Tech
Government faces questions about why US AWS outage disrupted UK tax office and banking firms | Computer Weekly
The UK government is being pressed for a response as to why a major, multi-hour Amazon Web Services (AWS) outage in the US disrupted UK-based organisations, including HM Revenue & Customs (HMRC) and Lloyds Banking Group.
The outage, which AWS confirmed started just before 8am UK time on 20 October, originated in AWS’s US-East-1 datacentre region in North Virginia, and caused large-scale disruption to a host of companies across the world, including in the UK.
The US-East-1 region is renowned for being Amazon’s first and flagship cloud region, as well as its largest, and is often the place where the public cloud giant rolls out new services to customers first.
For this reason, it is not unheard of for service issues with the US-East-1 region to blight overseas users of the firm’s cloud technologies.
But with concerns mounting in the UK (and other geographies) about the public and private sector’s over-reliance on US-based big tech platforms, the outage has led to renewed calls for greater transparency about the resiliency of the nation’s hosting arrangements.
“The narrative of bigger is better and biggest is best has been shown for the lie it always has been,” Owen Sayers, an independent security architect and data protection specialist with a long history of working in the public sector, told Computer Weekly. “The proponents of hyperscale cloud will always say they have the best engineers, the most staff and the greatest pool of resources, but bigger is not always better – and certainly not when countries rely on those commodity global services for their own national security, safety and operations.
“Nationally important services must be recognised as best delivered under national control, and as a minimum, the government should be knocking on AWS’s door today and asking if they can in fact deliver a service that guarantees UK uptime,” he said. “Because the evidence from this week’s outage suggests that they cannot.”
Government use of cloud under scrutiny
AWS has vowed to publish a detailed “post-event summary” detailing the causes of the outage and the steps it had to take to bring services back online.
In the meantime, and in line with Sayers’ recommendations, HM Treasury is already being asked to account for why it has not used powers conferred on it earlier this year to ensure suppliers like AWS are up to the job of delivering resilient cloud services to organisations in the financial services sector.
The chair of the Treasury Select Committee, Meg Hillier, published a letter she has written to the economic secretary, Lucy Rigby, that appears to have been penned during the AWS outage.
The letter calls on Rigby for clarification about why, despite having the power to do so since January 2025, the Treasury has apparently so far neglected to add AWS to its Critical Third Parties (CTP) list of suppliers.
This designation, which was introduced through changes made to the Financial Services and Markets Act 2020 in November 2024, is intended to provide the UK’s financial regulators with the means to include third-party suppliers to the sector within their supervisory scope – the idea being that doing so might help better manage any potential risks to the stability and resilience of the UK financial system that might arise as a result of a third-party supplier suffering from service disruption, as happened on 20 October with AWS.
As stated in Hillier’s letter, it appears the Treasury is yet to call any suppliers into the scope of the CTP regime, including AWS, which is known to be a supplier to a large number of UK financial services institutions.
“In light of today’s major outage at Amazon Web Services … why has HM Treasury not designated Amazon Web Services or any other major technology firm as a CTP for the purposes of the Critical Third Parties Regime,” asked Hillier, in the letter. “[And] how soon can we expect firms to be brought into this regime?”
Hillier also asked HM Treasury for clarification about whether or not it is concerned about the fact that “seemingly key parts of our IT infrastructure are hosted abroad” given the outage originated from a US-based AWS datacentre region but impacted the activities of Lloyds Bank and also HMRC.
On the latter point, Hillier asked: “What work is HM Treasury doing with HMRC to look at what went wrong, and how this may be prevented in future?”
Computer Weekly contacted HM Treasury for details of its response to Hillier’s letter, and to seek clarification on whether it has plans to imminently add AWS to the CTP list. It also asked if the Treasury has concerns about parts of the UK’s banking infrastructure being hosted overseas, in the wake of the outage.
A spokesperson for the government department did not directly answer the questions posed by Computer Weekly, but did provide the following statement in response:
“We know the threat cyber attackers present, which is why we are working with regulators to establish a Critical Third-Party regime, so we can hold firms providing these services to the same high standards as other financial services institutions,” the Treasury statement read.
UK reliance on overseas clouds
Hillier’s question to the Treasury about whether it has any concerns about key parts of the UK’s IT infrastructure being hosted overseas is being echoed by other UK cloud market watchers and stakeholders in the wake of the outage.
“We should be asking the obvious question: why are so many critical UK institutions, from HMRC to major banks, dependent on a datacentre on the east coast of the US?” said Mark Boost, CEO of London-based cloud services provider Civo.
