Americas

  • United States
evan_schuman
Contributor

Data centers are now critical national infrastructure, says UK government

News
Sep 12, 20246 mins
Critical InfrastructureData CenterGovernment

The new status adds extensive cybersecurity protections for cloud and on-premises environments, alongside energy and water systems.

uk parliament
Credit: Shutterstock

The UK government added data centers to its list of protected critical national infrastructure (CNI) on Thursday, the first change to its CNI list since 2015, when it added the space and defense sectors.

“Putting data centers on an equal footing as water, energy and emergency services systems will mean the data centers sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all,”  UK Technology Secretary Peter Kyle said in a statement. “CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritized access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur.”

The government is including physical data centers and cloud operators such as Microsoft, AWS, and Google Cloud in the CNI designation.

Earlier this week, Amazon made a major investment in UK data centers. 

“In the event of an attack on a data center hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations,” Kyle said in the statement.

Confidence boost

The government hopes the new protections will boost the confidence of companies considering investing in data centers in the country.

It said the additional protections resulting from the CNI designation will mean data stored in the UK is less likely to be compromised during outages, cyberattacks, and adverse weather events. But while it might indeed discourage cyberattacks on low-value targets, if a data center has data of interest to state actors or even high-value information for phishing or ransomware attacks, it’s unlikely to make a major difference.

Eric O’Neill, a founding partner of cybersecurity consulting firm The Georgetown Group and a former FBI agent, said that it is unlikely that the UK designation and its supporting services would reduce the number of cyberattacks, and “it is not likely to reduce the likelihood of attacks. Designation doesn’t do anything to discourage an attack.”

Indeed, O’Neill argued that it is just as likely to have the opposite impact by all but daring the attackers to attack. Attackers are sometimes “about how awesome they are and are thumbing their nose at the west and making a splash with all of their friends online. They have pride,” O’Neill said. 

Brian Levine, a former government attorney who today serves as a managing director at Ernst & Young, said that he thought the UK declaration was a good thing, but “the devil is in the details” because the UK government didn’t specify the particulars of the support they will be delivering.

Overused term

“The term ‘critical infrastructure’ is often overused by governments. The definition of critical infrastructure is usually somewhat vague. In this case, including data centers is not unreasonable and may make sense, but it depends on what the government will actually be doing,” Levine said. 

The US, for example, lists a wide range of critical infrastructure sectors but doesn’t specify data centers. But it doesspecify various sectors — including information technology, healthcare, and financial services — that would absolutely impact almost every major cloud environment.

“It’s hard to imagine a data center that doesn’t have some of those sectors included as part of their customers’ information,” Levine said.

Like many other government security efforts, it is likely to help companies who have weaker security in their data centers. “If the data centers already have reasonable security and reasonable redundancy, then it may have little impact,” Levine said. “It may have the biggest impact on the smallest players, but I also wouldn’t assume that all of the larger players are performing at the level that their customers would want.”

Forrester Senior Analyst Alvin Nguyen applauded the UK move but was skeptical that it would change matters materially.

“This is unlikely to make a difference. Cyberattacks from large organizations and/or nation states have significant resources behind them. Being able to bring government resources to bear helps but will not eliminate cyberattacks on critical digital systems in data centers,” Nguyen said. “If this results in improved best practices, this might help the companies leveraging data centers mitigate simple attacks such as phishing, but not against larger, more coordinated attacks on higher value targets in the data center. This might evolve in the future to better coordinated defense of data centers that results in actual reduced cyber risk, but that isn’t clear right now.”

Government influence

Nguyen said that he thinks the UK move is likely to influence other governments to take similar actions.

“This is a nice public action that will drum up attention to the situation and provide visibility into the danger and difficulties of securing data centers,” Nguyen said. “It may not have an immediate impact on reducing cyber risks, but if considered as a first step and followed up with developing new best practices against current and future cyberattacks, I foresee other countries doing the same.”

The UK  government’s statement gave the CrowdStrike outages as an example of the kinds of problems CNI status might be able to lessen. 

“The CrowdStrike incident earlier this summer, affecting 60% of GP practices with disruption to software holding patients’ appointment details, prescriptions, and health records showed the catastrophic impact of IT and cyber threats on people’s lives,” Kyle said. “Currently, the UK is home to the highest number of data centers in Western Europe.”

evan_schuman
Contributor

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author