Perplexity AI Verified by Perplexity AI

Real Threats, Real Evidence

Documented incidents, systemic vulnerabilities, and why other governments are acting now

Reading time: 8 minutes

This Is Not Theoretical

In recent months, the risk of concentrated cloud dependency has ceased to be academic. Major outages have cascaded across government services, Parliament has questioned whether we have ceded control of critical infrastructure to foreign companies, and allied governments have begun executing exit strategies from US cloud platforms.

Section 1: Documented Outages

These are not separate incidents. They are symptoms of a systemic design flaw: by concentrating critical services in a small number of hyperscale regions and control planes, allied governments have inadvertently created a kill switch that can be activated—intentionally, accidentally, or via a single-point technical failure.

AWS us-east-1 DNS Failure

19 October 2025

A DNS failure in AWS's us-east-1 region cascaded across government services globally.[web:1][web:2]

  • HMRC online tax platform became unavailable
  • Multiple UK banks suffered outages affecting millions of transactions
  • UK media described a "nationwide outage" for online banking and tax services[web:3]
  • Ookla recorded 17+ million user-reported incidents[web:2]

Parliamentary response: Within three hours, Parliament began asking whether the United Kingdom had ceded control of critical financial infrastructure to a foreign private company.[web:4]

Google Cloud Global API Failure

12 June 2025

A widespread failure across Google Cloud APIs disrupted services in more than 40 regions simultaneously.[web:5][web:6]

  • Over 50 Google Cloud services affected
  • Gmail, Google Drive, BigQuery, Vertex AI, Cloud Storage all disrupted
  • Multi-region architecture provided no protection—the control plane itself failed

Azure Front Door Configuration Error

29 October 2025

A configuration error in Azure Front Door caused widespread disruption.[web:7][web:8]

  • Scottish Parliament forced to suspend a legislative vote because systems relying on Microsoft services were unavailable
  • Microsoft 365, Xbox Live, Intune, Power Apps, Entra disrupted
  • Public and private sector users affected in multiple countries

Red Sea Subsea Cable Cuts

September 2025

Multiple subsea cable cuts in the Red Sea degraded Microsoft cloud services across Europe, Africa, and the Middle East.[web:9]

  • Forced significant rerouting of traffic
  • Latency and reliability problems for customers dependent on Microsoft's cloud
  • Demonstrated physical infrastructure vulnerability beyond software control

The Pattern

The design of these platforms means that a failure or administrative decision in one jurisdiction can have immediate extra-territorial impacts. By concentrating in AWS us-east-1, Azure Front Door, and GCP core APIs, allied governments have created single points of failure for defence, healthcare, welfare, and taxation.

Section 2: Windows 11 as a Forcing Function

The transition from Windows 10 to Windows 11 has brought structural vulnerabilities into sharp focus, particularly for health systems.

End of Support: 14 October 2025

From this date, Windows 10 no longer receives security updates under standard support. Many NHS devices refreshed during Covid-19 do not meet Windows 11 hardware requirements (TPM 2.0, modern firmware).[web:10][web:11]

The NHS Dilemma

Digital leaders in NHS trusts face an impossible choice:[web:10][web:12]

  • Option A: Run unsupported Windows 10 in live clinical environments— repeating the risk pattern that made WannaCry devastating in 2017
  • Option B: Retire serviceable hardware at scale, channelling scarce NHS funds into licensing and equipment churn rather than frontline care

Privacy and Telemetry Concerns

Windows 11 is increasingly intertwined with Microsoft's cloud ecosystem, mandatory online accounts, and extensive telemetry. New features have raised significant concerns:

"AI-driven features such as Recall and Copilot+ have been criticised by security and privacy experts as a potential 'privacy nightmare', because they can silently capture and index everything visible on a user's screen, including highly sensitive information."
— BBC, Ars Technica, security researchers[web:13][web:14]

Medical Device Certification Gap

NHS hospitals are finding that medical device suppliers have been slow or unwilling to certify equipment for Windows 11. Diagnostic systems, imaging, and cardiology monitoring remain tied to older Windows versions because vendors demand substantial upgrade fees.[web:12]

"IT leaders have described a situation where they are 'hoping and praying that nothing untoward happens', with the memory of ransomware incidents and pathology outages still fresh."
— The Register, October 2025[web:12]

Section 3: Governments Are Acting Now

This is not paranoia dressed as strategy. Democratic governments with sophisticated technology sectors are already moving.

