With each cloud outage, calls for government action grow louder
When a pair of high-profile internet outages took down large chunks of the internet last month, the events briefly brought hundreds of organizations to a near-halt and prevented millions of users from accessing core services for everyday business needs.
From Starbucks to crypto exchanges to the messaging app Signal, the outages rippled across nearly every sector, shining a spotlight onto the country’s — and even the government’s — reliance on a mere handful of cloud service providers.
In the wake of those incidents, watchdog groups are calling on federal regulators to scrutinize the role that massive cloud companies like Amazon and Microsoft play in owning and maintaining much of our collective backend IT infrastructure.
Meanwhile, technology and cybersecurity experts point out that, because of financial and business realities, there are very few alternatives to the large companies that now dominate the market.
The Amazon Web Services outage began Oct. 19 and lasted three days, shutting down all AWS data centers in Northern Virginia. According to Amazon’s post-mortem, a single software bug in DynamoDB — the system that manages website addresses — along with efforts to repair it, caused services in that region to go down for 15 hours.
Just over a week later, Microsoft’s Azure cloud platform experienced an outage impacting several of its services. According to Microsoft, an “inadvertent tenant configuration change” occurred in Azure Front Door, the company’s content delivery network.
The outages exposed just how fragile the country’s digital infrastructure is and showed the risks of letting a few companies hold so much power. As a result, some groups are urging federal regulators to address the issue.
Concerns over corporate consolidation abound
In a letter to the Federal Trade Commission, a coalition of advocacy groups — including Public Citizen and the Tech Oversight Project — said AWS’s hours-long outage Oct. 19 illustrated the country’s “precarious overreliance” on a small number of CSPs.
“The cloud services market that is foundational to this digital infrastructure is dominated by just a few players, with Amazon dominating the industry. Many firms, financial institutions, telecoms, and government bodies rely on these cloud service providers — and often solely on a single one,” the letter to FTC Chair Andrew Ferguson stated. “That precarious overreliance is compromising our nation’s security and commerce, as the October 19 global outage vividly illustrated.”
The FTC has been worried for years about big tech companies holding too much power. The agency has long scrutinized Amazon’s influence across its different businesses. In 2023, the agency filed an antitrust suit against Amazon, the parent company of AWS, alleging that the technology company illegally maintains a monopoly in the space.
The letter, shared first with Scoop News Group, asks Ferguson to explain how the FTC is responding to the specific outage and to the larger economic and security risks.
“We ask you to swiftly conduct a market structure review of leading cloud services providers, including but not limited to Amazon, to assess how their market dominance and use of monopoly power to stifle competition is creating systemic fragility across industries,” the letter stated.
The groups asked that the probe cover the dependencies that critical infrastructure sectors like telecommunications and government services have on any single cloud provider, along with the risks this could pose to data security, privacy and consumer protection.
Other signatories to the letter include the Center for Economic Integrity, the American Economic Liberties Project, and NextGen Competition, among others. The FTC did not respond to a request for comment.
The reality of consolidated cloud infrastructure
The advocacy letter comes as technology and cybersecurity experts have raised similar concerns about a few companies controlling most of the internet’s infrastructure.
Meredith Whittaker, CEO of Signal, said users were surprised to learn that the encrypted messaging app ran partly on AWS infrastructure — but she believes they shouldn’t have been.
She explained in a post on Bluesky that the surprise from users “indicates that the extent of the concentration of power in the hands of a few hyperscalers is way less widely understood than I’d assumed.”
Whittaker pointed out that the reality for Signal — and virtually every other online business — is that running these services requires extremely expensive infrastructure and specialized expertise to work as intended. Those resources are almost entirely concentrated among large corporations with the money and capacity to support and sustain such infrastructure.
Instead of managing their own data centers, many companies and federal agencies have simply been “renting capacity” from Amazon, Microsoft and others, according to Benjamin Lee, a computer and information science professor at the University of Pennsylvania.
“All of that is very efficient. Much more efficient than what individual or private companies or smaller data centers can do,” Lee said. “With so much compute moving into the cloud, that has created, to some extent, a single point of failure.”
Amazon’s post-mortem essentially speaks to that consolidation, detailing a dizzying array of different data center clusters, technologies, hardware, bespoke tooling and expertise across multiple internet domains that can’t be easily duplicated without tremendous resources.
“The question isn’t ‘why does Signal use AWS?’” Whittaker wrote on Bluesky. “It’s to look at the infrastructure requirements of any global, real-time mass comms platform and ask how is it that we got to a place where there’s no realistic alternative to AWS and the other hyperscalers?”
One expert, a senior architect and cybersecurity adviser who works with hyperscalers, endorsed Whittaker’s points about the private sector’s collective reliance on Amazon, Microsoft and other hyperscale cloud companies.
However, the executive, who requested anonymity to candidly discuss their work, noted that there are few organizations capable of duplicating these backend functions at scale while remaining profitable.
Indeed, part of the market dominance that companies like AWS enjoy stems from their ability to process massive volumes of internet and financial transactions that underpin billions of dollars of economic activity every day.
“Sometimes when something like this happens, there’s a bunch of backseat, Monday-morning-quarterback types that are like, ‘oh, you know, if this were me and it was my data center,’” the executive said.
