For the second time in 10 days, a massive swath of the internet went down due to an outage at a company most people have probably never heard of.
The websites of Southwest Airlines (LUV), United Airlines (UAL), Commonwealth Bank of Australia (CBAUF), the Hong Kong Stock Exchange and others all went down on Thursday after an issue at cloud service provider Akamai (AKAM) Technologies.
The situation was almost identical to another recent outage caused by a similar company called Fastly, which shut down major sites including Reddit, CNN, Amazon (AMZN) and a UK government website.
While the outages were both short-lived, they serve as shocking reminders of the Internet’s fragility. And at a time when concerns are growing about cyber risks to critical physical US infrastructure, the outages could also raise alarms about risks to our digital infrastructure.
Almost all websites rely on a service provider such as Fastly or Akamai – which run what’s called a “content delivery network” or CDN (more on what that means later) – as a layer between internet users and the servers where their content is hosted. The problem: There are only a handful of CDN operators. If one of them goes down – either because of a benign software bug, as in Fastly’s and Akamai’s cases, or a cyber-attack – huge swaths of the internet could go down with it.
“Definitely the biggest centralized point on the Internet are these CDNs,” making them a potential target for cyber criminals or government actors, Nick Merrill, research fellow at UC Berkeley’s Center for Long-Term Cybersecurity, said after the Fastly outage.
Utilities, social media platforms, news organizations, financial services, government agencies and more rely on CDNs to operate their websites. While Fastly was able to restore its service quickly, it is easy to envision problematic future scenarios in which the resolution is slower.
“The problem with the Internet is that it’s always there until it’s gone,” former Microsoft Chief Technology Officer David Vaskevitch, who now runs photo storage service Mylio, told CNN Business earlier this month. “For a system with so many interconnected parts, it’s not always reliable. Any breakable part can bring it down.”
Even before the recent outages, internet infrastructure experts had been sounding the alarm about concentration in the CDN space, where the small number of major providers could be prime targets for attack.
For websites to load and run as fast as we expect, the computing power needs to be physically close – at least relatively – to the people who want to access it.
That’s why companies like Fastly and Akamai exist. Their “content delivery networks” are essentially a collection of “cloud” servers spread across various geographic locations where websites can store content in close proximity to their users. This allows apps and websites to load in seconds and enables high-quality streaming. It also saves a lot of energy.
CDNs play a critical security role by preventing so-called “distributed denial-of-service” attacks, in which attackers send tons of requests to access a website in an attempt to overwhelm and shut down the systems.
“It’s indispensable infrastructure,” Merrill said.
The catch is that so many websites – big and small – use CDNs as a layer between users and the servers where their content resides that when a CDN goes down, much of the internet can go down with it.
In Fastly’s case, a software bug that appeared as part of a regular update briefly took out about 85% of the company’s network, the company said. Akamai said about 500 of its customers were affected by an issue with its DDoS mitigation software that caused the outage.
And it’s not just CDNs. Amazon Web Services, a cloud computing service that supports numerous popular websites, has also faced outages that eventually shut down large swathes of the internet.
With any technology, occasional failures and outages are inevitable.
“There is no flawless Internet, so the measure of success is how quickly a major Internet company like Fastly can recover from a rare outage like this,” said Doug Madory, director of Internet analytics at network analytics firm Kentik.
In Fastly’s case, the problem was detected “within one minute,” and within an hour, 95% of the network was working normally, senior vice president of engineering and infrastructure Nick Rockwell said in a blog post. Akamai also said it notified customers of the issue within seconds and that the issue was resolved within four hours, though it took steps to ensure most affected customers were offline for only a few minutes.
The bigger problem with the Internet’s massive reliance on just a few CDNs is the possibility of them becoming the target of an attack, Merrill said. He is also concerned about a potential government order dictating what such companies can and cannot support, which could amount to government censorship of the Internet.
Fastly is actually one of the smaller players in the CDN market. The largest is Cloudflare, which supports approximately 25 million Internet sites, including state websites, national health ministries, and corporate giants such as IBM and Shopify. In 2019, Cloudflare was briefly in the spotlight after withdrawing support for 8Chan, making it difficult for the controversial online message board site to stay online.
Akamai is also one of the larger CDN providers.
To be sure, CDNs have backup protections, and websites can contract with more than one CDN operator in case of outages. Usually a failure will be like Fastly’s: a temporary inconvenience. And websites can still appear online without a CDN; they just load slowly and are more at risk from cyber attacks.
But experts say there’s still a risk of an attack targeting a bigger player like Cloudflare, or hitting multiple CDNs at once.
“At worst, it becomes an attack on Cloudflare,” Merrill said. “The Russian government or the Chinese government is going to take down Cloudflare and break the internet.”
The solution, he said, could be industry antitrust regulation — similar to the regulatory burden faced by more consumer-oriented tech companies — or fostering the growth of more CDN alternatives.
“People are rightly concerned about antitrust issues in the tech space,” Merrill said. “I don’t think CDNs are that visible to people, but they are probably the most important part of the core Internet infrastructure that has been privatized and centralized.”