On October 20, 2025, many UCLA students woke up to realize that Canvas, the software for accessing and submitting homework, was offline. This was caused by an outage of Amazon Web Services, the largest of the three main cloud computing companies. The outage temporarily disabled many of the websites and platforms hosted on the cloud. This highlights an issue with the internet as a whole: an overreliance on three cloud computing companies. Since so many services are tied to only a few cloud computing sources, small errors can have widespread effects. Policy action is needed to diversify and strengthen the digital infrastructure that makes up the internet. 

Other than Canvas, apps like Slack, Snapchat, and Hulu were also temporarily shut down, limiting communication and entertainment. Beyond personal usage, airlines, banks, and even governments use software that operates on the same infrastructure [1]. All of these services are hosted on the A.W.S. cloud computing platform. The outage was caused by customers being unable to connect to DynamoDB, a database where A.W.S. customers store their data.​ The database’s automated record management system was defective, causing a bug that was not repaired [2]. To fix it manually, the entire database had to be disabled, causing any services hosted on it to be unavailable for a few hours. While a few hours of downtime may seem minuscule, the scale of the outage is of more concern. In addition to what was mentioned before, Duolingo, Roblox, Signal, ChatGPT, and Ring doorbells were also offline.

To understand the widespread effects of the outage, it is important to look at the concentration of the cloud computing market. Currently, A.W.S. has about 29 percent of the market share, while Microsoft Azure has 20 percent and Google Cloud has 13 percent [3]. Other companies in the market have around three percent or less, meaning these three companies make up the majority of the market. A.W.S. alone hosts an estimated 9 million websites and powers at least 34 percent of the top 100,000 websites [4]. Firms like NASA, Netflix, and the C.I.A. are among A.W.S.’s users. Smaller providers aren’t able to compete on the same level as these three main providers because of economies of scale and high switching costs. A.W.S., Microsoft, and Google can afford to build databases and expand more easily than any providers entering the market. Additionally, once a company uses the services of any of these providers, switching to another is expensive and difficult. These barriers to entry allow the big three firms to dominate the market. 

The high concentration of companies using only three cloud computing providers presents a risk of widespread outages. When errors like the one at the DynamoDB database occur, companies using the services will experience similar effects as on October 20, 2025. However, unintentional errors are not the only cause for concern. Targeted attacks have also happened, increasing the risk posed by having so few sources of cloud computing. In July of 2024, a smaller-scale cyber-attack affected Microsoft Azure, one of the big three cloud computing companies [5]. Despite the protections in place, the attack still affected many Microsoft products, including Office and Outlook. The incident demonstrated how one weakness in a major cloud provider can produce ripple effects across multiple sectors. With such a large portion of the internet being concentrated in a few cloud computing sources, attacks such as these are much more effective. At an individual company level, companies could “diversify their cloud presence” by using different cloud computing sources. However, this would be too expensive for smaller companies due to the additional cost of operating across multiple clouds. As a result, most companies are dependent on a single cloud provider despite knowing the risks. The combination of a lack of competition in the cloud market and economic risks creates the need for policy in this area. 

Governments have already recognized the need for policy action. In the U.S., the Biden administration has identified cloud-based services as critical infrastructure. According to the National Cybersecurity Strategy, “they are also essential to operational resilience across many critical infrastructure sectors” [6]. Federal efforts such as the Federal Risk and Authorization Management Program reflect this by ensuring all cloud services and platforms used by the government meet certain security standards [7]. While FedRAMP creates a baseline of oversight, it is not a dedicated regulatory body, and its authority is limited. It can authorize certain providers to be used by federal agencies, but it does not have jurisdiction over the cloud market as a whole. This creates a gap between the government’s recognition of the importance of a secure cloud and a lack of industry-wide regulation. This gap is compounded by the incentives faced by firms using cloud infrastructure. Companies prioritize keeping costs low, therefore choosing the largest, most established cloud providers; this concentration increases their vulnerability to outages or security failures. Due to the higher cost of multi-cloud strategies and switching providers, firms often underinvest in security and diversification. The disconnect between a firm’s cost-saving incentives and the need for cloud security makes policy intervention necessary. Think tanks similarly emphasize the need for policy and regulation in this market. Many reports, including those by the Open Markets Institute, argue that the cloud should be governed as public infrastructure, like electricity or telecommunications [8]. To address these issues in the cloud computing market, governments worldwide can implement certain policies that increase competition and the security of the cloud.

