The Information Technology (IT) Sector is one of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). It underpins the nation’s security, economy, public health and safety, government, and academia, and it delivers services such as the internet to citizens. According to the U.S. Department of Homeland Security (DHS), the vision of the IT Sector is “to achieve a sustained reduction in the impact of incidents on the Sector’s critical functions.”
What Makes This Sector Critical to the Nation and What Possible Effects Does It Have on States and Local Communities?
The IT Sector produces and delivers the products and services that support the operation of a worldwide information-based civilization. As technology becomes more integrated into daily functions, dependency on IT and the IT Sector grows rapidly. In a 2001 interview, Bill Gates said, “The advance of technology is based on making it fit in so that you don’t really even notice it, so it’s part of everyday life.” IT products and services also have become essential to the daily operations of the other critical infrastructure sectors. Government, commercial, and industrial collaborations and partnerships are crucial for enhancing IT products and services and for pursuing continuous risk reduction across critical infrastructure sectors. The IT Sector is connected to other lifeline systems, such as communications and energy, that sustain thriving communities. DHS defined the IT Sector broadly so that it encompasses all types of IT systems. Although the definition is already broad, the sector will become more complex as other technologies are integrated, including position, navigation, and timing systems, artificial intelligence, and technologies not yet developed.
The IT Sector is a function-based sector encompassing physical hardware and wires, virtual systems, network operations, and cybersecurity controls for the private and public sectors. Figure 1 describes the six critical functions that support services and product production.
IT advancements in the past two decades have been the epicenter of transformation for private sector operations and processes. They have revolutionized the workplace in efficiency, convenience, and effectiveness in serving customers and employees. However, the federal government and some state governments have missed out on technological innovation and digital transformation, largely because of poor management of IT projects, which has left technology projects hundreds of millions of dollars over budget, implementations taking years rather than months, and delivered technologies obsolete by the time a project is complete.
What Are This Sector’s Key Assets and Interconnected/Interdependent Systems (Physical or Cyber)?
The IT Sector comprises three major industrial groups critical in manufacturing and delivering IT products and services. These three industry groups are IT hardware and equipment, IT software and services, and semiconductors and semiconductor equipment, which comprise IT equipment’s physical components.
IT depends on hardware and equipment, which breaks down into three main industries: communications equipment; technology hardware, storage, and peripherals; and electronic equipment, instruments, and components. IT communications equipment includes routers, switches, telephones, and switchboards. Companies in this industry produce communication equipment, including satellite communication, and local area network (LAN), wide-area network (WAN), and metropolitan area network (MAN) capabilities. Technology hardware, storage, and peripherals include computers, laptops, printers, motherboards, processors, graphics processing units, and mobile devices such as tablets and cellphones. Electronic equipment, instruments, and components include companies that make equipment such as barcode scanners, transformers, security systems, resistors, lasers, and electric coils. All these physical parts depend on a consistent, high-quality supply chain. After the emergence of COVID-19, demand for semiconductors increased, but their slow supply chain impacted vehicle and medical equipment production.
The IT software and services industry group includes companies that provide internet services, as well as companies that provide software and IT services like cloud environments. Internet services include Internet Service Providers (ISPs) and companies that offer interactive services or online databases, such as social networks, online shopping, or search engines. IT services include companies that provide IT consulting or data processing services to private sector companies or government departments. Finally, software consists of any software for business or consumer use, ranging from enterprise software, systems software, and education software to entertainment such as video games.
Semiconductors use materials (e.g., silicon) that can conduct electricity under specific conditions but not others, making them ideal for controlling electrical currents. This industry group includes semiconductor manufacturers and companies that make peripheral equipment for semiconductors.
What Are This Sector’s Dependencies (Physical, Cyber, Geographic, and Logical) and Interdependencies With Other Critical Infrastructures?
Power, cooling, raw materials, and data transmission are the IT Sector’s most important dependencies for providing the products and services that allow other critical sectors to operate. Because these dependencies are both physical and geographic, an interruption to the supply chain or to any of these inputs would adversely impact the sector’s continued operations. COVID-19 highlighted gaps in the IT equipment supply chain. According to Bloomberg:
The semiconductor shortage has been described as due to a “perfect storm” of factors. Prior to 2020, there were already difficulties in obtaining inputs for production, including semiconductor manufacturing equipment used to make older varieties of chips, and components used in electronic assembly such as diodes, capacitors, and substrates.
Providing IT services is power-intensive. Any electricity supply interruption would severely impact IT products and services, resulting in a massive disruption to operations because of the strong physical dependency on the Energy Sector and local energy operations. Large data centers providing cloud services by companies like Microsoft, Amazon, and Google consume energy to power hardware, provide cooling, and ensure the overall operation of the support hardware, such as storage servers, routers, switches, and physical security controls. In 2022, Microsoft announced it would pay over $800 million in extra energy costs to operate its data centers worldwide. These large data centers have alternative or backup power supplies for short power outages or power disruptions, but a large-scale power outage or power shutdown would significantly affect their services.
Cooling is imperative when running data centers that provide services on a global scale. Many data centers rely on industrial-scale cooling equipment to keep hardware from overheating during prolonged operation and long service uptimes. Cooling systems also may depend on remote monitoring operations. Without proper cooling, components such as processors, transceivers, resistors, motherboards, and other microchip components could be destroyed. Although most companies manage “on-premises” data centers, some have been considering alternatives to cool their data centers efficiently and reduce their carbon footprint. For example, Microsoft has been exploring underwater data centers to increase performance and reliability.
Raw material supply and transportation issues also can arise when suppliers experience operational interference. IT equipment and hardware materials include plastics, steel, aluminum, copper, platinum, gold, and silicon:
- Plastics, steel, and aluminum are necessary for building equipment cases or chassis that protect internal components, such as the motherboard and central processing unit. These are physical dependencies: the output of one supplier becomes the input of another, linking two or more assets or commodities.
- Due to its electrical and thermal conductivity, copper is abundant in electrical appliances or devices in homes and offices. Copper is highly pliable and malleable, making it perfect for applications in cabling, wiring, and internal electronic components.
- Gold is useful for bonding wires in transistors, printed circuits, and diodes because of its excellent ductility and malleability.
- Platinum is ideal for its corrosion resistance and strength at extremely high temperatures and is used in computer parts and components.
- Silicon is an abundant and plentiful element and is a central component for making solid-state drives and transistors.
Data transmission (i.e., digital communication) is the transfer and reception of data as a digitized analog signal or a digital bitstream over a point-to-point or point-to-multipoint communication channel; point-to-multipoint transmission broadly corresponds to broadcasting. Many information systems depend on other physical or virtual systems to provide a service or complete a transaction. Examples include a webpage communicating with a database that stores user login information to verify whether the user’s credentials are authorized to access a system, or an email system communicating with another email system to deliver a message. One physical dependency of this communication is the undersea cables that carry internet traffic from one continent to another. These cyber and physical dependencies grow with the demand for faster communications equipment and for fiber networks and processes that provide faster or more efficient data transmission.
What Are This Sector’s Current and Emerging Vulnerabilities, Hazards, Risks, and Threats?
One key risk to the IT Sector includes cyberattacks that can target IT systems with insufficient security controls, outdated systems that have not applied security patches, zero-day vulnerabilities, insider threats, or elaborate social engineering attacks that attempt to gain administrator-level credentials. These attempts could allow a malicious actor to access critical systems or disrupt daily operations by tampering or sabotaging hardware or services.
One notable cyberattack, discovered in 2010, involved a cyberweapon known as Stuxnet, a sophisticated computer worm that spread through Windows computers at an Iranian uranium enrichment facility by exploiting multiple Microsoft Windows zero-day vulnerabilities. The worm checked for a specific Siemens programmable logic controller (PLC) configuration of the kind that controls industrial machinery such as uranium centrifuges. The worm then altered the programming on the PLC, causing the centrifuges to spin outside their safe operating range while replaying data to the operator’s computer that showed the PLCs operating normally. The false-normal information made the attack harder to detect and respond to before the worm caused serious damage. Stuxnet’s failure to erase its electronic fingerprints and avoid capture raises concern that other unfriendly state and non-state actors might modify and reuse it to threaten the IT Sector.
A more recent cyberattack against critical infrastructure was the Russian attack on the Ukrainian power grid in 2015. Ukraine suffered a large-scale cyberattack that cut power to a major portion of the grid, causing blackouts for about 225,000 Ukrainian customers. During another power outage in 2017, medical professionals had to resort to pen-and-paper prescriptions to ensure the distribution of medications to critical patients.
Cybercriminals took advantage of hastily reconfigured and poorly secured networks during the COVID-19 pandemic as businesses moved to remote work environments. In 2020, malware attacks increased 358% compared to 2019. Cybercrime has turned the internet into a breeding ground for theft, fraud, and abuse – from small criminal rings looking to make money by stealing digital information from personal computers to large, organized crime syndicates and nation-state-backed organizations specializing in corporate espionage, extortion, intellectual property theft, and unauthorized access to classified government information.
In 2022, the cost of cybercrimes reached $6 trillion, with 80% related to phishing attacks. One high-profile cybercrime case involved the Chinese company Sinovel Wind Group, which stole intellectual property from U.S. company American Superconductor (AMSC) over three years to boost China’s wind turbine production. At the trial, AMSC claimed to have lost over a billion dollars in shareholder equity and about 700 jobs, losing over half of its global workforce due to the theft.
One risk to the IT Sector is the global supply chain and the transportation of goods. The U.S. supply chain relies on having goods and raw materials arrive “just in time.” When one piece of the chain fails, the whole system can collapse and halt. The COVID-19 pandemic showed how fragile the supply chain system was and how it greatly impacted the ability for the U.S. to receive raw materials and goods from foreign countries. The pandemic, combined with a semiconductor shortage in 2020, affected the sector’s ability to provide computers, mobile phones, car electronics and components, and computer parts and peripherals.
Another risk is the cost of internet services. High costs can lead to minimal effort to create a secure environment or to connect rural communities, even as the internet becomes the new normal for families and businesses. In a rural Nebraska community in 2023, it cost approximately $53,000 per home to bring fiber-optic internet to homes of the Winnebago Tribe:
The U.S. has committed more than $60 billion for what the Biden administration calls the “Internet for All” program, the latest in a series of sometimes troubled efforts to bring high-speed internet to rural areas.
How Would a Human-Caused, Natural, or Technological Disaster Impact This Sector’s Preparedness, Response, and Recovery Efforts?
As climate changes impact the environment, current studies are considering the short- and long-term effects of these changes on the existing critical infrastructure, particularly the power grid and telecommunication. For example, heatwaves reduce the generation efficiency of power grids, increase power transmission and distribution loss, decrease the lifetime of equipment such as power transformers, increase peak power demand, and sometimes force power plants offline, resulting in brownouts or rolling blackouts.
Losing power, technology systems, or telecommunications significantly affects communities, government, and daily operations. For example, Hurricane Sandy in 2012 disabled 25% of U.S. East Coast mobile phone towers. At the same time, the loss of electricity forced many mobile phone carriers and ISPs offline, meaning companies and residents could not send or receive information. Wireless infrastructure, fiber infrastructure, and data centers are at high risk of damage associated with storms, tornadoes, hurricanes, typhoons, tropical storms, floods, heat, and wildfires. High winds and wildfires can incapacitate power lines, transmission towers, telephone lines, and microwave receivers. In 2017, Hurricanes Maria and Irma destroyed 90% of mobile phone towers in Puerto Rico, St. Martin, Dominica, and Antigua and Barbuda.
The 1859 Carrington event demonstrated the vulnerability of the far less advanced world of telegraph communications. The same event today would have a far greater impact because of society’s dependency on IT. Geomagnetic storms and solar flares can wreak havoc on the electrical grid and disrupt or permanently damage telecommunication equipment, crippling telecommunications and technology systems worldwide. The sun releases bursts of radiation (solar flares) and plasma (coronal mass ejections) that can dramatically disturb the Earth’s magnetic field and result in a disaster that could disable power plants, transmission lines, substations, and mobile phone towers across large territories and cities. The Deep Space Climate Observatory (DSCOVR) and the National Science Foundation regularly study solar storms and flares. In March 1989, a geomagnetic storm collapsed the Hydro-Québec grid in Canada within minutes, leaving millions without power for about nine hours; in April 2001, one of the most powerful solar flares on record erupted, though it was not directed toward the Earth.
Poorly designed networks and security misconfigurations can lead to catastrophic human-caused disasters. A security misconfiguration occurs when security settings are implemented incorrectly or not applied at all. Missing or misconfigured security controls create a gap in that network’s defenses, exposing it to a cyberattack or a data breach. Many security misconfigurations occur when system administrators fail to change or validate a system’s default settings, such as a default administrative login or default administrative password. Tools such as vulnerability scanners or online resources such as Shodan can detect these default settings, and so can attackers: many cyberattacks begin with reconnaissance, in which malicious actors look for systems still using their default credentials, default SNMP community strings, or unencrypted management interfaces. Changing the default settings and validating the configuration before a device goes into service can significantly reduce the risk of a breach or cyberattack.
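The following script, added here as an example and not part of the original article or of any vendor’s tooling, shows how a configuration export can be checked for the default and insecure settings described above before a device is deployed. The rules, severities, the list of vendor defaults, and the sample configuration (a hypothetical device `edge-rtr-01` written in Cisco IOS-like syntax) are all constructed for illustration.

```python
"""Audit a network-device configuration export for default and insecure
settings.  Added example: the rules, severities, default-credential list
and the sample configuration below are constructed for illustration and
do not come from a real device or from the original article."""
import re

# Illustrative vendor defaults; a real audit would use a maintained list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("cisco", "cisco"),
    ("root", "root"), ("admin", ""),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Constructed sample configuration for a hypothetical device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
username admin password 0 admin
username ops secret 9 $9$constructedhashvalue
snmp-server community public RO
snmp-server community Qz7!longCommunity RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

USERNAME_RE = re.compile(r"^username (\S+) (password|secret) (\d) (\S*)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)")
TRANSPORT_RE = re.compile(r"^\s*transport input (.+)$")


def audit_config(config_text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()

        m = USERNAME_RE.match(line)
        if m:
            user, kind, enc_type, value = m.groups()
            # Type 0 is cleartext and type 7 is trivially reversible, so the
            # literal credential pair can be compared against known defaults.
            if kind == "password" and enc_type in ("0", "7"):
                findings.append((lineno, "medium",
                                 f"user {user!r}: cleartext or reversible "
                                 f"password (type {enc_type})"))
                if enc_type == "0" and (user, value) in DEFAULT_CREDENTIALS:
                    findings.append((lineno, "high",
                                     f"user {user!r}: unchanged vendor "
                                     f"default credential"))
            continue

        m = SNMP_RE.match(line)
        if m:
            community = m.group(1)
            if community in DEFAULT_SNMP_COMMUNITIES:
                findings.append((lineno, "high",
                                 f"SNMP community {community!r} is a "
                                 f"vendor default"))
            continue

        m = TRANSPORT_RE.match(line)
        if m and "telnet" in m.group(1).split():
            findings.append((lineno, "medium",
                             "telnet enabled for remote management"))
            continue

        if line == "ip http server":
            findings.append((lineno, "medium",
                             "unencrypted HTTP management interface enabled"))
        elif line == "no service password-encryption":
            findings.append((lineno, "low",
                             "password encryption service disabled"))

    return findings


def highest_severity(findings):
    """Return the most severe level present, or None for a clean config."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[1] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for lineno, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:>3} [{severity}] {message}")
```

Run against the sample, the script flags the unchanged `admin`/`admin` account, the `public` SNMP community, the cleartext password, telnet, and the HTTP management server. The same check can be wired into a change-control step so that a device with any high-severity finding is rejected before it is connected to the network.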
What Else Do Emergency Preparedness, Response, and Recovery Professionals Need to Know About This Sector?
Power consumption and the type of power are important aspects of every data center. Most modern data centers use alternating current (AC) power distribution systems. In the past few years, there has been growing interest in the IT Sector in direct current (DC) power distribution as an alternative. For example, leading telecommunication companies such as Verizon and Comcast use DC power in their data centers, a distinction that matters when ordering and delivering backup power supplies. Major computer companies also sell servers that can operate on either DC or AC power as a stop-gap measure to help with resiliency. It is imperative to consider both options when designing, servicing, or responding to a data-center emergency.
Each company and government entity is unique and builds on different standards. Building off general plans, communities combine short- and long-term planning efforts for future growth. For example, smaller communities like Loomis, California, are looking at short- and long-term growth efforts. Due to its smaller footprint, considerations like equipment costs and dependencies on outside IT, energy, and communication providers are crucial to planning efforts. These dependencies build and integrate infrastructure for businesses and homes. In contrast, large cities like New York may have their own power and gas companies (e.g., New York State Electric & Gas). Efforts designed and built in-house can have fewer dependencies on external companies to help streamline communications and emergency preparedness. When emergency managers and planners are part of the city’s overall process, they tend to be familiar with the language in emergency operation manuals, laws, and policies.
Emergency responders should consider the type of fire suppression system in use. Water and electronics do not mix, so most data centers use a non-water suppressant to extinguish electrical fires. In the past, halon was the leading choice of non-water fire suppression agent for data centers, but it has been phased out because it depletes the ozone layer. Although modern data centers have replaced halon with FM-200 or Novec 1230 systems, responders should be aware that older data centers may still use halon.
Solutions for emergency managers and other preparedness professionals in IT emergencies must be rapid and may be challenging to sort through. All the complexities the IT Sector presents on blue-sky days are doubled on grey-sky days and can be even more confusing. A cyber response plan is vital for local and state governments to have in place. The Cybersecurity and Infrastructure Security Agency (CISA) publishes incident response planning resources that help organizations identify challenges before a cybersecurity incident occurs, and NIST SP 800-61, the Computer Security Incident Handling Guide, guides private-sector computer security incident response.
Applying organizational structure to IT systems and understanding incident and vulnerability response also should be part of planning efforts. The document “Federal Government Cybersecurity Incident and Vulnerability Response Playbooks” contains standards that facilitate better coordination and more effective response among affected organizations, enable tracking of successful cross-organizational actions, and allow incidents to be cataloged so that future events can be managed better, with guidance on analysis and discovery.
The IT Sector is complex and fast-growing, with services and functions that a combination of public and private entities operates and maintains. Although IT resilience differs among businesses and federal, state, and local governments, this sector’s dependency on other critical infrastructure sectors creates unique challenges and opportunities. As society becomes more global and the physical and cyber worlds become more integrated, emergency managers, law enforcement departments, and fire agencies will have to better prepare and catch up to threats, policies, and resources to maintain effectiveness in preparedness and response.
Paul Galyen, CISM, is an experienced information security professional skilled in vulnerability management, security architecture, and endpoint security hardening, currently working with the California Cybersecurity Integration Center. Before state service, he worked as a contractor providing cybersecurity and digital forensic analysis for a large IT company and a major aerospace company. In addition, he served eight years as a communications specialist with the United States Army Reserve with the 801st Engineering Company (Horizontal Construction) and the 305th Engineering Company (Route Clearance), including a military deployment to Afghanistan in 2014 in support of Operation Enduring Freedom. He received a Master’s of Information Technology Management with a specialization in cybersecurity from Colorado State University Global Campus.
Nathan DiPillo currently serves as a California Governor’s Office appointee assigned to the California Office of Emergency Services as a Critical Infrastructure Analyst in the State Threat Assessment Center. Before state service, he functioned as a critical infrastructure specialist with the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). He also spent over 15 years with the Transportation Security Administration, where he assisted in standing up the agency with policy development, training, and recruitment. He has over 25 years in the emergency management and security industry, beginning as a resident firefighter/emergency medical technician. He also served with the California State Military Department, and Army National Guard in the 223rd Training Command ending his career as a Sergeant First Class. During that time, he served in many units, finishing his career attached to the 102nd Military Police Training Division in an Opposition Force Unit. He currently serves on a small-town planning commission and assisted in coordinating an emergency family communications group in his local area. He possesses a Master of Emergency Management/Homeland Security from the National University and other Federal Emergency Management Agency (FEMA), U.S. Department of Homeland Security (DHS), and military certifications. He currently serves as an advisor to the Domestic Preparedness Journal.