Ross Haleliuk challenges a comforting but dangerous assumption: that our modern digital backbone is already protected by existing safety frameworks. While most analysts dissect the mechanics of the latest cloud outage, Haleliuk argues we are failing to recognize that the very definition of "critical infrastructure" is obsolete, leaving the global economy vulnerable to cascading failures from companies that regulators treat as mere vendors.
The Outdated Blueprint
Haleliuk begins by acknowledging the recent AWS outage but immediately pivots away from technical post-mortems to a deeper systemic issue. "In our discussions about supply chain risk, we have forgotten that there is something else at play here, which is that our digital world is powered by many components that are critical and virtually irreplaceable." This reframing is essential because it shifts the conversation from "how do we fix this bug?" to "why is this single point of failure even allowed to exist?" The author notes that current government definitions, such as those from the Cybersecurity and Infrastructure Security Agency (CISA), still largely reflect a 20th-century worldview focused on physical assets like power plants and water treatment facilities.
"These frameworks originated at a time when national stability was closely connected to the physical world: electricity generation, oil pipelines, airports, and emergency response systems."
The argument holds weight because it highlights a regulatory lag. While agencies have added "Information Technology" to their lists, Haleliuk points out that the specific companies driving modern dependency are often missing from the critical list. He argues that while giants like Microsoft and AWS are recognized, the "new generation of companies" that form the invisible glue of the internet are not. He cites Twilio, which handles authentication for banks and hospitals, and Stripe, which processes global payments, as examples of entities that, if they fail, cause immediate societal paralysis. "If Twilio goes down, the entire authentication and notification systems can fail across thousands of organizations simultaneously." This is a compelling observation; the fragility of the modern economy lies not in the lack of servers, but in the concentration of trust on a handful of digital intermediaries that lack the redundancy requirements of traditional utilities.
Critics might argue that expanding the definition of critical infrastructure to include every major SaaS provider could overwhelm regulators and stifle innovation with excessive compliance burdens. However, Haleliuk's point is not about regulating every app, but about identifying the specific layers where a failure creates a domino effect that threatens public safety.
The Illusion of Separation
The piece becomes even more urgent when Haleliuk connects these digital dependencies to real-world physical consequences. He references the CrowdStrike outage, where a software update failure didn't just crash computers; it grounded planes and disrupted emergency services. "In theory, an outage of the endpoint security platform should not have caused airports to crumble, but guess what, it did." This stark reality check dismantles the idea that digital and physical worlds are separate domains. The author insists that we are living in a state where "an outage of Microsoft Entra ID can disrupt planes, an outage of Duo can disrupt hospitals, and an outage of Webex and Microsoft Teams can disrupt emergency response."
"If we continue to treat cloud platforms, SaaS ecosystems, and digital intermediaries as ordinary vendors rather than as essential systems, we risk underestimating the scale of disruption a single outage can cause."
This is the core of Haleliuk's warning: the current regulatory mindset treats these companies as commercial vendors subject to market forces, rather than essential utilities subject to resilience mandates. The author suggests that the "modern economy that runs on APIs, cloud workloads, and distributed services depends on a different kind of backbone, one that is global, digital, and deeply interconnected." By failing to update the definition, the administration and regulatory bodies are essentially flying blind, unaware of where the true single points of failure lie.
"Recognizing what truly constitutes critical infrastructure has real, tangible consequences. How we define 'critical' determines what gets regulated, what resilience standards are enforced, and what kinds of incident response and redundancy planning will be put in place."
The argument here is that words matter because they dictate policy. If a company is just a "vendor," it can go down for a week with no legal requirement to have a backup plan. If it is "critical infrastructure," it must prove it can withstand attacks and failures. Haleliuk's call to action is not just semantic; it is a plea for a structural overhaul of how the executive branch and agencies like CISA approach national security in the digital age.
Bottom Line
Haleliuk's strongest contribution is the clear demonstration that the gap between our digital reality and our regulatory definitions is a national security risk, not just an IT problem. The argument's vulnerability lies in the practical difficulty of enforcing resilience standards on a global, decentralized software ecosystem without stifling the very innovation that drives the economy. Readers should watch for how the administration responds to the next major outage; if they continue to treat these events as isolated vendor failures rather than systemic infrastructure collapses, the definition of "critical" will remain dangerously outdated.