U.S. Data Centers Could Face Security Threats Amid AI Boom

WASHINGTON, March 6, 2025 – On January 14, 2025, just days before President Trump took office, the Biden Administration released a memo that was supposed to “enhance the reliability and resiliency of agency data centers” and build on previous data center security regulations.

The directive implemented Sen. Jacky Rosen’s, D-Nev., Federal Data Center Enhancement Act that Congress passed as a part of the National Defense Authorization Act of 2024, which identified cybersecurity as a top priority for data center security.

“[T]here is a growing need for federal agencies to use data centers and cloud applications that meet high standards for cybersecurity, resiliency, availability, and sustainability,” the bill read.

These massive facilities, operated by tech giants like Amazon, Microsoft, and Google, store and process vast amounts of sensitive information. Some believe they are prime targets for cyberattacks.

The Biden Administration’s memo did not specify any new cybersecurity requirements, so data centers may remain vulnerable to select attacks until future legislation ensures adequate protection.

Potential losses from cyberattacks against data centers

The financial toll could be staggering. A 2024 global study by Statista found that data breaches cost businesses an average of $4.88 million per incident between May 2020 and February 2024. In the U.S., the cross-industry average reached $9.36 million.

Cybercriminals employ various tactics to carry out such attacks against a range of businesses. These include ransomware, which encrypts files and demands payment for decryption, and Distributed Denial-of-Service (DDoS) attacks, which overwhelm systems and lock legitimate users out, are two common tactics used to disrupt servers.

These cyber attacks can come against a range of targets. Targeted attacks of data centers could lead to particular losses.

“During a ransomware attack, hackers encrypt a data center’s information and hold it hostage until a ransom is paid or the data is decrypted” if it can be, said Ray Zuckerman, Chairman and CEO of ServerLIFT, a firm focusing on product and technology development for the data center environment. “This is costly not just financially, but also in downtime and in the harm done to the reputation of the data center,” he said.

Attacks on physical infrastructure

Less common–but sometimes more detrimental–are network-based attacks that target data centers’ physical infrastructure.

For example, some cybercriminals target the software installed in heating, ventilation, and air conditioning systems because they are connected to an operator’s data center infrastructure management program via the Internet of Things. 

Cybercriminals could use IoT weak points–often accessible through unchanged default passwords–to overwhelm HVAC infrastructure, causing data centers to overheat and, sometimes, partially or fully shut down.

Similarly, in a study published by the New Jersey-based Institute of Electrical and Electronics Engineers, researchers found that cooling systems in many data centers are insufficient or intentionally throttled to save costs, which infiltrators can exploit by running computationally intensive workloads on targeted servers in a so-called “thermal attack.”

“[Our] results demonstrate that thermal attack can degrade the performance and reliability of victim servers, cause local hotspots [or overheated areas], increase the cooling cost, and even worse, lead to cooling failures, in which some servers are forced to shut down for overheat protection,” the IEEE researchers said.

The study also highlighted the difficulty of catching thermally targeted attacks before it’s too late, which the authors partially attributed to a lack of regulatory requirements for thermal sensors in data centers.

Heating and energy issues have plagued data centers in the past

The IEEE study was based on hypothetical scenarios, but heating issues have occasionally caused data center failures in the past. 

In 2013, for example, a firmware [or software embedded in hardware] issue caused a Microsoft data facility to overheat, rendering some of the company’s cloud services unusable for sixteen hours.

In another case, one of the three active U.S. data centers owned by X (then called Twitter) was temporarily shut down in 2022 when a heatwave passed through Sacramento, Calif., and overwhelmed the facility’s cooling system.

Carrie Fernandez, Twitter's Vice President of Engineering at the time, sent an email to company employees saying, “Twitter experienced the loss of its Sacramento (SMF) datacenter region due to extreme weather. The unprecedented event resulted in the total shutdown of physical equipment in SMF.”

HVAC systems are not the only IoT devices susceptible to cyber-attacks.

The U.S. Cybersecurity and Infrastructure Security Agency and the Department of Energy acknowledged similar IoT issues in 2022 involving uninterruptible power supplies, which attackers could exploit to connect to facility management software and cut power to facilities.

CISA and DOE provided guidelines on best practices for reducing the risk of such attacks, but companies were not required to follow them.

Legislation and presidential action on AI and data centers

Stricter regulations will be needed to accommodate for the increased U.S. reliance on data centers, which the National Telecommunications and Information Administration said will grow by 9 percent by 2030.

In a recent Hill article, Annie Chestnut Tutor and Wilson Beaver of the Heritage Foundation argued that future legislation must be more specific if Congress wants to minimize the risk of serious data breaches or facility interruptions. 

That said, congressional action is not the only variable. The Trump Administration will have a sizable influence over data center regulation, especially as the president upends many of the Biden administration policies he views as detrimental to AI.