It said the additional protections resulting from the CNI designation will mean data stored in the UK is less likely to be compromised during outages, cyberattacks, and adverse weather events. But while it might indeed discourage cyberattacks on low-value targets, if a data center has data of interest to state actors or even high-value information for phishing or ransomware attacks, it’s unlikely to make a major difference.
Eric O’Neill, a founding partner of cybersecurity consulting firm The Georgetown Group and a former FBI agent, said the UK designation and its supporting services are unlikely to reduce the number of cyberattacks. “It is not likely to reduce the likelihood of attacks. Designation doesn’t do anything to discourage an attack,” he said.
Indeed, O’Neill argued that it is just as likely to have the opposite impact by all but daring the attackers to attack. Attackers are sometimes “about how awesome they are and are thumbing their nose at the west and making a splash with all of their friends online. They have pride,” O’Neill said.
Brian Levine, a former government attorney who today serves as a managing director at Ernst & Young, said that he thought the UK declaration was a good thing, but “the devil is in the details” because the UK government didn’t specify the particulars of the support they will be delivering.
Overused term
“The term ‘critical infrastructure’ is often overused by governments. The definition of critical infrastructure is usually somewhat vague. In this case, including data centers is not unreasonable and may make sense, but it depends on what the government will actually be doing,” Levine said.
The US, for example, lists a wide range of critical infrastructure sectors but doesn’t specify data centers. But it does specify various sectors — including information technology, healthcare, and financial services — that would absolutely impact almost every major cloud environment.