Data Centres : Critical National Infrastructure ?
As COVID-19 infection spread, governments, businesses and individuals increasingly turned to online alternatives for communicating messages, delivering services and interacting. We have seen unprecedented levels of traffic through internet exchanges and the demand for remote conferencing and collaboration platforms has exploded: uptake of Zoom, for instance, increased over 20-fold within a few weeks. Similarly, online shopping and delivery services have been at – or well beyond - capacity.
At the same time the virus has ruthlessly exposed weaknesses in organisations, in business models, in processes and in policy. Retailers without an online offering struggled to trade, supply chains were compromised, inadequacies in governance structures and emergency planning were laid bare.
Dependency on Data Centres
Suddenly, our dependence on data infrastructure became apparent to policy makers who had not given much thought to how our digital services are delivered in practice. There was rapid acknowledgement that digital communications, the internet, and all the economic activity that they underpin, depend on data centres. Data centre staff were quickly designated key workers and a specialist team was established almost overnight within DCMS (Department for Digital, Culture, Media and Sport). For the first time, the UK’s data centre sector had a dedicated home within government.
So, a new conversation started, but what was it about? The first priority was to ensure business continuity was not compromised by restrictions on movement and to accommodate data centres in the policy decisions being made at unprecedented speed, across government. So far so good, and government is learning fast.
The task of the new team in DCMS is to help protect the sector’s future competitiveness and resilience. Most emphasis will be on the latter. Now that the importance of data centres has been recognised, the sector will inevitably be under greater scrutiny. Government is acutely aware that unlike most sectors deemed critical, data centres are unregulated (which does not mean they are free of regulation, quite the contrary, but that they do not operate under a regulatory body like Ofcom or Ofgem). Moreover, very few of our data centre facilities are formally deemed Critical National Infrastructure (CNI).
There has been commentary by industry stakeholders and in some parts of the media about the possibility that, as a result of COVID-19, all UK data centres will be designated Critical National Infrastructure. Some people have erroneously claimed that it has already happened. It has not, but are they just one step ahead of the inevitable or are they jumping a gun that may never be fired?
Trade body TechUK has been closely engaged in the dialogue between operators and government and also worked with other European associations to compare the CNI status of data centres internationally. Emma Fryer, who represents the UK sector in these discussions, commented that the UK is largely in line with practices elsewhere, but that CNI status is not a binary decision, and certainly not a simple process.
“CNI designation in the UK is bespoke, based on function. It is led by Cabinet Office who trace the potential for single points of failure to impact activities of national importance and then instigate one-to-one dialogues with individual organisations to identify how best to mitigate the risk. So it is very unlikely that a whole sector would be deemed CNI. It looks more likely that those conversations will continue and, informed by the lessons of COVID-19, that perhaps the small minority of sites so designated may increase slightly”.
That is not to say that larger scale changes cannot happen – in Germany for instance, data centres over 5MW are designated CNI and in some countries, particularly in Scandinavia, data centres have the equivalent of CNI status by default. However, there are usually country-specific reasons behind these decisions. There have also been some useful learning outcomes, not just the impact of associated regulatory burdens on operators, but how CNI designation has worked in practice – for instance over the last three months.
Inevitably, CNI designation for the sector will continue to be a discussion point, with the pros and cons argued as though this is a decision that we must consider. But this is misleading for two reasons: firstly, it is not something we opt in or out of: operators deemed CNI will not have a choice in the matter. Secondly, a binary view is misleading; the debate should not be around CNI status because CNI status is not an objective in itself: it is only one way to help us achieve part of a broader objective. Our top priority is to ensure that the UK continues to have world class digital infrastructure, and to achieve this, the UK’s data centre sector must continue to be both resilient and competitive.
This imperative should be guiding the dialogue between the sector and Whitehall. How can government best support our operational resilience as individual operators? Should policy makers be putting measures in places like green routing to protect critical aspects of our supply chain? Are current structures adequate? In the light of COVID-19, are additional policy measures now needed? How important is it for us to have a world class data infrastructure here in the UK? What critical national functions depend on data centres? Is the sector being accommodated in relevant policy decisions? Is government doing enough to ensure the future competitiveness of UK operators and the sector at large?
So, to be or not to be CNI is not really the question, it is part of one of the questions, and getting to the answers will be a prolonged process.