On October 20, 2025, a single AWS substation failed in Northern Virginia. The result? A widespread outage that shut down Zoom classrooms, banking portals, and critical enterprise platforms across multiple continents¹. The fragility exposed by that one-point failure highlights a deeper problem: data centers are the beating heart of our economy, but they are not treated like it.
Despite their essential role in storing and delivering digital services across sectors, data centers are not explicitly designated by the Department of Homeland Security (DHS) as critical infrastructure. Instead, they are broadly grouped under the Information Technology (IT) and Communications sectors². The Department of Homeland Security’s failure to explicitly classify data centers as critical infrastructure is a blind spot with enormous national-security and economic consequences.
The Department of Homeland Security Doesn’t Call Out Data Centers
DHS recognizes 16 critical infrastructure sectors under Presidential Policy Directive 21. While the IT sector encompasses “physical and virtual systems and networks,” data centers themselves are not called out by name³. In contrast, the United Kingdom formally recognized data centers as Critical National Infrastructure in 2024, a move that spurred dedicated coordination and standards⁴.
Analysts argue that the U.S. lacks this focus. The 2025 National Defense Authorization Act, for example, addressed cyber readiness, AI, and cloud services, but failed to mention data centers at all⁵. This lack of explicit designation may cause dangerous blind spots in federal oversight and crisis response⁶.
Data Centers Lack Physical Security
Beyond policy, many data centers suffer from alarmingly weak physical defenses. While some hyperscale facilities employ military-grade protections, many others, especially colocation or commercial data centers, rely on little more than gates and guard shacks⁷.
Common vulnerabilities include:
-
Minimal perimeter fencing and unsupervised entry points⁷
-
Understaffed or untrained 24/7 security personnel⁸
-
Outdated access control technologies (e.g., PIN pads and swipe cards)¹⁰
-
Lack of hardening against explosives, EMPs, or natural disasters⁵
Security consultants have warned that physical breaches are “much easier than most people think”, especially using social engineering tactics or insider credentials⁷. As the threat of coordinated attacks increases, these gaps pose a significant national risk.
Past Failures with Cascading Impacts
Several real-world events underscore the danger of undersecured facilities:
-
In 2021, a fire at OVHcloud’s Strasbourg data center destroyed servers hosting 3.6 million websites, including critical government services¹².
-
In 2025, Ukrainian hackers wiped Russian energy databases in a large-scale attack tied to Gazprom, crippling operations across multiple sectors¹³.
-
In 2017, North Korean hackers stole classified U.S.–South Korean war plans after breaching Seoul’s military data center¹⁴.
-
In the U.S., AWS’s Northern Virginia region has experienced repeated outages (2012, 2021, 2023, 2025), each disrupting millions of users globally¹⁵.
These incidents weren’t isolated; they were systemic failures with ripple effects. As dependency on cloud infrastructure deepens, the consequences of such outages escalate exponentially.
The Department of Homeland Security has a Security Paradox
Despite being mission-critical, data centers are subject to fragmented oversight. While DHS and CISA encourage collaboration through Sector Coordinating Councils, there are no federal mandates for physical security standards in privately owned data centers³.
Compare this to the energy or transportation sectors, which have federal regulators and minimum compliance thresholds. Without similar enforcement, many data centers lack resilience standards for backup power, fire suppression, or redundant cooling even though downtime in such facilities could freeze entire economic sectors⁵.
Even more concerning is the power dependency. A single substation outage, like the one that triggered the AWS event, demonstrated how one local failure can cascade globally¹. If an attacker disabled or exploited power infrastructure supporting a major data center, it could destabilize both digital and physical infrastructure simultaneously.
The Argument for National Recognition
A growing number of experts, think tanks, and federal advisors are calling for action. Proposals include:
-
Creating a specific “Critical Digital Infrastructure” designation for data centers⁵
-
Establishing resilience benchmarks for backup power, multi-region redundancy, and access control⁶
-
Requiring hardening against EMPs, vehicle-borne attacks, and sabotage⁵
-
Funding partnerships between DHS, CISA, and major cloud operators to improve standards⁶
The Heritage Foundation, among others, has argued that data centers should be treated with the same urgency as ports, pipelines, and airports⁵. The cost of inaction, they argue, will be paid in outages, economic shocks, and national vulnerability.
Build for the Threat You Face
We live in an economy where everything from banking to healthcare and from education to logistics, flows through racks of servers inside buildings with little physical protection. When those buildings go dark, so does the economy and country.
It’s time we stopped treating data centers as private-sector IT problems and recognized them for what they are: foundational infrastructure that underpins modern civilization. If terrorists, adversaries, or even extreme weather were to take down multiple hubs at once, the consequences would not just be digital. They’d be economic, civic, and national in scale.
Protecting our future means protecting the buildings that power it.
¹ Reuters. (2025, October 20). Amazon’s AWS struggles to recover after major outage disrupts apps, services worldwide.
² U.S. Department of Homeland Security. (2022). Critical Infrastructure Sectors.
³ U.S. Department of Homeland Security. (2022). Information Technology Sector-Specific Plan.
⁴ UK Cabinet Office. (2024, January). National Infrastructure Review 2024.
⁵ Heritage Foundation. (2025, February). Congress should stop researching data center threats and start protecting them.
⁶ Center for Strategic and International Studies. (2024). Securing Cloud Infrastructure.
⁷ DatacenterDynamics. (2023). Why physical security at data centers is still weak.
⁸ SecureWorld News. (2022, November). Pen-testers reveal how easy it is to breach data center security.
¹⁰ Verizon. (2023). Data Breach Investigations Report.
¹² Netcraft. (2021, March 11). 3.6 million websites taken offline after fire at OVH datacenters.
¹³ Kyiv Independent. (2025, February 18). Ukrainian hackers wipe databases at Russia’s Gazprom in major cyberattack, intelligence source says.
¹⁴ BBC News. (2017, October 10). North Korea ‘hackers steal US-South Korea war plans’
¹⁵ The Verge. (2023). AWS outage again hits US-East-1 region.
