Researchers have identified the software and businesses that provide critical information technology products and services and developed a framework to continue this analysis as technology evolves. Assessing software risk, business risk, and interdependencies among businesses, the authors recognize that highest revenue does not necessarily equal greatest risk.
Identifying Critical IT Products and Services
- What businesses provide the IT products and services that are most critical to the U.S. internet protocol space?
- How can DHS continue and extend this analysis into the future to accommodate emerging technologies and the evolution of the technology market?
In the past 20 years, the U.S. government, championed by the U.S. Department of Homeland Security (DHS) and in collaboration with other public and private entities, has made considerable progress enumerating the country's critical infrastructure components and National Critical Functions (NCFs). However, these efforts have not enabled specific identification of the most-critical computing systems within networks.
To help fill that gap, researchers from the Homeland Security Operational Analysis Center sought to examine and enumerate the businesses that provide the most-critical information technology (IT) products and services and lay the groundwork for DHS and other federal and private-sector elements to better apply a risk-based approach to protecting the country's most-important assets and systems. They sought to (1) create a prioritized list of software and businesses that provide IT products and services and (2) develop a framework that could continue and extend this analysis into the future to accommodate emerging technologies and the evolution of the technology market.
The work featured four workstreams: (1) identifying and integrating disparate data sources to identify the most-critical vulnerabilities and software applications in the U.S. internet protocol space; (2) collecting original data to map the software dependency and ownership structure of the most-referenced libraries; (3) leveraging existing work to identify specific IT and communication companies that were most interconnected and could suffer the greatest economic loss; and (4) developing a way to link NCFs to actual software companies supporting those functions.
- Understanding software risk requires data from internet and security companies, as well as knowledge of vulnerabilities that exist, the industries and companies in which they exist, and how the applications support the firms and their operations.
- Modern commercial applications are built on hundreds of small, distributed free and open-source software libraries that are owned and maintained differently, have their own risk profiles to understand, and are added and updated frequently.
- Smaller yet more-interconnected firms can create disproportionately larger business risk.
- The NCF framework can reveal the interdependence of critical infrastructure and IT products and services.
- Gather additional contextual information about which vulnerabilities exist in which industries and companies, and how those applications support a firm and its operations.
- Have policymakers notify software manufacturers of new vulnerabilities or engage companies running vulnerable software to update or upgrade their systems.
- Include in risk assessment the risk profiles of the libraries called by applications used in these companies and sectors. Keep risk profiles updated as libraries are added and updated. Consider a new way to think about software risk assessment that incorporates the risk from open-source software dependencies into a broader software risk framework.
- Use the objective method described in this report to identify potential impacts due to business supply chains for publicly traded companies within the IT and communication sectors.
- Use the method described here to leverage market analyses to identify firms relevant to specific software market segments.
Research conducted by
- Homeland Security Operational Analysis Center
HSOAC is a federally funded research and development center operated by the RAND Corporation under contract with DHS.