The Institute for Critical Infrastructure Technology (ICIT), a nonprofit, nonpartisan think tank tasked with modernizing, securing, and making resilient the critical infrastructure that provides for people’s foundational needs, has formed a new Task Force to mitigate the growing risks associated with IT and cybersecurity consolidation.
This eight-member team, composed of industry and security experts, includes leaders like Marene Allison, Nick Andersen, Edna Conway, Brett Freedman, Tom Gann, Ankur Sheth, Cory Simpson, and Alissa Starzak.
According to ICIT CEO Cory Simpson, who co-chairs the Task Force, “We have assembled an extraordinary group of people to help tackle a complicated and multifaceted challenge in our digital ecosystem.”
As IT and cybersecurity technologies consolidate, driven by factors such as cost savings, efficiency, cloud modernization, and improved user experiences, concerns about vulnerabilities grow. The over-reliance on a small number of providers for critical services and platforms can lead to major disruptions, stifle innovation, and amplify risks in the event of failures. These concerns became widely apparent following the recent flaw in CrowdStrike’s update that, although affecting less than one percent of Windows devices, caused global disruptions with billions of dollars in economic losses.
The risks of consolidation are particularly acute for governments, critical infrastructure, and large commercial enterprises. Consolidation may streamline interactions by reducing the number of vendors, but it also makes it difficult to respond when failures occur in these concentrated providers. A notable example of this was the Microsoft Exchange Online intrusion in the summer of 2023. This breach, caused by a series of security failures at Microsoft, allowed Chinese state hackers to access sensitive communications of senior US and UK government officials. The Department of Homeland Security’s March 2024 Cyber Safety Review Board (CSRB) report stated that this incident “should never have happened” and highlighted the risks posed by over-reliance on single technology providers.
The ICIT Task Force aims to develop actionable recommendations to address these challenges, ensuring the benefits of consolidation are maintained while mitigating its inherent risks. With a December 2024 deadline for its final recommendations, the Task Force’s findings are expected to play a crucial role in shaping future policy and governance strategies for cybersecurity in the U.S.
The full report is set to be unveiled at a special event in Washington, D.C. later this year.