DHS, industry assess risks to IT sector

A new assessment evaluates risks to critical IT functions

Government and industry information technology experts have identified critical functions of the country's key information technology assets, some specific risks to the IT's sector's performance and potential mitigation strategies. That information is in a baseline assessment of threats to the IT sector.

The Homeland Security Department and the Information Technology Sector Coordinating Council (IT SCC) released the document, the IT Sector Baseline Risk Assessment (ITSRA), Aug. 25 as part a joint effort to bolster protection of IT assets considered to be critical infrastructure. IT is one of 18 critical infrastructure and key resources sectors that the government identified under DHS’ National Infrastructure Protection Plan.

Approximately 80 experts, mostly from industry but also from the government, came up with the ITSRA, said Bob Dix, chairman of the IT SCC and vice president of government affairs and critical infrastructure protection for Juniper Networks. The IT SCC is made up of IT companies, professional service firms and IT trade associations.

Officials say the document is meant to provide an all-hazards risk profile that the IT sector can use to inform resource allocation for research and development and other protective program efforts. The assessment is “a baseline of national-level risk” and doesn’t deal with all threat scenarios faced by the IT sector, the document states.

In one example, the group identified the risk from the production or distribution of an untrustworthy critical product or service using an attack on a vulnerability in the supply chain. The experts said the consequence of this type of attack would be high but the likelihood of it occurring was low. The group also identified existing mitigations for that threat such as supply chain resiliency, sourcing strategies and product recall in response to compromised production.

The experts used virtual collaboration tools in their process to develop the document. The effort included three phases:

  • Developing “attack trees” that describe how a function can be destroyed, incapacitated, exploited or diminished.
  • Evaluating risk.
  • Analyzing and reporting.

In an interview, Dix said the assessment will help identify gaps in current protective measures. He also said the assessment validated that, for the most part, the country’s IT infrastructure is resilient.

“It’s not without challenge, and it’s not without risk, but it is generally resilient,” he said. “I don’t want to suggest that what we don’t need to be vigilant, but what I do want to suggest is that what we have been able to validate is that we are largely resilient.”

Meanwhile, in a statement, Gregory Schaffer, DHS’ assistant secretary for cybersecurity and communications, said, “While elements of the assessment have already been adopted, the establishment of this iterative platform for assessing IT sector risk will also enable us to address ever more sophisticated threats.”

The report identified the six critical IT functions as providing:

  • IT products and services.
  • Incident management capabilities.
  • Domain name resolution services.
  • Identity management and associated trust support services.
  • Internet-based content, information, and communications services.
  • Internet routing, access, and connection services.

Dix said the document represents a first version of the assessment and that it will be updated.

Areas identified for further evaluation include risks to the identity management function, analysis of the risks of man-made unintentional threats, evaluation of the feasibility of establishing a national-level testing and simulation risk assessment capability, DHS said in a statement.


About the Author

Ben Bain is a reporter for Federal Computer Week.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • Login.gov moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group