CybersecurityInfrastructure

US Weighs Critical Infrastructure Status for Data Centers

Analyst 207||Source: CyberScoop
Large data center interior with rows of computer servers and technicians in the background under bright daylight.

“Finding a way to regard them as part of our critical infrastructure and protect them accordingly is sine qua non, absolutely necessary,” said Samuel Visner, chair of the board of directors of the Space Information Sharing and Analysis Center.

House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection

Lawmakers and industry witnesses met Wednesday at a hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection to consider whether the federal government has the right posture for defending data centers. The panel explored whether data centers should receive a standalone designation as a critical infrastructure sector, and whether existing federal roles clearly assign responsibility for understanding risk, coordinating with industry, or leading response when those facilities are targeted.

Recent attacks and the growth driving scrutiny

Panelists framed the debate against two connected developments reported at the hearing: a surge in building of data centers across the United States tied to artificial intelligence, and recent kinetic attacks against facilities. The hearing record notes that “last month, Iranian drones targeted two Amazon data centers in response to the U.S.-Israel bombing campaign on Iran,” and that a third data center in Bahrain “was struck as well.”

Market concentration: Amazon Web Services, Microsoft Azure and Google Cloud Platform

Witnesses emphasized the implications of market concentration. The hearing cited that three providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — account for 63 percent of the market share of data centers. That concentration, lawmakers and witnesses argued, magnifies the systemic consequences when a major data center is disrupted.

“If a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector,” Rep. Andy Ogles, R-Tenn., said in prepared opening remarks, a line the panel used to frame the need for clearer federal strategy.

Competing policy proposals from industry and experts

Witnesses at the hearing offered differing structural remedies. Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, suggested data centers would benefit from “work[ing] together as a unique coordinating council,” framing the need for a sector-specific coordinating body. The Foundation for Defense of Democracies’ Mark Montgomery proposed an alternative: a combined sector that includes both data centers and cloud providers, reflecting overlapping ownership and service delivery.

Panel testimony also noted international precedent: the United Kingdom has already designated data centers as a standalone critical infrastructure sector. Several witnesses said they were disappointed that a 2024 rewrite of a White House national security memo did not designate cloud computing as a critical infrastructure sector.

Not all witnesses urged a standalone designation. Scott Algeier, executive director of Information Technology Information Sharing and Analysis Center, said his organization had created a “special interest group” for data center providers and that “the data centers are integrated already into the critical infrastructure discussions.” One witness on the panel declined to weigh in on the need for a separate designation.

What this means for policymakers, data center operators, and military and economic dependencies

  • Policymakers and regulators: Lawmakers face a binary policy choice pressed at the hearing — create a standalone critical infrastructure sector for data centers, or adopt a combined sector covering data centers and cloud providers. The record leaves open which federal agency would be responsible for leading coordination and response; Rep. Andy Ogles said the current framework “does not clearly answer” that question.
  • Data center operators and cloud providers: With three firms holding 63 percent of market share, operators face increased scrutiny over resilience and coordinated information-sharing. Industry groups are already forming specialized forums: USTelecom urged a dedicated coordinating council, and IT-ISAC has launched a special interest group for data center providers.
  • Military and economic dependencies: Witnesses tied the question of designation to broader national dependencies. Samuel Visner framed protection of data centers as essential to the U.S. economy, the military and “other dependencies,” signaling that decisions on sector treatment will be evaluated against those cross-cutting stakes.

The hearing left a clear contrast in approaches: tighten coordination inside existing critical infrastructure frameworks, or create a distinct sector (or a combined sector with cloud computing) with its own lines of federal responsibility. The line from Rep. Ogles — that the current framework “does not provide a clear, unified approach to data center security” — underscores the practical dilemma lawmakers face as AI-driven demand and recent attacks put data centers squarely in view. How Congress and agencies resolve who leads, and whether they adopt the U.K.’s standalone model or a combined sector, will determine the next phase of policy and industry coordination.

https://cyberscoop.com/congress-industry-ponder-government-posture-for-protecting-data-centers/

Critical InfrastructureEmerging ThreatsHomeland SecurityUs GovernmentInfrastructure ProtectionData Centers
Related Intelligence

Continue Reading

Close-up of a smartphone's circuit board with blurred background, components out of focus.

BootROM Exploit Targets Millions of iPhones

Millions of iPhones are vulnerable to a newly discovered BootROM exploit, known as "usbliter8", that can't be fixed with software updates because it's embedded in the device's hardware. This means iPhones with A12 and A13 processors will be at risk for the rest of their lifespan.

Analyst 207
Blurred laptop screen on office table surrounded by coworkers.

AI Agents Emerge as Unchecked Identities in Enterprise Security

The equation for enterprise security is no longer simple: with AI agents now connected to critical business services, controlling identities is no longer enough to control risk. These emerging insiders have quietly become privileged - and potentially invisible - attack paths that security and identity programs must urgently address.

Analyst 207
Security analysts work at computer workstations and a large wall screen in a brightly-lit operations center.

AI Shifts Threat Management from Reactive to Proactive Stance

With a sprawling security stack of 40+ tools, enterprise teams are drowning in overlapping alerts and manual handoffs, leaving gaping holes for adversaries to exploit. This disjointed approach leaves teams scrambling to respond to threats, with attackers enjoying a lengthy 43-day window to wreak havoc.

Analyst 207
Windows desktop with Recycle Bin open, showing a file and a confirmation dialog with a partially obscured filename.

Microsoft Updates Trigger Recycle Bin Filename Glitch

Microsoft just revealed a frustrating glitch in the Recycle Bin that displays a confusing filename when you permanently delete an item, showing a cryptic code instead of the file's original name. Luckily, the issue only affects the deletion confirmation dialog and doesn't change the file's name in the Recycle Bin or when it's restored.

Analyst 207