Denmark (June 2025)

Denmark announced plans to move away from Microsoft Office and other Microsoft cloud services in central and municipal government.[web:15]

"Denmark is completely dependent on American tech companies—that situation is unsustainable."
— Jan Damsgaard, Copenhagen Business School
  • Ministry of Digital Affairs: 6-month migration timeline
  • Copenhagen and Aarhus municipalities evaluating similar moves
  • Driven by digital sovereignty, licensing costs, and concentration risk

Schleswig-Holstein, Germany (2024-2025)

The German state committed to phasing out Microsoft Office and related products in favour of LibreOffice and open-source alternatives.[web:16]

  • 30,000+ workstations migrated
  • €9 million one-off migration cost
  • €15 million annual licence savings
  • Payback period: approximately 7-8 months
  • Five-year projected net benefit: approximately €66 million

Munich LiMux Project

The city of Munich migrated approximately 15,000 desktops serving 33,000 staff onto a Linux-based platform over nine years, reporting savings of €11.7 million.

Lesson learned: The initiative was partially reversed in 2017 for political reasons, then revived in 2020. This illustrates that incomplete migration and residual dependencies (e.g., retaining Microsoft Exchange) can create ongoing friction that opponents exploit politically.

The Common Thread

These governments are not driven by the US election cycle or political theatrics. They are driven by a simple calculation: a catastrophic event affecting every hospital, welfare payment, and tax collection centre simultaneously would be politically and economically devastating. They are purchasing insurance.

Section 4: The Strategic Calculation

The handbook's risk framework treats denial of US cloud services as a low-probability but high-impact event:

Scenario Probability (5 years) Confidence
Complete, deliberate US service termination to an ally 0.5-2% Low (no precedent)
Partial restrictions, data access demands, or de-facto denial 5-25% Medium
Economic impact of 2-day full-spectrum denial (UK alone) £50-200 billion GDP disruption

The Investment Threshold

If the true probability of serious service denial exceeds roughly 2-12% over the programme period, then the proposed £4.2-6.2 billion investment is justified on expected value grounds alone—before considering strategic autonomy and democratic resilience.

References

  1. [web:1] GovTech, "AWS outage disrupts services and raises concerns for government reliance on US cloud," October 2025.
  2. [web:2] Ookla, "Revealing the cascading impacts of the AWS outage," October 2025.
  3. [web:3] BBC, "AWS outage and over-reliance on US big tech," October 2025.
  4. [web:4] Computer Weekly, LinkedIn commentary, Lords session on AWS outage, October 2025.
  5. [web:5] NewsFromTheStates, "Google Cloud outage leading to global internet disruption," June 2025.
  6. [web:6] ByteByteGo blog, "Technical analysis of the Google Cloud outage," June 2025.
  7. [web:7] Silicon Republic, "Microsoft Azure Front Door outage impacting global services," October 2025.
  8. [web:8] Vendor analyses, "Scottish Parliament vote suspended," October 2025.
  9. [web:9] BBC, "Microsoft cloud services disrupted by Red Sea cable cuts," September 2025.
  10. [web:10] DigitalHealth, "NHS cyber security concerns raised about move to Windows 11," March 2025.
  11. [web:11] Cybersecurity Insiders, "NHS faces cybersecurity challenges amid Windows 11 upgrade dilemma," March 2025.
  12. [web:12] The Register, "NHS left with problematic PCs as suppliers resist Windows 11 certification," October 2025.
  13. [web:13] WIRED, "Microsoft Will Switch Off Recall by Default After Security Concerns," June 2024.
  14. [web:14] BBC, "Copilot+ Recall described as a 'privacy nightmare.'"
  15. [web:15] Borncity, "Digital sovereignty: EU cloud and Microsoft exit in Danish digital ministry," June 2025.
  16. [web:16] ZDNet, "German state Schleswig-Holstein's decision to uninstall Windows and adopt Linux and LibreOffice," June 2025.

Continue Reading

This briefing is part of a sequence designed for decision-makers:

  1. The Kill Switch Problem – What the risk is
  2. Real Threats, Real Evidence (this page) – Documented incidents and the case for action
  3. The Solution: Sovereign Control Plane – What we propose to do
  4. Strategic Case – Full business case and investment analysis

Document Status

Version: 1.0 | Last updated: January 2026
Classification: Official
Audience: Ministers, Permanent Secretaries, Senior Officials
Source: Verified by Perplexity AI

Back to Executive Briefing