29 July 2022

Identifying Critical IT Products and Services

Sasha Romanosky, John Bordeaux, Michael J. D. Vermeer, Jonathan W. Welburn

In the past 20 years, the U.S. government, championed by the U.S. Department of Homeland Security (DHS) and in collaboration with other public and private entities, has made considerable progress enumerating the country's critical infrastructure components and National Critical Functions (NCFs). However, these efforts have not enabled specific identification of the most-critical computing systems within networks.

To help fill that gap, researchers from the Homeland Security Operational Analysis Center sought to examine and enumerate the businesses that provide the most-critical information technology (IT) products and services and lay the groundwork for DHS and other federal and private-sector elements to better apply a risk-based approach to protecting the country's most-important assets and systems. They sought to (1) create a prioritized list of software and businesses that provide IT products and services and (2) develop a framework that could continue and extend this analysis into the future to accommodate emerging technologies and the evolution of the technology market.

The work featured four workstreams: (1) identifying and integrating disparate data sources to identify the most-critical vulnerabilities and software applications in the U.S. internet protocol space; (2) collecting original data to map the software dependency and ownership structure of the most-referenced libraries; (3) leveraging existing work to identify specific IT and communication companies that were most interconnected and could suffer the greatest economic loss; and (4) developing a way to link NCFs to actual software companies supporting those functions.

Key Findings

Understanding software risk requires data from internet and security companies, as well as knowledge of vulnerabilities that exist, the industries and companies in which they exist, and how the applications support the firms and their operations.

Modern commercial applications are built on hundreds of small, distributed free and open-source software libraries that are owned and maintained differently, have their own risk profiles to understand, and are added and updated frequently.

Smaller yet more-interconnected firms can create disproportionately larger business risk.

The NCF framework can reveal the interdependence of critical infrastructure and IT products and services.

Recommendations

Gather additional contextual information about the vulnerabilities that exist in which industries and companies and how those applications support a firm and its operations.

Have policymakers notify software manufacturers of new vulnerabilities or engage companies running vulnerable software to update or upgrade their systems.

Include in risk assessment the risk profiles of the libraries called by applications used in these companies and sectors. Keep risk profiles updated as libraries are added and updated. Consider a new way to think about software risk assessment that incorporates the risk from open-source software dependencies into a broader software risk framework.

Use the objective method described in this report to identify potential impacts due to business supply chains for publicly traded companies within the IT and communication sectors.

Use the method described here to leverage market analyses to identify firms relevant to specific software market segments.
