The Millennium Bug 20 Years On

Anyone who’s over 30 years old must remember that 20 years ago the world was going to end. The Millennium dawned, and among many apocalyptic prophecies one stood above all others: the Millennium Bug, aka The Year 2000 problem, Y2K problem, the Y2K, the Y2K bug, the Y2K glitch. These names refer to a class of computer bugs related to the formatting and storage of calendar data for dates beginning in the year 2000. Problems were anticipated because many programs represented four-digit years with only the last two digits, making the year 2000 indistinguishable from 1900.

The assumption of a 20th century date in such programs could cause various errors, such as the incorrect display of dates and the inaccurate ordering of automated dated records or real-time events. All sorts of doomsday scenarios were heard all over the globe from nuclear meltdown (due to the computer system’s failure) and planes falling from the skies to communication breakdown and global shutdown.

Fortunately, none of these disaster scenarios materialized. The Y2K bug is now remembered as a moment of hysteria, a funny anecdote in time, much like the incidents that occurred 1000 years before it, when many were certain that the new Millennium would spell doom to them all (spoiler: that also didn’t happen!).

But the importance of The Millennium Bug was that for the first time in history, decision makers and ordinary citizens alike were considering cyber as a serious threat to our way of life. Fast forward 20 years and the internet is everywhere; we all use smartphones and order stuff online that is delivered to us overnight (and very soon by drones and electric vehicles). But with everything that has changed since the dawn of the millennium, are we more or less vulnerable than we have been before? Let’s examine some factors.

Connectivity: Power With a Fatal Weakness

The most notable difference between now and then is just how connected the world has become. In this sense, we are much more vulnerable today than we were before. We cannot imagine our lives without constant connectivity and all its benefits: online shopping, social media and online journalism. If this were taken away from us, even for a short while, panic might well ensue. Just remember the Dyn attacks of 2016 that resulted in “internet blackout” across the US east coast.

Connectivity is the backbone that enables the modern data economy and global commerce, but since we’ve become 100% reliant on it, if something were to happen that prevented our using it, the results would be grave.  

Open Source: Free Software, Free Vulnerabilities

20 years ago many companies were still selling perpetual software licenses, and it was impossible to imagine that free, open source software, developed by a community of hobbyists, would help many organizations run their businesses. But now open source software is an important component of almost every technology stack.

However convenient and cheap, it embodies many risks. For instance, a recent study found that the most copied StackOverflow Java code snippet of all time contains a bug. A Java developer from Big data software company Palantir submitted this code back in 2010, and since then this code has been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet.

Utilizing someone else’s software has never been easier, but in doing so, we’re exposing our products to dependencies that may contain flaws and vulnerabilities as well as risking the possibility of a hard-to-detect supply-chain attack.

Mobiles: Universal Trackers, Universal Attackers

We had mobile phones back then. I mean, there were phones, and they were mobile: you could carry a phone in your pocket and talk to and text people and, well, that’s about all you could do with a phone in the year 2000. Fast forward to today, and it is hard to imagine how we could pass a single day without our smartphones, glued to the screen or broadcasting every aspect of our lives to the entire world in words, pictures and videos.

Unfortunately, this reliance on mobile technology makes us all more vulnerable. Cyber criminals know this and utilize this in myriad ways for fraud, theft and other exploits. In addition, since the mobile phone has become everyone’s “mobile command center” it has become the target of choice for reconnaissance and espionage efforts, which target users with crafted spearphishing and smishing attacks and tailored exploits for Android and iOS.

With mobile devices increasingly used on corporate networks, loaded with apps that are rarely evaluated for vulnerabilities, backdoors or data scraping and with a history of having been connected to a variety of external, possibly insecure networks, they present a rising threat to both personal and enterprise security.

The Cloud of Uncertainty: Who Has My Data?

The cloud represents an even bigger revolution than the smartphone. It was obvious to anyone back in 1999 that mobile phones would become more powerful and serve us to consume and create media. But very few people believed back then that we would all be storing our data on someone else’s Linux server, sitting quietly in some remote location completely unknown to us.

Moreover, no one would have believed that enterprises and governments would also utilize this same infrastructure to host data and run applications. And yet, thanks to Amazon and Microsoft, the traditional IT infrastructure (which required a chilled data center at every physical location) has been replaced by a virtual infrastructure hosted somewhere in a huge data center on the other side of the world.

Our dependency on cloud services is complete. We cannot operate the global commerce and knowledge economy without it, but when an outage occurs like that which happened to MS Azure back in November – resulting in outage of several Microsoft services including Office 365, Xbox App, Xbox Live, Skype, Microsoft Azure – or the AWS outage of September, it has a tremendous impact on individuals, businesses and governments.

When mission critical services rely on data held outside our own immediate control, the notion of ‘security’ becomes an article of faith. Who is to say if those remote servers won’t lock us out unexpectedly? How are we to know who else has access to our data or whether the devices holding it have been compromised without our knowledge?

The Internet of Things: Network Entry Points, Everywhere

The cloud is also the enabler of the next revolution, that of connected ‘smart’ devices, aka ‘Machine to Machine (M2M) or ‘Internet of Things’ (IoT) devices. This connectivity bridges the divide between the physical and the online world and enables wired devices to “sense” their environment and then “talk” to other devices, or, through the cloud, with their owners.

This kind of connectivity is being brought to everything from garbage cans to street lights to autonomous vehicles and aviation. However, it also enables nefarious cyber activities on a scale we’ve never seen before, like the Mirai botnet that generated the largest DDoS attack the world had seen to that point, and other huge botnets, sometimes comprising as many as 850,000 computers, that are then used for cryptocurrency mining.

IoT devices bring security risks and privacy risks. Increasingly, wired ‘Smart’ devices are being recruited by botnets to gain entry into networks, and many devices leak personally identifiable information.

Meet Cybercrime: The New ‘Cost of Doing Business’

As we’ve seen, the changes that have taken place over the last 20 years have given various threat actors fertile ground on which to flourish, and flourish they have. Cybercrime has become a truly global phenomenon which impacts most industries and is expected to cost the world over $6 trillion annually by 2021.

On the defenders side, cybersecurity-related spending is predicted to reach $133 billion in 2022, and the market has grown more than 30x in the last 20 years, adding to the overall financial burden on companies and governments, most of which see the money invested in cyber as a loss or “cost of doing business”, as it is generally viewed as an expense that does not yield profit or generate revenue.

However, this ‘new’ cost of doing business is a reality that no modern enterprise can afford to ignore. From script kiddies with ransomware projects to sophisticated attackers targeting universities, the only way to do business in 2020 is with cybersecurity firmly factored in to the operational budget.

From the smallest business to the largest multinational organization, being part of the connected world in 2020 exposes you to risks that simply didn’t exist in the year 2000.

Final Thoughts…

December 1999 feels like a log time ago. Indeed, it really is closer in nature to the remnant of the previous century and even millennia than to our time today. It is highly unlikely that a single point of failure (like the Millennium Bug) could lead to the “end of the world”. But on the other hand, our hyper-connected environment makes us more vulnerable on so many levels, in our offices, cars and even our homes. Luckily, the technology hasn’t stood still and modern security mechanisms now exist that are capable of dealing with these threats across platforms, including IoT, using the latest in our tech arsenal, leveraging AI and machine learning. The Y2K bug hasn’t taken us back to the analogue world, and if we continue to safeguard our connected way of living, neither will the hackers.