Last week, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection heard witness testimony from industry experts on whether artificial intelligence (AI) data centers should receive a designation as a critical infrastructure sector.
Lawmakers have noted the significance of these operations, which are increasingly playing a role in our daily lives.
“If a major data center is attacked, disrupted, or taken offline, the consequences can reach far beyond one company or one sector,” Rep. Andy Ogles, R-Tenn., said in prepared opening remarks. “Yet our current framework does not provide a clear, unified approach to data center security. It does not clearly answer which federal agency is responsible for understanding the risk, coordinating with industry, or leading the response when this infrastructure is targeted.”
As Cyberscoop reported, one issue is that just three main providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – now account for 63% of data center market share in the United States.
“There is no denying that data centers are becoming more critical to the functioning of our existing critical infrastructure, including healthcare, communications, energy, and financial services,” explained Doc McConnell, head of policy and compliance at Finite State.
He told ClearanceJobs in an email that there is likely value in closer coordination among data center owners to share risks and respond to incidents collectively.
However, designating data centers as critical infrastructure may not solve the problem.
“The 2024 National Security Memorandum on critical infrastructure established a shared responsibility model between the public sector and private owners and operators,” suggested McConnell. “Building that collaboration, collectively identifying risks, pooling resources to address them systematically – that’s where the real value comes from.”
By Any Other Name
One issue is that data centers aren’t seen as anything more than buildings housing many servers. Data centers don’t exude the same level of significance, at least not visually, as power plants, water treatment facilities, or other physical buildings we may equate with critical infrastructure.
That has resulted in data centers being underappreciated, at least until there is an Internet outage or data can’t be accessed. As we increase our reliance on AI, the significance of those buildings needs to change.
“Data centers are no longer just IT facilities — they are strategic infrastructure underpinning AI, cloud services, financial systems, healthcare, communications, and national security. Treating them as critical infrastructure makes sense, but the designation itself is only the starting point,” added Matt Wyckhouse. founder and CEO at Internet security provider Finite State.
Wychokhouse told ClearanceJobs that recent conflict-linked attacks on data center infrastructure in the Middle East, including reported Iranian drone strikes on cloud facilities in the UAE and Bahrain, have already demonstrated that this is no longer a theoretical risk.
“Data centers are becoming part of the modern battlespace, where cyber operations, physical attacks, supply-chain compromise, and geopolitical coercion can converge,” Wyckhouse warned.
Yet the bigger issue is that data center risk extends beyond physical security and perimeter cyber defenses.
“These environments depend on an enormous technology supply chain: servers, networking equipment, firmware, cooling systems, access-control systems, operational technology, cloud software, and the vendors who build and maintain all of it,” Wyckhouse continued. “A serious compromise may not begin with a front-door attack on a hyperscaler; it may begin much earlier in the lifecycle, through a vulnerable component, manipulated firmware, insecure update mechanism, or opaque supplier relationship.”
The Factories of the AI Economy
Just as power plants, water treatment facilities, and even the electrical grid became critical infrastructure, so did they, gradually, from a luxury to a convenience, and finally a key part of daily life. Data centers are now taking a similar course.
“Data centers are already critical infrastructure in practice,” said Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs.
“The policy debate is just catching up to operational reality,” Krell told ClearanceJobs. “These facilities are no longer passive real estate where servers happen to sit. They have become part of the operating layer of the modern economy.”
To this end, data centers need to be seen for what they are, added Wyckhouse.
“They are becoming the factories of the AI economy,” he emphasized. “If we are going to depend on them for national-scale compute, we should secure them with the same seriousness we apply to energy, telecommunications, defense, and financial infrastructure.”
We already see what happens during an outage. It can be as crippling to modern life as a power outage, bringing some industries to a literal standstill.
“When a major facility or shared dependency fails, the impact does not stay neatly inside one company’s environment,” said Krell. “It can become a broader continuity problem very quickly. A standalone designation can help, but only if it turns vague concern into clear ownership and a response model that works when the incident has outgrown a customer support ticket.”
AI Build Out
Krell also told ClearanceJobs that the AI build-out makes this harder to ignore. More ominously, the threat model is no longer just cyber, either. Physical disruption, geopolitical pressure, operational technology compromise, and cloud outages increasingly converge at the same layer.
That may not be the best way to address the potential threats.
“The recurring theme in Washington is naming something critical without building the machinery needed to protect it,” said Krell. A sector label only matters if it comes with practical coordination and federal partners that operators trust during a crisis. If agencies like CISA lose capacity while data centers become more strategically important, policymakers trade substance for ceremony.”
Lawmakers need to do more than just designate a data center as critical infrastructure.
“If policymakers move toward a standalone data center critical infrastructure sector, the focus should be on measurable assurance: knowing what technology is inside these environments, where it came from, how it was developed, whether it contains known vulnerabilities or exploitable weaknesses, and whether operators can produce defensible evidence of security and resilience,” suggested Wyckhouse. “We need to move beyond voluntary checklists and toward continuous, evidence-based assurance across the full supply chain.”
Risk Management
By contrast, John Carberry, solution sleuth at cybersecurity provider Xcape, Inc., took another approach to the matter, suggesting that “The move by Congress to designate data centers as a standalone critical infrastructure sector marks a long-overdue transition in federal risk management.”
He explained to ClearanceJobs how Internet-based services have evolved from business conveniences into safety-critical utilities. Yet, the current regulatory framework remains bifurcated between the IT and Communications sectors.
“This oversight gap is increasingly untenable given that three hyperscalers – AWS, Azure, and Google Cloud – now control 63% of the market,” said Carberry. “This concentration creates a systemic single point of failure where a coordinated cyber campaign or physical sabotage could trigger cascading collapses across healthcare, finance, and government operations.”
Instead, we need to shift data center availability from a localized operational concern to a prerequisite for national security and public safety.
“In 2026, treating data centers as ‘non-critical’ is like calling the power grid an optional hobby for people who enjoy light bulbs,” warned Crarberry.
“If the federal government moves to make this designation, they must follow up by leading a national effort with clear outcomes, action plans, and resource commitments from both the public and private sectors,” said McConnell. “Otherwise, this won’t lead to the strengthened security and resilience that we need.”