When most people think about the internet, they likely picture websites and apps. What they rarely see are the invisible services that make those experiences possible: systems that translate names into numbers, verify who you are, deliver messages and block malicious traffic.
Author
- Doug Jacobson
University Professor of Electrical and Computer Engineering, Iowa State University
For example, DNS, the Domain Name System, has quietly become a single point of failure . DNS is the internet's phone book. When it fails, large parts of the internet effectively disappear, even if servers are still running.
DNS is not alone. Over the past decade, four core internet services - DNS, authentication, email and security infrastructure - have consolidated into a small number of global platforms. As a cybersecurity researcher , I see that this concentration has fundamentally changed how outages unfold . What would once have been a local failure is now often a systemic event, affecting thousands of organizations simultaneously.
The internet was designed to assume failure. Mail servers, DNS resolvers, authentication systems and security monitors were meant to be distributed and locally controlled. Today, for reasons that make economic sense, many companies and organizations outsource all four to the same handful of providers . One cloud service monitoring organization referred to 2025 as the year of the global cloud outage .
DNS, authentication, email and security
Outages are no longer rare exceptions, but a predictable byproduct of efficiency at a global scale. That pattern becomes apparent when you look at a few major outages that have affected each of the four services.
DNS outages are a prime example of systemic risk. If DNS cannot resolve a name, a website may as well not exist. A growing share of global DNS resolution now depends on a small number of providers. That concentration means that a single configuration error, routing issue or attack can ripple across much of the web .
Authentication outages are less visible to the public but often more disruptive inside organizations.
For example, on Oct. 29, 2025, Microsoft Azure experienced a major outage that disrupted authentication and access for millions of users worldwide for over five hours. Another authentication provider, Okta, suffered an outage on Oct. 3.
Authentication has become a universal gatekeeper. When identity services fail, modern organizations don't degrade gracefully; they come to a halt.
Despite decades of predictions about its decline, email remains a central component of how employers function. Password resets, invoices, legal notices, emergency notifications and incident response coordination all depend on it. When large cloud email providers experience outages, companies and organizations not only lose communication but also struggle to recover accounts and coordinate recovery efforts effectively. In 2025, both Yahoo and Microsoft email services suffered outages.
Since many companies and organizations no longer operate independent mail systems, email outages are increasingly affecting entire industries simultaneously. In an emergency, the system that people rely on to respond may be unavailable.
Security as a service is a rapidly growing market. Cybersecurity infrastructure, including distributed denial-of-service mitigation, firewalls and bot protection, is designed to keep services online. When this infrastructure fails, it can have the opposite effect .
Misconfigured security rules and routing errors at global security providers have repeatedly blocked legitimate traffic on a massive scale. In one well-documented incident in 2024, a routine configuration change by cybersecurity company CrowdStrike caused widespread outages across thousands of unrelated websites.
Why outages are getting more expensive
Industry data suggests that while outages may be becoming less frequent, they are becoming far more costly.
The professional services organization Uptime Institute reports that more than half of major outages now cost over US$100,000, and roughly 1 in 5 exceeds $1 million. These estimated costs reflect lost revenue , stalled operations, reputational damage and, in some cases, risks to health and public safety.
Centralization magnifies these costs. A single failure now affects a greater number of users, employers and critical services simultaneously. What was once an IT problem has evolved into a multifaceted economic and societal issue.
Concentration is the real risk.
Regulators are beginning to recognize this pattern. In the United States, federal guidance now emphasizes the importance of inventorying cloud dependencies and reducing reliance on a single provider . These efforts reflect a growing realization: The greatest risk is not any one outage, but the structure of dependency that makes those outages unavoidable and wide-reaching.
Accounting for inevitable failures
The internet was designed to route around damage. In the pursuit of convenience and scale, the tech industry has rebuilt key parts of it around a small number of global trust brokers for names, identity, messaging and security. The result is a byproduct of the cloud services business model, where routine failures become systemic events.
Companies and organizations don't need to abandon the cloud to address this issue. But I believe that it's important to measure concentration, design for diversity, and rehearse what happens when shared services fail. Resilience does not come from perfection. It stems from choice, redundancy and the ability to fail locally rather than everywhere at once.
Doug Jacobson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
