Download eBook for Free

FormatFile SizeNotes
PDF file 0.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback58 pages $16.00

Research Questions

  1. What businesses provide the IT products and services that are most critical to the U.S. internet protocol space?
  2. How can DHS continue and extend this analysis into the future to accommodate emerging technologies and the evolution of the technology market?

In the past 20 years, the U.S. government, championed by the U.S. Department of Homeland Security (DHS) and in collaboration with other public and private entities, has made considerable progress enumerating the country's critical infrastructure components and National Critical Functions (NCFs). However, these efforts have not enabled specific identification of the most-critical computing systems within networks.

To help fill that gap, researchers from the Homeland Security Operational Analysis Center sought to examine and enumerate the businesses that provide the most-critical information technology (IT) products and services and lay the groundwork for DHS and other federal and private-sector elements to better apply a risk-based approach to protecting the country's most-important assets and systems. They sought to (1) create a prioritized list of software and businesses that provide IT products and services and (2) develop a framework that could continue and extend this analysis into the future to accommodate emerging technologies and the evolution of the technology market.

The work featured four workstreams: (1) identifying and integrating disparate data sources to identify the most-critical vulnerabilities and software applications in the U.S. internet protocol space; (2) collecting original data to map the software dependency and ownership structure of the most-referenced libraries; (3) leveraging existing work to identify specific IT and communication companies that were most interconnected and could suffer the greatest economic loss; and (4) developing a way to link NCFs to actual software companies supporting those functions.

Key Findings

  • Understanding software risk requires data from internet and security companies, as well as knowledge of vulnerabilities that exist, the industries and companies in which they exist, and how the applications support the firms and their operations.
  • Modern commercial applications are built on hundreds of small, distributed free and open-source software libraries that are owned and maintained differently, have their own risk profiles to understand, and are added and updated frequently.
  • Smaller yet more-interconnected firms can create disproportionately larger business risk.
  • The NCF framework can reveal the interdependence of critical infrastructure and IT products and services.


  • Gather additional contextual information about the vulnerabilities that exist in which industries and companies and how those applications support a firm and its operations.
  • Have policymakers notify software manufacturers of new vulnerabilities or engage companies running vulnerable software to update or upgrade their systems.
  • Include in risk assessment the risk profiles of the libraries called by applications used in these companies and sectors. Keep risk profiles updated as libraries are added and updated. Consider a new way to think about software risk assessment that incorporates the risk from open-source software dependencies into a broader software risk framework.
  • Use the objective method described in this report to identify potential impacts due to business supply chains for publicly traded companies within the IT and communication sectors.
  • Use the method described here to leverage market analyses to identify firms relevant to specific software market segments.

This research was sponsored by the National Risk Management Center and conducted within the Strategy, Policy and Operations Program of the Homeland Security Operational Analysis Center (HSOAC).

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.