We need to talk about the tech stack problem

The temporary outage from Amazon’s AWS services this week reminded us yet again just how much our lives depend on a system few of us even understand. The list of affected applications read like pulling random organizations out of a hat: Signal, Peloton, Roblox, Lyft, the UK Government … it went on from there.

I laughed yesterday seeing the graphic floating around the social sphere that shows the complex Jenga tower of systems we have built held up by an precariously small leg. The leg, of course, is labeled “US-East-1,” the name of the data center where the outage apparently originated. One little push, and the entire system comes down.

Here’s the uncomfortable truth: this isn’t an isolated case. Monoculture is the problem, one the government is not immune from. Today, nearly every federal agency runs on a single, predictable stack:

• Microsoft for identity and collaboration
• SharePoint for document management (and masochism, I assume)
• Salesforce for CRM (and other things designed not to look like a CRM but still are)
• Oracle for databases
• ServiceNow for workflows

It’s convenient. It’s standardized. It’s unnecessarily fragile.

The problem with such monoculture is it creates the conditions where one outage, one patch delay, or one zero-day exploit can ripple across the enterprise. In an era where software is more and more becoming the weapon of future combat, tech risk is a national security risk that must be addressed.

This all was already on my mind coming into this week. Last Thursday, I got one of Norton’s friendly ‘you-should-be-aware’ security messages about the recent Salesforce breach. The vulnerability in this case was in an integration that allowed malicious actors to steal OAuth tokens, ultimately giving access to CRM systems. Salesforce has since said the breach did not result from a vulnerability in its core platform, which sounds like saying the bank robbers didn’t open the main vault, they just got your safe deposit box.

Thanks, I guess?

I had this weird moment of déjà vu at reading the story. After a moment, I remembered what it was. Just a few months ago, I had read another article about Salesforce that said the company was throttling back on hiring engineers because of AI.

While I’m not saying one necessarily caused the other, I do think it’s obvious that less human oversight leads to less accountability. And I also believe the confidence to add risk like this represents a luxury of thinking available only to the monoliths of this space who assume size guarantees security. Or, worse yet, that size insulates from bad security. For them, compliance is a department. For the rest of us (read: small businesses), it’s expensive paperwork that doesn’t equate to more security. Sometime it’s a financial cliff.

And herein lies the crux of my concern. Small businesses, who are the true drivers of innovation, are forced to exist in this ecosystem where a a few massive vendors sit underneath everything. It’s their world and we’re just struggling to survive.

If we’re serious about innovation and security, we have to stop conflating size and security. We need to diversify the stack and stop letting a handful of giants own the digital backbone of government. Surely the perceived inefficiencies of navigating different stacks is a price worth paying for spreading out the risk. Doing this also opens pathways for new players, which inherently benefits small businesses, who until now have often been a token accessory or an afterthought to primes.

Let’s bring technical depth back in-house because this problem obviously isn’t going away.