In what seems like just months, data centers have flipped from economy-revving darlings to high-value targets.
Drones hit
Data centers snagged more than $178 billion in credit deals last year, pledging to create jobs as they power the biggest US platforms developing artificial intelligence. But concerns are growing about just how secure the facilities are—and what companies can do to protect their data and operations.
The FBI has increased its outreach to data center owners and operators about physical and digital threats, cyber professionals say. A vendor for data center operators said he’s seen “an incredible uptick” in inquiries about security services; some sites have even enlisted robot security dogs. And other countries, including the UK, are weighing rules to bring new cybersecurity requirements to the facilities.
On Wednesday, experts told a House Homeland Security subcommittee that the federal government needs to do more to recognize the potential impact of such an attack and take steps to prevent them.
“The explosion of AI innovation has catapulted debates about the construction of data centers into the national spotlight,” said Retired Rear Adm. Mark Montgomery, a onetime National Security Council staffer who now serves as Senior Director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. “But I believe the cyber and physical resilience of those data centers merits an equal level of attention.”
Heightened pressure also means it’s time for companies to rehearse worst-case scenarios, review existing security protections, and perhaps push facilities closer to the same level of security as nuclear plants, say other former government officials, industry insiders and lawyers.
Sophisticated cyberattacks against data centers could be “catastrophic” because of the massive amounts of data they hold and the number of customers they serve, said Hannah Levin, a partner at Morgan Lewis who advises clients on data security incident response.
“The impact if there were to be an IT outage or one of these attacks would be much more widespread than maybe what we’ve seen historically with these supply-chain incidents,” Levin said.
Wave of New Questions
Data centers are full of Achilles’ heels.
The targets aren’t just the thousands, if not millions, of servers that power the facilities. There’s also the layer of less complex operational technology that makes them run: things like cooling technology, fire-suppression mechanisms, and access control systems.
“People aren’t thinking about that,” said Anthony Ferrante, global head of cybersecurity at FTI Consulting and former White House cyber official. “If you can effectively compromise that, you could essentially shut down all those computers.”
As companies dump billions of dollars into building and running the next data centers, they’re also considering how best to secure their investments, said David Britt, a senior executive at Salute, a provider of services for 80% of data center operators globally.
The company’s first foray into the data center market was via physical security services. The firm now offers data center operators security personnel and technology from the initial construction stages through the day-to-day running of facilities.
Salute’s Britt said he saw a wave of new inquiries about security offerings in the last few weeks; which he called “an incredible uptick.” Security solutions extend beyond fences, cameras and robot guard dogs to include biometric security checkpoints. To make sure data centers are girding against potential threats across the supply chain, some are even opting to build their own substations.
Security principles “have always been there,” said Greg Parker, who oversees the Data Center Construction, Projects & Assets unit at FTI. “It’s just no one really worried about big boxes sitting in the middle of nowhere until they started worrying about it.”
Going Dark
Companies reliant on data center operations might hope that if one location goes dark, they can automatically switch to another facility with little to no interruption.
But real-world opportunities to practice what’s known as “failovers” have been few and far between. And some scenarios, like the damage to facilities in the Middle East, are nearly impossible to prepare for.
“There’s a minimal number of things that data centers can do to protect themselves from a bomb being dropped by an F-16,” said Brian Levine, founder of Former Gov and former cybercrime prosecutor at the Justice Department.
Even the slightest disruption to an AI data center can have long-term consequences on the training of AI models.
Because AI is being integrated into almost every platform or apps consumers interact with on a daily basis, “it’s hard to understand how many things might become unusable, for short periods of time at least, if an AI data center goes down,” Levine added.
Most companies are on alert for these risks and are accounting for them as they pick the sites to build their centers, the vendors they’ll work with, or the list of requirements they’ll give their facility operators.
But heightened risks should prompt them to ramp up their training and pressure-test their disaster management plans if data centers were to go down, industry insiders said.
Some are already doing that, reviewing security and continuity plans and taking another look at their facilities’ threat posture, in part based on where they’re located, for example, industry professionals said in interviews. For others, this could serve as a reminder to be familiar with the people and firms keeping data centers, and their own operations, online—especially as AI supply chains get more intertwined.
“An attack on a water system or an electric grid or substation or whatever could take down that IT data center AI capability, which itself is relied on by all of the other critical infrastructure sectors,” said Dave Wulf, co-founder of the Center for Cross-Sector Coordination, a nonprofit group that seeks to bolster the security of critical infrastructure, and a former Department of Homeland Security official. “So does it ruin the day for the banking system or the pipelines or hospitals and health services or critical manufacturing or the defense industrial base?”
The Data Center Coalition, the membership association for the data center industry which counts Google, AWS, and Microsoft among its members, didn’t respond to requests for comment. AWS declined to comment but a spokesperson pointed to its health dashboard, where it posts updates on service disruptions, fixes and improvements.
Who’s Requiring What
Like the individual companies working with data, data center owners and operators can be subject to data privacy and security laws, in addition to any specific contractual requirements. They could be required to disclose some security incidents under more than 50 state breach notification laws or federal requirements set up by agencies like the US Securities and Exchange Commission.
But to this point, security requirements for the facilities have been largely driven by data center owners—many of whom are Silicon Valley giants. They dictate the physical security protections they want for their assets. Meanwhile, they’re the ones responsible for protecting the data, largely through methods like encryption.
“We build the road. We don’t control what vehicles are actually traveling on the road,” Salute’s CEO Erich Sanchack said.
And while some companies get to occupy entire data centers, known as hyperscalers, others have to share with roommates. That means sharing the facility, and responsibility, when things go wrong.
“It further complicates the relationship,” FTI’s Ferrante said.
The Department of Homeland Security’s cyber agency, the Cybersecurity and Infrastructure Security Agency, had sought to investigate the interdependencies of data centers and how failures could cascade into sectors like healthcare. But that work came to a halt with the partial government shutdown, now in its third month.
Since then, CISA—a key partner for critical infrastructure entities like data centers to defend against physical and digital threats—has largely been silent, according to Scott Algeier, executive director of the Information Technology - Information Sharing and Analysis Center.
Still, he said data center members of the IT-ISAC—a group of IT sector organizations, including data centers, that shares cyber threat intelligence with each other—are regularly engaging with the FBI’s field office in Northern Virginia.
CISA didn’t respond to a request for comment during the shutdown.
The Trump administration hasn’t indicated it wants new security requirements specific to data centers—meaning tech giants would continue to shape security best practices.
As the value of AI infrastructure continues to climb, data center development spreads, and threat actors increasingly go after supply-chains to reach their targets, security threats to data centers are unlikely to die down.
More than half of data center professionals cited human threats—internal or external—as the biggest security risk to their infrastructure in a 2026 survey by AFCOM, an association of data center and IT infrastructure professionals.
“Bank robbers go rob banks, because that’s where the money is, right? Data centers, that’s where the data is,” said Algeier, who was among the witnesses to brief House members on Wednesday. “They recognize that they’re a high value target.”
To contact the reporter on this story:
To contact the editors responsible for this story: