Channel experts and UK technology secretary on the designation of datacentres as CNI

UK datacentres are now classed as CNI, putting them on an equal footing with water, energy and emergency services systems

Image (from left to right): Guy Golan, Scott Rogers, Peter Kyle, Chris Jones

On 12 September, datacentres in the UK were officially designated as critical national infrastructure (CNI).

This new classification means that they should get extra government help during major incidents such as cyberattacks, IT outages and sabotage, among others.

Nine years after the space and defense sectors were designated as CNI, datacentres are the 14th addition to the list, joining other invaluable sectors and services like water, health, and energy.

CRN approached Peter Kyle MP, technology secretary, who has been instrumental to the decision, to get his take on what makes this a key milestone for the UK tech sector.

Kyle shared that the new designation reflects the importance of datacentres, as they “power our everyday lives.”

“Whenever we make a card transaction, a Google search or schedule an appointment at the doctor’s, we come into contact with a datacentre,” he added.

He insisted that the classification of the datacentre sector as CNI will allow “better coordination between the government and industry to safeguard against cyber criminals and unexpected incidents.”

For Kyle, the move is intended to make the “nation’s data safer”, ensuring that there are stronger links to monitor, identify and respond to potential threats, to protect the data people use every day.

This announcement came one day after chancellor Rachel Reeves announced an £8bn investment from AWS into the UK.

In July 2024, Kyle became the third incumbent of this new role, created in February 2023.

The new technology secretary is confident that this change will “encourage investment in the UK as a stable market to set up business, helping the country’s economy to thrive and create wealth for all.”

To find out more about this announcement and how it will impact the British IT channel, CRN sat down with Performanta, Trustmarque, and TD SYNNEX.

CRN: How is the new designation likely to impact the work of UK partner firms, specifically MSSPs, if at all?

Guy Golan, co-founder, executive chairman & CEO of Performanta: The vetting process might be more stringent initially.

I also presume there will be further regulation that will uplift the standard.

I find this to be a very welcome call. Once that is done, the operations will become seamless.

Chris Jones, head of public sector at Trustmarque: It will represent both an opportunity and a challenge - the change will drive both higher standards and require more coordination across CNI operators, and the new NCSC data infrastructure team.

But for those who get on the front foot and use this as an opportunity to offer a sustainable and robust datacentre offering, they will see growth to their bottom line.

Our customer base is predominantly the public sector, and this will give our central and local government clients further confidence in seeking our support in datacentre upgrades.

Scott Rogers, senior business unit director, security, UK at TD SYNNEX: Datacentres being considered as CNI is a reflection of their growing importance to businesses and to the economy as a whole.

From a partner or MSSP perspective, protection of core servers and infrastructure is absolutely critical.

This announcement underlines the importance of providing effective and robust security for all datacentres.

In this respect, it will heighten awareness of the need to fully secure and protect datacentres.

CRN: Will a national cybersecurity centre be in competition with cybersecurity companies, or will the government seek out further collaboration with private companies? Why?

Guy Golan: Competition - I don't think so.

Collaboration? Definitely.

They've already been collaborating with the private sector, and I envisage that collaboration to grow even more.

Chris Jones: There's untapped potential.

We see it as an exciting opportunity to drive higher standards with collaboration, with the extra layer of assurance from the NCSC data infrastructure team.

The endgame is better monitoring of threat groups and slicker flows of information from local SOCs through targeted threat intelligence, resulting in better bolstering of a provider's own IR capabilities.

Scott Rogers: Specialist security partners and MSSPs are keenly focused on offering comprehensive and up-to-date protection to their customers and increasingly, they are supported by an ecosystem of trusted specialist and aggregator partners who provide additional skills and capabilities.

As the cybersecurity market matures, we’d expect to see further expansion of this ecosystem, and even more collaboration between channel partners and, potentially, government agencies as well.

CRN: This decision follows the £3.75bn investment in Hertsmere's datacentre. Will this combination help the UK data industry compete with other big players such as Germany and the US?

Guy Golan: Hmm... I’m not sure about that.

I believe we already are competitive enough.

It’s not about being safer, it is about having more capability in the UK.

That will definitely be consumed just as any other major datacentre in a regulated market would be.

Chris Jones: Absolutely, we see this as significantly boosting business confidence in the UK and all eyes will be on the country as we ramp up to fulfil this ‘trusted market’ status.

A decade since the last CNI designation was granted, last week's news sends a strong signal about the strategic importance the UK places on infrastructure.

