Data Center Security Concerns
The growth of data centers and the increasing threat of cyber and physical attacks have left lawmakers contemplating whether the federal government has the right setup to defend them. At a hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, industry witnesses and experts testified that giving data centers their own standalone designation as a critical infrastructure sector might be the answer.
Rep. Andy Ogles, R-Tenn., emphasized the importance of securing data centers, stating that if a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector. However, he noted that the current framework does not provide a clear, unified approach to data center security, leaving questions about which federal agency is responsible for understanding the risk, coordinating with industry, or leading the response when this infrastructure is targeted.
Industry Perspective
Three providers - Amazon Web Services, Microsoft Azure, and Google Cloud Platform - account for 63 percent of the market share of data centers. The United Kingdom has already deemed data centers as a standalone critical infrastructure sector, and some experts believe that the US should follow suit. Reps. Vince Fong, R-Calif., and LaMonica McIver, D-N.J., asked panel witnesses about federal protection of data centers, with Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, suggesting that having a unique coordinating council for data centers would be beneficial.
Mark Montgomery of the Foundation for Defense of Democracies suggested that a sector combining data centers and cloud providers would be more effective, given the overlap in ownership. Samuel Visner, chair of the board of directors of the Space Information Sharing and Analysis Center, agreed that regarding data centers as part of our critical infrastructure and protecting them accordingly is absolutely necessary, given their role in the US economy, military, and other dependencies.
Recent Incidents
Last month, Iranian drones targeted two Amazon data centers in response to the US-Israel bombing campaign on Iran, and a third data center in Bahrain was struck as well. These incidents highlight the need for a clear and unified approach to data center security. As the use of artificial intelligence continues to fuel a boom in the building of data centers across the US, the importance of securing these facilities will only continue to grow.
Way Forward
The 2024 rewrite of a White House national security memo left some experts disappointed that it didn’t designate cloud computing as a critical infrastructure sector. However, Scott Algeier, executive director of Information Technology Information Sharing and Analysis Center, noted that his organization had created a special interest group for data center providers, and that data centers are already integrated into critical infrastructure discussions.
As the US continues to rely on data centers for its economic, military, and other dependencies, it is essential that the federal government develops a clear and unified approach to securing these facilities. By designating data centers as a critical infrastructure sector, the US can ensure that these facilities are protected from cyber and physical attacks, and that the consequences of an attack are minimized.
Source: CyberScoop