical care, as activities that may be disrupted by Y2K-related failures. Further, this announcement warned all U.S. citizens planning to be abroad in late 1999 or early 2000 to be aware of the potential for problems and to stay informed about Y2K preparedness in the location where they will be traveling. In addition, the Department established a special Y2K website for American citizens traveling or residing abroad with links to Y2K websites for foreign governments, international organizations, private organizations, and commercial enterprises at http://travel.state.gov/y2kca.html. In February 1999, the Department provided all of its embassies and consulates with a Contingency Planning Toolkit. The posts were instructed to use the toolkit to assess the probability that Y2K-related failures might occur in key infrastructure sectors, including finance, telecommunications, transportation, energy, and water/wastewater treatment. Based on this assessment, posts were to develop contingency plans and identify the resources (generators, radios, etc.) needed to handle Y2K-related emergencies. As of the end of June 1999, nearly all of the Department's posts had completed their host country infrastructure assessments and developed draft contingency plans. In June 1999, the Department provided instructions to its embassies and consulates on how they should approach host governments concerning Y2K issues. Posts were asked to discuss with the host government its assessment of Y2K readiness in the country; gain a deeper understanding of the local authority's remedial actions and contingency plans; and inform the host government that the Department has a responsibility to notify American citizens if it is aware of credible and specific threats to their safety and security, including Y2K problems in critical sectors. The Department hopes that approaching all countries now with this information will spur them to either correct the problems or develop contingency plans. On July 26, 1999, the Department issued a revised Worldwide Public Announcement on Y2K highlighting the need for personal preparedness on the part of private Americans and noting the inability of embassies and consulates to directly provide food, water, and shelter to the millions of U.S. citizens abroad. The Public Announcement also apprised the public of the measures the Department was taking to keep embassies and consulates functioning. On September 9, 1999, the Department conducted a worldwide test of its host country Y2K reporting system. The Department used this date because of the potential that computer systems might fail if they interpreted the 9/9/99 date as an error or as the end of a file. The test was very successful; as all posts scheduled to report did so. Further, approximately 75% of posts reported on this within an hour of their assigned reporting time. The Department plans to use this reporting system during the critical Year 2000 transition at the end of December. On September 14, 1999, the Department released updated consular information sheets containing Y2K information for 196 countries. These sheets provide the Department's official assessment of the potential disruption, if any, Y2K might cause. OIG Year 2000 Oversight Efforts International Y2K Efforts: Host Country Preparedness Results of Recent OIG Y2K Visits My office has continued its efforts in international Y2K issues by engaging host country representatives in discussions and establishing venues for information sharing and cooperation. Over the past year, we have visited 31 countries, meeting with host country Y2K program managers, representatives from key infrastructure sectors, and private sector officials to discuss their respective Y2K programs and share information. I will summarize below the results of our most recent visits to Indonesia, China, Saudi Arabia, and Egypt. Indonesia: Indonesia is generally not heavily reliant on computerized systems; however, some urban centers are dependent on information technology for telecommunications and banking. Overall, the country got a late start on Y2K remediation and does not appear to be fully prepared to deal with the Y2K problem. Consequently, there is a moderate risk of Y2K disruptions across Indonesia, specifically in the key sectors of telecommunications and banking and finance. Telecommunications appears to be the sector most vulnerable to potential Y2K disruptions. Further, the banking sector's heavy reliance on telecommunications increases the risk that it may face Y2K-related disruptions. The state electrical utility has taken steps to effectively address Y2K issues; according to utility officials, they have nearly 80 percent excess power generation capacity, thus making a power grid failure unlikely. Finally, the government has established a separate entity that will provide Y2K certification/verification assessments to systems owners. China: Major cities in the most developed region of the People's Republic of China (essentially a strip running 100 miles or so deep along the coast) are moderately reliant on computerized systems. Chinese Y2K remediation and contingency planning efforts have focused on critical infrastructure systems in these cities, which are generally well prepared to deal with the Y2K problem. Ninety percent of U.S. citizens in China live in these major cities. Little information is available concerning the Y2K readiness of China's interior provinces; still, we were told that reliance on computerized systems is much lower in these areas, and thus Y2K will likely have a low impact. China's power grid passed a Y2K test in early September, 1999, during which power generating and transmission companies rolled through all the Y2K critical dates. Chinese authorities expect that any potential disruptions will be concentrated in small- and medium-sized enterprises, and that there is a moderate risk of disruption in freight-forwarding and distribution networks. Saudi Arabia: The Kingdom of Saudi Arabia has implemented a comprehensive Y2K effort across all of its ministries. According to the July 1999, assessment by the Saudi Arabian Y2K National Committee, 100 percent of systems in the financial services, clearing/settlement, and government sectors were Y2K compliant. Basic utilities were 96 percent compliant, transportation systems were at 95 percent, and telecommunications at 90 percent. The Saudi petroleum sector began its Y2K efforts