Executive Summary

On April 29, 2025, adjacent to the RSA Conference 2025, the Center for Cybersecurity Policy and Law (“the Center”) convened the latest in a series of multi-stakeholder tabletop exercises exploring information technology (IT) concentration risk. Over the past 18 months, the Center has led similar exercises that have directly and indirectly examined IT concentration risks.

What began as an exploration of the theoretical risks that governments may be exposed to through the concentration of vendors and specific IT products and services has since grown into an ongoing series investigating various aspects of the very tangible threat that IT concentration risk poses to governments and critical infrastructure. The exercises have taken place at a time when cybersecurity resilience is being tested more aggressively by nation-state and non-nation-state actors.

This report summarizes the findings and recommendations of the RSA exercise. Previous exercises focused on how individual governments assess their concentration risk and consider guidance or policies to mitigate risks. In contrast, the purpose of this exercise was to explore IT concentration risk within a broader international context and was conducted with Five Eyes officials and industry representatives. Specifically, it was centered on exploring IT concentration risk in the context of coordinated Chinese-state actor cyber operations against a trio of fictional countries representing a Five Eyes alliance dynamic.

The Five Eyes countries are uniquely positioned to lead efforts to improve the understanding of IT concentration risk and to develop common definitions, metrics, and methodologies because of their longstanding cybersecurity cooperation, robust policy and legal frameworks, and trusted information-sharing mechanisms that underpin joint decision-making and collective defense in the cyber domain.

The outcomes of the exercise informed the following recommendations:

  1. An internationally trusted entity with experience in developing consensus-based standards and guidance, potentially the U.S. National Institute of Standards and Technology (NIST), should work toward developing and promoting a common definition of IT concentration risk and a methodology or metric to measure and assess it. 
  2. Governments should assess the presence and associated risks of IT concentration within and across government and critical infrastructure environments, and develop policies that establish appropriate risk tolerance in various contexts. To do this effectively, governments should employ a developed and standardized definition of IT concentration risk, along with a methodology and metric to measure and evaluate it.
  3. Governments should assess the potential cascading and cross-border effects of IT concentration risk. This includes effects within their own government and those of regionally proximal and geopolitically aligned governments. Particular attention should be paid to those countries with which they have dependencies in critical sectors such as defense.
     • IT concentration risk should be raised and addressed at an appropriate political level in bilateral and multilateral forums among those countries that have shared dependencies in critical sectors.
     • The Five Eyes governments should work together to develop and share intelligence assessments with industry, particularly critical infrastructure operators, of how adversaries, particularly nation-state actors, might exploit IT concentration to inflict cascading and cross-sector degradation of systems across their networks. This effort should leverage existing intelligence-sharing frameworks and be informed by national threat assessments, such as the Canadian Government’s National Cyber Threat Assessment 2025–2026, which identifies IT concentration as a key cybersecurity trend. These shared assessments will strengthen defensive postures and resilience initiatives within the Five Eyes community and among allies.

In addition to the above recommendations, the exercise identified potential areas for further research and assessment, and raised some valuable questions that the exercise was not specifically designed to address.

This after-action report summarizes the exercise itself, provides additional guidance regarding the recommendations above, and identifies additional areas in need of further exploration. Given the growing prevalence of IT vendor concentration, we hope that the paper will spur additional efforts to assess and mitigate the associated risks, to the benefit of cybersecurity and resilience in public and private IT networks.

John Banghart, Alex Botting, Adam Dobell & Tim McGiff
