The part of US information technology most at risk from a serious attack is the directory service that steers internet users to the websites they want, according to a federal report issued Tuesday after more than a year of study.
The report from the Department of Homeland Security and private information technology leaders rated the chances of something serious going wrong with six key functions as part of the IT sector “baseline risk assessment.” Those assessments are being published for 18 sectors deemed critical to the country’s national security.
After an exhaustive discussion of potential hazards to functions ranging from computer manufacturing to the providing the ability to connect to the internet, the report concluded that everything nefarious hatched by man was at little risk of occurring, of little consequence if it did occur, or both. The exception was for an assault on the internet’s techniques for telling people that a website they are seeking is at a numeric internet address.
The process behind the Domain Name System is invisible to regular users, who simply type the words in an address or click on a link, letting the computer handle the rest. But at many levels, DNS still relies on trust that other computers specializing in giving out that reference information aren’t deliberately providing false leads.
In the past, some hackers have taken advantage of that class of vulnerabilities and directed users to impostor sites that installed data-stealing programs. A security upgrade to the DNS system is underway but will take years to complete, according to the new report.
For now, the likelihood of a broader DNS attack with a “high” level of consequences is “medium,” the report said. In part because DNS depends on the same sort of unpredictable software, processes and people that occasionally trip up other parts of the industry, malicious actors could take down a top-level domain such as .com or .gov for political reasons or as part of a mass fraud or extortion scheme.
Unspecified “foreign military organisations” it said, have already tried.