Google was down for only an hour, but Monday’s outage served as a stark reminder of how much modern existence online depends on the centralized search engine colossus.
From Gmail and Google Calendar to YouTube and even Google’s two-factor authentication, the outage temporarily ground online work to a halt for many, including publications that would have otherwise been reporting on the outage.
It was a jarring reminder of the hidden costs of the easy-to-use systems that permeate the web, and just how taxing or debilitating they can be when the head of the many-tentacled beast that is Google nods off, even for just an hour.
“If an internet giant like Google can suffer such a major attack – denying millions of users access to basic internet services – it just goes to show that under the surface of the shiny web interfaces we see, internet infrastructure actually hangs in a delicate and vulnerable balance,” said Jaro Šatkevič, head of product at Mysterium Network, an open-source Web 3.0 project focused on decentralizing the internet.
Google down and out
According to a tweet from Google, the company suffered an “authentication system outage” that essentially rendered a wide variety of servers useless for about 45 minutes because the system was unable to confirm users were who they said they were.
It seemed to largely affect Europe and extended well beyond what people might normally associate with not being able to get into their email. On Android smartphones, for example, native apps like Google Maps ceased to work, and internet-connected devices through Google Home were seemingly also down.
Tal Be’ery, co-founder and security researcher at ZenGo, the cryptocurrency wallet company, said that, in theory, a decentralized solution that would have allowed users to authenticate their credentials with Google using other services might have solved that problem. Such solutions do exist; however, they were “probably not aligned with Google’s business model and therefore not implemented,” he continued.
The blackout shows just how much control a centralized system holds, and how far-reaching the effect of a single point of failure in one can be. Services and features critical to daily life were suddenly gone, with users having no idea of, and much less control over, when they might be back.
“Google infrastructure is distributed, with servers across all continents. But these depend on each other and are controlled centrally,” said Šatkevič. “They are upgraded centrally. They talk to each other – not just by using the same protocol, but through a shared software that is operated by the same employees (centrally).”
Limits of centralization
While the Google outage appears to be due to internal technical issues, the news comes on the heels of one of the more sophisticated cyber attacks the U.S. government has seen in years, with allegedly nation state-directed hackers infiltrating the U.S. Treasury and Commerce departments through a standard remote update by SolarWinds that injected malicious code into a variety of systems.
SolarWinds, which develops software for customers to manage their networks, has hundreds of customers including Fortune 500 companies and other government agencies. These include the Secret Service, the U.S. Defense Department, the Federal Reserve, Lockheed Martin and the National Security Agency.
The update allowed the hackers to then access internal emails at various agencies via Microsoft Office 365. It’s unclear what else they were able to do or access.
In a rare move, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01, which “calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
These single points of entry, automatic updates controlled by a central actor and the swath of disruption they can enable are part and parcel of Web 2.0, which relies largely on central actors to maintain systems, control access to them and ensure they run smoothly. But that has siloed power in the hands of a few massive, centralized companies such as Google, internet service providers and others.
Pushing back on power
While there is some early pushback, including antitrust cases being brought against Google and Facebook in the U.S., there have also been extensive lobbying efforts on behalf of those behemoths to maintain their power in places like the European Union.
“My personal opinion is these companies are just old-fashioned monopolies,” said Canadian-British tech blogger and science fiction writer Cory Doctorow when I spoke with him earlier this year. “Their growth is not because of the magical properties of data or network effects or whatever. It’s just because they bought all their competitors, which is a thing that used to be illegal and is now legal.”
Decentralized architecture prevents this form of centralized control by design, making sure no one person can make a call, decision or update (or mistake) that might affect millions or even billions of people. CoinDesk has reported on the implications of this that play out in the public discourse, such as the debate over content moderation on social media, which some see as corporate censorship.
But in the case of Google, such centralized constructions of data and power show the long shadow these companies cast over seemingly mundane and increasingly critical parts of our lives.
Be’ery said at ZenGo they are not “religious” about decentralization; rather, he believes a hybrid model, smartly combining the robustness and security of decentralization and the simplicity often associated with centralized services, is the best solution for customers in many cases.
What’s next is continuing a debate to decide whether that remains the case.
“Explaining the advantages in decentralization to end users is usually harder as these advantages of greater stability and robustness do not manifest themselves on a daily basis,” said Be’ery. “Only in time of failures, such as the one experienced by Google users today, are the merits of decentralization highlighted.”