It has been almost two years since the U.S. government joined 60 global partners to call for a single global internet and technology ecosystem that is truly open and fosters competition. And yet, a single vendor controls 85% of the market for the government’s most commonly used technology. In an increasingly interconnected world facing a growing number of sophisticated threat actors, overreliance on any one technology vendor creates significant risks.

A bold vision requires bold action, and the most effective way for the U.S. government to take the lead in realizing the change it and its partners seek in the digital world is to get its own house in order. To do so, it must prioritize ensuring that its marketplace reflects the values it promotes by addressing the risks that persist from its IT monoculture.

The federal government is the largest consumer of goods and services in the world, spending roughly $600 billion each year—including more than $100 billion on IT and cyber investments. A large majority of these investments are directed toward Microsoft. Relying so heavily on a single IT provider not only increases the target profile of that provider, but also limits the ability of the government to defend itself against future cyberattacks. As Sen. Eric Schmitt, R-Mo.,recently stated, “only meaningfully employing one vendor” creates a single point of failure that adversaries can exploit.”

These concerns have been echoed across government agencies, including the U.S. Departments of Veterans Affairs and Defense. Current and former officials tied the VA’s move to go “all-in” on a single vendor to the accidental disclosure of 1,500 U.S. veterans’ personal data. Similarly, former DoD senior officials questioned the department’s decision to replace its long-running cybersecurity program with off-the-shelf tools from the same vendor providing the DoD’s software and cloud services, calling the move an “unacceptable level of risk” for the department.

In December, with the passage of the 2024 National Defense Authorization Act came lawmakers’ agreement to a key insert to the act by Sen. Schmitt (section 1553) compelling the Department of Defense (DoD) to assess the cybersecurity capabilities of the technologies it uses so as to ensure competition and interoperability—the concern being that both competition and interoperability are hindered by the DoD’s overreliance on legacy vendors. Cybersecurity experts know that an impartial analysis will likely find the DoD’s overreliance on a single vendor is severely limiting competition and interoperability, and is as a result a threat to U.S. national security.

The DoD represents the largest portion of the U.S. government marketplace, but the need to diversify IT and cybersecurity vendors extends across the government and aligns with the Biden Administration’s National Cybersecurity Strategy. The strategy is rooted in two central themes: rebalancing the responsibility to defend cyberspace and realigning incentives to favor long-term investments. As part of this, the U.S. government and major technology providers are called on to protect data, assure the reliability of critical systems, and make cyberspace more resilient and defensible over the long term.

The best place to start is in its own marketplace—where the U.S. government has the most control. For the government to best protect its systems and invest in a secure digital ecosystem, it must foster greater competition and diversify the vendors it relies on to provide and secure its digital ecosystem. Doing so would drive the values the administration seeks to realize in the broader digital world and enhance our national security posture. Additionally, such a move in the largest marketplace in the world would be a major incentive to drive change and almost certainly reduce the need for extensive regulation to enforce an open, free, interoperable market.

Until the U.S. government’s marketplace exemplifies its vision for the broader digital world, it can’t expect to lead others in realizing such a vision—at home or abroad. The U.S. government should prioritize leading by example and ensure its IT marketplace fosters competition, privacy, and security, and ultimately by selecting a more diverse set of cybersecurity and IT vendors. In this way, the U.S. government will lead by example, not exception, in bringing about the global internet and technology ecosystem that it envisions at home and abroad.

Cory Simpson is the founder and CEO of Gray Space Strategies, Inc., a professional services and strategic advisory firm based in Washington, D.C., and serves as CEO of the Institute for Critical Infrastructure and as a Senior Advisor to the Cyberspace Solarium Commission.

In Other News
Load More