Trending Articles

Latest Features

Trending Topics

cni protection to data centres shown by bubble around British data centre
British data centres are now a fraction more secure (image: Copilot Designer)

Hackers beware: UK data centres now have critical national infrastructure protection (CNI)

In the first designation of a new critical national infrastructure (CNI) for almost ten years, the UK’s Labour government has added data centres to the list. It joins the space and defence sectors, which gained the same protective classification in 2015.

The announcement by Peter Kyle MP, the Secretary of State for Science, Innovation and Technology, states that data centres will be given additional protections against both cyber criminals and IT blackouts. “Department for Science, Innovation and Technology Data centres powering the economy will be designated as Critical National Infrastructure (CNI) alongside energy and water systems,” read the statement.

The CNI label is more than just window dressing. It enables the government to provide support to the data centre sector should a critical incident, be that a ransomware attack, unforeseen system glitch or even a weather-related event cause serious issues that could potentially impact the UK economy.

A dedicated CNI data infrastructure team, comprising senior government officials, is to be established that will monitor and hopefully anticipate potential threats as well as giving the National Cyber Security Centre prioritised access to incidents.

“CNI organisations must have a high level of security to combat the cyber threats they face,” said NCSC CEO Felicity Oswald. “The NCSC will continue working hand in hand with operators to bolster their online resilience.”

What CNI protection means

Although the government announcement states that it hopes CNI status will “deter cyber criminals from targeting data centres that may house vital health and financial data,” that fire door has long since closed. Ransomware affiliates are now happy to take on such targets, it seems. You only have to look at how healthcare has become a primary victim of such mercenary cybercriminals looking for, and often getting, a big pay day.

“Data centres are fundamental to our digitising economy and are a key driver of growth,” said Matthew Evans, Director of Markets and Chief Operating Officer at techUK. He added that “continued engagement and partnership will be key in advancing our shared objectives of a secure, resilient, and thriving digital economy”.

“As we witnessed during the recent CrowdStrike outage this summer, IT and cyber-related incidents have the impact to cause significant disruption and endanger lives” said Andy Kays, CEO at Socura, a company that helps protect some of the largest public sector organisations in the UK such as the NHS and local authorities.

However, Kays pointed out that most data centres, and certainly those that are operated by large tech companies, already meet the highest standards of security and operational resilience.

“Extra support from a dedicated CNI data infrastructure team which can help anticipate attacks and support incident response, can only be viewed as a positive,” Kays concluded.

Industry response to CNI protection for data centres

Kays’ view is echoed by others within the industry. “Consumers, businesses and the public sector alike should commend the UK Government’s designation of data centres as Critical National Infrastructure,” said Sylvain Cortes, VP of Strategy at Hackuity.

“Data is the foundation of trillions of annual transactions, to say nothing of the other CNI dependent on these very data centres. Coincidentally, that makes them a prime target for the $10-trillion cybercrime industry.”

Graeme Stewart, Head of Public Sector at Check Point Software also welcomes the move, but his hand clap sounds slightly more forced. “Interestingly, data centres are one of the few constants across the other 13 critical national infrastructure (CNI) sectors, making it logical to elevate their importance.

“Our key questions centre on the standards that will be enforced, particularly regarding the cybersecurity of these data centres, how these regulations will be governed and measured, and who will bear the associated costs.”

Related news by Davey Winder:

Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.

NEXT UP