Dateline Ashburn: How to Break the Internet
An analysis of the security threats facing Ashburn’s data centers
Cameron Marx
ASHBURN, Va., Sept 5, 2025 – This former bedroom community is home to the world’s densest cluster of data centers. But U.S. officials warn that concentrating so much of the world’s digital infrastructure in one place has created a tempting target for attack.
Congressman Suhas Subramanyam, D-Va., whose district includes Ashburn, warned in April that putting so many data centers so close together was a “huge problem.”
“You look at the Ukraine war, when Russia failed to hack Ukraine’s telecom networks, what did they target? They targeted the data centers,” he said. “And so, Northern Virginia is becoming more of a target than Washington D.C. itself.”
But while scenarios of nuclear strikes or other doomsday attacks make for striking headlines, the immediate risks facing Ashburn’s data centers have so far been far less dramatic. In practice, running a data center requires countering a variety of threats.
Cyberattacks and sabotage are often top of mind, but physical breaches – from break-ins to equipment tampering – remain a persistent risk. Environmental pressures such as heat waves or natural disasters can be just as disruptive, and human factors like social engineering continue to exploit vulnerabilities in training and trust. In the rarest cases, operators also prepare for extreme scenarios, from terrorism to malicious physical attacks.
Data centers already prime targets of cyberattacks
Data centers have increasingly been in the crosshairs of cyberattacks – a risk that experts say will only intensify in the years ahead.
The Russo-Ukraine war has proven an excellent testing ground for hackers’ skills. In January 2024, a cyberattack on a Ukrainian data center disrupted operations for a state-owned energy company, state television channel, state railway, national postal service provider, and a government agency.
Ukraine responded in April by reportedly hacking a data center used by the Russian military industry, destroying more than 300 terabytes of data in the process.
Cyberattacks aren’t just limited to warzones in eastern Europe. At the end of 2019, CyrusOne confirmed that its New York data center was the victim of a ransomware attack affecting six customers.
Perhaps at greater risk of exposure to hacks than data center servers are the systems that keep those servers running, such as cooling and power controls. Many of these systems are accessible via public search engine websites. Worse, their passwords are often left at the manufacturer’s default, which in some cases is available online for any bored computer enthusiast to see.
In 2021 the cybersecurity firm Phobos Group revealed that more than 98,000 industrial control systems globally were exposed to attacks via public search engine websites, including systems used in data centers.
Cooling units seem to be at particular risk. Phobos was able to use a default login to gain access to cooling units from a popular data center equipment vendor. According to the report, “if this exercise were carried out by a genuine intruder, they would be able to change setpoint temperatures and alarms [for these systems].”
The rise in remote work has only made these centers more exposed. A remote desktop with access to data center control systems is a particularly attractive target. The Phobos Group found that over 86,700 remote desktops were exposed in Ashburn alone, including desktops for a major global data center wholesale capacity provider.
Structuring a cyberattack
An attacker that has gained access to a data center’s systems has a variety of tools at their disposal. One of the most common types of attack used to bring down a center’s systems is the distributed denial-of-service (DDoS) attack.
DDoS attacks target a center’s systems by overwhelming them with traffic from multiple sources. This sudden increase in traffic brings systems to a crawl, or shuts them down entirely.
These attacks can be monumental. In May of this year, the cybersecurity firm Cloudflare blocked a massive DDoS attack that sent 7.3 terabits of information per second to a hosting provider. That’s more than an entire household’s internet usage for an entire month, sent to a single network every second.
Data centers can employ tactics to mitigate these attacks. One of the most effective methods is network segmentation: physically or logically separating networks from one another so that a breach in one doesn’t impact the others. However, network segmentation is costly, and data centers are under no obligation to segment their networks.
Indeed, a lack of uniform security standards may be the Achilles’ heel of the industry. Private ratings agencies, such as the Uptime Institute, award different security designations to different facilities, though only a fraction of Ashburn’s centers have rankings information publicly available online. Thus even if a particular data center has strong cybersecurity measures, it could still be breached via a connection it has with a less secure center.
Physical breaches: Two men and a power saw
Still, attackers don’t need advanced cybersecurity skills, a nuclear device or the blessing of Mother Nature to disrupt data centers. All it may take is an $8 packet of cigarettes.
“Some of the newer data centers, they'll have things that will look cool from a security perspective, but then you'll see people smoking outside the fire escape and you could have just walked in with a packet of cigarettes,” Andrew Barratt, principal consultant, adversary ops, at security firm Coalfire, told Data Center Dynamics. He went on to say that he had “lost track” of the number of times he was able to walk into a data center just by wearing a striped suit.