“Sovereignty means having control when incidents like this happen – but too much of ours is currently outsourced to foreign cloud providers. The AWS outage is yet another reminder that when you put all your eggs in one basket, you’re gambling with critical infrastructure.
“When a single point of failure can take down HMRC, it becomes clear that our reliance on a handful of US tech giants has left core public services dangerously exposed,” he said.
AWS has operated a UK datacentre region since 2016, with a key selling point of these facilities being that it would allow UK-based organisations to access locally hosted versions of its public cloud services.
This adds further weight to Boost and Hillier’s line of questioning about why a US outage impacted UK-based organisations when, presumably, these organisations should be relying on the UK region to access AWS services.
When Computer Weekly put this question to AWS, citing the disruption caused to HMRC during the outage as an example, a company spokesperson advised the publication to direct that comment directly to the government tax agency.
Shared responsibility model
That response (or lack thereof) potentially speaks to the notion of the “shared responsibility model” that AWS subscribes to, whereby the organisation considers security, compliance and the resilience of its customers’ cloud environments to be something of a shared burden.
As detailed on the company’s Shared Responsibility Model reference web page, this setup is designed to “relieve” AWS customers of the operational burden of running their own cloud infrastructure, but they remain responsible for whatever data they choose to host in it.
“Customers should carefully consider the services they choose [to host in AWS] as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations,” said AWS.
“The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.”
Speaking to Computer Weekly, Brent Ellis, principal analyst at IT market watcher Forrester, said the fact the outage originated in the AWS US-East-1 region and impacted UK organisations suggests “at least some part” of the HMRC and Lloyds setups had a dependency on that region.
“That would have been an architecture choice by those companies, but not necessarily a fault of AWS,” said Ellis. “That dependency could also have been introduced by a nested SaaS [software as a service] component for the organisations involved.
“Generally, I think this shows how complex and interconnected modern cloud-based infrastructure is, and that is a problem from a resilience perspective, especially if you do not have visibility into the nested dependencies that underlie your business technology stack.”
Regulatory intervention
Because of the impact such dependencies can have, Ellis is of the view that the AWS outage may prompt calls for regulatory intervention to prevent a repeat of it, in a similar vein to what Hillier and her colleagues on the Treasury Select Committee are calling for. “I do think it gives fodder to the greater push for sovereign cloud,” he said. “It also will probably spur regulation to increase visibility into dependencies and fault domains for critical sectors like finance.”
What users of hyperscale cloud services, such as AWS, need to know is what services and capabilities within their chosen suppliers’ extended portfolios are hosted in the UK, and how resilient they are, added Sayers.
To highlight why this is important, he cited the findings of a series of investigations into Microsoft’s cloud hosting arrangements in the Scottish policing sector that he worked with Computer Weekly to make public.
That work resulted in an initial disclosure from Microsoft that it could not guarantee the sovereignty of UK policing data stored and processed in its M365 platform.
This was later followed up with further revelations that policing data hosted in the Microsoft cloud could be processed in more than 100 countries, without users explicitly knowing about it.
“We already know Microsoft do not have a UK-based capability for all their services, but we need to know exactly what the [overseas hyperscalers] can deliver in the country and how resilient that actually is,” said Sayers. “We need to properly understand their points of failure and how they can be engineered around.”
Some of the hyperscalers have sought to evade answering questions on this point, claiming the information is commercially sensitive, he continued. “That’s not a defence we can tolerate anymore,” said Sayers. “These services are increasingly friable, increasingly complex and increasingly hidden from our view. If we are to rely on them, we need to know they are reliable, and if they aren’t then we need to pivot – at least for critical services.”
Customer-created issues
Ellis’s colleague, Dario Maisto, is a senior analyst at Forrester, who told Computer Weekly that AWS is aware that customer-created, cross-region architectural dependencies are part of a “bigger sovereignty problem” facing its European customer base.
“[AWS] is about to launch a perfect replica of its services [in Europe] under the AWS EU [European Union] sovereign cloud offer, with the first isolated [sovereign] region in Germany,” he said.
“In fact, the only way a client can be sure that its data and workloads do not suffer from any dependency from infrastructure abroad is physical and logical isolation of the cloud regions the client uses [so that it] must not be possible at all that the client is able to make any choice that creates a dependency on foreign infrastructure.”
Achieving this outcome, continued Maisto, means all of the services the customer needs must be hosted within the isolated region as the only ones the client can access. “A data boundary or a commitment to the market cannot guarantee what only a precise architectural construct of the client’s cloud environment can grant,” he added.
