Prompted by the effects of the global IT outage caused by CrowdStrike, the UK has moved to protect UK data-centres by classing them as ‘Critical National Infrastructure’ (CNI).
CrowdStrike
Back in July, a global IT outage caused by a faulty update (impacting Windows systems) from the cybersecurity firm CrowdStrike significantly affected multiple sectors in the UK, including data-centres, the NHS, and the financial industry. It led to widespread disruptions and, although it was not a cyberattack, it does appear to be a motivating factor for the UK government’s announcement of a change classification of UK data-centres.
Not Just Protection Against Cyber Criminals
Although the CrowdStrike effects may have been a major catalyst for the new classification of data centres, their classification as CNI should also help create provision to give them more protection from major environmental disasters and other IT blackouts. This new classification is part of a wider movement to give them the special protection they merit. As highlighted in the government’s announcement, much of the data housed and processed in UK data-centres, such as photos taken on smartphones to patients’ NHS records and sensitive financial investment information, could be considered as “powering the economy”.
How Does The New Classification Compare?
The idea to now classify UK data-centres as ‘Critical National Infrastructure (CNI)’ will mean that in terms of added protection, they have been put on an equal footing to water, energy and emergency services systems. This means that they can, as the government says: “now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all.”
Also, as Technology Secretary Peter Kyle says: “Bringing data-centres into the Critical National Infrastructure regime will allow better coordination and cooperation with the government against cyber criminals and unexpected events.”
More specifically, the government says this “support” will mean:
– The setting up of a dedicated CNI data infrastructure team of senior government officials who will “monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur”.
– The government intervening in the event of (for example) an attack on a data-centre hosting critical NHS patients’ data. In this event, with the new classification of data-centres, the government says it will “ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations.”
– The UK is already home to the highest number of data-centres in Western Europe. Giving CNI status to data-centres in the UK could increase business confidence in investing in data-centres in the UK, an industry which already generates an estimated £4.6 billion in revenues a year.
Deterrent?
It appears that the government believes that the status will also deter cyber criminals from targeting data-centres that may house vital health and financial data, minimising disruption to people’s lives, the NHS, and the economy. Presumably, this deterrent effect would come from increased penalties, greater cybersecurity investment, and enhanced monitoring / better threat detection efforts.
Just In Time
With the UK government recently welcoming a proposed £3.75 billion investment in Europe’s largest data centre (for DC01UK in Hertfordshire) and with it expected to create over 700+ local jobs and support 13,740 data and tech jobs across the country, the new CNI status for data-centres appears to have been given just in time.
The Cyber Security and Resilience Bill Too
As an additional measure, earlier this summer (during the King’s Speech), the government’s Department for Science, Innovation and Technology (DSIT) also announced it will be introducing the Cyber Security and Resilience Bill. It’s thought this will strengthen the country’s cyber defences by enhancing incident reporting requirements, helping safeguard vital sectors such as healthcare and finance, ensuring stronger protections against cyber threats like ransomware, and “mandating that providers of essential infrastructure protect their supply chains from attacks”.
Support
Support for the re-classifying of data-centres as CNI has come from several key data-centre industry players. For example, Bruce Owen, UK Managing Director of digital infrastructure provider Equinix, said: “We welcome today’s announcement by the government which recognises the critical nature of data centres and digital infrastructure to the economy and society.”
What Does This Mean For Your Business?
The reclassification of UK data-centres as Critical National Infrastructure (CNI) is a strategic response to immediate threats (like the CrowdStrike outage) and a forward-looking move to secure the country’s digital infrastructure. By placing data-centres on par with essential services like energy and emergency systems, the government appears to be trying to recognise their pivotal role in supporting the digital economy and vital public services such as the NHS.
As CNI, data-centres now gain access to increased government resources, including the support of the National Cyber Security Centre (NCSC), and a dedicated CNI data infrastructure team to monitor and anticipate threats. This could ensure quicker responses to vulnerabilities and a stronger defence against cyberattacks, particularly for centres hosting critical data, such as health and financial information. The new classification also aims to protect against broader risks, such as natural disasters or IT blackouts, which could severely impact businesses and public services alike, thereby trying to provide protection that takes account of any serious eventuality.
The government’s commitment to boosting this sector is clear, as evidenced by the approval of a £3.75 billion investment in Europe’s largest data-centre project in Hertfordshire. The new status, could, therefore encourage further investments, reinforcing business confidence and supporting sustainable growth in the tech industry. The Cyber Security and Resilience Bill, expected to be introduced soon, may also further strengthen these protections e.g., by enforcing stricter incident reporting and ensuring supply chain security for essential services.
Support from industry leaders reflects the importance of securing the country’s digital infrastructure, as more businesses rely on data-centres to manage sensitive information. This reclassification is not just a reactive measure, but many would argue it is a necessary step in ensuring the continuity of services that millions rely on daily.
By classifying data-centres as CNI, the UK is laying the groundwork for a more secure and resilient digital future. With increased investment, enhanced government support, and forthcoming legislative measures, this decision may help position the UK as a leader in digital infrastructure protection, helping to safeguard its economy, public services, and reputation as a global hub for technological innovation.