Barratt was referring to social engineering – an infiltration method that involves leveraging people’s natural trust to gain access to secure facilities. Penetration testers like Barratt have sounded the alarm about weak data center security for years – noting that they’ve been able to gain access to these facilities by wearing construction jackets, sporting fake crutches, or posing as a delivery driver. One tester even gained access to the secure area of a data center by walking through a maintenance tunnel.
“I could probably count on one hand how many [data centers] are well thought-out,” Barratt said. “It gets forgotten because it’s a presumed commodity.”
Attacks haven’t been limited to penetration testing firms. A 2007 attack on a London data center saw thieves impersonate police officers to gain access to the facility. They got away with more than $4 million in equipment. A year earlier, two thieves stole equipment from a data center under the watchful eye of at least two security guards, who assumed that the thieves’ possession of legitimate swipe cards meant they too were legitimate.
Some data centers have implemented measures to prevent social engineering. Amazon told Broadband Breakfast that it requires its employees to request approval before being given access to the facility. Once approval is granted, employees are only allowed to access certain parts of the center, and only for a specified period of time, after which access is revoked.
Multi-factor authentication is required to enter the center and its server rooms, and server room doors are equipped with alarms that will trigger if a door is forced or even held open – a potential safeguard against social engineering techniques such as “tailgating.”
If social engineering fails, attackers can always turn to more traditional methods. A Texas man in 2021 sought to “kill off about 70 percent of the internet,” by blowing up an Amazon data center in Ashburn.
He was arrested after attempting to obtain an explosive device from an undercover federal agent. Similarly, members of Al-Qaeda sought to disrupt the internet in the United Kingdom by attacking the Telehouse Europe facility. They too had their plan foiled by law enforcement.
Other attacks have been more successful. One Chicago data center was the target of four breaches between 2005 and 2007, including a successful burglary involving little more than two masked intruders with a power saw. Though these robberies occurred 20 years ago, data center robberies are far from a thing of the past. On August 13, an Idaho data center was burglarized, though fortunately the equipment stolen was outdated and slated for replacement.
A more destructive attack occurred on Christmas day in 2020 when a man detonated a bomb near an AT&T regional telecom hub, killing himself and disrupting telecom services across the region. Though the building wasn’t a data center, the bombing demonstrated the damage a single individual could do to the telecommunications network.
The nuclear (bomb) option
Concentrating data centers together only amplifies these threats. For example, congressional and government reports cited by The Hill indicate that most data centers are vulnerable to electromagnetic pulses, such as the ones produced by a nuclear device.
Consider a 10 kiloton improvised nuclear device, the kind a non-state actor might use, detonated at ground level. Only buildings within a mile of the device’s detonation site would be at risk of moderate to severe damage—buildings further out would mostly experience nothing more than shattered windows and disrupted landscaping.
In contrast, the damage from the electromagnetic pulse delivered by that same device could impact buildings two to five miles from the detonation site, knocking out data centers still standing from the blast. Thus, a well-placed IND detonated in Ashburn, say at the intersection of Farmwell and Waxpool Rd., could potentially knock out over 90 data centers.
Though detonating a nuclear device may be the most conspicuous way to destroy a data center, a simple heat wave may be all that it takes.
Threats from heat and other disasters
In 2022, senior grid strategist for Idaho National Laboratory’s National and Homeland Security directorate Andy Bochman warned that a prolonged heat wave, or a “heat dome,” could overwhelm Ashburn’s data center cooling systems, forcing operators offline and disrupting major parts of the internet.
In Bochman’s scenario, close to 100 operators face the same decision. Some decide to shut their servers down, others hold out hope that their cooling systems will prevail. What they decide to do doesn’t really matter – the end result is the same. Several dozen data centers go offline, and with them much of the internet. Stock exchanges plunge, global telecommunication systems go dark, and whole supply chains disappear.
Though fictional, the scenario highlights how something as ordinary as extreme heat could trigger cascading global outages. Should Bochman’s heat dome scenario occur it would be devastating—but not unprecedented. In 2022, a California heatwave was enough to knock a Twitter data center offline.
Of course, other natural disasters, such as an earthquake or hurricane, could damage centers just as severely as a heatwave could. Fortunately, there is some good news on this front. Ashburn is one of the safest places in the U.S. Loudoun County, where it resides, was rated the safest county in the U.S. for natural disasters by the Federal Emergency Management Agency in 2021, and though it has since slipped from that top spot, the agency still ranks Loudoun as being at “relatively low” risk of natural disasters.
This is only a sampling of the security concerns that data centers face. Listing all the possible ways a data center could be compromised would be a herculean task. Other methods, including attacking a center’s uninterruptible power supply, sabotage by disgruntled employees, or attacks from competing operators sharing a facility, are very real concerns.