in 1994, and has since completed remediation, testing, and certification of its systems, except for a few medical devices used in its hospitals. The electric power utility is nearly 100 percent compliant, and in any event will have 25 percent excess capacity in January 2000 because of lower usage. In the water sector, the Saline Water Conversion Corporation has 25 plants at 15 locations around the country, producing 700 million gallons of water a day. Most of the process control devices used in these plants are analog, some nearly 30 years old, and which do not have Y2K issues. Saudi Arabia has one of the most advanced telecommunications systems in the world, and it will be 100 percent compliant by October 31, 1999. Finally, according to officials at the National Committee, the health care sector has the most significant Y2K-related problems, with the government-run hospitals being the furthest behind. They are currently concentrating on contingency planning. Egypt: The Government of Egypt has implemented a centrally directed, well-organized and comprehensive Y2K effort across all civilian ministries. The ministries of Interior and Defense have separate programs. The Central Bank of Egypt and the country's 54 commercial banks have completed their remediation and testing for all critical dates, including international clearing. The Egyptian Electric Authority states that it has a high level of confidence in its Y2K readiness because it has fixed and tested all critical systems and embedded devices. Public hospitals, which do not expect to be compliant, are implementing a thorough risk management and staff training initiative to prepare for contingencies. The telecommunications sector is 85 to 90 percent Y2K-ready and is pursuing an ongoing Y2K program. Water and sewage treatment appear to be mostly manual operations; the embassy in Cairo is continuing to assess these and other sectors, such as natural gas and hazardous materials. In addition, our embassy in Cairo is strongly supporting the Egyptian Government's Y2K program. This effort includes $15.75 million in U.S. assistance targeting, among others, the power, telecommunications, health, water, wastewater, and civil aviation sectors. Finally, the Suez Canal Authority states that it will keep the Canal clear of ships from around 11:00 p.m. on December 31, 1999, through the early morning hours of January 1, 2000. During this transition period, canal pilots will inspect shipboard navigation and other systems of transiting vessels. The Suez Canal Authority will also be checking the status of its own systems. Currently, an OIG team is visiting 3 Latin American countries --Brazil, Venezuela, and Mexico -- to collect Y2K information and develop a final snapshot of Y2K readiness in these key locations. Host Country Y2K Information Flow Needs to Continue As discussed earlier, the Department's embassies and consulates have been reporting on their respective host countries' Y2K readiness since late 1998. This information has been used to develop contingency plans for post staff, and to inform the public of where Y2K-related failures might occur. Further, the Department, including my office, has used this information to develop worldwide assessments of the potential impact of the Y2K problem on key infrastructure sectors (energy, transportation, communications, etc.). At the Committee's July 1999 hearing on Y2K Readiness and Global Trade, based on embassy information and our own visits, we discussed the relative risk that Y2K-related failures might occur in key sectors of the world's industrial, developing, and eastern bloc countries. Because the Y2K global landscape is constantly changing, it is essential that the Department continue to collect Y2K readiness information from its overseas posts and other sources. Posts are continually providing updated country assessments, and these are provided to other U.S. government agencies and to the National Intelligence Council, which is responsible for maintaining a global Y2K database. As we enter the final 90 days of 1999, it is critical that the National Intelligence Council keep this information updated in order to facilitate decision-making on Y2K issues by U.S. government officials both here and abroad, and in order to keep the public informed of potential global Y2K problems. More Detailed Y2K Readiness Information Needs to be Released As discussed earlier, the Department has issued Consular Information Sheets for 196 countries describing Y2K readiness and the potential for Y2K-related disruptions. This ambitious and noteworthy effort to inform the public about potential disruptions abroad has focused public attention on a worldwide problem. However, based on a review of 29 information sheets, we have concerns about their adequacy. Thirteen of the 29 contained adequate Y2K information that was correct and specific enough to enable someone to make an informed decision about whether to travel to those countries. The other 16 Consular Information Sheets did not contain adequate assessments because the Y2K information provided was too vague. The Department, in its on-going process of updating consular Y2K information, is continuously reviewing Y2K information for all countries. In particular, the Department is now focusing on possible revision of current consular information for some countries. Some specific examples of consular information sheets that can be improved are as follows: Czech Republic: The information sheet on the Czech Republic notes that "greater progress in remediation efforts and contingency planning in rail service, electricity generation, water supply, and health care will help lower the risk of potential disruption." It would be more useful if the Department stated whether there was any evidence that such progress was being made, and whether it would be made in a timely manner. Indonesia: The Department's advisory notes that there is a moderate risk of Y2K disruptions across Indonesia, specifically in the key sectors of health, telecommunications, and banking and finance. However, the sheet goes on to warn, "A long-term disruption of electrical power in Jakarta and other major cities is a potentially serious Y2K problem." This sentence is inconsistent with information collected during our visit with Indonesian power industry officials in August 1999, where we were briefed on their extensive efforts to remediate Y2K problems in