The Department of Homeland Security (DHS) and an industry group representing the Information Technology (IT) sector this week released a report outlining the national level risks to critical sector-wide IT functions and also identifies ways to mitigate those risks.
The report lists six critical IT sector functions: produce and provide IT products and services; provide incident management capabilities; provide domain name resolution services; provide identity management and associated trust support services; provide Internet-based content, information, and communications services; and provide Internet routing, access, and connection services. The report is entitled IT Sector Baseline Risk Assessment and was prepared by DHS and the IT Sector Coordinating Council.
The major risk to the production and provision of IT products and services is the purposeful production or distribution of “untrustworthy critical product/service” on a supply chain vulnerability the report says. The consequences of such an attack are high but the probability of it occurring is low, the report adds.
To mitigate this risk the report suggests the use of existing mitigation sourcing strategies such as “careful monitoring of the availability and quality of critical raw materials.”
For the provide domain name resolution services function, the report sees the major risks as denial of service attacks and attacks on the Internet. To guard against these attacks the report suggests processes to continually monitor the domain name system infrastructure and infrastructure diversity.
Under the provide Internet-based content, information and communications services function the report sees an unintentional incident that causes a “significant loss of e- Commerce capabilities.” The report believes this is very unlikely to occur although it would have high consequences. Policy and access controls already exist to mitigate this threat and security training for users and small businesses is being enhanced. In the future, rerouting of capabilities of the communications and IT sectors could be enhanced, the report says.
For the critical function of providing Internet routing, access and connection services, the report sees a major risk as being a partial or complete loss of routing capabilities due to an attack on the Internet routing infrastructure. Again, the consequences would be high but the likelihood low, the report says.
To mitigate this threat the report says there are already enhanced routers and that these capabilities are also being made more responsive to increasing Internet traffic. It also says that physical security of network access points is being improved along with incident response.
For the critical function of proving incident management capabilities, the report says the biggest risk is the “impact to detection capabilities due to a lack of data availability resulting from a natural threat.” The report sees the likelihood of this happening as “medium” with the consequences high.
There are efforts underway already to mitigate these risks, such as having national-level incident response and coordination capabilities, better information sharing for common situational awareness and diversity in the infrastructure and workforce, the report says.