“First of all, stop: Your data center can have maintenance windows like 6 a.m. on Sunday morning,” they continued. “These guys can’t; they don’t have outages. They are built at a scale that is staggering.”
That argument was shared by Nicholas Weaver, a senior researcher focused on network security at the International Computer Science Institute, who said that the relative rarity of major outages like the kind experienced by AWS and Azure in recent weeks is the exception that proves the rule.
“Being down for 6 hours once every 2 years+ is damn near [perfect] reliability (99.99% uptime),” Weaver wrote about AWS. “Certainly 10x better than the edge network I use to connect to it.”
The hyperscaler adviser largely agreed with that perspective, telling Scoop News Group that AWS and Azure handle countless IT tasks for businesses, from backups to security fixes and maintenance. In return for rare outages, companies get instant access to top technology and expertise they couldn’t afford on their own.
“Yeah, our options are limited, but on the other hand I kind of view this as: 10 years ago, I was fine running my own mail server as sort of a hobbyist,” the executive said. “You’d be an idiot to do that today, because you need such deep resources on IP reputation, on anti-DDoS [and other specialties] that you need the cloud players of the world.”
Security gaps exist
Beyond the risks of technical glitches leading to mass outages, some cybersecurity researchers worry that this same complexity could also be exploited by malicious actors to cause widespread internet disruption.
A quarterly threat report released last week by DigiCert, a company that provides validation services for digital certificates like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), looked at trillions of network events across its different platforms and noted that large-scale disruptive attacks targeting internet infrastructure appear to be getting more common.
Between July and August, the company faced two distributed-denial-of-service attacks with massive, “tsunami”-like scale: one flooded traffic at 2.4 terabits per second while the other topped out at 3.7 terabits per second.
Michael Smith, DigiCert’s chief technology officer for application security, said that “while most DNS activity remains healthy, operational anomalies surfaced at scale.”
“These anomalies — typically caused by misconfigured resolvers or automated scanning but sometimes a symptom of scanning or an attack — highlight how small inefficiencies can ripple globally through interconnected systems,” he added.
Meanwhile, the U.S. continues to struggle with Chinese hackers infiltrating its critical infrastructure. Many U.S. officials and experts worry China could launch cyberattacks if the U.S. responds to a potential invasion of Taiwan. The small number of tech companies responsible for the cloud ecosystem could be a target for malicious hackers in an effort to cause prolonged widespread outages.
How an outage could impact federal agencies
The letter to the FTC also raised concerns about government agencies’ potential reliance on cloud service providers, particularly during outages — even as the impact of those outages on federal services remains unclear.
AWS and Microsoft are two of the biggest cloud providers for government agencies. Both companies offer special government cloud services with extra security for sensitive data. For example, AWS has GovCloud and Microsoft has Azure Government — each with regions that are “physically isolated” from their standard commercial cloud systems to better protect government information.
The post-outage report for AWS did not mention GovCloud as one of the impacted regions and the GovCloud online health dashboard shows no disruptions on Oct. 19. AWS did not provide any comment by publication time.
While GovCloud appeared shielded from impact, speculation swirled online that some federal workers’ functions may still have been affected. A source familiar with the IT government contracting space told Scoop News Group that AWS’s commercial cloud is often used and preferred by federal agencies, even when GovCloud services are offered.
“For standard, civilian government use cases and workloads, there’s frankly not a compelling reason to use GovCloud most of the time,” the source said, speaking on the condition of anonymity. “It’s more expensive and has fewer features than the commercial offering, and updates to common features happen sometimes months ahead of GovCloud.”
The four U.S. regions of the standard, commercial AWS cloud have received a Provisional Authority to Operate (P-ATO) at the moderate impact level under FedRAMP. As a result, the commercial version can be used when the work in question does not require the higher compliance levels that GovCloud offers, another source familiar with AWS platforms said.
Like AWS, Microsoft’s Azure Government platform also uses physically isolated data centers and networks in the U.S. only. Microsoft’s preliminary outage report does not include Azure Government on the list of impacted services. When asked about both the corporate consolidation concerns and the government impacts, a Microsoft spokesperson pointed Scoop News Group to the company’s statement about the Oct. 29 outage.
James Rodd, a senior principal cloud architect at SAIC, also speculated that there could be additional security risks since the outage occurred during a government shutdown.
“We happen to be in a very precarious situation right now with the government shutdown, where the agencies that should be watching this are lower-staffed,” said Rodd, who served as an enterprise cloud architect at the Federal Emergency Management Agency for three years before joining SAIC.
Amid speculation over the outages, conversations about corporate consolidation also seeped into the government tech sector.
Timothy Edgar, who served as a national security official in the Obama administration, said the topic is often complicated and requires government oversight. There are “real advantages” to the size of companies like Amazon, including giving customers the ability to “scale up quickly” and gain access to essential cybersecurity tools.
“I wouldn’t say that the fact that there are a few big cloud providers is necessarily a bad thing, but it does create problems with having a big company when something does go wrong,” Edgar said. “Just with any big industry that’s really essential to national security, the government has an important role in holding these industries accountable.”