‘A core part of national infrastructure’ – ministers consider regulating to make the cloud safer
Consultation launched seeking feedback on risks and mitigations for systems that now underpin a wide range of ‘essential services’
The government is considering introducing new regulatory measures for cloud and datacentre environments which now constitute a “core part of our national infrastructure”, according to ministers.
A consultation has been launched seeking guidance on the main risks faced by IT hosting facilities and how these can best be mitigated. One of the main aims of the exercise is to explore whether regulatory interventions in other industries could and should be introduced for a datacentre sector the government believes is “relatively unregulated for security and resilience”.
The feedback process will be led by the Department for Digital, Culture, Media and Sport, which said that the exercise is being undertaken as the “UK’s essential services and wider economy are becoming ever more reliant on large-scale data storage”.
The consultation first seeks to better understand the major risks posed to the computing infrastructure that supports the storage and processing of data. Expert views are sought on a variety of potential dangers, ranging from cyber breaches to extreme weather.
The second part of the consultation examines current measures in place to mitigate these risks and their impacts – as well as additional safeguards that could be introduced by replicating regulation applied in other countries or industries.
Suggestions proposed include legal requirements for infrastructure operators to ensure security, resilience and continuity of service, as well as mandatory security penetration testing conducted by a government-appointed agency. DCMS has also mooted the possibility of obligating datacentre providers to notify a regulatory body about any incidents that impact service delivery.
The appointment of a named, board-level individual who is “fully accountable for security and resilience” is another measure under consideration, as is the empowerment of authorities to demand more information from any firms subject to investigation by regulators.
The third and final part of the consultation is dedicated to the impact of datacentre failure or compromise – including potential disruption to public services, as well as communications and the financial sector.
Julia Lopez, minister for media, data, and digital infrastructure, said: “Datacentres and cloud platforms are a core part of our national infrastructure. They power the technology which makes our everyday lives easier and delivers essential services like banking and energy. We legislated to better protect our telecoms networks and the internet-connected devices in our homes from cyberattacks and we are now looking at new ways to boost the security of our data infrastructure to prevent sensitive data ending up in the wrong hands.”
Submissions are open until 24 July. The government is hoping to receive contributions from datacentre and cloud providers and their customers, and security industry companies or individual cyber experts.