Posted inAnalysis

Gremlins highlight how vulnerable companies are online

A small part of the world went dark last week. On 8 June, the websites of Amazon, Reddit, the British government, CNN, PayPal, Spotify, and Al Jazeera, among others, suffered an outage lasting nearly an hour. Service was swiftly resumed, but it was a reminder of how vulnerable we all are, and how delicate and fragile the mainstays of our virtual world can be.

The outage, which was traced back to tech company Fastly, was not malicious.  According to Barron’s, “At 5:47 a.m. Eastern time, a Fastly customer made a change to its internet configuration, the kind of tweak that happens every day. This time, however, the change triggered an undetected bug in Fastly’s software. And that, in turn, triggered the crash. At 6:27 a.m., Fastly figured out what had happened, and nine minutes after that, the network began to recover.”

Fastly is what is known as a content delivery network (CDN), a support system for websites so that they do not become overloaded with traffic. Instead of multiple connections to one site, which can prove too much, a site’s content is often copied across multiple locations on a CDN, meaning that if one goes down, the rest should—theoretically—remain unaffected.

This was not the first time such an outage had happened. In July last year, Cloudflare—a major rival of Fastly’s—suffered a similar outage that lasted for 27 minutes. And, just this week, there was an outage in Phoenix, Arizona, caused by a utility fire.

As Deutsche Welle reported, the consequences were not merely an hour of lost time upon the internet. “The outage,” they wrote, “could have cost companies hundreds of millions in lost revenue, after consumers were unable to access websites and online shops”. 

Malicious attacks

While gremlins and goblins in the machine explain last week’s outage and that of July, attacks on internet security and tech infrastructure will likely be among the battlegrounds of future international conflicts. This is something that the US has itself, seemingly belatedly, begun to realise. Already this year, meatpacking giant JBS in the US suffered a ransomware attack that forced it to halt its entire operations. Similar attacks have been reported on the City of Tulsa in Oklahoma, hospitals in Ireland and Alabama, and the colonial pipeline.

So far, that appears to have been the work of organised criminal gangs, but state actors have also been known to employ such methods. In 2016, infamously, the Russian government, through its Internet Research Agency based in St Petersburg, managed to hack into the Democratic National Committee’s emails through a phishing scam and strategically and surreptitiously release information that may—probably—have played a decisive role in that year’s US election.

The risks to funds in this space are vast and deep. It is entirely possible that a fund’s entire technical infrastructure could one day be held to ransom, freezing them out from doing business. A concerted, direct attack could theoretically strip a fund of its investments and assets before the alarm is raised (it is also how the bad guys attacked Batman in The Dark Knight Rises). Funds are also only as good as—and reliant upon—the data and information if they have. Compromise the data, and you compromise the fund.

Anyone taking action?

So are firms ramping up their tech security? That is a hard one to tell, although it should be noted that investments in cybersecurity firms have been growing in recent years. So well, in fact, that companies like Allianz GI have launched their own cybersecurity funds. Others such as Polar Capital Technology Trust and Blackrock Global Funds World Technology are also crowding into this space. According to Crunchbase, investment in privacy and security firms was nearly $10bn in 2019, up more than five times what it was in 2010.

Much of this growth has been driven by the pandemic, with many working from home, meaning that solutions cannot be sourced to a single, or low number of locations. And what can be stolen—data—cannot be burned or used up and can be duplicated an infinite number of times.

As Adrian Lowcock, head of personal investing at Willis Owen told Morningstar, “Data has become a valuable commodity. If someone steals your personal data, there are huge consequences on your person as well as stress and potential financial loss.”

One of the great philosophies in life is that you have to put your own house in order before you try to take on someone else’s. There is no way to effectively eliminate all online threats to a business or organisation, just an ongoing, proactive battle of trying to get enough things right while looking for all the things that could do wrong. If funds are looking to invest wisely in online security, it might be best to invest in their own first.

Pete Carvill

Pete Carvill is a reporter, writer, and editor based in Berlin who has been writing for the B2B and mainstream media since 2007. He is a contributing writer for Expert Investor and, in addition, has...

Part of the Mark Allen Group.