The digital domain has become as essential as the physical world, underpinning economies, national security, healthcare, and everyday connectivity. However, the unprecedented concentration of digital functions within a few dominant entities—referred to as digital consolidation—poses significant societal risks.
A new report by the Institute for Critical Infrastructure Technology (ICIT) outlines an urgent call for action, presenting a framework of four key pillars: Resourcing, Recovery, Rehearsals, and Response.
Risks of Digital Consolidation
While digital consolidation has led to efficiencies and innovation, it has also created systemic vulnerabilities. The reliance on hyperscalers such as Amazon, Microsoft, and Google for cloud infrastructure, as well as the dominance of companies in sectors like artificial intelligence, creates single points of failure. These centralized systems are prime targets for cyberattacks, operational errors, or natural disasters, which can cascade across interconnected networks, affecting millions.
The geopolitical context exacerbates these risks. Nations like China have leveraged state-controlled digital ecosystems for economic and strategic gains, presenting an alternative to the open, private-sector-led model of democracies. This splinternet model not only challenges global standards but also introduces additional security threats.
A Framework for Resilience
The ICIT report emphasizes the necessity of proactive measures to safeguard critical digital infrastructure through its “Four Rs”:
1. Resourcing: The report highlights that market forces alone cannot ensure the robustness of digital systems. Government investments are necessary to foster technological diversity, enhance redundancy, and prioritize resilience. For instance, legislation should mandate interoperability and recovery standards, enforced by agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
2. Recovery: Planning for digital disasters is as crucial as for physical ones. This involves setting Recovery Time Objectives (RTOs) across federal systems, modernizing procurement practices, and creating a National Recovery Dashboard to monitor and guide recovery readiness. Effective recovery not only restores functionality but also strengthens public trust and deters adversaries.
3. Rehearsals: Regular cyber exercises are essential to stress-test recovery protocols and refine coordinated responses. National Cyber Rehearsals involving public and private stakeholders should simulate realistic scenarios, revealing vulnerabilities and fostering cross-sector collaboration. Such preparedness signals a robust defensive posture to potential adversaries.
4. Response: Establishing clear deterrence policies, supported by advanced technical attribution capabilities, is critical to protecting consolidated systems. The report advocates for a tailored cyber response doctrine that integrates military, economic, and diplomatic measures. Partnerships with the private sector must also be strengthened, ensuring alignment between governmental and corporate strategies for incident response.
CyberRisk Alliance Study Captures Attitudes Toward Tech Consolidation
In October and November 2024, ICIT partnered with CyberRisk Alliance (CRA) to create The ICIT 2024 Digital Consolidation Study. It explores trends, challenges, and benefits associated with consolidating IT systems and cybersecurity tools and is based on insights from a survey of 302 IT, cybersecurity, and business executives recruited from the CRA audience, which includes readers of SC Media and CISOs from CRA’s CyberRisk Collaborative membership.
The study shows that while some organizations are increasingly consolidating their IT systems and cybersecurity tools, in hopes of enhancing efficiency and compatibility and driven largely by cloud modernization efforts, they also understand and worry about the significant security challenges identified earlier in this report.
Other respondents are more reluctant to consolidate because, along with lower costs and customization, they see diversity of systems as something that is harder to breach.
The survey illustrates that, while some do see benefits in consolidation, most companies understand and worry about the increased cybersecurity risks that come with fewer and bigger platforms.
Why Action Is Imperative
The report concludes with a stark warning: The future of American leadership and stability hinges on the ability to secure the digital domain. As technology evolves, so must our strategies for resilience. Protecting the interconnected fabric of modern life is not just a defensive necessity but a proactive commitment to global leadership in the digital age.