Spending by the U.S. government and industry on activities to prevent the predicted year 2000 (Y2K) crisis amounted to approximately $100 billion, and other global spending may have been even greater. Debate continues over whether this massive effort precluded catastrophic system failures or the fears were overstated to begin with. This report presents the findings of a RAND study that attempted to shed light on this debate by addressing the following questions: What kind of event was the Y2K crisis? Was the massive and costly remediation effort justified? What lessons does the Y2K experience offer for critical infrastructure protection (CIP)? What do these lessons imply for federal CIP research priorities? The study included a literature review, interviews with government and industry computer experts, and a workshop involving participants in Y2K remediation efforts from industry and government. The report summarizes the workshop activities and synthesizes the key conclusions from all the project activities. It is concluded that new R&D approaches are required to deal with complex and adaptive settings. Vulnerabilities resulting from system complexity are expanding at a much faster pace than our means of understanding them. At the same time, exploitation of infrastructure vulnerabilities for criminal, terrorist, or foreign adversary purposes is a threat that potentially has no boundaries. To make CIP more manageable, research is needed that provides real data and models for understanding highly complex and uncertainty-laden environments. Such research should be a high federal priority and should be pursued aggressively.