Zoom is now critical infrastructure. That’s a concern

It’s a cybersecurity vulnerability that would have been unimaginable as recently as last year: A single California-based company, Zoom, is now the foundation for education access from elementary school up through graduate school. It has also become a critical tool for many businesses. When Zoom goes down, teachers can’t teach, students can’t learn, and business meetings, conferences, and webinars grind to a halt.

That was demonstrated in dramatic form on Monday, August 24 when a widespread outage blocked many users from accessing Zoom. Just before 6 AM Pacific time, the company acknowledged the problem in a statement, writing “We are currently investigating and will provide updates as we have them.” An hour later, Zoom said that it had “identified the issue” and was “working on a fix.” Finally, over three hours after it had first acknowledged the problem, Zoom announced that “We have resolved the issue.”

There’s no evidence that the outage was malicious in origin. And it was resolved relatively quickly, although for teachers, students, and participants in business meetings who found themselves unable to convene, not nearly quickly enough. Without information regarding the details of how Zoom’s systems are designed and protected, it’s hard to identify the greatest sources of risk for future service interruptions. But the fact that the August 24 incident occurred at all underscores the possibility that future service outages, whether due to a systems failure or to a cyberattack, could leave classrooms and business meetings shut down for much longer.

There’s nothing new about dependence on digital technologies, which underlie several of the Department of Homeland Security’s 16 critical infrastructure sectors, including “financial services,” “communications,” and “information technology.” But in many of the verticals in these sectors—such as banking or mobile phone services—no single company dominates the market. A cyberattack knocking a leading bank or mobile phone network provider offline for a few hours would be a major event and an enormous inconvenience for thousands of individuals and businesses, but it wouldn’t shut down the entirety of the financial system or of mobile cellular communications. By contrast, a successful cyberattack targeting Zoom could bring education and an enormous amount of business activity to a complete halt.

Another challenge is that Zoom is a relatively young company (founded in 2011) that has experienced some security-related growing pains. In March 2020, the company was widely criticized for a dubious claim that it supported end-to-end encryption for videoconferences. As normally used, the term refers to exchanging encrypted content between two end users in a manner such that it can’t be decrypted while in transit, not even by the company managing the servers through which it passes. For instance, as Apple explains with respect to iMessage and FaceTime, “there’s no way for Apple to decrypt the content of your conversations when they are in transit between devices.”

Zoom’s approach was different. As a March article in The Intercept explained, Zoom was actually using “transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.” While Zoom subsequently announced that it was working on new software that will allow it to introduce end-to-end encryption, the fact that confusion on this point had arisen at all is concerning from a security standpoint.

There are plenty of alternatives to Zoom, including Skype, Webex, and GoToMeeting. The challenge of course, is that Zoom has benefited from an enormous network effect. The time people have invested learning how to use Zoom and the licenses companies and universities have signed to make it their main platform for real-time video interactions create strong incentives against adopting an alternative. Just as most people wouldn’t want to purchase and carry two mobile phones, each connected to a different cellular network in case one of the networks goes down, organizations aren’t going to want to pay for licenses to non-Zoom videoconferencing platforms that they may rarely or never need. And people who have spent hours getting used to Zoom don’t want to start over on another platform.

In combination, these factors mean that we aren’t likely to shake our dependence on Zoom anytime soon. That’s a concern, because if a list of critical infrastructure sectors were created from scratch today, it would probably include videoconferencing as a distinct sector. Organizations that rely on video conferencing—and today, that’s most organizations—would be well served to put backup plans in place to minimize the disruption from future Zoom outages.

Apple is a general, unrestricted donor to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.