It has been a rough few months for the internet.
In June, Fastly Inc.’s content-delivery network failure forced some of the world’s biggest e-commerce and media websites offline. Later, there were massive data breaches at T-Mobile US Inc. and Amazon.com Inc.’s Twitch streaming service. And last week, Facebook Inc.’s main social networks, Instagram and WhatsApp, were down for about six hours. Then on Friday, it happened again – albeit more briefly.
All the incidents had a common corporate response. It goes something like this: We are sorry, it was an unintentional configuration error, we’ll do better next time! After Facebook’s outage, the engineering director at security software firm Cloudflare Inc. called it a reminder about the fragile nature of the internet, where millions of interconnected systems are dependent on each other to make it work.
There was a time in the early days of the web when these excuses would be acceptable. But the internet, and many of these companies, now constitute the backbone of the modern economy. Billions of consumers and millions of small businesses rely on Facebook’s communication tools for daily living. If the web is held together by rubber bands and toothpicks, it’s clear that the U.S. needs to take urgent action to mitigate those vulnerabilities.
What can be done? First, we should hold companies accountable when they fail to implement proper safeguards and security policies. The sheer frequency of the problems shows the industry, in aggregate, doesn’t take the issue seriously. Companies don’t prioritize the problem or invest enough to fix it. That’s why it’s important to make negligence much more painful by raising the size of financial penalties and increasing the liabilities for management teams.
T-Mobile is one of the most egregious examples. According to the Wall Street Journal, a self-proclaimed hacker said he was able to get inside the wireless carrier’s systems through an unprotected router, with devastating consequences. The company revealed in August that personal data for nearly 50 million accounts were compromised – including some Social Security numbers and driver’s licenses. Incredibly, this last incident is T-Mobile’s fifth data breach over roughly the last three years.
Another possible fix would be to increase governmental oversight. With Facebook and Fastly saying their outages were based on simple employee errors, I shudder to consider the level of damage a rogue employee or a state-sponsored actor could cause. Similar to how the Federal Reserve’s bank examiners aim to prevent systemic risk by working on-site at financial institutions, a new team of regulators should get authority to inspect key technology companies’ redundancy and security plans. At a minimum, we need to do whatever it takes to reduce future human network configuration errors.
Yes, the Biden administration has acknowledged the importance of the country’s internet vulnerabilities on national security and economic security grounds. But thus far, the White House has not done much to closely regulate the private sector other than to develop voluntary standards. Governments need to be more forceful.
We can’t keep letting companies off the hook. There’s much to be done to prevent the worst-case scenario from becoming a reality.