DHS report: IT sector is resilient against serious cyberattacks

Many measures already in place to mitigate risks, although more can be done, report says

A report from the U.S. Department of Homeland Security presents several scenarios in which well-chosen attacks against key IT infrastructure elements could cause disruptions on a national scale. But the document also offers a surprisingly sunny assessment of the resilience and redundancies within the IT sector to mitigate the risk of such disruptions.

The 114-page report, released Tuesday, titled "IT Sector Baseline Risk Assessment," was a joint effort between the DHS and the Information Technology Sector Coordinating Council (IT SCC). It is designed to give planners in the IT sector and in government a way to identify high-consequence risks and strategies for addressing them.

The report examines risks to six critical areas of IT: IT supply chain, domain-name resolution services, identity management and trust support services, Internet-based content and communications services, Internet service and routing providers, and providers of incident response services.

Experts in various fields evaluated high-consequence risks in their areas of expertise. They also looked at related vulnerabilities and the potential consequences of incidents that are either enabled or deliberately caused by someone with malicious intent.

On the supply chain side, for instance, the report describes a scenario in which an organized crime group manages to install a bank-password keystroke logger in the software distribution image of a notebook manufacturer. Such an event could cause considerable business disruption and loss of consumer confidence, the report noted. Attacks against the supply chain can also manifest themselves physically, as when the flow of materials required for manufacturing hardware becomes limited.

Similarly, on the Domain Name System (DNS) infrastructure front, an attacker could try to establish an alternate Internet root to which DNS queries could be diverted, the report warned. An alternate Internet root that denied service for financial transactions could undermine U.S. economic stability and security, the report cautioned. In similar fashion, large-scale denial-of-service attacks, Web redirects and spoofing attacks on payment processing and e-commerce companies could have cascading effects on the consumers, businesses and government entities that rely on such services, the report said.

For the most part, though, measures are already in place or are being planned that reduce the likelihood of such high-consequence disruptions, according to the experts at the DHS and IT SCC who performed the risk assessment. On the supply chain side, for instance, while the consequences of an untrustworthy component entering the distribution chain are high, the likelihood of this scenario playing out is low. That's because companies use sophisticated sourcing strategies, have supply chain monitoring processes and are capable of issuing product recalls.

On the DNS services front, large-scale DNS attacks and attacks that disrupt a "single interoperable Internet" could have serious consequences, the risk assessors said. At the same time, however, the likelihood of such events playing out in reality was medium to low at best, they claimed. Here again, they said, there are many measures already in place that mitigate risk, including real-time monitoring of production equipment by network operations centers, protections against unexpected configuration changes and process checks to prevent the running of malicious code.

The geographic distribution of the servers that maintain the DNS root and top-level domains also means that an attack on one part of the Internet will not necessarily paralyze the system. Going forward, attempts to build more diversity into the DNS infrastructure and the migration to the DNS Security Extensions (DNSSEC) will further reduce the risk of high-consequence threats, the report noted.

Ironically, such assessments come at a time when a growing number of government and commercial entities are coming under cyberattack from domestic and foreign adversaries. So far, most of the attacks have been either for financial gain or to leech away government and military secrets. Many experts believe cyberattackers have already penetrated many core government and financial systems and are poised to cause large-scale disruptions if needed. Such concerns have prompted calls for a comprehensive strategy for defending U.S. interests in cyberspace. They have also prompted calls for the development of offensive capabilities on the cyberfront, with the goal of not only defending against attacks but also actively deterring them.

Copyright © 2009 IDG Communications, Inc.
