Roslyn Layton examines the recent Amazon Web Services outage and compares it with last year’s CrowdStrike outage to illustrate differences in scope, responsibility, and systemic impact. She argues that cloud providers should contribute to the Universal Service Fund, ensuring financial contribution to resilience and critical infrastructure for essential services.
Last year, a software update from cybersecurity company CrowdStrike malfunctioned, causing an outage that affected millions of Microsoft Windows users. I examined whether the market concentration of CrowdStrike’s software worsened the problem and found that, while concentration can create vulnerabilities, it also provides a high level of protection against everyday cyberattacks. The key lesson was that robust safeguards—such as artificial intelligence-driven testing and gradual rollouts—can prevent similar incidents without introducing the risks that deconcentrating the market might entail.
A different problem arose with the recent Amazon Web Services (AWS) outage. On October 20, a seemingly minor backend error rippled across the economy, causing businesses to lose an estimated $75 million per hour, along with downtime, recovery, and engineering costs. The United Kingdom tax authority, which has an agreement with AWS worth 1.7 billion pounds, went down. Overall losses from the incident may reach tens of billions of dollars.
The CrowdStrike and AWS outages both exposed vulnerabilities in digital infrastructure, but they differ fundamentally in scope and responsibility. The CrowdStrike failure stemmed from a faulty software update that crashed millions of Windows devices—a disastrous but client-side event that did not disrupt the internet itself. In contrast, the AWS outage originated within the core of cloud infrastructure, taking down websites, payment platforms, hospitals, and logistics systems that depend on it. CrowdStrike accepted responsibility and worked to fix the issue, while AWS has so far routinely disclaimed liability and provided no compensation to downstream users. The policy lesson is clear: CrowdStrike’s outage reflects the potential problems of software market concentration, while AWS’s outage exposes a structural risk—an unregulated, privately controlled infrastructure so essential that when it fails, the internet itself falters. While competition may prevent a similar CrowdStrike outage, the nature of AWS and cloud computing (which holds a global 30% market share) suggests a different policy response may be necessary.
Policy options: buyer beware, competition, or regulation
In which case, what, if anything, should policymakers do in response to the AWS outage? One view is that this is simply how “best efforts” services operate—trying as hard as reasonably possible to deliver a result without guaranteeing it—and cloud computing’s improvement to existing internet services outweighs the potential risks. Yet the consequences of even a few hours of downtime can be devastating. While cloud customers pay premiums for better service and purchase insurance to cover losses, everyday users of essential services—work, education, government, and more—are left with no alternatives and no recourse. This is a classic principal-agent problem: cloud providers (agents) optimize for paying customers and profit, while end users (principals) bear the risks of failure without leverage or protection, highlighting a misalignment of incentives that may warrant policy intervention.
Policymakers disagree on the best methods for addressing potential systemic failures in industries that affect consumers and businesses, like cloud platforms. One route is to encourage more competition in the industry under the belief that more competition will push incumbents like AWS to improve the quality of their service. This follows a classic liberal economic view that the market will self-correct if allowed in response to failures like the AWS outage, with business leaders, investors, and consumers shifting their business to more reliable competitors.
Indeed, American research firm Gartner observed in the wake of the AWS outage that “if your business absolutely cannot tolerate downtime for certain functions, consider application substitutability—having alternative platforms or manual workarounds ready to go if your primary system fails.” The European Security and Markets Authority noted in 2021 that concentration in the cloud market poses a particular concern for the financial industry.
The big three cloud providers of AWS, Google, and Microsoft together hold 60% of the global market, amounting to an oligopoly. AWS is by far the largest cloud provider, though, with 30% of the market, followed by Microsoft with 20%. Could breaking up AWS into smaller pieces reduce the vulnerability of cloud provision and the internet? Would more cloud providers allow firms to host their services over multiple providers, thus allowing them to survive an outage with only minor inconveniences? In theory, a capable chief technology officer should hedge risk by spreading workloads across multiple cloud providers. But diversification requires technical staff, governance systems, and the financial capacity to manage parallel vendors—luxuries many small and mid-sized enterprises simply don’t have.
