Opinion

America’s most secretive utility

by Timothy L. O’Brien

Amazon.com Inc.’s ubiquitous cloud-computing network, the spine for a lot of digital communications and transactions across the U.S., went dark for several hours last Tuesday.

Here are some things that might have freaked you out:

  •  You were jogging and couldn’t order your Roomba to vacuum the third floor of your house.
  •  You were at the airport and your Ring camera couldn’t show you who was at your front door.
  •  You were in bed and Alexa couldn’t read headlines and weather to you.
  •  You had trouble buying stuff at a theme park.
  •  You couldn’t play “League of Legends.”
  • Who cares? This isn’t really essential, right?

The cloud has provided bounteous advantages but also excess — a cornucopia of nice-to-haves, much of it silly. Being locked out of your home because your Ring is haywire is more serious than not being able to film visitors on the stoop, of course. Seniors unable to turn on house lights at night or receive prescription drug deliveries because of cloud troubles is more problematic than being unable to stream “Free Guy.”

Even those comparisons don’t truly surface the most substantive threats to consider when digital meltdowns or significant hacks occur on vital private networks such as Amazon Web Services. AWS is the biggest cloud provider in the U.S., but outages happen with some regularity at other leading cloud services, too. Alphabet Inc.’s Google Cloud Platform has had its share of woes, as has Microsoft Corp.’s Azure service.

These cloud networks not only power the consumer indulgences that people whine about when there’s an outage, they also fuel core government and corporate work such as national security and blockbuster financial transactions. Alphabet, Amazon, Microsoft and Oracle Corp. are all jockeying to secure an important cloud contact with the Defense Department, for example.

Yet some of these same cloud services have been central to startling and sprawling nation-state hacks over the last year involving, for example, the SolarWinds Corp. Based on the limited information Amazon disclosed on its “service health dashboard” about its outage last Tuesday, hackers or a denial-of-service attack were not responsible. Amazon cited a “network device issue” and said the outage was largely confined to the East Coast. That’s about as much as we know because that’s all that Amazon decided to share. That lack of transparency and disclosure is a big problem, one that Amazon has shown little interest in resolving.

Widespread use of cloud computing is here to stay, and its benefits far outweigh its disadvantages. But Amazon’s secrecy — and its unwillingness to provide greater insight into its operations — is emblematic of how much unnecessary autonomy it enjoys. Amazon doesn’t have to operate this way.

Consider Microsoft. It has been willing to share information publicly about intrusions or breakdowns so it can help form public-private alliances to insulate computer networks. It has also taken the bold step of identifying countries such as Iran, North Korea, Russia and China for their roles in orchestrating digital assaults. Amazon, on the other hand, declined to testify at congressional hearings earlier this year about the SolarWinds breach, even though hackers used Amazon’s cloud servers to stage digital assaults. Regulators shouldn’t continue allowing it to stay mum, but Washington may lack the backbone needed to be more aggressive. A defense bill moving through Congress recently shed provisions that would have required companies to report cyberattacks and ransomware payments to the federal government.

Amazon runs a sophisticated shop, and its cloud architecture sits atop an armada of separate servers with lots of redundancies, abilities to scale and clever ways of balancing vast loads of information so breakdowns can be avoided. But it’s not foolproof nor bulletproof. Nothing is.

Recent digging from Wired and the Center for Investigative Reporting examined how cavalier Amazon appears to be with the “vast empire of customer data” it manages on the retail side of its business. The reporting indicated that Amazon’s oversight “had become so sprawling, fragmented and promiscuously shared within the company that the security division couldn’t even map all of it, much less adequately defend its borders.” Amazon disputed that account, noting what it described as a strong track record around digital security. It also emphasized its dedication to securing systems throughout the company.

Given that governments and corporations have outsourced so much of their network management, and given how the internet has become as essential as other necessities such as water and electricity, it would be useful to think of cloud services as a public utility of sorts — with all of the requisite disclosure and supervision that comes with that. After all, it’s hazardous out there. Microsoft said on Monday that a federal court gave it the go-ahead to seize 42 websites from Chinese hackers who had been on intelligence-gathering sprees targeting government agencies, think tanks, universities and human rights organizations. Last week, a rural electric utility in Colorado serving 34,000 customers disclosed that a recent hack of its network “led to 90% of internal controls and systems becoming corrupted, broken or disabled.” It also said that “a majority of historical data dating back more than 20 years was lost.”

Think about all of that the next time your Roomba doesn’t respond.

Timothy L. O’Brien is a senior columnist for Bloomberg Opinion.