Mainframes are easier to fix than LANs | Interview with Chris Weiss, Y2Ktechnologist

GCN: Some agencies have been
slapping color-coded year 2000 readiness stickers on their PCs—green for OK, red for
needing replacement and so on. Is this happening everywhere?

WEISS: Many organizations are putting on Y2K stickers that say “checked” or
“not checked.” This whole issue has forced them to look at everything they have.

GCN: What does such a notice mean? Has
someone physically visited the PC, turned it on, updated the BIOS and checked the version
numbers of the programs?

WEISS: It’s just a simple flag, meaning here’s an item in the inventory that
has been checked once. But the checks need to continue regularly up to and through 2000.
The sticker is just a visual indicator.

The inventory process needs to be much more detailed than just checking the BIOS. There
needs to be a five-layer check: the BIOS, the operating system, the hardware, the
applications, the data files. Agencies need to highlight where the data-sharing issues
are.

GCN: How do products like yours
work? Are they software agents?

WEISS: They are commonly agents that are installed on network servers and deploy out to
the clients at log-on. There are also agents that go out on a floppy disk for standalone
machines, which are a big part of the problem.

Think of the road warriors, intranet users, people with laptops doing inventory all
over the country. Their PCs need to be scanned as well. Agents can go out on floppy,
across the network or intranet, even through e-mail—any way you can get at the PCs.

GCN: How do the e-mail agents work?

WEISS: We have a small agent that is about 70K in size, a single executable file. It
can be e-mailed out and produces results in text files that can be zipped up and e-mailed
back or posted to an intranet or a File Transfer Protocol site. A year 2000 project team
compiles them into a single, overall view of the risks on that network. Machines
don’t have to be connected to be incorporated into the risk management report.

GCN: Say you have a network with 50 PCs. How
do you manage the risks?

WEISS: The first thing is to throw out the idea that you know you have 50 PCs. Everyone
who has ever done a first inventory knows that they must also count the unconnected PCs
and home PCs.

You need to design the deployment. Look down your network topology and your
organizational structure and see how to do your risk assessment in bite-sized pieces.

Everybody wants to get a 30,000-foot view for the chief information officer, and
that’s important. But your risk assessment, triage, contingency planning and
remediation will happen at the LAN level.

A single report would work for a 50-client LAN. On a large network with 100,000 PCs,
you have to report LAN by LAN, domain by domain, directory by directory. You take a
snapshot assessment and use that massive amount of data to build your prioritization and
contingency plans. And you do triage—a critical step. You have to decide what
you’re going to throw out.

When you take the first snapshot, you find a big mess: many date-dependent applications
per PC, lots of old hardware, lots of data-sharing. When you know the total picture, you
can begin to look at your core process—what your agency is responsible for providing.
You find the overlap that you have to fix, where the Y2K exposure affects the service
you’re providing.

Triage and contingency plans let you say, “We’re not going to deal with
that.” A good plan will help you survive. But when your exposure overlaps your core
process, you have to fix it. Upgrade applications, scan and fix data files, train users.
It becomes a risk management exercise and not a chase-after-the-compliance myth.
Compliance doesn’t exist today.

GCN: So it will remain a moving target?

WEISS: If I were to give you a compliant PC, it would be useless. It would have to
operate in a vacuum and share no data. It would have no network or Internet connectivity.
The applications would be paralyzingly hard to use because they were forced into a
compliance model. You couldn’t do any business on that PC.

We have tested more than 5,000 common applications. We found that all five layers
interact—the BIOS and real-time clock and CMOS and operating system settings and
Microsoft Windows applications. Spreadsheets and databases are stored locally or on a
server. There’s data-sharing. What happens when you download, manipulate, cut, paste,
drag and drop? There’s no single technology that can make all five layers compliant
and make them work together.

The mainframe is easy to fix. The PC is just the opposite. It’s an uncontrolled
environment where nothing is responsible for all the layers at once. We shouldn’t
freeze like a deer in the headlights over the word compliance.

When people understand this, they will stop asking manufacturers, “What’s
your compliance statement?” They’re all different. The manufacturers are not
responsible; the user agreed to the license. It’s a user-created problem, and the
user has to accept the responsibility; compliance is a myth.

Risk management and prioritization help define what’s critical and noncritical. In
the time we have left, that’s all we can do.

GCN: Why has it taken so long for the danger
to PC LANs to become obvious?

WEISS: The PC problem was slow to be recognized and understood because it’s not a
mainframe problem.

You can inventory a mainframe quickly. PCs grow like mushrooms in a dark closet. It
takes about half an hour to set one up. We have customers who thought they knew how many
PCs they had and found tens of thousands they didn’t know they had. These things
happen.

Solutions on the mainframe are part of the problem on the PC. Windowing was one way we
dealt with data on the mainframe.

The PC problem is that we’re a two-digit-year culture. We enter two digits in our
macros and spreadsheets. Our applications are programmed to accept two digits, so we had
to come up with a way to assume the other two digits for the century. But different
date-windowing can cause different errors in our spreadsheets and macros.

When MS-DOS finds 00 in the hardware, the BIOS will put it together with a century flag
of 19. But it dates from 1980 and cannot accept 1900. So it will revert to 1980.

Windowing algorithms assume that any year between 00 and an arbitrary pivot point
should be assigned to the 21st century. That point might be 50, it might be 99; it’s
arbitrary. The PC picks up data from different mainframe applications and downloads it to
a spreadsheet, which may or may not assume the correct window. You take the spreadsheet
home and work on it in a different application that assumes the century information
another way. Then you save it to a flat file and upload it back. Again, the export can
affect the century information.

The PC becomes the weak link in the chain. You have to start doing risk assessment at
each of these layers. Some organizations have decided to buy all new PCs, but that solves
only about 1 percent of the problem. You might get as many as 6 percent of new PCs today
that still fail.

The manufacturers are telling us that PC supplies are going to be drained by midyear.
People thought they were going to be finished by now, but that’s a myth, too.

GCN: Are there any other big pitfalls
awaiting us?

WEISS: This is actually good news. We cannot make PCs compliant, but we can get around
the problems. Agencies are being graded by their overseers. They can show progress by
approaching the point where they can be assured of having service continuity for their
constituents. Until they understand the risks, they can’t take control. Don’t
wait for the silver bullet, it’s not going to come. But you can manage the rest.

GCN: What about vendors’ year 2000
guarantees? Are they any good?

WEISS: I’m wary of them. Everyone should take the time to read the licenses on
software. There are rules of thumb, but there is no strong definition of compliance.

Personally, I’m not going to buy a generator or hoard gold. It won’t be the
end of the world.