Nearly all websites rely on a service provider like Fastly — which runs what’s called a “content delivery network” or CDN (we’ll get into what that means later on) — as a layer between internet users and the servers where their content is hosted. The problem: There are only a small handful of CDN operators. If one of them goes down — whether because of a benign software bug, as in Fastly’s case, or a cyberattack — huge swaths of the internet could go with it.
“Absolutely the biggest centralized point on the internet is these CDNs,” making them a potential target for cybercriminals or government actors, said Nick Merrill, research fellow at UC Berkeley’s Center for Long-Term Cybersecurity.
Utilities, social media platforms, news organizations, financial services, government agencies and more rely on CDNs like Fastly to operate their websites. Although Fastly was able to restore its service quickly, one can imagine problematic future scenarios if the resolution is slower.
“The problem with the internet is it’s always there until it isn’t,” said former Microsoft Chief Technology Officer David Vaskevitch, who now runs photo storage service Mylio. “For a system with so many interconnected parts, it’s not always reliable. Any one fragile part can bring it down.”
Even before this week’s outage, internet infrastructure experts have been ringing the alarm about concentration in the CDN space, where the small number of major providers could make for big targets for an attack.
What is a CDN?
For websites to load and run as quickly as we expect them to, they need to have computing power located physically close — at least relatively — to the people wanting to access them.
That’s why companies like Fastly exist. Fastly’s “content delivery network” is essentially a collection of “cloud” servers distributed across various geographic locations where websites can store content in close proximity to their users. This makes it possible for apps and websites to load within seconds and enables high quality streaming. It also saves huge amounts of energy.
“They’re indispensable infrastructure,” Merrill said.
With any technology, occasional failures and outages are inevitable.
“There is no error-free internet, so the measure of success is how quickly a major internet firm like Fastly can recover from a rare outage like this,” said Doug Madory, director of internet analysis at network analytics firm Kentik.
To be sure, CDNs have backup protections in place and websites can contract with more than one CDN operator in case of failures. Most of the time, an outage will be like Tuesday’s — a temporary inconvenience. And websites could still appear online without a CDN, they’d just load slowly and be more at risk of cyberattacks.
But experts say there is still a risk that a bigger player like Cloudflare is targeted, or that multiple CDNs are hit at once.
“Worst case, it’s going to be an attack on Cloudflare,” Merrill said. “The Russian government or the Chinese government is going to take down Cloudflare and it’s going to break the internet.”
“People are really concerned rightly about antitrust issues in the tech space” Merrill said. “I don’t think that CDNs are as visible to people, but they’re probably the most important part of the core internet infrastructure that’s been privatized and centralized.”