The UK government added data centers to its list of protected critical national infrastructure (CNI) on Thursday, the first change to its CNI list since 2015, when it added the space and defense sectors.
“Putting data centers on an equal footing as water, energy and emergency services systems will mean the data centers sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all,” UK Technology Secretary Peter Kyle said in a statement. “CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritized access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur.”
The government is including physical data centers and cloud operators such as Microsoft, AWS, and Google Cloud in the CNI designation.
Earlier this week, Amazon made a major investment in UK data centers.
“In the event of an attack on a data center hosting critical NHS patients’ data, for example, the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations,” Kyle said in the statement.
Confidence boost
The government hopes the new protections will boost the confidence of companies considering investing in data centers in the country.
It said the additional protections resulting from the CNI designation will mean data stored in the UK is less likely to be compromised during outages, cyberattacks, and adverse weather events. But while it might indeed discourage cyberattacks on low-value targets, if a data center has data of interest to state actors or even high-value information for phishing or ransomware attacks, it’s unlikely to make a major difference.
Eric O’Neill, a founding partner of cybersecurity consulting firm The Georgetown Group and a former FBI agent, said the UK designation and its supporting services are unlikely to reduce the number of cyberattacks: “it is not likely to reduce the likelihood of attacks. Designation doesn’t do anything to discourage an attack.”
Indeed, O’Neill argued that it is just as likely to have the opposite impact by all but daring the attackers to attack. Attackers are sometimes “about how awesome they are and are thumbing their nose at the west and making a splash with all of their friends online. They have pride,” O’Neill said.
Brian Levine, a former government attorney who today serves as a managing director at Ernst & Young, said that he thought the UK declaration was a good thing, but “the devil is in the details” because the UK government didn’t specify the particulars of the support they will be delivering.
Overused term
“The term ‘critical infrastructure’ is often overused by governments. The definition of critical infrastructure is usually somewhat vague. In this case, including data centers is not unreasonable and may make sense, but it depends on what the government will actually be doing,” Levine said.
The US, for example, lists a wide range of critical infrastructure sectors but doesn’t specify data centers. But it does specify various sectors — including information technology, healthcare, and financial services — that would absolutely impact almost every major cloud environment.
“It’s hard to imagine a data center that doesn’t have some of those sectors included as part of their customers’ information,” Levine said.
Like many other government security efforts, the designation is likely to help companies that have weaker security in their data centers. “If the data centers already have reasonable security and reasonable redundancy, then it may have little impact,” Levine said. “It may have the biggest impact on the smallest players, but I also wouldn’t assume that all of the larger players are performing at the level that their customers would want.”
Forrester Senior Analyst Alvin Nguyen applauded the UK move but was skeptical that it would change matters materially.
“This is unlikely to make a difference. Cyberattacks from large organizations and/or nation states have significant resources behind them. Being able to bring government resources to bear helps but will not eliminate cyberattacks on critical digital systems in data centers,” Nguyen said. “If this results in improved best practices, this might help the companies leveraging data centers mitigate simple attacks such as phishing, but not against larger, more coordinated attacks on higher value targets in the data center. This might evolve in the future to better coordinated defense of data centers that results in actual reduced cyber risk, but that isn’t clear right now.”
Government influence
Nguyen said that he thinks the UK move is likely to influence other governments to take similar actions.
“This is a nice public action that will drum up attention to the situation and provide visibility into the danger and difficulties of securing data centers,” Nguyen said. “It may not have an immediate impact on reducing cyber risks, but if considered as a first step and followed up with developing new best practices against current and future cyberattacks, I foresee other countries doing the same.”
The UK government’s statement gave the CrowdStrike outages as an example of the kinds of problems CNI status might be able to lessen.
“The CrowdStrike incident earlier this summer, affecting 60% of GP practices with disruption to software holding patients’ appointment details, prescriptions, and health records showed the catastrophic impact of IT and cyber threats on people’s lives,” Kyle said. “Currently, the UK is home to the highest number of data centers in Western Europe.”
Source: Network World