A modern hyperscale facility may not possess the exquisite beauty of Shakespeare’s Juliet, but we have long known that data centers are critical national infrastructure in all but name.
So formal recognition of the strategic importance of our sector, however belatedly, should not be much of a surprise. The real mystery is how this fact escaped UK government for so long. For a country as digitally-dependent as the UK, it is extraordinary that data centers were not designated CNI years ago. That said, the current list of CNI sectors does have a slightly nineteenth-century whiff.
Although the announcement may seem sudden to some, this new designation is not a reactionary policy shot from the hip, nor is it attributable to quick thinking by the new Government, although it does align perfectly with Labour’s manifesto commitments and subsequent policy positions supporting data centers.
Rather, it is the result of four years of careful consideration by a dedicated team, which started in DCMS (Department for Digital, Culture, Media and Sport) and latterly moved to DSIT (Department for Science, Innovation and Technology). The creation of a whole new government Department is itself an encouraging indication that digital technology is starting to get the attention it deserves.
Why so long before the penny dropped? In my view, there are several reasons. Firstly, this infrastructure has been privately funded and therefore has not generated the attention of government in terms of public spending demands.
Secondly, the primary function of data infrastructure is to ensure business continuity and to date, the type of catastrophic failure seen in other sectors has been absent: 350,000 people without fresh water or electricity for two weeks stimulates some difficult conversations with government and a lot of public attention. The fact that data centers have managed their own risks adequately has perhaps encouraged people (policymakers included!) to take Internet resilience for granted.
Thirdly, the sector has tended to maintain a low profile. This is a necessary attribute: if you are providing the disaster recovery function for the stock exchange you don’t trumpet your location or operating procedures. Located in obscure corners of trading estates and industrial parks, data centers have largely gone unnoticed until recently.
The catalyst was Covid-19. Back in early 2020, with lockdown looking likely, I, as an erstwhile sector representative, approached DCMS asking for verification that staff in data centers would qualify for key worker status. The response was a request for more information about the sector – which in reality meant “er, no.” A period of frenzied back-and-forth followed, during which I explained in no uncertain terms why key worker status was essential if our supermarkets were to remain stocked, our hospitals and transport and government to function.
The response was impressive: within a week a dedicated team had been established at DCMS and data centers were indeed added to the key workers list. Rumor has it that we had the privilege of being the only sector to be inserted in biro on the final submission to Number Ten.
Since then, this data infrastructure team has worked hard to understand the market and operational characteristics of data centers and has established itself as the sector’s central node within Whitehall.
Although in reality, we interact with multiple government entities, it is this team that joins the dots for us, educates other departments, and advocates internally on our behalf. It provides data centers, albeit belatedly, with the designated “home” within government that all sectors should have.
But, as night follows day, recognition that data centers are indispensable goes hand in hand with greater scrutiny. No self-respecting government can, once alerted to the existence of a critical activity that wasn’t on their radar, sit back and do nothing.
At the very least they need to kick the tires to ensure that resilience to date is not attributable to luck or a series of miraculous near misses. Ideally, they also need to demonstrate that they have put protective measures in place, both preventative and responsive, to ensure that the sector remains both secure and resilient.
So it will come as no surprise that today’s announcement will be accompanied by greater scrutiny: new regulatory measures to be introduced under the Cyber Security and Resilience Bill will be required bedtime reading for operators and consultants.
These are likely to follow the direction of travel set out in DSIT’s recent consultation on Data Centre Security and Resilience: colocation providers will be required to meet minimum security standards to protect their value chains.
Operators may find some of the provisions burdensome and may also be anxious that a team with relatively short experience of a highly complex sector is designing policy for it. Our experience is that our civil service colleagues are quick learners, but without further examination it is hard to say more – watch this space!
On a broader level, however, it is probably safe to opine that operators are likely to be more sanguine about the implications in 2024 than they would have been in 2018. The squeeze on supply chains and restrictions on movement during Covid were instructive, as is the difficulty we currently experience getting large data infrastructure development projects off the ground here.
This is despite huge pent-up demand for capacity and government ambitions to position the UK as a center of excellence for digital services and AI. Something has to give – either we relinquish our ambition to be a destination of choice for inward investment and technology innovation, or someone has to acknowledge that data centers are of strategic importance to the UK and are a necessary part of our critical national infrastructure.
Fortunately, as a country, it looks as though we have made the right choice.