Physical Security: The Key to Cybersecurity in the Digital Age? – By Sam Castor

After leaving the Office of Science and Technology Policy of the Executive Office of the President in 2009, I matriculated into an in-house legal and Executive VP career at www.Switch.com – the champion of the SUPERNAP and hundreds of patent claims revolutionizing how the internet operates – physically. With a security force of nearly 50 former Marines, and “Jurassic Park”-like walls surrounding the perimeters of its hyperscale environments, Switch was the most intense physical security environment in which I had ever worked: even more so than Capitol Hill or the White House. With more than seven (7) layers of physical security and a confidential layer of digital safeguards, including mitigation for denial of service (“DoS”) and distributed denial of service (“DDoS”) attacks, working for Switch was like a science fiction candy land for the geek inside me.

Data centers are those magical places where the internet physically exists. And the best data centers connect, power, cool, and protect the internet operations of all online business and activity – from Fortune 100 and 500 businesses to local, state, and federal government agencies. Everything needs the internet in today’s day and age, and data centers are the heart, brains, lungs, and veins of the internet. A data center’s job is to make sure the servers that connect to and make up the internet never lose power or cooling.

The data center industry, prompted by the U.S. Government, adopted a “tier” ranking protocol for physical reliability – with Tier 1 being the lowest and Tier 4 the highest. To push the standards even higher, Switch invented the Tier 5 Platinum standards, incorporating many other elements including physical security, connectivity and sustainability. I still feel the rush it was to develop that with the original inventors of data center standards, like Hank Seader and Rob Roy, the founder of Switch. I was even quoted in the releases about it!1 It was an incredible experience. One reason was that, with the rise of the internet, business minds focused on digital security and safety so much that there was almost a global myopia, a single-minded blindness to the need for physical security. When you are transacting billions of terabytes of data, most of it customer facing, maintaining a data center’s operations (an exercise known as “uptime”) can be a reputation-making or reputation-destroying exercise.

As such, I spent twelve years of my early legal career alerting the world to the need for physical security standards – all of which are critical to the often-overlooked industry of data centers. And this is where the digital and physical foundational rules come into critical nexus. You see, if Google, Amazon, Sony, Nike, or a host of nearly a thousand other customers in the world’s data centers experienced a physical security breach, it could be disastrous for their online operations and their customers. Worse – to the millionth degree – than CVS’s nightmare, when it was fined after employees discarded personally identifiable information in a public dumpster.2

In the post-COVID digital era, where cyber threats dominate the headlines, physical security remains a fundamental component of cybersecurity. The recent security breaches at TikTok’s Virginia data centers underscore the critical importance of robust physical security measures to protect sensitive digital assets.3 The problems there also show that the traditional physical-world doctrines of negligence, breach of contract, and indemnity obligations are just as critical in the digital world.

The TikTok Case: A Wake-Up Call

A detailed investigation revealed startling security lapses at TikTok’s Virginia data centers, operated by ByteDance. These facilities experienced significant physical security failures, including unescorted visitors, unmarked flash drives plugged into servers, and unattended boxes of hard drives in hallways. These vulnerabilities are not just theoretical risks but tangible threats to data integrity and security.4

TikTok’s rapid expansion and the pressure to increase storage capacity led to corners being cut, compromising physical security. Interviews with employees and internal documents highlighted how security protocols were often bypassed. Visitors, including delivery couriers and hardware vendors, frequently roamed the data centers unescorted, contrary to company policies. Additionally, degaussers meant to destroy old hard drives were often broken, forcing staff to transport drives to other locations, increasing the risk of theft.5

Physical Security’s Role in Cybersecurity

The breaches at TikTok’s data centers are just one more example of an unavoidable truth: you cannot escape the liabilities in breach of contract and negligence, or FTC scrutiny, posed by weak physical security. You may have the most sophisticated digital offering, with two-factor authentication, encryption, and other innovative digital barriers, but that digital world still requires a physical anchor. If someone can walk into your data center and steal a hard drive, your digital safety protocols may be rendered useless. Thus, physical security is a critical line of defense in every cybersecurity plan, and data center service contracts, security protocols, and sensitive data protections are coming under the scrutiny of the FTC’s consumer protection oversight. In the TikTok case in April 2023, individuals were allowed into its Virginia data center unescorted. They left with critical consumer data on hard drives, exposing TikTok consumers to dark web sales of their private data. Despite assurances that TikTok’s operations were not controlled by the Chinese government, reports suggested that the data was being manipulated or stolen by the Chinese owners. While not the only concern about Chinese manipulation of U.S. data, the breach was just another reason to criticize Chinese control over the Beijing-owned business. In the case of TikTok, the use of servers from Inspur, a company with ties to the Chinese military, added another layer of risk, raising concerns about the potential for data exfiltration by foreign entities.6