Furthermore, having more competitors in the market is only helpful if they can provide equal or superior technology compared to dominant firms. The obverse is mostly true. Smaller firms have less capital to invest in technology. Gartner ranks providers by cloud technology and strategy, noting advantages for large firms.
In any event, an AWS breakup would take years, and outages would still be possible in the meantime. Amazon’s massive scale—across e-commerce, advertising, logistics, and cloud—raises antitrust questions that require scrutiny. However, an investigation and legal intervention might not lead to regulators’ desired breakup. As seen in the recent Google Search case, a court can recognize a monopoly yet decline to impose a breakup, leaving consumers exposed. Ultimately, antitrust law is intended to punish abuse of market power, not to mandate resilience in critical services.
If companies in the digital age need cloud computing and competition alone cannot protect businesses, then treating cloud providers as telecommunications providers, which comes with more regulation, may make more sense. Traditional telecommunications are easily regulated, as each step of the service journey is identifiable and controllable. Telecom providers bear numerous regulatory obligations, including maintaining backup power, offering customers backup options, providing mandatory outage reporting, requiring next-generation 911 emergency communications, sending customer outage notifications, paying fines for non-compliance, and contributing financially to the Universal Service Fund (USF), the federal program that expands infrastructure and ensures affordability to low-income consumers.
In contrast, cloud services like AWS have none of these obligations, despite underpinning essential services and critical parts of the economy. This regulatory gap leaves end users exposed and highlights the need to reconsider how cloud infrastructure contributes to resilience or lack thereof.
A possible solution
If policy cannot at this time adequately regulate cloud providers or create competition, at least it can require that cloud hyperscalers fund infrastructure and resiliency to lessen the impact of outages. Historically, USF has supported broadband build out. With contributions from AWS and other large cloud providers, more redundant physical connectivity (fiber routes, exchanges, and edge data centers) could be financed, reducing the number of single points of failure that feed into cloud interconnections. The more diversified and ubiquitous the network fabric, the less catastrophic a cloud or interconnection failure becomes. USF could fund regional, local and edge nodes where communities and anchor institutions like schools rely on centralized hyperscalers today. By supporting distributed computing and storage capacity, AWS contributions could reduce over-dependence on a few hyperscaler data centers and enable localized fallback systems during outages. Resilience—the ability of a network to continue operating and maintain acceptable service levels in the face of disruptions, failures, or attacks, and to recover quickly—can be delivered in part with the provision of new, upgraded equipment and/or network design provided by the USF. Since the USF provides internet connectivity in some way to more than 130 million Americans each year, cloud providers that depend on and monetize that connectivity should help fund its upkeep.
A public conversation worth having
Cloud services have enabled extraordinary innovation. But the more essential they become, the more acutely we feel the consequences when they fail. Cloud services now underpin banking, transportation, healthcare, emergency communications, and government functions. When AWS goes down, hospitals reroute patients, payments stop processing, and government systems go dark. Yet unlike telecom operators, AWS bears no statutory obligation to ensure continuity, contribute to universal service, or compensate the public for systemic harm.
This asymmetry is not accidental—it is the product of deliberate lobbying, regulatory forbearance, and a policy framework that treats cloud providers as private conveniences rather than critical infrastructure. That fiction is no longer tenable. AWS and cloud providers should at least pay to cover the costs they create when consuming broadband network resources. This will go a long way to recover the cost to build and maintain broadband and improve its resilience to outages.
Author Disclosure: Roslyn Layton is a research fellow at Aalborg University and co-editor of the forthcoming Handbook for Digital Regulatory Agencies by Edward Elgar. She is the executive vice president at Strand Consult, an independent consultancy specializing in the global mobile telecommunications industry. You can view Layton’s other affiliations with academic and public policy institutes here.
Articles represent the opinions of their writers, not necessarily those of the University of Chicago, the Booth School of Business, or its faculty.
Subscribe here for ProMarket’s weekly newsletter, Special Interest, to stay up to date on ProMarket’s coverage of the political economy and other content from the Stigler Center.