AWS is far from the only cloud provider to suffer an outage, and any cloud company an enterprise entrusts their data to could suffer a similar fate at some point in their existence.
However, Civo’s Boost said the incident highlights why enterprises should be looking to diversify their pool of cloud providers, but also why governments and regulators need to be taking a closer look at how much of the world’s infrastructure runs on a relatively small number of hyperscale cloud platforms.
“The more concentrated our infrastructure becomes, the more fragile and externally governed it is,” he said. “If Europe is serious about digital sovereignty, it needs to accelerate its shift towards domestically governed and diversified infrastructure. Governments and regulators have a responsibility to create the conditions for real competition. That means rethinking procurement, funding sovereign alternatives and making resilience a baseline requirement.”
Anthropic Supply-Chain-Risk Designation Halted by Judge
Anthropic won a preliminary injunction barring the US Department of Defense from labeling it a supply-chain risk, potentially clearing the way for customers to resume working with the company. The ruling on Thursday by Rita Lin, a federal district judge in San Francisco, is a symbolic setback for the Pentagon and a significant boost for the generative AI company as it tries to preserve its business and reputation.
“Defendants’ designation of Anthropic as a ‘supply chain risk’ is likely both contrary to law and arbitrary and capricious,” Lin wrote in justifying the temporary relief. “The Department of War provides no legitimate basis to infer from Anthropic’s forthright insistence on usage restrictions that it might become a saboteur.”
Anthropic and the Pentagon did not immediately respond to requests to comment on the ruling.
The Department of Defense, which under Trump calls itself the Department of War, has relied on Anthropic’s Claude AI tools for writing sensitive documents and analyzing classified data over the past couple of years. But this month, it began pulling the plug on Claude after determining that Anthropic could not be trusted. Pentagon officials cited numerous instances in which Anthropic allegedly placed or sought to put usage restrictions on its technology that the Trump administration found unnecessary.
The administration ultimately issued several directives, including designating the company a supply-chain risk, which have had the effect of slowly halting Claude usage across the federal government and hurting Anthropic’s sales and public reputation. The company filed two lawsuits challenging the sanctions as unconstitutional. In a hearing on Tuesday, Lin said the government had appeared to illegally “cripple” and “punish” Anthropic.
Lin’s ruling on Thursday “restores the status quo” to February 27, before the directives were issued. “It does not bar any defendant from taking any lawful action that would have been available to it” on that date, she wrote. “For example, this order does not require the Department of War to use Anthropic’s products or services and does not prevent the Department of War from transitioning to other artificial intelligence providers, so long as those actions are consistent with applicable regulations, statutes, and constitutional provisions.”
The ruling suggests the Pentagon and other federal agencies are still free to cancel deals with Anthropic and ask contractors that integrate Claude into their own tools to stop doing so, but without citing the supply-chain-risk designation as the basis.
The immediate impact is unclear because Lin’s order won’t take effect for a week. And a federal appeals court in Washington, DC, has yet to rule on the second lawsuit Anthropic filed, which focuses on a different law under which the company was also barred from providing software to the military.
But Anthropic could use Lin’s ruling to demonstrate to some customers concerned about working with an industry pariah that the law may be on its side in the long run. Lin has not set a schedule to make a final ruling.
How Trump’s Plot to Grab Iran’s Nuclear Fuel Would Actually Work
President Donald Trump and top defense officials are reportedly weighing whether to send ground troops to Iran in order to retrieve the country’s highly enriched uranium. However, the administration has shared little information about which troops would be deployed, how they would retrieve the nuclear material, or where the material would go next.
“People are going to have to go and get it,” secretary of state Marco Rubio said at a congressional briefing earlier this month, referring to the possible operation.
There are some indications that an operation is close on the horizon. On Tuesday, The Wall Street Journal reported that the Pentagon has imminent plans to deploy 3,000 brigade combat troops to the Middle East. (At the time of writing, the order has not been made.) The troops would come from the Army’s 82nd Airborne Division, which specializes in “joint forcible entry operations.” On Wednesday, Iran’s government rejected Trump’s 15-point plan to end the war, and White House press secretary Karoline Leavitt said that the president “is prepared to unleash hell” in Iran if a peace deal is not reached—a plan some lawmakers have reportedly expressed concern about.
Drawing from publicly available intelligence and their own experience, two experts outlined the likely contours of a ground operation targeting nuclear sites. They tell WIRED that any version of a ground operation would be incredibly complicated and pose a huge risk to the lives of American troops.
