Government and industry information technology experts have identified the critical functions of the country's key IT assets, specific risks to the IT sector's performance, and potential mitigation strategies. That information appears in a baseline assessment of threats to the IT sector.

The Homeland Security Department and the Information Technology Sector Coordinating Council (IT SCC) released the document, the IT Sector Baseline Risk Assessment (ITSRA), Aug. 25 as part of a joint effort to bolster protection of IT assets considered to be critical infrastructure. IT is one of 18 critical infrastructure and key resources sectors that the government identified under DHS’ National Infrastructure Protection Plan.

Approximately 80 experts, mostly from industry but also from the government, produced the ITSRA, said Bob Dix, chairman of the IT SCC and vice president of government affairs and critical infrastructure protection for Juniper Networks. The IT SCC is made up of IT companies, professional service firms and IT trade associations.

Officials say the document is meant to provide an all-hazards risk profile that the IT sector can use to inform resource allocation for research and development and other protective program efforts. The assessment is “a baseline of national-level risk” and doesn’t deal with all threat scenarios faced by the IT sector, the document states.

In one example, the group identified the risk that an untrustworthy critical product or service is produced or distributed through an attack on a vulnerability in the supply chain. The experts rated the consequence of such an attack as high but its likelihood as low. The group also identified existing mitigations for that threat, such as supply chain resiliency, sourcing strategies and product recall in response to compromised production.

The experts used virtual collaboration tools to develop the document. The effort had three phases:
* Developing “attack trees” that describe how a function can be destroyed, incapacitated, exploited or diminished.
* Evaluating risk.
* Analyzing and reporting.
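To make the attack-tree phase and the likelihood/consequence evaluation concrete, here is an added worked example in Python. It is not code from the ITSRA or the IT SCC, and the article gives neither the assessment's actual scoring scale nor its aggregation rules; the three-level scale, the max/min propagation across OR and AND gates, the additive risk matrix, and the sample supply-chain tree with its leaf scores are all assumptions made for illustration. The tree models the article's supply-chain scenario (an untrustworthy critical product reaching customers), and the example also reports which leaves currently drive the rating, which is where a mitigation such as sourcing strategy or recall would actually change the result.

```python
"""Toy attack-tree evaluator (added example; not part of the ITSRA)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative scale shared by likelihood and consequence.
# Assumption: the article does not give the ITSRA's real scale or scoring rules.
LEVELS = ["low", "medium", "high"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Node:
    """One node of an attack tree. Leaves carry a likelihood; inner nodes carry a gate."""
    name: str
    gate: str = "OR"                    # "OR": any child suffices; "AND": all children needed
    likelihood: Optional[str] = None    # set on leaves only
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, likelihood: str) -> Node:
    return Node(name, likelihood=likelihood)


def evaluate_likelihood(node: Node) -> str:
    """Propagate leaf likelihoods up to the root.
    OR gate: the attacker takes the easiest branch, so take the max over children.
    AND gate: every step must succeed, so the hardest step bounds the branch (min).
    Assumption: max/min aggregation; a real assessment may score differently."""
    if not node.children:
        if node.likelihood is None:
            raise ValueError(f"leaf {node.name!r} has no likelihood")
        return node.likelihood
    levels = [rank(evaluate_likelihood(c)) for c in node.children]
    pick = max if node.gate == "OR" else min
    return LEVELS[pick(levels)]


def critical_leaves(node: Node) -> List[str]:
    """Leaves whose score currently determines this node's rating.
    A mitigation only moves the root rating if it changes one of these."""
    if not node.children:
        return [node.name]
    target = rank(evaluate_likelihood(node))
    out: List[str] = []
    for c in node.children:
        if rank(evaluate_likelihood(c)) == target:
            out.extend(critical_leaves(c))
    return out


def risk_rating(likelihood: str, consequence: str) -> str:
    """Combine likelihood and consequence on a 3x3 matrix (assumption: additive ranks)."""
    score = rank(likelihood) + rank(consequence)   # 0..4
    return "low" if score <= 1 else "medium" if score == 2 else "high"


def set_leaf_likelihood(node: Node, name: str, level: str) -> bool:
    """Re-score a leaf in place, e.g. to model a weakened or added control.
    Returns True if a leaf with that name was found."""
    if not node.children:
        if node.name == name:
            node.likelihood = level
            return True
        return False
    return any(set_leaf_likelihood(c, name, level) for c in node.children)


def supply_chain_tree() -> Node:
    """Constructed sample tree for the article's scenario; leaf scores are illustrative."""
    return Node("Untrustworthy critical product or service reaches customers", gate="OR", children=[
        Node("Compromise during production", gate="AND", children=[
            leaf("Gain access to the build or manufacturing environment", "low"),
            leaf("Insert a malicious change that passes acceptance testing", "medium"),
        ]),
        Node("Compromise during distribution", gate="AND", children=[
            leaf("Intercept the product in transit or download", "medium"),
            leaf("Substitute a tampered product without detection", "low"),
        ]),
    ])


def assess(tree: Node, consequence: str) -> dict:
    """Evaluate one tree: overall likelihood, combined risk, and the leaves driving it."""
    lik = evaluate_likelihood(tree)
    return {"likelihood": lik, "consequence": consequence,
            "risk": risk_rating(lik, consequence), "critical_leaves": critical_leaves(tree)}


if __name__ == "__main__":
    t = supply_chain_tree()
    print(assess(t, "high"))   # low likelihood, high consequence, as in the article's example
    # Model a weakened distribution control: the root rating rises and the driver changes.
    set_leaf_likelihood(t, "Substitute a tampered product without detection", "high")
    print(assess(t, "high"))
```

With the sample scores, the root comes out at low likelihood and high consequence, matching the article's example, and the two low-scored leaves (access to the production environment, undetected substitution in distribution) are the ones holding the likelihood down. Raising the substitution leaf to high lifts the root to medium likelihood and shifts the driver to the interception step, which is the kind of sensitivity check an assessor uses to decide which mitigation to fund.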
