Concentration risk isn’t a well defined or commonly used term in the information technology (IT) sector, but it has been gathering more attention due to recent cyberattacks. Concentration risk is a term more often associated with the financial services sector which looks at the potential risk of having too many holdings in one investment, asset class or market segment but at a high level it begs the question, “do I have too many eggs in one basket?”

In terms of information technology (IT) it’s a matter of whether an organization relies too heavily on one vendor, creating a “IT monoculture.”This occurs when several or all computer systems, applications, networks in the same environment share similar or identical software, configurations, or hardware. While IT monoculture can manifest in different ways, there is no specific measurement or threshold of when or how it does or does not exist.

The general understanding relies heavily on “we know it when I see it,” which naturally results in inconsistency and debate. Recent cybersecurity incidents have prompted calls for a greater examination of this “IT monoculture” and some of the risks associated with it. 

Because of the questions around definitions or metrics, the Center for Cybersecurity Policy and Law conducted a multi-stakeholder tabletop exercise entitled Addressing Concentration Risk in Federal IT in April. The purpose of the exercise was to explore IT monoculture within the context of federal information technology.

To explore the security impact of IT monoculture within federal agency IT, the Center developed a red team/blue team exercise grounded in several fictional elements. The scenario was designed to create a plausible real-world situation, and reflective of real-world U.S. government agency infrastructures. The exercise simulated a nation-state level cyberattack by the People's Republic of China sponsored threat actors against the U.S. government.

The primary intent of the exercise was to assess how the differing levels of IT monoculture between two government agencies influenced the actions, successes, and failures of the adversarial team.

Throughout the exercise the Center identified a number of areas for further research and assessment. Overall recommendations include:

• In coordination with industry, the National Institute of Standards and Technology (NIST) should undertake an effort to further define the types and boundaries of IT monoculture and how organizations can measure the potential risk it creates in the context of their purchasing and implementation decisions. Results should be considered for inclusion in the Cybersecurity Framework and other risk management guidance published by NIST.
• To better understand the scope and potential risk of IT monoculture in the U.S. federal government, the Office of the National Cyber Director (ONCD) should direct the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Defense (DoD), the General Services Administration (GSA), and other agencies as appropriate, to ascertain the existence of IT monoculture across all departments and agencies.
• Congress, and specifically the Committee on Homeland Security and Governmental Affairs (HSGAC) should investigate and provide oversight on the risk of IT monoculture across federal government departments and agencies.

The full report can be found here. 

‍