UK elevates datacenters to critical national infrastructure status
Dedicated support to be assembled to prevent cyberattacks, IT outages, and bad weather from affecting availability
From today, the UK is designating datacenters as critical national infrastructure (CNI). As a result, the sector is expected to get special government support designed to prevent negative economic impacts of IT outages like CrowdStrike's, cyberattacks, and extreme weather events.
That special support will come in the form of a dedicated CNI data infrastructure team comprised of "senior government officials" tasked with monitoring the threat landscape and anticipating potential risks. That team will also be responsible for coordinating an emergency response, should one be required.
"Datacenters are the engines of modern life, they power the digital economy and keep our most personal information safe," said tech secretary Peter Kyle.
"Bringing datacenters into the critical national infrastructure regime will allow better coordination and cooperation with the government against cybercriminals and unexpected events."
The UK's National Cyber Security Centre (NCSC) is also among the undisclosed list of security agencies to be afforded priority access to datacenters should they come under any kind of fire – physical or virtual.
We asked the government's Department for Science, Innovation, and Technology (DSIT), which led the change, to elaborate on what this priority access means, and on other points made in the announcement, but it didn't immediately respond to our questions.
"Our critical national infrastructure is a high-priority target for cyber attackers – ranging from criminals to hostile states – who would seek to do the UK harm," said Felicity Oswald, CEO at the NCSC.
"I welcome today's move to designate datacenters as CNI, acknowledging the essential role their services play in driving forward our economy and society.
"CNI organizations must have a high level of security to combat the cyber threats they face and the NCSC will continue working hand in hand with operators to bolster their online resilience."
DSIT said that by adding datacenters to the CNI list, cybercriminals would be deterred from targeting them. Apparently, this means in the event of an outage of any kind, the disruption to people's lives, the NHS, and the economy would be minimized.
For a reporter who covers cyberattacks on CNI organizations weekly, it's an interesting assumption for the government to make – that the CNI designation would deter cyber scum from targeting DCs instead of making it an even juicier bullseye.
The Reg knows from CISA's regular advisories, for example, that critical infrastructure is the primary target of ransomware criminals, nation-state baddies, and the like. They want to disrupt in the most effective way possible.
The most recent warning came less than a week ago, in fact. It concerned the Russian military and how it's routinely scanning IP ranges used in government and CNI organizations.
There was a big stink made about China's Volt Typhoon earlier this year too, with Western security agencies saying cyber experts in the Middle Kingdom were pre-positioning themselves in US CNI for destructive cyberattacks.
Datacenters become the 14th addition to the UK's CNI list, which also includes the civil nuclear, defense, energy, finance, health, transport, and water sectors – all of which have been acutely impacted by IT and/or cyber-related issues in recent months.
It's the first update to the list in nearly a decade, following the addition of the space and defense sectors in 2015.
The news also comes just shy of a year after the NCSC was warning of a rising threat level to the UK's CNI. It said in its November 2023 annual review that the country's cyber-readiness in critical sectors isn't where it should be.
Investment opportunities
The announcement was delivered in tandem with the UK government welcoming a proposed £3.75 billion ($4.89 billion) investment in Europe's largest datacenter, planned for construction by DC01UK in Hertfordshire, a neighboring county of London.
"The huge £3.75 billion private investment announced today in Hertfordshire is a vote of confidence in [the CNI] plans and a clear example of my determination to ensure technological advancements are helping to grow our economy and create wealth across the country," said tech sec Kyle.
DSIT feels the designation of DCs to CNI status will build confidence for future investment in the sector, specifically in the UK.
In announcing its own mega multi-year investment into UK datacenters this week, AWS VP and MD for EMEA Tanuja Randery said the next few years could be crucial in cementing the status of the UK's digital economy as a world leader.
The UK's Labour government wasted no time in enacting its plans to unlock the potential of datacenters to bring economic benefits.
Just days after Starmer's Labour won a landslide general election in July, deputy prime minister Angela Rayner recalled two planning decisions that blocked the construction of datacenters in Hertfordshire and Buckinghamshire, which also neighbor Greater London.
The move was widely welcomed by the likes of BCS, The Chartered Institute for IT, in a similar vein to today's announcement.
Matthew Evans, director of markets and chief operating officer at techUK, said: "techUK welcomes the government's pivotal decision to designate the datacenters sector as critical national infrastructure and the recognition of the critical role they play in the UK's modern economy.
"Datacenters are fundamental to our digitizing economy and are a key driver of growth. We look forward to collaborating closely with the government and our stakeholders to ensure the successful implementation of these new measures and their impact on the sector. Continued engagement and partnership will be key in advancing our shared objectives of a secure, resilient, and thriving digital economy."
Toby Lewis, Global Head of Threat Analysis at global cybersecurity biz Darktrace, said in a statement it is worth remembering that modern data storage isn't limited to one country.
"Any new rules will need to work across borders. Many datacenters serve multiple customers at once meaning new restrictions could affect all users... even those not considered part of critical infrastructure. This could slow down innovation or make things more expensive for some businesses."
To avoid this, he added, bit barn operators "might need to set up separate areas just for critical infrastructure. However, this could make it harder for important services to use cloud technology efficiently, potentially leading to higher costs. Organizations need to balance the benefits of security with added cost.
"This is another strong and timely step from the government in improving resilience across critical national infrastructure, supply chains, the public sector, and strategically important businesses. By addressing these interconnected elements of our digital landscape, we can significantly reduce weak links and create a more robust cyber defense posture." ®