We dodged the Y2K computer apocalypse 20 years ago. What's next could be worse

Article content

Twenty years ago, the world held its collective breath as the clock ticked toward midnight.

Y2K, also known as the millennium bug, was a snag that had stirred up fears that computers around the world would fail at the stroke of midnight. Planes would fall from the sky, power systems would fail, bank accounts would be wiped out and nuclear missiles would inadvertently launch.

We apologize, but this video has failed to load.

Try refreshing your browser, or
tap here to see other videos from our team.

We dodged the Y2K computer apocalypse 20 years ago. What's next could be worse Back to video

Decades earlier, computer programmers had written two-digit codes, so there were no dates after 1999. Anything with a computer in it could get confused about the date and fail or malfunction. Around the world, governments and businesses spent between $300 and $500 billion to fix glitches.

There was real fear the world could be thrust into chaos. Generators and kerosene lamps sold briskly. Bruce Beach, a survivalist in Horning’s Mills north of Toronto, was prepared to welcome 50 people to Ark Two, a bunker he had built out of 42 school buses buried underground. 

What actually happened at midnight was anti-climactic. No planes went down in flames, no missiles were launched. Beach said he was “astounded that there’s been so few reported Y2K problems” and told potential bunker dwellers to go home. There were no nuclear meltdowns, although the bug did show it could bite. In Japan, which had suffered its worst nuclear accident three months earlier, a radiation alarm system at the Shika Nuclear Power Station was shut down shortly after midnight.

Some glitches were only reported later. Pentagon officials withheld news of a major bug that cut access to a critical satellite intelligence system on New Year’s Eve. Reporters only learned of the problem after millennium celebrations in Washington and New York were over.

Canada’s six largest banks had spent a reported $1 billion on Y2K readiness. Visa Canada reported that cardholders had no problems making purchases and had spent almost $48 million in the first 18 hours of the new year.

In Ottawa, essential services — water and sewer services, traffic lights, OC Transpo, seniors homes and hospitals — all puttered into the new millennium without disruption. The scare subdued quickly. A few days after the new century clicked over, government officials were forced to defend the money they had spent on Y2K.

The Regional Municipality of Ottawa-Carleton and nearby municipalities had spent $54 million on Y2K preparedness. On New Year’s Day, officials said the only reason things had gone so smoothly was because they had spent the money.  Several regional and municipal computer networks had failed to meet compliance tests in the previous two years, which showed the 911 system and regional water would have failed at midnight on Dec. 31 without upgrades.

“We identified a number of problems in our radio dispatch system, which has to work with 911 and ambulance dispatch,” said Ottawa’s fire chief, Gary Richardson. “When we tested our system, it failed to make the rollover. The money spent on the fix was well-spent. If an emergency call had come through minutes after the new millennium, we wouldn’t have received it.”

Treasury board president Lucienne Robillard defended the $2.5 billion Canadian governments and businesses spent on Y2K updates.

“We don’t have problems because we spent that money,” Robillard said, adding that Canada’s computer systems were in better shape to withstand other crises, such an ice storm similar to the one in 1998, which left thousands of people in Eastern Ontario and Quebec without power.

Malfunctions linked to date-sensitive data have kept appearing. In 2014, the families of more than 14,000 long-dead men born between 1893 and 1897 got letters ordering them to register to join the U.S. military or face fines and imprisonment. The glitch was tracked to data transfer done by the Pennsylvania Department of Transportation, which used a two-digit code for birth years.

As Y2K has receded into the distance, it has been easy to dismiss it as a hoax or money grab on the part of computer consultants.

“It has become shorthand for, ‘You can’t believe the experts’,” said Martyn Thomas, a software engineer and cybersecurity expert who was a partner at Deloitte and later a professor at London’s Gresham College, in a 2017 lecture.

Thomas argued the danger was real, although the threat had, to a degree, been exaggerated. Organizations such as the UN, World Bank and major corporations got on board. It was the biggest information technology project most companies had ever faced.

Y2K showed that a lot of people could be motivated to complete a task on a deadline. But without a looming deadline, there is now no political will to use regulation to drive improvements in the quality and security of software, and the threats are even greater today, said Thomas. We continue to introduce dependencies on single points of failure, such as GPS. Cyber attacks are a serious and growing threat.

“Vulnerabilities are building up. The scale of those vulnerabilities is just increasing every year,” he said.

Thomas believes there were three lessons to be learned from Y2K. First, the problem was caused by poor software engineering. Most software is still being written very badly, he said. Second, testing is still the best software assurance, but it can’t find all defects. And third, Y2K was an example of a “single point of failure” that can cause large numbers of systems to fail at the same time.

