In February, the Center for Cybersecurity Policy and Law (CCPL) and Gilbert + Tobin (G+T), in collaboration with the Tech Council of Australia (TCA), conducted a multi-stakeholder tabletop exercise, “Addressing IT Concentration Risk in the Australian Government.” The intent of the exercise was to explore the concept of concentration risk within the context of the Australian Government’s information technology (IT) environment through an interactive red team/blue team style tabletop exercise.

During the exercise, it became clear that concentration risk is not merely a theoretical concern but a tangible challenge that can have far-reaching consequences. The exercise found that over-reliance on a single vendor or technology creates vulnerabilities that can be exploited during a cyber incident. In scenarios where a single provider’s tools are compromised, the interconnected systems across government can face cascading failures, delayed response times, and limited contingency options. This practical demonstration underscored why concentration risk deserves focused attention from Australian policy makers and robust risk mitigation measures.

The exercise highlighted the critical need for strengthening risk management frameworks, improving governance mechanisms, and fostering better coordination across government entities and with IT vendors. The Australian Government is well positioned to take proactive steps to address IT concentration risk through updated policies and international cooperation to ensure resilience and security in its digital infrastructure.

Recommendations:

  1. The Australian Government should integrate IT concentration risk considerations into the Resilient Digital Infrastructure (RDI) framework being developed as part of the broader objective to uplift Commonwealth Government cyber security. Australian Government IT infrastructure policy should be designed to ensure all entities assess and mitigate the risks associated with over-reliance on single vendors or technologies, thereby enhancing the resilience and security of government IT systems.
  2. The Department of Home Affairs should consider, through its proposed Protective Security Policy Framework 25, a new Gateway Security Standard and Hosting Certification Framework reforms, directing all entities to conduct a comprehensive assessment to identify IT concentration risks, including but not limited to over-reliance on a single vendor, technology, or service provider.
    • Entities would document and report identified risks to the accountable authority and the Department of Home Affairs, giving the Australian Government a better understanding of possible cascading risks related to IT concentration.
    • This assessment should align with and be underpinned by the requirements of PSPF Directive 002-2024, which mandates a technology asset inventory to identify and manage risks associated with vulnerable technologies.
  3. Similarly, the Department of Home Affairs should consider issuing guidance to responsible entities designated as Systems of National Significance under the Security of Critical Infrastructure Act 2018 (Cth) to assist with assessment of IT concentration risk as part of their Critical Infrastructure Risk Management Programs.
    • This guidance could also assist designated entities to fulfil obligations under any Enhanced Cyber Security Obligations applied by Home Affairs, such as undertaking cybersecurity exercises to build cyber preparedness and developing incident response plans to prepare for a cybersecurity incident.
    • Further, Home Affairs should consider whether or not it has adequate visibility of critical IT assets used across those responsible entities to assess and manage IT concentration risk across sectors, and if needed, exercise its powers under the Security of Critical Infrastructure Act to obtain better visibility.
  4. The Digital Transformation Agency should update the Digital and ICT Investment Oversight Framework (IOF) and its underlying guidance, particularly the guidance related to the use of the Risk Potential Assessment Tool, to ensure those undertaking ICT investments consider IT concentration as a relevant risk.
  5. The Australian Signals Directorate should consider a revision to the Information Security Manual (ISM) under the Guidelines for Procurement and Outsourcing section, advising organisations to assess concentration on one supplier as a relevant risk when making procurement decisions. This would enhance the current guidance, which states that organisations should “aim to identify multiple potential suppliers for critical applications, IT equipment, OT equipment and services.”
  6. The Australian Government should work proactively with allies and partners, particularly the Five Eyes countries (Canada, New Zealand, the United Kingdom, and the United States), in an effort to define IT concentration risk and assess the systemic consequences across borders.

Adam Dobell, John Banghart & Alex Botting
