Confronting Data Centre Cybersecurity ‘Blind Spots’
As corporations rush to roll out AI, it is important for third-party AI data centres to start seriously thinking about their cybersecurity measures.
A money-making target for hackers, these facilities are potentially being exposed to cyberattack risk. Following the June 2024 ransomware attack on an Indonesian national data centre, with malicious actors threatening to extort US$8m as a ransom, cybersecurity experts are urging data centre leaders to exercise extreme caution.
A data centre cyberattack has the potential to be catastrophic, with implications that could hurt the operator, consumers and investors alike.
To gain greater insights, Data Centre Magazine speaks exclusively with Michael Marcotte, co-founder of the National Cybersecurity Center (NCC) about the impact of cyber threats to the data centre sector. As chairman of the organisation’s Rapid Response Center, Michael has been instrumental in shaping national cybersecurity policies in the United States.
He is also a senior advisor for several heads of state and US Senators, in addition to founding cybersecurity and identity company, artius.ID. In this interview, he tells us how third-party data centres are emerging as somewhat of a ‘blind spot’ within corporate cybersecurity and how operators can mitigate growing digital threats.
What would you say is the most pressing cybersecurity threat facing data centre operators today?
Although deepfakes are getting all the headlines, one threat that’s slipped under the radar is how most large corporations are now reliant on third-party data centres.
CEOs often know little about cybersecurity under their own roof – let alone around highly complex digital infrastructure like external AI data centres. However, with enterprises rushing to roll out AI systems, these data centres are now comprehensively integrated into the architecture of these multinationals – and CEOs need to understand them as new vulnerabilities.
It’s an issue of visibility. These data centres and their operations are often pretty opaque from their customers’ point of view, and it’s very difficult for executives at large corporations to peek under the hood of their operations and understand just what security measures are in place and where there are potential exposures.
What was the impact of the Indonesian national data centre breach?
Whilst it didn’t affect a large corporation, the Indonesian national data centre was successfully breached with a new variant of existing malicious software, leading to severe disruption, especially at airport immigration desks. In the end, the Indonesian government was held to ransom for US$8m.
For executives, this attack should have been a shot across the bow. It’s highlighted that data centres are very much now on the front lines of the cyber war, and businesses that rely on their services need to step up their vigilance. In my mind, it won’t be long before we see a high-profile corporation hit in a similar fashion. It’s a question of when, not if.
Data centres have fallen under the spotlight. Why do you think that is?
Data centres are an increasingly central part of most large corporations' operations, making them a deeply lucrative target for malicious actors.
They’re a centralised data repository, often storing vast amounts of data for multiple clients – meaning that one breach can lead to cascading disruptions. The data itself is highly sensitive, including proprietary algorithms, customer information, and client lists.
Hackers will exploit the trust relationship between the two parties, either selling the sensitive data on the dark web for a quick profit or using it for further blackmail attempts. Particularly sophisticated criminals can even use this sensitive corporate data for market manipulation, shorting, and buying stocks before releasing reputationally and financially damaging information.
What’s at stake for corporate leaders?
A whole array of threats and damages. There’s the obvious financial hit from being extorted and blackmailed for sensitive data as the Indonesian government faced. And then there’s also the long-term reputational fallout that can hurt consumer and investor confidence for years afterward. These harms absolutely have the potential to sink a company.
One risk from these breaches that’s often not recognised, though, is the raft of expensive litigation that a corporation faces after a breach. In my mind, this is potentially an even more acute threat than the direct financial damages after a breach. These lawsuits can be prohibitively expensive and soak up executives’ time for years as they become bogged down, fending off legal challenges from all the affected parties, whether it’s consumers, other companies, or investors.
Combined together, these three threats should be enough to keep CEOs awake at night – which is why it’s shocking to have seen such a relative lack of action on this front.
What can data centre executives do to bolster their cyber defences?
Although third-party data centres currently represent a significant vulnerability, there are plenty of steps that executives can take to step up their vigilance and defences here.
The first is to rapidly expand their vendor due diligence with robust vendor risk management frameworks that continuously monitor the data centre throughout the relationship rather than just at onboarding. Equally, comprehensive security audits can serve to increase transparency and highlight potential upstream vulnerabilities before they’re exploited by bad actors.
These are just some of the immediate options available, but there’s also a more systemic issue at play here with regard to general practices around data storage. To truly insulate themselves, corporates must decentralise their data storage, and start pushing users’ data to the edge and away from the cloud.
Moving data away from centralised repositories and towards the edge is vital. If the individuals, be they consumers or clients, are sovereign over their own data, CEOs will find that their firms are far less exposed to these new types of attacks.
******
Make sure you check out the latest edition of Data Centre Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Data Centre Magazine is a BizClik brand