This week saw the popular AI chatbot Claude become inaccessible, a disruption that mirrors a recurring pattern of service interruptions affecting major technology firms, government portals, and healthcare facilities. The increasing frequency of these incidents prompts an examination of their underlying causes.
A significant factor contributing to the modern internet’s vulnerability is the pervasive adoption of cloud computing. This widespread reliance places a multitude of websites and services in the hands of a few key providers, such as Amazon and Microsoft. In the early commercial internet era of the 1990s, businesses typically managed their own hardware and software infrastructure. Akin to individual shops on a street, a problem with one entity would only affect its immediate operations, leaving others unaffected. Today, however, companies frequently opt to host all their operations on cloud platforms, which function as an integrated utility network, encompassing roads, utilities, and power grids. A failure within this centralized system incapacitates all dependent services, leading to widespread awareness of the issue.
These disruptions are sometimes a consequence of simple human error. The risks were starkly illustrated in 2024, when cybersecurity firm CrowdStrike inadvertently released a software configuration file that disabled millions of Windows computers globally. This malfunction disrupted operations for airlines, financial institutions, broadcasters, and emergency service call centers.
Joseph Jarnecki of the Royal United Services Institute, a UK defense think-tank, suggests that extensive and broadly impactful outages are rarely the result of deliberate sabotage. Ransomware criminals, whose modus operandi involves compromising systems, encrypting data, and demanding payment, tend to avoid direct confrontations with major technology corporations staffed by experts. Instead, they commonly target smaller, more vulnerable entities.
Tim Stevens at King’s College London notes a discernible trend where ransomware attacks are increasingly directed towards local government bodies and critical infrastructure. The profit motive for these attackers stems from disrupting services that people depend upon. Consequently, essential resources like municipal water supplies, electricity grids, or local government functions represent attractive targets.
The United Kingdom has witnessed a number of such attacks. Examples include ransomware incidents targeting Hackney Council, Gloucester City Council, and Leicester City Council, alongside disruptions affecting the National Health Service (NHS) and water utility providers. Stevens characterizes the ongoing struggle between hackers and security professionals as a perpetual “cat-and-mouse game” that has persisted since the advent of computing. Currently, however, he observes that the adversaries hold the advantage. “I have heard within the last year or so from more people than usual within the profession saying that we’re losing,” Stevens stated. “Not just that we’re behind, but we’re actually losing.”
Similarly, state-sponsored cyber actors from nations such as Russia and China are unlikely to aim for the complete shutdown of a cloud provider. Jarnecki explains, “They definitely target them, but not to destroy and disrupt. They’re incredibly highly targeted.”
A pertinent illustration of this strategy was the 2023 intrusion into Microsoft-operated US Government email accounts, attributed by the company to a China-linked group. While the broader service remained largely operational, the attackers succeeded in accessing a substantial volume of US state secrets.
Sarah Kreps of Cornell University points out that nations also employ targeted cyberattacks within what is termed the “grey zone.” This state of heightened tension falls short of outright conflict but represents a carefully calibrated and measured contest. Such actions deliberately avoid escalating to full-scale warfare.
Kreps elaborates, “This is a form of economic sanction in a way, because so much of our GDP, our economic welfare, relies on the internet. If you can take that down, you’re handicapping the adversaries’ ability to generate wealth. And the ability to generate wealth is how you develop the resources to fund a war, to fund allies in a war.”
Kreps further indicates that this practice is not exclusive to Russia and China. While Western cyber warfare efforts, such as the noted GCHQ and MI6 operation against al-Qaeda where bomb recipes were altered, are occasionally publicized, such activities occur regularly but are highly classified and conducted discreetly.
“My understanding based on interactions with the US intelligence community is that that is going on,” Kreps remarked. “You do have an incentive to erode the strength of an adversary. There’s a good motive behind [attacks on] Russia for their involvement in Ukraine and there’s a good motive for trying to erode China’s capabilities as they become a peer competitor.”
Stevens suggests that Western nations face limitations regarding the scope and targets of their cyber operations due to adherence to legal frameworks, unlike some other states. “I have no doubt whatsoever that our intelligence agencies and our security services in general are conducting operations in cyber against Russian assets,” Stevens affirmed. “But it’s hard work and there are lawyers always in the room and we are somewhat constrained. I think there’s a lot of frustration about that.”
Although Claude has since been restored to full operation, Anthropic has not provided details regarding the cause of the outage in response to inquiries from New Scientist.
