Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The UK Department for Digital, Culture, Media & Sport (DCMS) recently extended the deadline for responses to a policy paper issued on May 26, 2022, calling for views on UK data storage and processing infrastructure, security, and resilience (the Call for Views). The Call for Views invites contributions from data center operators, cloud platform providers, managed service providers, data center customers, security and equipment suppliers, and cybersecurity experts to better understand the risks associated with data storage and processing services.

In particular, DCMS is hoping to engage players who store or process data for multiple organizations, seeking input on what steps they are already taking to address concerns regarding the security and resilience of data center and cloud platform infrastructure. Based on the evidence received as part of the Call for Views, DCMS will decide whether any additional government support or other measures are required to minimize the risks currently facing data storage and processing infrastructure in the United Kingdom.

The Call for Views is set out in a questionnaire format and is broken into three sections.

Part 1: Risks to UK Data Storage and Processing Infrastructure

The Call for Views seeks to identify both existing and future risks to the UK data storage and processing infrastructure. Examples of risks identified by DCMS include sensitive access risks, concentration risks, and state threats. In putting forward its understanding of the key risks affecting the sector, DCMS acknowledges that market players will have a better understanding of the everyday impact of these risks and is seeking feedback on whether it should reprioritize its approach to risk.

Part 2: Security and Resilience of Data Centers

The second part is limited to data centers and business interactions with data center providers on the basis that data center security and resilience is a largely unregulated sector in the United Kingdom (e.g., data center operators are not directly in scope of the Networks and Information Systems Regulations 2018), and so specific questions are required in respect of this area.

The Call for Views asks participants to provide examples of regulations in place in other countries that may inform any future regulations introduced in the United Kingdom. The Call for Views lists several government-led initiatives deployed in other sectors or countries, which DCMS may be considering in respect of management of data center risks:

  • Continuity of service requirements
  • Security and resilience requirements
  • Incident response information-sharing and cooperation requirements
  • Accountability at board or security committee level
  • Security penetration testing by government or third-party competent authorities
  • Increased government information-gathering powers

Part 3: Mapping the Impacts of Risks

To understand what impact the risks identified in Part 1 have on businesses, DCMS specifically seeks feedback from the actors it has identified as most critical: data center operators, cloud platform providers, and managed service providers. The intention is to use the responses provided to model who is impacted by compromised data centers and the extent to which they are impacted.

Overall Strategy

The Call for Views forms part of the UK government’s overall National Data Strategy and National Cyber Strategy, working to ensure a stronger risk management framework to improve protection from cybersecurity disruption, ensure continuity of service of data storage and processing infrastructures, and protect the UK economy.

The UK government’s recent focus on risk in the context of data and cybersecurity stems from two important considerations: (1) data is strategically important, both at a national and a global level; and (2) the United Kingdom is highly reliant on data storage and processing, including for the proper delivery of essential services and the operation of the UK economy. It is anticipated that, in line with the existing strategies, DCMS will continue to focus on data security and resilience over the next few years.

The Call for Views now closes on August 7, 2022, and DCMS will subsequently publish a summary of the evidence gathered.