Minimize Barriers to Entry

Firstly, policymakers should minimize barriers to entry in the market. The big three cloud computing providers dominate the market because they already have the infrastructure in place to expand. To even the playing field, governments need to promote standardization to enable compatibility among different cloud providers. This standardization is considered interoperability, that is, the ability of different cloud systems to exchange and use information more seamlessly [11]. Open, widely used standards enable data to be transferred to new cloud providers. These standards allow companies to choose when to transfer to a new cloud provider or even use a multi-cloud approach for greater security. The U.S. Senate has proposed bills such as the Multi-Cloud Innovation and Advancement Act of 2023; however, action hasn’t been taken on it since December 2024 [9]. This bill proposed that the General Services Administration, National Institute of Standards and Technology, Cybersecurity and Infrastructure Security Agency, and the U.S. Digital Services work together to guide federal agencies to use multiple cloud networks. This same framework can be applied to laws in the public sector, mandating that standards be met by computing companies. This will ensure interoperability and standardization, making the cloud market more competitive and secure.

Structurally Separate Large Providers

Non-cloud services that are offered by the big three providers also give them leverage to remain at the top of the market. Currently, providers like Microsoft can leverage their control over non-cloud services, such as the Windows operating system, to lock customers into their cloud infrastructure [8]. Structurally separating the large cloud computing companies can benefit competition in the market. Requiring these firms to run the cloud as an independent entity can prevent them from giving preferential access to other services they own and locking customers into their cloud. This idea mirrors I.B.M.’s unbundling of its hardware and software services in 1969. Before this, I.B.M. dominated the hardware and software market, making it hard for other companies to enter. Faced with pressure from an antitrust lawsuit, I.B.M. decided to price hardware and software separately, causing the software market to expand [14]. Similar action can be taken in the cloud computing market to expand to new providers.

Limit Egress Fees

Another way cloud providers lock in customers is through egress fees. These are fees paid by cloud customers to transfer their data out of certain clouds [12]. It is free to upload data into the cloud, but downloading and transferring it out incurs costs. The cost varies based on the amount of data and the region it is being transferred to or from. However, the cost of the egress fees is often higher than the actual cost of transferring the data. In order to ensure this doesn’t happen, legislators can use price ceilings to ensure that egress fees reflect the actual cost of transferring data and are not used as exclusionary tools to maintain market dominance. The E.U. has taken steps in this direction, passing the Data Act. Article 29 of the E.U. Data Act states that the charges imposed on users should not exceed the costs incurred by the provider of transferring the data [13]. It also establishes a timeline for removing switching costs entirely by 2027. Similar legislation is necessary in the U.S. to ensure competition in the domestic market.

Establish Governmental Oversight

Even with the market more accessible to new competitors, cloud computing should still be subject to government oversight, like any other form of critical infrastructure. Industries such as electricity, telecommunication, and railways already have regulatory frameworks in place. Similar models should be applied to the cloud. Having a dedicated regulatory body that audits and stress tests the cloud providers would ensure that they are up to standard. Comparing this to the existing critical infrastructure, the F.C.C. regulates telecommunication, and the F.E.R.C. regulates electricity. By creating similar departments for cloud regulation, governments can increase reliability among cloud providers. For example, the department can ensure clouds have multiple points of failure, so one error doesn’t cause cascading failures [12]. This measure would enhance both transparency and security, ensuring clouds on the market are resilient and prepared. 

The October A.W.S. outage serves as a reminder of what can happen, or worse, if governments do not protect the cloud. With a majority of internet services being provided by only three companies, many services are vulnerable to widespread outages. Both day-to-day services and critical software are in the cloud, so it is vital that they are protected. By creating legislation that increases market competition and regulations that ensure security and reliability, policymakers can take steps towards a safer, more secure cloud.