DHS, industry assess risks to IT sector

A new assessment evaluates risks to critical IT functions

Government and industry information technology experts have identified critical functions of the country's key information technology assets, some specific risks to the IT sector's performance and potential mitigation strategies. That information is in a baseline assessment of threats to the IT sector.

The Homeland Security Department and the Information Technology Sector Coordinating Council (IT SCC) released the document, the IT Sector Baseline Risk Assessment (ITSRA), Aug. 25 as part of a joint effort to bolster protection of IT assets considered to be critical infrastructure. IT is one of 18 critical infrastructure and key resources sectors that the government identified under DHS’ National Infrastructure Protection Plan.

Approximately 80 experts, mostly from industry but also from the government, came up with the ITSRA, said Bob Dix, chairman of the IT SCC and vice president of government affairs and critical infrastructure protection for Juniper Networks. The IT SCC is made up of IT companies, professional service firms and IT trade associations.

Officials say the document is meant to provide an all-hazards risk profile that the IT sector can use to inform resource allocation for research and development and other protective program efforts. The assessment is “a baseline of national-level risk” and doesn’t deal with all threat scenarios faced by the IT sector, the document states.

In one example, the group identified the risk from the production or distribution of an untrustworthy critical product or service using an attack on a vulnerability in the supply chain. The experts said the consequence of this type of attack would be high but the likelihood of it occurring was low. The group also identified existing mitigations for that threat such as supply chain resiliency, sourcing strategies and product recall in response to compromised production.

The experts used virtual collaboration tools in their process to develop the document. The effort included three phases:

  • Developing “attack trees” that describe how a function can be destroyed, incapacitated, exploited or diminished.
  • Evaluating risk.
  • Analyzing and reporting.

In an interview, Dix said the assessment will help identify gaps in current protective measures. He also said the assessment validated that, for the most part, the country’s IT infrastructure is resilient.

“It’s not without challenge, and it’s not without risk, but it is generally resilient,” he said. “I don’t want to suggest that what we don’t need to be vigilant, but what I do want to suggest is that what we have been able to validate is that we are largely resilient.”

Meanwhile, in a statement, Gregory Schaffer, DHS’ assistant secretary for cybersecurity and communications, said, “While elements of the assessment have already been adopted, the establishment of this iterative platform for assessing IT sector risk will also enable us to address ever more sophisticated threats.”

The report identified the six critical IT functions as providing:

  • IT products and services.
  • Incident management capabilities.
  • Domain name resolution services.
  • Identity management and associated trust support services.
  • Internet-based content, information, and communications services.
  • Internet routing, access, and connection services.

Dix said the document represents a first version of the assessment and that it will be updated.

Areas identified for further evaluation include risks to the identity management function, analysis of the risks of man-made unintentional threats, and evaluation of the feasibility of establishing a national-level testing and simulation risk assessment capability, DHS said in a statement.

About the Author

Ben Bain is a reporter for Federal Computer Week.
