The cloud is invulnerable. Enterprise systems are resilient. AI scales infinitely.
The story we tell ourselves is smooth, automated, bulletproof. The reality underneath? Far messier.
The problem is organizational, not technical
I've spent 30 years watching infrastructure grow in complexity. What I see now is a genuine paradox: we've built systems of staggering reach, yet significant portions of the global internet depend on the continued presence of very few people.
Not because we lack the technical capability to distribute maintenance. Because the economics don't align.
Critical pieces of the plumbing that billions of transactions flow through every day are maintained on volunteer time, minimal budgets, or single-person codebases with zero succession planning.
This isn't an edge case. It's the pattern.
Five projects that hold everything up
OpenSSL. The foundation of HTTPS security. For years, a skeleton crew on a laughable budget. When Heartbleed hit in 2014, a single memory leak in an underfunded project exposed the encryption keys protecting most of the internet's traffic. One bug. One overwhelmed maintainer. Billions at risk.
NTP (Network Time Protocol). Synchronizes time across servers and devices globally. Without temporal coherence, certificates break, logs become useless, authentication fails, financial systems stall. For decades: a handful of individuals who maintained it because they cared, not because anyone paid them.
Bash. The default shell on Unix/Linux. The universal control layer for millions of production systems. Shellshock showed that a vulnerability here could hand attackers root access across the entire web. The bus factor, as they say, was not reassuring.
cURL. A library and tool for data transfer. Invisible to end users. Present everywhere: backends, firmware, IoT devices, CI/CD pipelines. One person, for years, against an infinite surface of use cases and attack vectors. (His name is Daniel Stenberg. Worth knowing.)
core-js. A JavaScript polyfill for browser compatibility. Baked into the dependency chain of an enormous fraction of the web. Maintained by one person, with minimal resources, who at some point started writing very public letters about the situation. Nobody in management was reading them.
The pattern
Massive diffusion. Invisibility to business leadership. Maintenance radically under-resourced relative to impact. Weak governance. No real substitutes.
The breaking point isn't a sophisticated attack or a novel zero-day. It's a maintainer burning out and walking away.
It's a bug that sits unpatched because the one person who understood the codebase has moved on. It's a supply chain compromise that cascades through billions of devices because the foundational layer was never audited.
Where the money actually goes
Most organizations fund the visible. They audit hyperscaler contracts. They invest in cloud-native architecture. They launch the AI initiative with a dedicated team and a shiny budget.
Meanwhile, the foundation their entire operation secretly rests on is being held together by someone working nights.
This is how you end up with perceived security that's high and actual resilience that's fragile. Two completely different numbers.
What needs to change
Map your supply chain. Not theoretically. Actually. Trace every dependency, transitive or direct, down to the individual projects and maintainers keeping them alive.
Triage by impact. Which of these projects would cause real damage if they disappeared tomorrow? Which ones have a single point of failure?
Contribute directly. For the critical ones: send money. Send developers. Sponsor the maintainers. Fund professional security audits on code that billions rely on.
Plan fallbacks. For components with real bus factor problems, invest in alternatives or forks. Before the crisis, not during.
Audit continuously. Supply chain security isn't a checkbox. It's a practice.
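As an added example, not the author's own tooling, here is a small Python script that carries out the first two steps above on a constructed dependency inventory (package names and maintainer counts are placeholders, not figures for any real project): it walks an application's direct and transitive dependencies and ranks them by bus factor first, then by how many other packages in the inventory would be hit if that dependency vanished.

```python
"""Triage a dependency inventory by bus factor and blast radius.

The inventory below is constructed sample data: names and maintainer
counts are illustrative placeholders, not measurements of real projects.
"""
from collections import defaultdict

# Constructed inventory: package -> maintainer headcount and direct deps.
INVENTORY = {
    "shop-backend": {"maintainers": 6, "deps": ["http-client", "timesync", "shell-utils"]},
    "http-client":  {"maintainers": 1, "deps": ["tls-lib"]},
    "tls-lib":      {"maintainers": 2, "deps": []},
    "timesync":     {"maintainers": 1, "deps": []},
    "shell-utils":  {"maintainers": 1, "deps": ["tls-lib"]},
    "polyfill":     {"maintainers": 1, "deps": []},   # present, but unused by the app
}


def transitive_closure(root, inventory):
    """Every package reachable from root over deps edges (cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        pkg = stack.pop()
        for dep in inventory.get(pkg, {}).get("deps", []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def dependents(inventory):
    """Reverse map: package -> set of packages whose closure includes it."""
    rev = defaultdict(set)
    for root in inventory:
        for dep in transitive_closure(root, inventory):
            rev[dep].add(root)
    return rev


def triage(inventory, app, bus_factor_threshold=1):
    """Rank app's transitive deps: single points of failure first, then by blast radius."""
    rev = dependents(inventory)
    rows = []
    for dep in transitive_closure(app, inventory):
        m = inventory[dep]["maintainers"]
        rows.append({"package": dep, "maintainers": m,
                     "dependents": len(rev[dep]),
                     "single_point_of_failure": m <= bus_factor_threshold})
    # SPOFs sort first (False < True), then widest blast radius, then name.
    rows.sort(key=lambda r: (not r["single_point_of_failure"], -r["dependents"], r["package"]))
    return rows
```

Feeding it a real inventory means replacing the constructed dict with an SBOM or lockfile parse and a maintainer count gathered per project; the ranking logic stays the same.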
The actual problem
Internet infrastructure isn't fragile because of technical limits. It's fragile because the economic and governance base is completely misaligned with the criticality of what's being maintained.
We've built a system of staggering reach on a foundation of individual generosity and unsustainable labor. We called it "open source" and convinced ourselves that's a business model.
It's not. It's a dependency chain held together by people who care more than they're compensated for.
That's fixable. But only if leadership decides to see the invisible infrastructure for what it is: the actual foundation of everything else.