DHS, industry assess risks to IT sector

Government and industry information technology experts have identified critical functions of the country's key information technology assets, some specific risks to the IT's sector's performance and potential mitigation strategies. That information is in a baseline assessment of threats to the IT sector.

The Homeland Security Department and the Information Technology Sector Coordinating Council (IT SCC) released the document, the IT Sector Baseline Risk Assessment (ITSRA), Aug. 25 as part a joint effort to bolster protection of IT assets considered to be critical infrastructure. IT is one of 18 critical infrastructure and key resources sectors that the government identified under DHS’ National Infrastructure Protection Plan.

Approximately 80 experts, mostly from industry but also from the government, came up with the ITSRA, said Bob Dix, chairman of the IT SCC and vice president of government affairs and critical infrastructure protection for Juniper Networks. The IT SCC is made up of IT companies, professional service firms and IT trade associations.

Officials say the document is meant to provide an all-hazards risk profile that the IT sector can use to inform resource allocation for research and development and other protective program efforts. The assessment is “a baseline of national-level risk” and doesn’t deal with all threat scenarios faced by the IT sector, the document states.

In one example, the group identified the risk from the production or distribution of an untrustworthy critical product or service using an attack on a vulnerability in the supply chain. The experts said the consequence of this type of attack would be high but the likelihood of it occurring was low. The group also identified existing mitigations for that threat such as supply chain resiliency, sourcing strategies and product recall in response to compromised production.

The experts used virtual collaboration tools in their process to develop the document. The effort included three phases:

• Developing “attack trees” that describe how a function can be destroyed, incapacitated, exploited or diminished.
• Evaluating risk.
• Analyzing and reporting.

In an interview, Dix said the assessment will help identify gaps in current protective measures. He also said the assessment validated that, for the most part, the country’s IT infrastructure is resilient.

“It’s not without challenge, and it’s not without risk, but it is generally resilient,” he said. “I don’t want to suggest that what we don’t need to be vigilant, but what I do want to suggest is that what we have been able to validate is that we are largely resilient.”

Meanwhile, in a statement, Gregory Schaffer, DHS’ assistant secretary for cybersecurity and communications, said, “While elements of the assessment have already been adopted, the establishment of this iterative platform for assessing IT sector risk will also enable us to address ever more sophisticated threats.”

The report identified the six critical IT functions as providing:

• IT products and services.
• Incident management capabilities.
• Domain name resolution services.
• Identity management and associated trust support services.
• Internet-based content, information, and communications services.
• Internet routing, access, and connection services.

Dix said the document represents a first version of the assessment and that it will be updated.

Areas identified for further evaluation include risks to the identity management function, analysis of the risks of man-made unintentional threats, evaluation of the feasibility of establishing a national-level testing and simulation risk assessment capability, DHS said in a statement.