This summer, the U.S. House of Representatives Committee on Homeland Security met to examine the findings from a recent Cyber Safety Review Board (CSRB) report focused on a cyber attack on Microsoft-hosted cloud environments. The report found that “a cascade” of “avoidable errors” resulted in an attack that compromised sensitive national security information and exposed vulnerabilities in the U.S. cybersecurity framework that put government agencies, public officials, and everyday citizens at risk. Ultimately, questions from lawmakers during the hearing highlighted the need for a fundamental reevaluation of the American cybersecurity system.
According to House Homeland Security Committee Ranking Member Bennie Thompson, an estimated 85% of government software is provided through legacy vendors. This dependency often leads to preventable errors that result in significant security breaches. While federal, state, and local governments often rely on private sector companies to take responsibility for implementing cybersecurity measures, the concentration of security vendors poses a serious risk, and a single breach can result in devastating consequences, demonstrating the urgent need for a multi-vendor approach.
During the hearing, House Homeland Security Committee Chair Mark Green and Ranking Member Thompson advocated for this shift. Green, for example, expressed the need to better “define the roles and responsibilities for public and private sector actors” in the face of evolving cyber threats. Meanwhile, Thompson pointed toward “non-competitive cybersecurity contracts” as a security risk for critical online infrastructure.
Ultimately, robust competition for government cybersecurity contracts is essential for establishing a baseline of security for our critical online infrastructure. Greater competition fosters accountability and innovation, encouraging private businesses to create more effective threat-hunting technologies that prevent successful online breaches and, in the event of a cyber attack, to build a culture of security that can minimize damage and prevent similar attacks in the future.
This challenge was also the focus of an SIIA-led letter to federal agencies regarding cybersecurity risk in June, urging them to take proactive steps to reduce the risks highlighted by the CSRB’s review. The letter emphasized the need for a multi-vendor approach to enhance security resilience, and advocated for increased vendor diversity and the adoption of open-source software to mitigate the concentration of risk associated with single-vendor reliance.
As global cyber threats evolve, American cybersecurity strategies must become stronger. The federal government must embrace a multi-vendor approach, enhance security baselines, and promote competition in order to create more resilient and secure systems. Following the House Homeland Security Committee’s recent hearing on cybersecurity challenges, Congress should take action and work to adopt a more competitive, innovative system to keep our critical online infrastructure secure.