The Cloudflare network security system, which enables about a fifth of all websites, was the latest platform to encounter service difficulties earlier this week, following incidents affecting AWS and Microsoft
The latest in a series of significant vendor tech outages impacted a number of public services, but government representatives have asserted that Whitehall departments and the NHS mitigate risks “by using a variety of cloud service providers”.
Earlier this week network security services provider Cloudflare – whose technology is estimated to support at least one in five websites worldwide – suffered serious technical difficulties. The issues, which lasted from about 11am to 5pm on Tuesday, impacted a wide range of websites, online services and apps around the globe. Those affected reportedly included Microsoft Teams, Spotify, X, and ChatGPT, as well as major UK companies such as Vodafone, Asda, and Marks and Spencer.
Also among the affected services were those offered by several public sector entities – including the websites of both the UK and Scottish parliaments.
In response to enquiries from PublicTechnology, the government acknowledged that it had faced online difficulties during the incident – but also pointed to inherent measures that help it cope with supplier service shutdowns.
“We ensure resilience across government’s digital estate by using a variety of cloud service providers,” a government spokesperson said. “While some government services were temporarily impacted during the Cloudflare outage, through our established incident response arrangements, we remained in contact with the company throughout to understand the situation and ensure that recovery was underway.”
All public services and platforms are now operating as normal, it is understood, and government is currently considering whether anything learned from the incident could inform processes and responses going forward.
These considerations will surely also bear in mind the impact suffered as a result of two other outages suffered over the past month – respectively affecting Amazon Web Services and Microsoft – both of which impacted government services.
The Department for Science, Innovation and Technology is leading investigations and response into these incidents, the latter of which caused “disruption to online government services across several departments”, according to recent comments from digital government minister Ian Murray.
Following the AWS outage, meanwhile, Murray indicated that “it will take some time to fully understand the scale of the impact [and] DSIT will be gathering a full picture of the impact on government in the coming weeks”.
In light of these incidents and their effect on government digital services, a number of questions have been asked about the state’s resilience to such challenges, and whether or not public bodies rely too much on a handful of major providers.
Related content
- HMRC says ‘majority of core systems continue to operate during outages’
- Microsoft outage: Government to ‘review lessons learned and improve response plans’ for future shutdowns
- AWS and Microsoft refute CMA competition concerns – but smaller players endorse watchdog’s findings
In one recent query, Liberal Democrat MP Martin Wrigley asked the Department of Health and Care to address “the challenges of hosting the NHS Federated Data Platform on cloud services”.
In response, health innovation minister Zubir Ahmed returned to the theme of using a diversity of suppliers to ensure greater resilience.
“The FDP has been designed to be modular and standards-based, enabling integration with multiple systems and avoiding over-reliance on any single cloud provider,” he said.
The minister indicated that “NHS England have conducted a comprehensive assessment of the technical, operational, regulatory, and public trust considerations associated with hosting the platform on cloud services”.
“It is a contractual requirement that all processing and storage of patient information take place within the United Kingdom,” he said. “Data within the FDP and NHS Privacy Enhancing Technology cannot be accessed by provider personnel or contractors based outside the UK. This is stipulated in the overarching FDP Data Protection Impact Assessment and enforced through technical controls. All data is protected through strong encryption, access controls, and audit trails, in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. These measures ensure that National Health Service data remains fully under UK jurisdiction.”
Ahmed added: “Robust security measures are in place, including firewalls, intrusion detection and prevention systems, regular penetration testing, and vulnerability scanning. Live service teams continuously monitor the platform to identify and address any issues promptly.”
The programme to deliver FDP – which is intended to provide a central national architecture to connect data sets from across the health service – formally began work in 2022. The rollout of the system throughout the NHS commenced two years later, following the award of a potential £500m deal to US tech vendor Palantir, whose technology underpins the platform. The choice of supplier has proven controversial, with high-profile critics including representatives of the British Medical Association and Amnesty International.
