Internet outage illustrates lack of resilience at heart of critical services

Tuesday morning’s 45-minute internet outage, which knocked out the Gov.uk domain as well as a string of publishers and other websites, cannot easily be dismissed as an isolated event. It demonstrates a lack of resilience at the heart of critical government services.

Anybody wanting to book a Covid test in the late morning on Gov.uk would have struggled. There is an alternative method, by phone, but who knows the number to call: 119? Government services that once delivered by form and post, then call centres, now only really exist through online connections.

The problem appears to have stemmed from Fastly, a website provider that, ironically, exists to prevent outages. Once Fastly discovered the cause, it released a fix. It will have been a relief that the problems lasted for less than an hour.

What is unclear is if the government or any of the other websites affected had an alternative solution that would have allowed them to be back online promptly.

Britain’s government has been developing online government services over the past two decades, a trend accelerated by the pandemic, where for example use of the test-and-trace app has become a necessity within a few short months.

Yet, Paddy McGuinness, a former deputy director of national security until 2018, observes that “technology that starts out as nice to have is rapidly become fundamental to the way we operate. But too often resilience is an afterthought.”

Some parts of Britain’s national infrastructure, such as nuclear power, have a high degree of resilience built in from the start for safety reasons. But that has not been the case with other economically useful or practically significant services, not least the growing amount of business undertaken online.

A couple of months earlier, McGuinness warned that the UK’s recently published Integrated Review of defence and foreign policy gave insufficient weight to homeland security or “how vulnerability can be reduced at home”. It was arguably too easy to focus on military hardware or foreign policy priorities, while, as happened with the pandemic, de-emphasising the threats the UK actually faces.

It is a point not lost on hostile states, in particular Russia, which has pursued a sustained campaign of increasingly sophisticated hacking against the west in the past three years. Although there is no immediate evidence that the disruption to Fastly was caused by a hostile state, the Kremlin has demonstrated it is willing to exploit relatively obscure but widely available software.

Last year, Russian state sponsored hackers quietly penetrated the Orion IT network management tool made by SolarWinds, and have repeatedly used it to steal secrets from a range of US federal agencies including the Treasury, the Department of Commerce and even the National Nuclear Security Administration.

And while it might be argued that Russia would not want to disrupt public services and normal life, it was North Korea that is believed to have been behind the WannaCry computer virus that badly affected large parts of the NHS in 2017. It was not intended to directly target the NHS, but the impact of the rogue software was real enough: about 50 trusts were forced to turn patients away for appointments and even surgeries.

Britain’s government and security establishment says it is a world leader in computer security, with politicians often highlighting the country’s National Cyber Security Centre. But as the Fastly network outage reveals: new dependencies and new vulnerabilities are emerging and it is not obvious if those responsible for homeland security are always one step ahead.