Protect and regulate the internet’s hidden power brokers

On June 8, 2021, Amazon went down. CNN went down. GitHub, Reddit, Twitch, StackOverflow were all down. What happened? A coordinated cyberattack? Nope. Fastly, a content delivery network, or CDN, went offline.

CDNs are the internet’s invisible infrastructure, but they are critical infrastructure, just like water treatment and electric power plants. Over the past decade, they’ve become tremendously concentrated among a handful of companies, all of which are based in the United States. The result is a central point of fragility in the global Internet — one our enemies could use against us, and one the U.S. could in theory leverage to create an American “Great Firewall,” if it wished to do so, restricting internet access both domestically and worldwide.

It doesn’t have to be this way. In the immediate term, infrastructure security agencies like CISA should help to protect CDNs. In the longer term, U.S. states should consider regulating these behemoths in a manner similar to internet service providers. Open-source developers should build decentralized, open-source alternatives to these large monopolies.

While the internet was originally designed to be decentralized, our work at UC Berkeley’s Center for Long-Term Cybersecurity shows how countries and companies compete for power over the internet. Understanding who manages internet infrastructure can uncover pressure points and opportunities that different actors have used to dictate what content is available on the internet.

CDNs sit at a critical point between users’ queries (“Give me nytimes.com”) and servers’ responses (“here’s the New York Times”). Everything needs to go through them.

Websites use CDNs to protect themselves against large-scale attacks. CDNs also host copies of content closer to the people requesting them, increasing website download speeds and decreasing the energy required to transmit data, which in turn reduces carbon emissions.

CDNs serve an essential purpose. The problem is that they’re concentrated in the hands of a few large corporations. That centralization poses a huge risk not just for the internet, but for society at large.

Consider the recent outage. A Fastly customer made a mistake in configuring its service, and a large part of Fastly’s network went down for a while as a result. Unfortunately, they brought down with them a host of some of the most-visited websites on the planet. Now, consider: Fastly only has 5 percent of the market. Cloudflare has 80 percent.

This isn’t the first time a major CDN has gone down. A problem between only two Cloudflare data centers resulted in a nearly two-hour rolling outage in 2020. In November of that year, an Amazon AWS outage took down Flickr and Washington Post along parts of the West Coast.

Issues with CDNs have a way of cascading, causing new issues as services fall like dominoes. An issue just a bit bigger than the ones we’ve experienced so far could cause wide-spread chaos.

Imagine you go to the grocery store and no one’s credit card is working. You try to access a news site to find out why, but that site’s not working either. This scenario is more than about lost revenue. It’s a recipe for panic-buying, hoarding and social unrest.

CDNs are also prime targets for the United States’ adversaries. Russia’s and China’s interest in internet sovereignty have made them less dependent on its infrastructure. Recently, Russia practiced disconnecting itself from the global internet. Putin would have little to lose from disrupting a CDN. But the impacts for the U.S. and its allies could be catastrophic.

Not only is the CDN market dominated by a handful of companies, 97.6 percent of the global market share rests with U.S.-based providers. This gives the U.S. itself tremendous power to restrict access to content globally. Imagine the U.S. government demanding Cloudflare, Fastly and Amazon block traffic bound for China. Imagine a digital “do not fly” list that restricts content to certain people or organizations. (Amazon already placed Parler on its own do-not-fly list after the Jan. 6 capital riot; a government-instituted version would be much more impactful).

If these scenarios sound far-fetched, consider that the U.S. government already uses its power over the internet’s naming system (e.g., the “.com” in “nytimes.com”) to seize websites. Counterfeiters, media pirates, and dark web marketplaces are frequently taken down by the ICE-led Operation In Our Sites, which seizes offending domain names, effectively taking the websites down, and holds them without due process — sometimes taking down the wrong site by mistake.

CDNs are critical infrastructure, just like electrical plants and water treatment facilities. Unlike that infrastructure, a tiny handful of companies run CDNs for the entire world. That centralization isn’t just a monopoly problem — it provides a central point of failure for the whole internet. But it’s not too late for meaningful change.

First, it’s time for infrastructure security agencies like CISA to step in. CISA can help CDNs protect themselves against sophisticated, state-backed attacks. This step is well within the power of the Biden administration, and could prevent a catastrophic outage — especially as tensions with Russia over cyberattacks escalate.

Second, state governments should consider whether net neutrality or common carrier laws could apply to CDNs, as they do to internet service providers in California and other states. This regulation would prevent CDNs — either by their own volition or with federal government encouragement — from enacting bans on internet content or users.

Finally, open-source developers should focus their attention on building better, decentralized solutions. In an age of blockchain-based art and decentralized finance, this is innovation the world actually needs. Technologies like IPFS (effectively, a globally-distributed hard drive run by volunteers), could power a less centralized, less unilateral version of the same infrastructure.

We need this change now. The Fastly outage was a warning shot. We’re lucky it was only an accidental outage by a smaller CDN. The next one could be much, much worse.

Nick Merrill directs the Daylight Lab at the UC Berkeley Center for Long-Term Cybersecurity. He writes a newsletter on the Internet and politics.