- It indicates a progressive shift in governmental policy towards greater protection of digital infrastructure.
- UK government aims to foster an environment of improved coordination and cooperation in the face of cyber threats and unexpected challenges.
In an era characterised by rapid digitalisation, the United Kingdom’s decision to classify data centres as “Critical National Infrastructure” (CNI) signifies a pivotal moment in enhancing national cybersecurity. The initiative, the first of its kind in nearly a decade, aligns data centres with other essential services such as water and energy, thereby underscoring their fundamental role in the nation’s operational ecosystem.
The government’s designation aims to bolster protective measures against escalating cyber threats, which have increasingly jeopardised crucial sectors of society, including healthcare and financial services.
The announcement, made by UK Technology Minister Peter Kyle, indicates a progressive shift in governmental policy towards greater protection of digital infrastructure.
Data centres, which serve as the backbone of the UK’s communications systems, will now receive enhanced support and safeguards against cyberattacks. The decisive action is particularly relevant in light of recent incidents that exposed vulnerabilities within such facilities.
For instance, the CrowdStrike outage in July significantly disrupted health services across the country, highlighting the immediate need for robust cybersecurity frameworks.
The government’s move to designate data centres as CNI is intended not only to safeguard sensitive information—ranging from personal data to critical health records—but also to reassure corporations concerned about the security of their investments in UK data facilities.
The implications of this designation are profound. By placing data centres on equal footing with traditional critical services, the UK government aims to foster an environment of improved coordination and cooperation in the face of cyber threats and unexpected challenges.
Proactive approach
Establishing a dedicated CNI data infrastructure team of senior officials is a strategic component of this initiative, providing enhanced monitoring and response capabilities against potential threats.
The proactive approach will ensure that data centres possess prioritised access to security agencies, such as the National Cyber Security Centre, thereby streamlining efforts to mitigate risks and enhance incident response.
Moreover, the designation is expected to bolster investment confidence in the data centre sector, which already generates an estimated £4.6 billion in revenues annually. The investment by Amazon Web Services, amounting to £8 billion over the next five years, further underscores the growing importance of this sector and the government’s commitment to creating a secure infrastructure for digital operations.
With the CNI status, companies like DC01UK, which is proposing a significant investment for Europe’s largest data centre, can proceed with greater assurance, knowing that their infrastructure will be fortified against potential disruptions.
Ransomware attacks
The critical nature of safeguarding digital infrastructure is further emphasised by real-world examples of cyber vulnerabilities impacting essential services.
The ransomware attack on Synnovis, a private firm handling blood test analyses for London hospitals, serves as a stark reminder of the potential ramifications of IT failures.
The incident not only jeopardised medical operations but also brought about serious complications in emergency healthcare services.
Similarly, the CrowdStrike outage disrupted the management of sensitive patient data across a substantial percentage of general practices, illustrating how cyber threats could lead to severe consequences for public health and safety.
Cross border deals
As the UK embraces this new CNI designation, it is crucial to recognise that data storage and digital infrastructure transcend national borders.
The interconnectedness of global digital networks necessitates a comprehensive understanding of cybersecurity threats, requiring international cooperation and collaboration.
As Bruce Owen, UK MD of digital infrastructure provider Equinix, noted, the digital infrastructure has become as vital to daily life as traditional utilities. Thus, ensuring its resilience against potential threats is not only a national priority but also a global imperative.
The UK is currently home to the highest number of data centres in Western Europe.
“As we bring data centres into the spotlight, we need to remember that modern data storage isn’t limited to one country,” Toby Lewis, Global Head of Threat Analysis at global cybersecurity firm Darktrace, said.
Any new rules will need to work across borders, he said and added that many data centres serve multiple customers at once meaning new restrictions could affect all users of a data centre, even those not considered part of critical infrastructure.
“This could slow down innovation or make things more expensive for some businesses. To avoid these issues, data centres might need to set up separate areas just for critical infrastructure,” he said.
However, this could make it harder for important services to use cloud technology efficiently, potentially leading to higher costs. Organisations need to balance the benefits of security with added cost.
“Vast amounts of information are stored and managed in data centres, so it’s about time the UK government declared them a critical national infrastructure,” said Camellia Chan, CEO and co-founder of Flexxon.
“This is especially important since the presence of such huge amounts of data – which is increasing with the rise in data-hungry applications like AI – is a massive motive for cybercriminals,” said Chan.
“The effects on business operations and continuity, as well as the financial losses of a cyber attack can be devastating – in 2023, the average cost of a data breach was $4.45 million.”