The Millennium Bug

Reasons not to Panic

This is a paper on my experience in dealing with the Millennium Bug in Cambridge University, our healthcare system and elsewhere. It correctly predicted that the fears expressed by some people - of chaos, famine and widespread deaths - exaggerated the problem significantly.

Press folk were very eager to run stories of imminent doom; the other side of the argument was not considered to be newsworthy. I tried bringing this paper to the attention of a number of prominent journalists, but got no interest at all. I passed it around the civil service; officials seemed worried in case the precautions they'd taken were criticised as unnecessary. Finally, I got the University's press office to send out a full media release. This went to over 400 organisations, but the only bites I got were four radio interviews (and three of these were done briefly over the phone).

Company managers and shareholders might be interested to know that Cambridge University spent only £20K centrally on things like overtime and consultancy, and another £47K on upgrading things like building access control systems. A bit over £100K worth of embedded systems for which departments, rather than the centre, are responsible were identified as non-compliant in ways that mattered (most of thse were medical devices). So on the most pessimistic view we spent under £200K; but if you take into account that most of the stuff we fixed was rather thoroughly depreciated, the real cost was under £100K.

Cambridge University has 7000 employees, £300m turnover and assets of £1bn. We have a huge range of business activities; our technology departments have all sorts of expensive and dangerous machines, our medical academics treat patients, and we even conduct flight operations through our aerial photography unit. Here at the computer laboratory we have a large and eclectic collection of machinery, which we didn't bother to do much with in advance; the only thing that seems to be broken is the accounting system for our supercomputer (which doesn't really matter as it produces management figures, not results).

How much did your organisation spend, and are you so much larger (or more complex) than us that the expenditure was justified?

Is this perhaps the first time in human history that company bosses will be sacked for doing due diligence, following the crowd, and heeding the over-prudent advice of their lawyers?

Time will tell. Anyway, the press release (dated the 15th December) is below, and some more recent press comment can be found here.

Ross Anderson


University study provides reassurance

With only two weeks to go to millennium, it seems the fears over the Y2K bug could be misplaced.

Dr Ross Anderson from the University's Computer Laboratory said there have been a lot of theories about the millennium bug but little hard data. Now, a study conducted within the University itself provides some welcome reassurance.

`I can't predict the future but now we've gone out and looked at a lot of systems, I'm much less worried than I used to be,' he said. `Lots of things may break, but few of them will actually matter much.'

A study carried out in the University departments, institutes and colleges provided a very broad sample of small-to-medium sized enterprises looking at a number of areas that include accommodation and catering services, medical departments, science laboratories and an aerial photography unit. `Although some systems have been replaced, none of the bugs found so far would have had a serious impact on business operations even if they had been ignored until January 2000. Anxiety about the millennium bug compliance of small-to-medium sized enterprises appears misplaced. The average small business owner, who is doing absolutely nothing about the bug, appears to be acting quite rationally.

`This does not mean that the millennium bug is harmless. There are still risks to the economy and to public safety, but in the UK at least they appear to be minor,' he said.

See Dr Anderson's paper, `The Millennium Bug - Reasons Not To Panic', for more detail.

Notes for editors:

Dr Ross Anderson directs teaching and research in computer security and software engineering at the Cambridge University Computer Laboratory.

For further information, please contact: