Why our rickety internet infrastructure needs an upgrade

What’s happened?

Last Tuesday morning, for about an hour, some of the internet’s most visited websites were unavailable, including Amazon, Reddit, PayPal and Spotify. Also down were the BBC, The Guardian, the Financial Times, The New York Times and CNN. Perhaps most worrying, the UK government’s gov.uk domain was among those knocked out. The cause wasn’t any kind of malicious attack or conspiracy. Rather, it was the result of a single customer of Fastly – a San Francisco-based content-delivery network – updating their configuration settings, and unwittingly triggering a hitherto unknown bug in Fastly’s new software.

How could that take down Amazon?

Due to the way the internet has grown and changed as the amount of web data has ballooned. Specifically, it’s due to the rise of content-delivery networks (CDNs) – that is, cloud services that provide a worldwide fleet of servers to customers who cannot easily handle bandwidth spikes on their own. The purpose of CDNs (ironically enough) is to make the internet faster and more stable by letting users connect to servers physically close to them. Their main job is to provide “digital liquidity” – giving businesses greater geographical spread and proximity to customers, flexibly absorbing shocks and pooling the costs of maintaining spare capacity. Fastly is the fifth-largest provider globally. But there’s a paradox here.

What’s that?

The whole idea of the internet is built on decentralisation, and the resilience that comes from widely distributed risk. Yet the CDN model tends towards “market concentration because it depends on overwhelming bandwidth, economies of scale, expensive physical data centres and serious programming talent”, says Corinne Cath-Speth of the Oxford Internet Institute in The Daily Telegraph. The three biggest CDNs are Cloudflare, Amazon Web Services (AWS) and Akamai. Together they have around 89% of the market and all have suffered similar episodes since 2010. In this case, Fastly at least lived up to its name, getting 95% of the network back up and running as normal within the hour.

Subscribe to MoneyWeek

Subscribe to MoneyWeek today and get your first six magazine issues absolutely FREE

Get 6 issues free

Sign up to Money Morning

Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter

Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter

Sign up

How much financial damage did it do?

Estimates vary wildly from millions of pounds to many billions. ParcelHero, the e-commerce delivery company, estimated that retailers across the UK, Europe and US will have lost around £1bn because of the outage. Counterintuitively, Fastly itself was not among those to take a hit. Although its share price dropped 5% as news broke of the issue, the share price ended the day up 11%. Investors were either impressed by the swift resolution, or maybe those who hadn’t heard of the firm before liked what they saw. But either way, the whole episode has heightened worries about the inherent vulnerabilities of the internet.

Is this just a commercial issue?

No, it’s a security and geostrategic issue too. If the Fastly farce “makes the modern internet sound alarmingly like a house of cards built on shaky foundations, that’s because it is”, says James Ball on CapX. The services, like Fastly, that keep the network operating behind the scenes “have long chains of dependencies – one service might draw on code from another site, that in turn relies on open-source code libraries that may or may not have been kept updated for decades”. This architecture makes big firms vulnerable to internet breakdowns. But it also means that malign actors – state or otherwise – have no shortage of targets. “A country wanting to launch a military operation against a neighbour could, for example, launch massive cyberattacks to take out much of the internet... Others might take down the internet for fun, or for profit.”

How big a threat are such attacks?

Big and getting bigger. Ransomware attacks have surged by 60% over the past year, with recent high-profile targets including Ireland’s health service and Colonial Pipeline in the US, which exposed the risks to critical energy infrastructure in the world’s biggest economy. Moreover, the average ransom payment has roughly doubled over the past year, according to Coveware, a tracking firm. Here in the UK, the nation’s cyberdefence chief has warned that criminal hackers carrying out ransomware attacks now pose a bigger risk to UK national security than online espionage by hostile states. In a speech this week, Lindy Cameron – chief executive of the National Cyber Security Centre, a branch of GCHQ – discussed the very real threats to business and security from state actors including China, North Korea, Iran and Russia. But for most people and businesses – including suppliers of critical national infrastructure and government services – “the primary threat is not state actors but cybercriminals”, says Cameron.

What can be done?

Ransomware is obviously separate from the issue of structural vulnerabilities exposed by the Fastly affair, but both are about threats to internet infrastructure robustness. On the ransomware issue, says the ex-MI6 boss Alex Younger in the Financial Times, it’s clear that many of the key groups are based in Russia, and are tolerated as long as they don’t threaten Russian interests. Thus, part of the solution involves getting President Putin to own the problem, using the “full range of geopolitical carrots and sticks”. Second, governments should discourage the payment of ransoms, make it compulsory for such payments to be disclosed, and must upgrade their anti-money-laundering capabilities for the age of cryptocurrencies. On the wider infrastructure issue, says John Villasenor of the Brookings Institution, government should promote diversification in the number and types of firms providing infrastructure services. There’s been an intense government focus in recent years on visible parts of the internet ecosystem. Henceforth, policymakers must be equally focused on the bits of the internet we don’t normally see.