“I personally think a ground operation using special forces supported by a larger force is extremely, extremely risky and ultimately infeasible,” Spencer Faragasso, a senior research fellow at the Institute for Science and International Security, tells WIRED.
Nuclear Ambitions
Any version of the operation would likely take several weeks and involve simultaneous actions at multiple target locations that aren’t in close proximity to each other, the experts say. Jonathan Hackett, a former operations specialist for the Marines and the Defense Intelligence Agency, tells WIRED that as many as 10 locations could be targeted: the Isfahan, Arak, and Darkhovin research reactors; the Natanz, Fordow, and Parchin enrichment facilities; the Saghand, Chine, and Yazd mines; and the Bushehr power plant.
According to the International Atomic Energy Agency, Isfahan likely has the majority of the country’s 60 percent highly enriched uranium, which may be able to support a self-sustaining nuclear chain reaction, though weapon-grade material generally consists of 90 percent enriched uranium. Hackett says that the other two enrichment facilities may also have 60 percent highly enriched uranium, and that the power plant and all three research reactors may have 20 percent enriched uranium. Faragasso emphasizes that any such supplies deserve careful attention.
Hackett says that eight of the 10 sites—with the exception of Isfahan, which is likely intact underground, and “Pickaxe Mountain,” a relatively new enrichment facility near Natanz—were mostly or partially buried after last June’s air raids. Just before the war, Faragasso says, Iran backfilled the tunnel entrances to the Isfahan facility with dirt.
The riskiest version of a ground operation would involve American troops physically retrieving nuclear material. Hackett says that this material would be stored in the form of uranium hexafluoride gas inside “large cement vats.” Faragasso adds that it’s unclear how many of these vats may have been broken or damaged. At damaged sites, troops would have to bring excavators and heavy equipment capable of moving immense amounts of dirt to retrieve them.
A comparatively less risky version of the operation would still necessitate ground troops, according to Hackett. However, it would primarily use air strikes to entomb nuclear material inside of their facilities. Ensuring that nuclear material is inaccessible in the short to medium term, Faragasso says, would entail destroying the entrances to underground facilities and ideally collapsing the facilities’ underground roofs.
Softening the Area
Hackett tells WIRED that based on his experience and all publicly available information, Trump’s negotiations with Iran are “probably a ruse” that buys time to move troops into place.
Hackett says that an operation would most likely begin with aerial bombardments in the areas surrounding the target sites. These bombers, he says, would likely be from the 82nd Airborne Division or the 11th or 31st Marine Expeditionary Units (MEU). The 11th MEU, a “rapid-response” force, and the 31st MEU, the only Marine unit continuously deployed abroad in strategic areas, have reportedly both been deployed to the Middle East.
Amazon’s Spring Sale Is So-So, but Cadence Capsules Are a Bright Spot
The WIRED Reviews Team has been covering Amazon’s Big Spring Sale since it began on Wednesday, and the overall deals have been … not great, honestly. So far, we’ve found decent markdowns on vacuums, smart bird feeders, and even an air fryer we love, but I just saw that Cadence Capsules, those colorful magnetic containers you may have seen on your social media pages, are 20 percent off. (For reference, the last time I saw them on sale, they were a measly 9 percent off.)
If you’re not familiar, they allow you to decant your full-sized personal care products you use at home—from shampoo and sunscreen to serums and pills—into a labeled, modular system of hexagonal containers that are leak-proof, dishwasher safe, and stick together magnetically in your bag or on a countertop. No more jumbled, travel-sized toiletries and leaky, mismatched bottles and tubes.
Cadence Capsules have garnered some grumbling online for being overly heavy or leaking, but I’ve been using them regularly for about a year—I discuss decanting your daily-use products in my guide to How to Pack Your Beauty Routine for Travel—and haven’t experienced any leaks. They do add weight if you’re trying to travel super-light, and because they’re magnetic, they will also stick to other metal items in your toiletry bag, like bobby pins or other hair accessories. This can be annoying, especially if you’re already feeling chaotic or in a hurry.
Otherwise, Capsules are modular, convenient, and make you feel supremely organized—magnetic, interchangeable inserts for the lids come with permanent labels like “shampoo,” “conditioner,” “cleanser,” and “moisturizer.” Maybe you love this; maybe you don’t. But at least if you buy on Amazon, you can choose which label genre you get (Haircare, Bodycare, Skincare, Daily Routine). If this just isn’t your jam, the Cadence website offers a set of seven that allows you to customize the color and lid label of each Capsule, but that set is not currently on sale.

