SHORTCUT: Revisiting Y2K ... I mean CrowdStrike!
We ran this exercise once before
I love to do scenario-based planning regarding future unknowns, the whole purpose being to eliminate shock (I had no idea it could be like this!) and reduce it to mere surprise (Oh! It finally happened!).
I have led a lot of scenario-based simulations over the years, both F2F enclaves (Delphi Method) and those involving masses of experts online. I consider scenario-based planning (alternative scenarios) to be my favorite and best thinking-ahead, broad-framing toolkit. It is what I want Throughline’s Broad Framing Initiative to be mostly about in exploring things like the Military Singularity, or China’s Quantum Grand Strategy, or what a US grand strategy on climate change would look like.
I ran a big, scenario-driven series of table-top exercises (TTXs) in the 18 months leading up to Y2K. It was my first big assignment at the Naval War College (NWC) and I hated it — at first. I felt like I got this big messy bunch of nothing because I was the most recent hire, and I was accurate in that assessment.
But the guy who gave it to me, who thought up the entire project, was Art Cebrowski, then a three-star admiral known as the “father of net-centric warfare.” Art was convinced the world would learn plenty about itself from the anticipation of, and preparation for, Y2K. He was correct in that assessment. I myself got a world of education in those workshops.
In December 1998, we ran a scenario-building workshop at NWC, which got us the chart highlighted above in the now-YouTube-hosted big brief I delivered all over the country and to just about all of the major military commands and major USG agencies — to include the White House.
Once we had a framework (Mania, Countdown, Onset, Unfolding, Peak, Exit), we ran a second workshop at Salve Regina U. the next month (Jan 1999) to fill it in. In both instances, we had a wide variety of experts from across the government, industry, and the national security world.
Then, in March 1999, we ran a national-security focused version of the TTX at my old stomping grounds, the Center for Naval Analyses, and then we ended with a financial system variant (hosted by Cantor Fitzgerald) in May at World Trade Center 1 on the 105th-floor Windows on the World restaurant.
In all, we had several dozen participants across the four workshops, all of which were a blast in intellectual terms.
Art’s big interest was in the rules that would result from the event, however easy or bad it turned out to be.
It was Art’s and my sense that Y2K was going to end up teaching us a great deal about what was then being described as the “new economy” driven by IT advances and globalization.
We developed four “onset” models based on two questions: how big, bad, and interconnected the Y2K breakdown would be, versus how robust or vulnerable our systems ended up being.
We then developed weather storm analogies for the four scenarios:
This is how the four onset models — all weather storm analogies — laid out in the 2x2:
So, those were our four onset models, and we figured we’d see all four in some measure, depending on the development level of the country, the maturity of various industries when it came to IT, remediation efforts prior, government’s performance in any response, etc.
Then, in wrapping up, we projected historical outcomes, ranging from a big nothing burger overall (Run of the Mille), to plenty of problems but handle-able (Houston, We Have a Problem), to a bad storm we weather just fine (Humans 1, Computers 0), to a serious IT knockdown (Y2 KO!).
In retrospect, Y2K was mostly Run of the Mille, in large part because it was so firmly scheduled in advance, unlike the CrowdStrike surprise.
So, looking at the CrowdStrike cascading failure via MS, what are the similarities to the Y2K experience?
Widespread impact, including airlines, hospitals, banks, and media outlets
Technology-driven crisis (it didn’t start anywhere else!)
Sudden, systemic failure of IT systems (CrowdStrike -> MS)
Critical infrastructure affected (check)
Global readiness test (who passes?)
Surprisingly wide global impact (but limited by use of MS products)
Vulnerability exposure (some sectors got burned)
Public reaction (to include Y2K-like concerns and discussions about societal dependence on technology)
Underlying cause (Y2K resulted from poor coding strategy decades prior, while CrowdStrike’s issue was a software update error).
One fascinating tidbit: because the trigger was a security update, and many of our security updates target potential Chinese mischief, China itself was basically unaffected by the cascading shutdowns.
How do I view CrowdStrike based on the work I did all those years ago?
Bit of the Tornado model in that certain domains (e.g., Mac users) were completely unaffected.
Bit of Hurricanes, especially in the airline, healthcare, media, and banking industries (serious paths of disruption).
Bit of Flood, if you’re China or countries similar (no big whup)
Bit of the Ice Storm, if you’re that poor bastard stuck at O’Hare and it seems like the world is coming to a complete stop!