GPS is a single point of failure, for almost all of the economy in many parts of the world. It is used widely not just for positioning, but also timing and navigation. “It is a major risk,” Thomas said.

Twenty years after Y2K, the fact is that we all rely on computers, and we don’t understand what they do, said Jason Jaskolka, a cybersecurity researcher and assistant professor of systems and computer engineering at Carleton University.

“They’re tools, but they’re not tools like a hammer. You know what a hammer can do, but you don’t know all that a computer can do.”

In 1999, computer programmer and author Ellen Ullman told Wired magazine: “Y2K is showing everyone what technical people have been dealing with for years: the complex, muddled, bug-bitten systems we all depend on, and their nasty tendency toward the occasional disaster.”

That is still a problem today, as demonstrated by Microsoft’s constant patching of its operating systems for flaws that were overlooked or not identified before shipping, said Patrick Ouellette, the coordinator of the information and communications technology security program at Algonquin College, and a Certified Ethical Hacker.

“Sometimes it’s by using obsolete or old systems for which security wasn’t a concern at initial design and implementation. But the reality of the situation is that companies will keep using older technology so long as it still meets the requirements. And the fact that it saves them money doesn’t hurt,” he said.

The other problem is that the number of computer systems that were connected to the internet in the ’90s was quite small. Now, it’s in the billions. At the same time, supply chains are increasingly complex, and most of the global economy depends on them.

“As soon as we rely on things from others in the supply chain, we have to think about whether they can be trusted,” said Jaskolka.

“All of these vulnerabilities are waiting for a trigger, whether it’s the time, or a malicious attacker. We are due for another one of these. It’s like an earthquake.”

Y2K was a known problem — computer experts were aware it was an engineering issue and they knew it could be fixed. The race in Y2K was the calendar, not a malicious adversary. Cyber attacks could happen at any time. In 2007, a cyberattack in Estonia took down banks, media outlets and government bodies. In 2015, an attack on power plants in the Ukraine cut power to 225,000 people.

Jaskolka is most worried about system glitches in critical infrastructure, such as an energy grid which has other systems dependent on it. “A hospital can’t run for long periods of time without power,” he said.

Transportation systems are also vulnerable to ransomware attacks, potentially disrupting global commerce. In 2017, for example, the Danish shipping giant A.P. Moller-Maersk was the target of an attack that locked access to systems used to operate shipping terminals around the world. The attack took two weeks to fix and cost the company a reported $200 to $300 million.

On Dec. 13, Canada’s largest private provider of diagnostic testing, LifeLabs, reported that it was hit by a cyberattack in October and had paid an undisclosed ransom to retrieve the stolen data. The attack may have compromised the personal information of some 15 million customers.

Not too long ago, personal data was often on paper and electronic data was kept in one place. Now data is kept in a number of places — a cellphone, laptop, cloud storage and USBs, said Ouellette.

“Not only is everything interconnected and interdependent now, we simply don’t have a grasp on how the data flows through different systems,” he said. “There’s the wild west of technology out there.”

You’ve probably heard of celebrities who have had their cellphones hacked, often for compromising photos. Well, everyone’s data is valuable, said Ouellette.

“Most of these kinds of attacks are data grabs to see what they could get and what they would do with it after. Everything is useful. It’s a big net thrown out there to see what they can get.”

Ouellette believes one of the biggest security risks is the Internet of Things — the interconnection of everyday objects, such as cellphones, security systems, thermostats, smart speakers and even appliances, all of which have computing devices embedded into them, allowing them to send and receive data.

Convenience trumps security and people will realize they are vulnerable only after the fact. If you have a computer in your refrigerator, it can be used as a starting point for malware, he said.

“Convenience is the death of security. The only thing anyone can do is to get informed about what the system can do, and protect your data in any way possible.”

Jaskolka agrees.

“We’re introducing all these systems into our daily lives, and we’re not thinking of the consequences. We’re sacrificing security and privacy for the convenience of these things,” he said. “Imagine your insurance company has access to your Fitbit and increases your premiums as a result.”

While laws are in place to force companies to disclose security breaches, laws can’t keep up with cyber threats.

“If we’re to have a comprehensive solution, there has to be regulation and legislation. But there’s slow-moving progress and it’s a very slow-moving process,” said Jaskolka. “I’m not sure if we really know what to do. It’s hard to lasso this wild west together again.”

Perhaps the greatest threat in this environment is an attack from a well-funded adversary such as a nation-state with a malicious intent to wreak havoc.

“We know the Russians have an 11-storey building dedicated to hacker groups. Six floors are dedicated to Facebook attacks,” said Ouellette.

“Y2K is a lesson we can’t forget. Humans seem to have the unique capability of forgetting important things. The younger generation has to understand that technology is not perfect.”