Data centers in the UK will be elevated to critical national infrastructure (CNI) alongside energy and water systems.
This decision, announced on September 12 by the UK Technology Secretary Peter Kyle, aims to better protect UK data from cyber-attacks and prevent major IT blackouts.
Kyle also unveiled a proposed £3.75bn investment in a new data center in Hertfordshire, in the north of London, the same day.
UK Government Cyber Team Dedicated to Securing Data Centers
As CNI, data centers will now receive greater government support in recovering from and anticipating critical incidents.
A dedicated CNI data infrastructure team of senior government officials will be set up to monitor and anticipate potential threats, provide prioritized access to security agencies including the National Cyber Security Centre (NCSC), and coordinate access to emergency services should an incident occur.
“In the event of an attack on a data center hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations,” the UK government noted in a public statement.
Read more: UK Plans Tough New Security Rules For Datacenters
Technology Secretary Kyle also commented: “Bringing data centers into the Critical National Infrastructure regime will allow better coordination and cooperation with the government against cyber criminals and unexpected events.”
The UK is home to the highest number of data centers in Western Europe, with the sector making estimated annual revenues of £4.6bn ($6bn).
On September 11, UK Chancellor Rachel Reeves secured an £8bn ($10bn) investment from Amazon Web Services (AWS) into building, operating and maintaining data centers in the UK an investment estimated to support around 14,000 jobs per year across the UK.
The decision to elevate data centers as CNI was welcomed by NCSC CEO Felicity Oswald, who said it “acknowledges the essential role [data center] services play in driving forward our economy and society.”
According to Andy Kays, CEO of Welsh cybersecurity firm Socura, most data centers already have the level of security required for CNI organizations.
However, he added, “Extra support from a dedicated CNI data infrastructure team, which can help anticipate attacks and support incident response, can only be viewed as a positive.”
“The move also sends an important message to business leaders – that the UK is looking to cement its position as one of the safest countries in the world to do business.”
Call for a Wider Internet Redundancy Strategy
Jennifer Holmes, chief commercial officer at the London Internet Exchange (LINX), a longstanding critical infrastructure organization, said she supports this recognition for data centers, many of whom are partners of LINX.
“This move should form part of a wider internet redundancy strategy, creating protocols and fail-safes to reroute network traffic in the event of an outage. Threats such as cyber-attacks or extreme weather conditions are a case of when, not if, so it’s vital to have redundancies in place to not only protect data centers, but ensure networks stay online,” she continued.
“This will work in tandem with the proposed Cyber Security and Resilience Bill to strengthen the UK’s cyber defenses.”
Read more: EU’s NIS 2 v UK's Cyber Security and Resilience Bill
Aleksandr Yampolskiy, CEO of SecurityScorecard, also believes that more must be done to identify and address single points of failure across the UK critical infrastructure network.
“Contrasting with the European Union’s proactive stance in cybersecurity legislation with the introduction of NIS2 and CRA directives, the UK currently lacks a cohesive legislative counterpart despite commendable efforts from the NCSC,” he said.
The elevation of data centers to CNI is the first CNI designation in almost a decade, since the space and defense sectors gained the same status in 2015. The UK now recognizes 14 sectors as critical national infrastructure.
Read more: What Does NIS2 Mean for EU and Non-EU Organizations?