
Buying power and the burden of trust


COMMENTARY -- October marks Cybersecurity Awareness Month—a time to focus on the daily actions that keep our digital world secure. This year’s theme, Building a Cyber Strong America, highlights the role of state, local, tribal, and territorial governments, as well as the small and medium-sized businesses that power our economy and sustain essential services. These organizations, together with the vendors and suppliers that enable them, sit at the heart of America’s critical infrastructure. Their vigilance—and their accountability—determine the strength of the systems our nation relies on every day.

Practitioners understand that awareness is the foundation of cybersecurity, and its strength grows when technology providers share that responsibility. The 2023 National Cybersecurity Strategy confirmed this principle, calling for greater responsibility among those best equipped to reduce risk—software vendors, cloud providers, and the supply chains that connect them. For small and medium-sized businesses and local governments, this alignment is essential. Their ability to operate securely depends on partners who design, update, and maintain technology with security integrated from the start.

Building a Cyber Strong America depends on two forces working together: awareness that drives good practice, and accountability that sustains it. Awareness shapes culture; accountability turns that culture into lasting protection. Ensuring vendor accountability, however, begins with leadership from public officials. Congress, federal agencies, and the Executive Office of the President all influence how technology is purchased and deployed. Through budget decisions, procurement standards, and the continued consolidation of federal purchasing—most visibly GSA’s OneGov initiative—leaders shape what vendors must deliver and what the broader market expects from security.

Accountability at scale

Today’s technology ecosystem is defined by consolidation. A handful of providers—AWS, Google, Microsoft, and Oracle—power most of the infrastructure that government and industry depend on. That scale brings efficiency and capability, but it also amplifies risk. As an Institute for Critical Infrastructure Technology task force recently noted, “the concentration of digital capability in a small number of vendors has created structural dependencies that magnify systemic exposure.” A single design flaw or delayed update in a dominant platform can ripple across sectors, affecting public services, private operations, and the trust that connects them.

The past year underscored this dynamic. Despite some positive examples, such as Google’s transparency and corrective action during its OAuth token exploit, persistent gaps in vendor accountability remain evident:

These incidents reflect a deeper truth: concentrated power magnifies both capability and consequence. Scale confers responsibility—the larger the platform’s reach, the greater its obligation to protect it.

Each of these providers sits at a point of national dependency. Their code, cloud environments, and identity systems support everything from local government operations to global commerce. When their safeguards falter, the effects cascade through the economy and into public trust.

Recent findings from the Cyber Safety Review Board’s Review of the Summer 2023 Microsoft Exchange Online Intrusion make that reality plain, documenting systemic weaknesses and the limited reforms that followed. Leadership in this space is measured by discipline, transparency, and speed of action. The companies that design secure-by-default architectures, disclose incidents quickly, and patch with urgency strengthen not only their own networks but also the digital infrastructure that sustains the country. In a consolidated digital ecosystem, trust is earned through performance, and accountability is its measure.

Buying power is cyber leadership

For the government, cybersecurity leadership begins with how it buys technology. Procurement is one of the most powerful tools for shaping security standards and influencing market behavior. Every contract decision—who earns it, under what terms, and how performance is measured—signals what matters. When security is a budget priority, it becomes an operational reality.

This means using purchasing power to diversify instead of deepening monocultures, and to lead by example by structuring purchases around security, interoperability, and resilience. The 2023 National Cybersecurity Strategy reaffirmed this approach, calling for procurement to drive secure-by-design practices across the technology ecosystem. Overreliance on a single provider or rewarding negligence not only concentrates risk but also creates single points of failure. The clear solution is to incentivize vendors to prioritize security by awarding contracts to those that meet strict security standards and take responsibility, while also requiring provider diversity to reduce systemic risk.

In practice, this means making secure-by-design commitments the default, not the exception. This includes integrating NIST’s Secure Software Development Framework into contracts, requiring software bills of materials, enforcing strict patch timelines for critical flaws, guaranteeing no-cost access to security logs, mandating clear end-of-life paths, and tightening OAuth and third-party controls. These are not “nice-to-haves”; they are the baseline standards. By establishing these expectations in contracts, audits, and procurement, government leaders send a clear message: in the digital age, security is the baseline for doing business.

Leadership through accountability

Cybersecurity Awareness Month reminds us that individual vigilance matters, but leadership defines outcomes. The awareness built through campaigns and training lays the foundation; accountability ensures it lasts. Every participant in our digital ecosystem—operators, vendors, and government buyers—has a role in shaping that standard.

For vendors, accountability means delivering secure products, maintaining transparency, and acting with urgency when flaws appear. For the government, this means using buying power to set expectations, reward responsible performance, and promote diversity that limits systemic risk. For practitioners and citizens alike, it means recognizing that security is not a one-time exercise but a shared discipline that protects the systems that keep the country running.

A Cyber Strong America will not be built by awareness alone or by mandates from the top. It will be built through partnership—between public officials who lead through standards and private innovators who lead by example. Accountability connects them—it transforms awareness into action and turns leadership into lasting strength.

Cory Simpson

Cory Simpson is a national security and cybersecurity executive with more than two decades of experience across government, elite military organizations, and the private sector. He leads DC-based organizations that bridge policy and technology, often advising companies across the tech ecosystem—including competitors—to advance modernization, strengthen security, and serve the American people.