The news will increase the attractiveness of the United Kingdom as a destination for global datacentres but also provides reassurance to Trustmarque's investors and customers that datacentres will be well-protected against both physical and cyber threats.

Scott Rogers: Any new investment will certainly draw further attention to the UK as a potential location for datacentres and create additional opportunities – wherever a datacentre is located, it will need to be protected.

CRN: How will the designation of UK datacentres as CNI impact the role and responsibilities of MSSPs in safeguarding these critical assets, especially in terms of regulatory compliance and coordination with government agencies?

Guy Golan: This is a tricky one.

If the datacentres are classed as CNIs it means the infrastructure and setting should be at a high standard.

However, the hosted companies can install and configure their tools in their own way which can pose a risk to them.

It will be up to the regulator to define the Chinese walls (pardon the pun) to ensure companies are accountable for their own while the datacentres remain protected.

As food for thought: I would have assumed that Azure, AWS and GCP are already considered CNI. If not, I'd start there.

Chris Jones: We see this as a combined step-change - MSSPs working with large datacentres will also have to abide by the new regulations and higher standards.

Those providing critical services like cybersecurity under the new designation also have to work hard to achieve those higher standards.

Scott Rogers: All providers of security services to datacentres – whether they are co-location or dedicated – need to be fully aware of the compliance and regulatory requirements that apply to those specific locations.

MSSPs providing protection for datacentres that are seen as critical assets at a national level will already be meeting all the necessary compliance and regulatory controls.

CRN: What specific steps should MSSPs take to enhance their cyber resilience strategies, now that datacentres are on an equal footing with water, energy, and emergency services, to prevent or mitigate the risks of cyberattacks or outages?

Guy Golan: Regardless, it is about going back to basics and getting those done right, drinking their own champagne, ensuring their level of resilience is strong and satisfactory.

Elements such as identity, data protection, active directory, MDR, early detection and risk management are pivotal.

Chris Jones: Due to the nature of the beast, datacentre providers and MSSPs typically have a high bar of security and compliance.

But with recent DDoS attacks, and more cybercriminals seeking to manipulate AI, the bar doesn't stay still.

Our advice would be to quickly understand the impact and start to build plans that address the change.

Achieving new standards always takes time and effort, but these are pivotal to maintaining civilian services and life across the UK.

Scott Rogers: MSSPs will already have extremely robust strategies and strong resilience to all forms of cyberattacks.

The designation of key datacentres as CNI underlines how important these resources are to every organisation and individual.

We have always encouraged security services providers to re-evaluate their own posture and approach on a regular basis, to ensure that they have the appropriately strong measures in place to fully safeguard their own operations, those of their clients, and the facilities they protect.

CRN: With the government's prioritised access to the National Cyber Security Centre (NCSC) and emergency services for datacentres, how can MSSPs align their incident response protocols to ensure smooth cooperation during critical incidents affecting their clients?

Guy Golan: These are early days, but I would suggest for every MSSP to read the NCSC's IR documentation and processes.

They are good and provide incredible insights.

One thing to bear in mind: most MSSPs do not provide IR capabilities.

As such, I'd advise them to partner with renowned IR providers in the market.

Scott Rogers: All MSSPs will have detailed incident response plans and processes in place, and these should be re-examined and reassessed on a frequent basis to ensure that they are fully up-to-date, compliant and meeting customer needs.

Where relevant, any potential for engagement and cooperation with the NCSC should be part of that incident response plan.

CRN: Given the upcoming Cyber Security and Resilience Bill and its mandate to protect supply chains, how should MSSPs evaluate and strengthen the security of third-party vendors and partners connected to their clients' datacentre operations?

Guy Golan: Start with third party risk management assessment. Understanding the suppliers.

Audit their security levels and more importantly understand what cannot be trusted and what can be trusted but verified.

One thing is certain: anything that is blindly trusted must stop.

Chris Jones: Start with visibility and mapping; we'd expect confidence and transparency in supply chain dependencies.

Then good risk management across that supply chain, flowing into technical, business continuity planning and contractual commitments from your suppliers.

Scott Rogers: MSSPs and indeed all partners providing security services are – to some degree – dependent on an ecosystem of suppliers, aggregators and specialist partners who provide additional skills, capabilities and services.

Like their policies, processes and security posture, these relationships need to be re-evaluated on an almost constant basis.

The threat landscape, regulatory frameworks, and the needs of customers are all constantly changing.

At the same time, new solutions, services and methodologies are also being brought forward.

Partners need to work with trusted advisors who can help them understand and contextualise developments in their market and adapt their own services and value proposition to meet changing customer requirements.