Just a few months later, the U.S. government began aggressively pursuing a divestiture of TikTok from its parent, ByteDance, and has now ordered a full divorce from the Chinese-controlled parent.7 The U.S. law came as “[l]awmakers in numerous countries have expressed concerns that TikTok, which is owned by the Chinese company ByteDance, may expose sensitive user data.”8

This is just one example of how unrestricted physical access to data centers can lead to unauthorized data access, theft, and even sabotage. Other threats include plugging flash drives into servers to introduce malware or steal sensitive information, bypassing both digital and physical defenses.

Consequently, physical security measures such as perimeter fencing, man-traps, biometric scanners, controlled access points, surveillance, and proper disposal of hardware are fundamental requirements for preventing unauthorized access and data breaches. And I suspect the FTC will eventually begin evaluating data center security protocols, and whether companies have properly sourced their data center service partners with proper security protocols in mind.

Lessons from TikTok

To address physical vulnerabilities, adopting rigorous physical security standards, with proper contractual remedies, is imperative. All businesses with an online presence should evaluate their data center providers’ security measures (not just their SSAE-21 or other auditing protocols) by evaluating how a data center protects the data it hosts or colocates, including whether the data center has the following:

  1. Multi-Layered Security Protocols: Implementing multiple layers of physical security, from biometric access controls to continuous video surveillance.
  2. Strict Visitor Management: Ensuring all visitors are escorted and logged, preventing unauthorized access.
  3. Regular Security Audits: Conducting frequent audits and assessments to identify and rectify potential security gaps.
  4. Secure Hardware Disposal: Using reliable degaussing equipment and secure destruction processes to prevent data leakage from discarded hardware.

As I cautioned almost a decade ago, the digital wave has crested. It’s time for businesses to ride it – or they will be crushed by it. By adhering to such high standards and working with experienced professionals who understand the critical nature of telecom, power, cooling, and physical security, organizations can significantly mitigate the risks posed by physical security breaches – and the potential FTC oversight. The integration of physical and cyber security strategies creates a more robust defense against the multifaceted threats in today’s inescapable digital landscape.

If you have questions, need to better understand your data center framework, or want to explore how your business can ride the digital wave, please contact www.LexTecnica.com today.

  1. See https://www.switch.com/tier-5/, noting: “The original data center standards were created for legacy data centers in the early 1990s,” said Samuel Castor, who helped formalize Switch’s new Tier 5 standards in partnership with Switch’s engineers and under the direction of Rob Roy. “The spectrum of data center options has greatly expanded since their creation. Customers can now choose between a broad array of options, from in-house, to carrier, to colocation, cloud or managed service offerings. The common core of each of these offerings needs to be much more than just power and cooling. The underlying infrastructure must contemplate security, connectivity, sustainability, optionality and independence. To be helpful and relevant, our industry standards must be expanded as well… A tidal wave of technological change has been cresting. When the original data center standards were developed by Hank Seader and Ken Brille back in the early days, no one envisioned the world would evolve as much as it has. It is now more critical than ever for customers to have transparency into the sustainability and reliability of their data center service providers. Switch’s Tier 5 standard focuses on improving the transparency and accountability of such an important and mission-critical part of all of our daily lives, the infrastructure that supports the Internet of Absolutely Everything.”

  2. See https://www.ftc.gov/news-events/news/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial-privacy-customers-employeescvs

  3. See https://www.forbes.com/sites/emilybaker-white/2023/04/21/security-failures-tiktok-virginia-data-centers-unescorted-visitors-flash-drives/

  4. See “Security failures, building safety issues plague TikTok’s Virginia data centers”, Rappler, available at https://www.rappler.com/technology/security-failures-building-safety-issues-plague-tiktok-virginia-data-centers/; see also Data Center Dynamics, “TikTok’s Virginia data centers allowed unescorted visitors…”, https://www.datacenterdynamics.com/en/news/tiktoks-virginia-data-centers-allowed-unescorted-visitors-unmarked-flash-drives-in-servers-and-unattended-boxes-of-hard-drives/

  5. See id.

  6. See id.

  7. See “Why the U.S. Is Forcing TikTok to Be Sold or Banned”, NY Times, May 8, 2024, available at https://www.nytimes.com/article/tiktok-ban.html (last visited June 7, 2024).

  8. Id.
