“The government barely thought about data centres until Covid struck – when it realised that if it didn’t let people into them as key workers the country would come to a juddering halt. Now it’s realising how important they are to the functioning of the economy and the country and it’s crapping itself that it paid so little attention to their regulation before”. That’s the blunt view of one data centre veteran speaking to The Stack this month.
The pandemic’s outbreak did bring with it horror stories of data centre operators scrambling to convince bureaucrats that they were indeed critical key workers and needed to be out-and-about keeping hospital data safe, broadcaster message flowing and market trades happening amidst an otherwise blanket lockdown.
Despite some data centres in the UK being designated Critical National Infrastructure (CNI) their security and resilience is a “largely unregulated” sector in the UK as one law firm, Morgan Lewis put it this summer; data centres are not, for example, under the scope of 2018’s Networks and Information Systems (NIS) regulations.
Now a consultation run by the DCMS, emphasises that the UK government is “developing a stronger risk management framework to address two risks associated with data storage and processing infrastructure.”
Join your peers following The Stack on LinkedIn
Change may be coming. Attention is certainly focussing on data centre security and resilience.
A call for views closed over the summer holidays, but as DCMS put it in that consultation: “Firstly, data is strategically important at a national and global level. This makes the infrastructure where large volumes of data accumulate an attractive target to those who may have the intention or capability to threaten the UK’s national security, economy or ways of life. Secondly, the UK is now reliant on large-scale data storage and processing services for the delivery of our essential services and the functioning of our broader economy. This means that ensuring the continuity of service of data storage and processing infrastructure is of national interest.”
Whilst bar the occasional inferno or eye-watering outage, the private co-location data centre sector has done a fine job on resilience and security for its demanding clients – many of whom are running things like stock exchanges or multi-billion-pound broadcast networks from them – startled civil servants have clearly started wondering whether this hands-off approach is enough given the potential risks to UK Plc if things went south.
(Whilst an advanced tier data centre typically has multiple levels security infrastructure in place, from multiple guards through to compartmentalised security zones with biometric access controls -- going through five layers of security is common -- the abiding fear of many close to the industry, is the risk of insider-threat; someone with an eye to sabotage or espionage getting a job a on-site that may be home to hundreds of customers running mission-critical applications; not all of which have the failovers in place that their owners think...)
A close read of the consultation reveals some of the government’s worst fears. These include concentration risk and diesel running out for backup power in a civil emergency. The consultation flags as concerns:
- "Site proximity: Many sites located in a close proximity which can be impacted simultaneously by physical threats or hazards such as extreme weather.
- "State threats: The risks that involve state actors with high technical capability to access data or disrupt services.
- "Supply chain: Operators using a small number of suppliers or service providers. For example, multiple sites relying on backup fuel power in an energy crisis, leading to a demand for fuel that exceeds supplier capacity in particular regions
- "Unmanaged ownership risks: Risks arising from the inappropriate influence of owners or investors where they are not already managed by existing legislation. For instance, this could include the creation of a new data centre or cloud platform which might gather, alter or disrupt data on behalf of malicious state actors.”
(The latter is not an insignificant concern for some. One friend of The Stack’s, some years back, described their hedge fund employer as finding out that a Chinese company had a significant stake in their co-location provider’s real estate and promptly descended on the site (replete with personal security guards)to start the process of ripping out infrastructure. The story’s apocryphal at this point, but not unimaginable. Do you know who the ultimate owners are of your hosting infrastructure and do you care? Perhaps not. Others do…)
“Overall", asks the DCMS in its survey – which it extended the deadline, presumably having not received enough feedback – “how would you rate the effectiveness of the security and resilience practices of the data centre sector in general at managing risks?” The Stack would love your views too. Get in touch.
Possible options for future regulation could include, DCMS suggests:
"1. Continuity of service requirements: Legal measures stating that organisations must have well-defined, explicit and tested service continuity assurances, and incident management plans in order to ensure continuity of essential functions in the event of systems or service failure.
"2. Security and resilience requirements: Legal measures stating that organisations must take appropriate and proportionate measures to identify and manage the risks associated with security and resilience. Alternatively, requirements may be more targeted, with the aim of identifying and reducing specific risks. Requirements are often supported by guidance.
"3. Incident response information sharing and cooperation requirements: Legal measures stating that organisations must notify a relevant competent authority (e.g. a regulator) of any incident that impacts the provision of their services above a certain threshold, and coordinate with government, the sector or other groups to respond to and recover from an incident.
"4. Accountability at board or security committee level: A legal requirement for organisations to have a suitable individual at board or security committee level who is fully accountable for security and resilience.
"5. Security penetration testing: government or third-party competent authority powers to gain assurance in the security of a system by attempting to breach some, or all of that system’s security, using the same tools and techniques as an adversary might.
"6. Government information gathering powers: Legal measures stating that organisations must provide information to government or a relevant competent authority when that information is needed for an investigation.
Responses, which were all in by early August, will "inform any potential evaluation of measures that the UK government could consider to support data centre operators, their partners, suppliers and customers to manage security and resilience risk" DCMS says -- The Stack has asked when we can expect to see industry submissions and will update this story when we receive an update from DCMS on its planned next steps under the new goverment.