Back in September, Technology Secretary Peter Kyle announced that UK data centres would be designated as “critical infrastructure”, alongside energy and water systems. This is big news, and it has implications both for data centre operators in the UK, and for the UK’s security community more broadly. So, in this piece, which is the first of our new deep dive features, we hear from some data centre and security experts about what the news means for the security industry, and what the implications might be. This is the first of two instalments.
The classification of data centres as CNI means that these sites would be better-protected from cyber-attacks, with strengthened cyber security, as well as from other potential threats. The government describes this change as “as a massive boost” to the sector.
The government’s website states that the new legislation will mean that data housed and processed in UK data centres – from photos taken on smartphones to patients’ NHS records and sensitive financial investment information – is less likely to be compromised during outages, cyberattacks, and adverse weather events. Putting data centres on an equal footing as water, energy and emergency services systems will mean the data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all.
CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur.
Also in September, it was reported that US firm Blackstone would open A £10bn artificial intelligence data centre, in Cambois, near Blyth in Northumberland, creating 4,000 jobs.
Since then, it has been reported that US firm CloudHQ will build a new £1.9bn data centre campus in Didcot, Oxfordshire, creating 1,500 jobs, and other US tech companies, ServiceNow, CyrusOne and CoreWeave have also committed to investments with ServiceNow to invest £1.15 billion over five years, CyrusOne to inject £2.5 billion, with CoreWeave to add an £750 million.
Prime Minister Keir Starmer has described this investment as a “huge vote of confidence”, which demonstrates that the UK is “open for business” and proves that Britain was back as a “major player on the global stage”.
What does this news mean for the UK?
In terms of what the reclassification to CNI broadly means for the UK, our respondents noted it as a “positive step, or “significant milestone”, which, as Nick Smith, Business Development Manager at Genetec (pictured right), comments, “recognises their vital role in safeguarding national security, economic stability, and public safety”.
He adds that this decision is timely and strategic from a physical security standpoint. “As the backbone of the digital economy, data centres house vast amounts of sensitive information,” he says, “making data centres attractive targets for both physical and cyber threats. While data centres are better equipped than most businesses to secure data, this designation will give operators greater reassurance that the government will support them in recovering from and anticipating critical incidents, minimising the impact on the economy.”
Glenn Stephenson, Operations Director – Electronic Security at Datalec, adds that the move to reclassify data centres, along with the investment in the sector, is likely to accelerate the UK’s position as a global leader in tech innovation and digital services, sending a clear message that the UK is serious about digital infrastructure. This is likely to attract more global tech companies, cloud service providers, and data-centric businesses, (as we’re already beginning to see). This will all lead to jobs, and the ripple effects are already promising, he says.
What are the implications for data centre security managers?
In terms of the implications and impacts for data centre security managers, Ben Yoxall, Commercial Director at Secure Logiq (pictured, below left), believes that the reclassification is likely to be seen as a double-edged sword. “On one hand, it validates the significance of their role in protecting an essential piece of the nation’s infrastructure, but the increased requirements due to their CNI classification may be difficult to achieve in the short term and will require an increase in the budget, which is not always easy to obtain.”
He notes that the elevation to CNI status means that security managers will have access to increased government support, both in terms of funding and expertise. This is good news, as it signals stronger backing from the government, in theory providing them with additional resources that will enhance their ability to safeguard against both physical and cyber threats.
“The extra government funding could facilitate improved physical security measures such as advanced surveillance with new analytics, fortified perimeters, and enhanced access controls, ensuring that these data hubs are not only protected from external physical threats but also from insider attacks. Furthermore, greater financial resources would enable investment in cutting-edge cybersecurity tools, threat intelligence platforms, and training programs for personnel, all of which are critical to addressing the increasing sophistication of cyberattacks,” Yoxall continues.
What are the implications for data centre operators and the wider security industry?
For data centre operators, the reclassification presents both challenges and opportunities, Yoxall says.
Where challenges are concerned, operators will be subjected to more stringent regulations, requiring them to have more robust security frameworks, and with potentially heavy penalties for non-compliance.
“They will have to meet more stringent standards of protection, continuity and performance, ensuring that their facilities can withstand cyberattacks, natural disasters, and other disruptions,” Stephenson (pictured right) adds.
Yoxall goes to note that while some operators may view this as a burden due to increased compliance costs, the long-term benefits could outweigh the immediate financial strain as increased security protocols lead to greater levels of trust from clients, especially from industries such as finance, healthcare and government services that handle sensitive data. “In turn this could enhance business opportunities, making these data centres more attractive to clients with elevated security needs.”
Stephenson adds that the recognition also means there will be opportunities for investment, access to resources, such as national cybersecurity frameworks, and it will mean that operators have a closer relationship with government when planning and upgrading their infrastructure. Stephenson goes on to explain that “by elevating the status of UK data centres, the UK government is ensuring that these critical hubs are equipped to handle the challenges of an increasingly digital world.”
In the next instalment of this feature, we will cover the implications to the wider security industry and discuss the benefits to the public of this change in legislation, which gives data centres CNI status.
*top image caption – Artistic rendering of a typical data centre design for conceptual purposes, courtesy of Northumberland County Council
For more data centres news, click here