The UK government has recently designated data centers as part of its critical national infrastructure (CNI), marking the first amendment to the CNI list since 2015. Previously, sectors such as space and defense were added.
“By recognizing data centers alongside other essential services like water and energy, the sector will benefit from enhanced governmental support in both recovery and proactive handling of critical situations, which bolsters industry confidence for operating within the UK, thereby boosting economic development,” stated UK Technology Secretary Peter Kyle. He added, “With this CNI status, a specialized team of senior government officials will be established to oversee data infrastructure, liaise with security bodies including the National Cyber Security Centre, and ensure direct coordination with emergency services in case of incidents.”
This inclusion covers both physical data centers and cloud service providers including big names like Microsoft, AWS, and Google Cloud.
Earlier this week, Amazon announced a significant investment in UK-based data centers.
“In cases where a critical incident, such as an assault on a data center containing essential NHS patients’ information occurs, the government will implement preventive measures to avoid disruptions to vital services like patients’ schedules or surgical procedures,” stated Kyle in his announcement.
The administration is optimistic that new safeguarding measures will enhance the investment appeal of data centers within the nation.
The government noted that the extra safeguards afforded by the CNI status will decrease the likelihood of data being compromised during power failures, cyberattacks, and extreme weather conditions. However, it acknowledged that while the designation could deter attacks on less tempting targets, significant data centers holding high-interest or valuable information could still be prime targets for state-sponsored or complex cyberattacks.
Eric O’Neill, a founding partner at The Georgetown Group and former FBI operative, remarked that the CNI status and accompanying measures in the UK are unlikely to decrease cyberattacks, adding that such designations do little to deter potential attacks.
Indeed, O’Neill argued that the designation is just as likely to have the opposite effect, all but daring attackers to strike. Attackers are sometimes “about how awesome they are and are thumbing their nose at the West and making a splash with all of their friends online. They have pride,” O’Neill said.
Brian Levine, a former government attorney who today serves as a managing director at Ernst & Young, said that he thought the UK declaration was a good thing, but “the devil is in the details” because the UK government didn’t specify the particulars of the support it will be delivering.
“The term ‘critical infrastructure’ is often overused by governments. The definition of critical infrastructure is usually somewhat vague. In this case, including data centers is not unreasonable and may make sense, but it depends on what the government will actually be doing,” Levine said.
The US, for example, lists a wide range of critical infrastructure sectors but doesn’t specify data centers. It does, however, specify various sectors, including information technology, healthcare, and financial services, that would absolutely impact almost every major cloud environment.
“It’s hard to imagine a data center that doesn’t include some of those sectors as part of their customer base,” said Levine.
Similar to other government security initiatives, this move is expected to assist companies with weaker security infrastructures in their data centers. “If the data centers already possess adequate security and redundancy, the impact may be minimal,” noted Levine. “It could potentially affect smaller entities the most, but it’s also incorrect to assume that all larger entities are meeting their customers’ expectations.”
Alvin Nguyen, a Senior Analyst at Forrester, commended the UK’s strategy but expressed doubts about its effectiveness.
“It’s unlikely to bring about significant change. Cyberattacks, especially from large organizations or nation-states, are backed by substantial resources. While integrating government support is beneficial, it won’t eradicate cyberattacks on crucial digital infrastructures within data centers,” remarked Nguyen. “Should this lead to enhanced best practices, it may aid data center-utilizing companies in warding off simple attacks like phishing, but not against more sophisticated, coordinated assaults on high-value data center targets. Future developments might see better coordinated defenses for data centers, potentially decreasing cyber risks, yet this remains uncertain at the moment.”
Nguyen believes the UK’s decision could prompt similar measures by other nations.
“This visible public move will increase awareness about the complexities and risks involved in protecting data centers,” Nguyen remarked. “While it might not immediately mitigate cyber threats, it’s a good starting point that could lead to the creation of enhanced practices for combating current and future cyberattacks, potentially inspiring other countries to adopt similar strategies.”
The statement from the UK government cited the CrowdStrike failures as indicative of the challenges that CNI status could help mitigate.
“The recent CrowdStrike disruption this summer majorly disturbed the operations of 60% of GP practices, affecting software that manages patient appointments, prescriptions, and medical records. It underscored the severe impact of IT and cyber issues on public wellbeing,” Kyle explained. “At present, the UK hosts the most extensive array of data centers in Western Europe.”