the power sector. Italy: The information sheet is largely boilerplate and provides vague information. It should be updated to reflect more specifics regarding the current state of Y2K remediation and contingency planning to ensure that millions of travelers considering a visit to Italy for any of the planned millennium celebrations have timely, comprehensive information. Russia and Ukraine: The information sheets on these two countries contain strong language about the high risk of potential Y2K problems, which is generally consistent with the information contained in the embassy assessments. However, despite this recognized high risk, the Department only provides a vague warning to travelers, suggesting that they "take into account fully the information in this document in planning their travel and its timing." Over the past year the Department's embassies and consulates have provided thousands of reports to Washington concerning Y2K efforts in their respective host countries. A number of embassies, such as the U.S. Embassy in Beijing, China, have made their Y2K reporting available to the public through their public web sites. These are linked to the Department's Y2K website at http://travel.state.gov/y2kca.html. The British Foreign and Commonwealth Office's travel website contains detailed, sector-specific (energy, water, etc.) Y2K information collected by British embassies in dozens of countries. These assessments and other analyses by host governments are also available via the Department of State's website links. Some of the Department's recently issued Consular Information Sheets do not fully capture the scope and content of the Y2K information collected by its overseas staff, and may not, in all cases, be as useful to the American public as they could be. While country-specific Consular Information Sheet Y2K language was approved by the respective U.S. embassy, in some cases it reflected more recent, updated information than that contained in the post's formal assessment reports. In such cases, posts' Y2K country assessments should be revised to reflect the changes made during the final information sheet drafting process. We recognize that in many countries information concerning the level of Y2K readiness is sensitive, given the potential impact that Y2K might have on the country's economy, its reputation, or even its internal political stability. Nonetheless, so Americans can make reasoned, informed decisions about where they plan to be on December 31, 1999, we recommend that the Department release additional information as it becomes available on international Y2K readiness. OIG Work within the Department of State OIG is also assisting the Department to meet the millennium challenge facing its respective information technology infrastructures, including computer software, hardware, and embedded devices. The Department has recognized that it is vulnerable to the Y2K problem, and over the past 2 years has taken steps to remediate its systems and infrastructure to prevent disruptions to its critical business processes. The Department has established a Program Management Office (PMO) that is responsible for the overall management of the Department's Y2K program. The PMO's responsibilities include tracking and reporting on the progress being made by the bureaus in remediating systems, providing technical advice and assistance, issuing contingency planning guidance, and certifying systems for Y2K compliancy. As of May 15, 1999, the Department reported that 100 percent of its mission-critical systems had been implemented. My office has assisted in establishing a process through which the Department can certify the Y2K compliancy of its mission-critical systems. The purpose of this process, which we understand is one of the most rigorous in the Federal Government, is to provide the Department's senior management with assurance that every feasible step has been taken to prevent Y2K-related failures on January 1, 2000. We assisted in writing detailed guidelines that each bureau must use in developing application certification packages for submission to the Y2K Project Management Office. In addition, through an agreement with the Under Secretary of State for Management, OIG is reviewing the adequacy of all certification packages for mission-critical systems before they are provided to the Y2K certification panel. Thus far, we have evaluated and provided our comments to the Department on 27 application certification packages, and 14 of those have been officially certified. Another nine certification packages are in the pipeline, and we expect to review them shortly. Finally, in April 1999, the Department initiated planning for end-to-end testing of its core business functions. The purpose of end-to-end testing is to ensure that the Department can maintain its core business functions on and beyond the rollover to the Year 2000. The Department's end-to-end test is a test of the critical transaction flows through the organization across the major business functions, applications, and vendor products that support these transactions. State has organized its end-to-end testing around five clusters, each of which combines a number of related business functions. For example, the Business Management Cluster includes such processes as personnel actions, financial management, and logistics. The other four clusters are Consular, E-mail, Command and Control Communications, and Security. As of September 30, 1999, the Department had completed end-to-end testing of four clusters, and plans to complete testing on the fifth cluster (Business Management) by October 31, 1999. In conclusion, over the next 75 days or so, the Department faces the difficult challenge of maintaining the momentum it has developed, and keeping the world focused on the Y2K problem. While much progress has been made by a large part of the international community to prepare for Y2K and to develop contingency plans, much of this effort will be for naught if complacency is allowed to take hold. The Department has a clear and unequivocal role to play over the next two months, through its efforts to continue to fine tune its own contingency plans, to collect information on host country Y2K activities, and to assure the American public is adequately informed about global Y2K readiness. (end text) (Distributed by the Office of International Information Programs, U.S. Department of State)