WATCH: Inside Cold War bunkers that host UK’s hyper-secure data centres

Manisha Ganguly
Hacking Digital Britain
Jul 20, 2017

With new EU data protection regulations coming into effect next year, companies scramble to find secure hosts. But why choose a nuclear bunker?

Ash bunker entrance, The Bunker Secure Hosting/ Manisha Ganguly

“Did you take photos from outside the fence?”
“Yes.”
“Delete them, we can’t allow photos from the street.”
“Are you aware that your location shows up on Google Earth anyway?”
“Yes, but we’ve removed photos from Street View. Delete those photos.”

I am greeted at the entrance of the Bunker Secure Hosting by an unhappy former Marine twice my size, who proceeds to confiscate my camera and delete the shots of the entrance to the Cold War-era bunker in Ash. Two weeks of liaising and security vetting later, I was given access to film inside the de-commissioned Ministry of Defence nuclear bunker, which, along with the one in Newbury, hosts some of the UK’s most secure data centres. An hour of negotiations and an NDA later, I am finally allowed to film only selected areas of the facility, accompanied by my guide and two security escorts monitoring my camera and movements.

In 1949, with increasing international tension following the Truman Doctrine post-WW2, the Air Ministry commissioned a chain of radar stations for UK defense, code-named ROTOR. As part of this, the Ash bunker was chosen in 1951 to be an R3 grade (nuclear blast-proof) bunker. It was then re-engineered halfway through construction to withstand a 22 kiloton thermonuclear bomb, with an electro-magnetic pulse shield and Faraday cages (which are still in use). In 1993, the Ash bunker went from being an RAF Control and Reporting Centre to a testing ground for new equipment, labelled “Ground Environment Operational Evaluation Unit”, before closing operations in 1995.

The late ’90s set the stage for the crypto wars between cypherpunks and the government. In the cypherpunk manifesto, Eric Hughes argues for the need for secure and private information systems in an open society: “We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak…We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place.” In the aftermath of the Snowden leaks, which exposed mass surveillance operations by US and UK governments aided by data gathered by corporations, his observations seem more relevant now than ever.

Soon after its de-commissioning, notable cypherpunk Ben Laurie and his brother Adam bought the bunker from the RAF, setting up a hyper-secure web hosting service, ALD Ltd. Ben had been one of the founding directors of the Apache Software Foundation; he is a core member of the OpenSSL project, which emerged in 1998 to create and provide free encryption tools for webpages on the internet. In Apache: The Definitive Guide, Ben and Peter Laurie describe the internet as, “like the real world, peopled by a lot of lambs and a few wolves. The wolves like to get into the lambs’ folds (of which your computer is one) and, when there, raven and tear in the usual wolfish way. [We generally follow the convention of calling these people the Bad Guys. This avoids debate about “hackers,” which, to many people, simply refers to good programmers, but to some means Bad Guys].”

Around the same time, in Sweden, Oscar Swartz had set up Bahnhof, an ultra-secure data hosting facility inside the Pionen nuclear bunker. Commissioned in 1943 by the Swedish government to protect against a nuclear strike, the Pionen bunker, embedded deep in the White Mountains, was built to withstand a hydrogen bomb. This, incidentally, was where Wikileaks was hosted in 2010, when it came under attack for releasing the Afghan war logs.

In 2004, the Laurie brothers sold ALD Ltd to Jean-Loup Brousse de Gersigny, Peregrine Newton and Steven Joseph, who set up the Bunker Secure Hosting in the Ash and Newbury bunkers. At present, it offers cloud and physical storage facilities, digital security and data recovery services, with colocation to prevent data from being lost. In short, it hosts, manages, processes and secures data, i.e. the currency of the digital age, in a bunker built to survive nuclear winter.

Screenshot from “Protect & Survive” (1970)/ Crown Copyright

Having never visited a nuclear bunker before, I’d spent the previous evening watching UK public infomercials on nuclear war preparation for civilians. “Protect and Survive” had done a pretty good job of covering all grounds: from nuclear fall-out and refuge to even, bizarrely and perhaps pragmatically, how to label and dispose of bodies. I’d almost stopped worrying and was beginning to love the Bomb, but I wondered why I’d want my data to survive nuclear winter. What would necessitate the use of a nuclear bunker to host data, and how sensitive would that data be?

“Our customers are those that really value security or those that work in a rigorous compliance or heavily regulated space, like the payment card industry, banking, or government bodies like the NHS,” says Chris Scott, Programme Director and Data Protection Officer of The Bunker. “But the landscape of security is changing now. With the new EU data protection laws coming into effect next year, everyone dealing with EU citizens’ data has to provide guarantees that information is processed securely.”

Copyright: ICO

The EU-sanctioned GDPR, or General Data Protection Regulations, come into effect in the UK from 25 May 2018, unaffected by the UK’s exit from the EU. The Regulations aim to ensure secure transmission and processing of EU citizens’ data, which includes general personal data (such as IP addresses and registry information) and sensitive personal data (biometric data, genetic data, etc). The accountability process for breaches is stricter, so non-compliance would cost companies heavily: a fine of 20,000,000 EUR, or up to 4% of the previous financial year’s turnover, whichever is greater.

With an annual turnover of 9.6 million pounds, the Bunker spends “millions” on security with 63% of its clients coming from the financial sector. “If you’re doing business with or taking people’s private information, then the security awareness of your whole business needs to be aligned. It’s not just IT services or the security man at the door that needs to worry about security, it’s up to your Board level,” explains Chris.

The security offered by the bunkers is layered: physical, digital and human. Apart from advanced encryption and an impenetrable compound resembling an Orwellian nightmare, the bunkers also host anti-terror and fire drills. Chris assures me they’ve had no history of physical breaches, and insists that the weakest points of any security system are its people. So unsurprisingly, there is a strict vetting process involved, and handling of data by employees is monitored closely. “It’s not really about nuclear winter, it’s about how easily you get access to this data,” he says. “What’s more secure than a nuclear bunker?”

The Ash Bunker /Copyright: The Bunker Secure Hosting

He’s right about the risks of physical availability and access to data; the past decade has provided instances of some remarkable heists where equipment, sometimes entire servers, has been stolen. In December 2007, men dressed in police uniforms talked their way into a Verizon data center in London, and stole $4 million worth of equipment. In August of 2007, Forensic Telecommunications Services reported a server theft: the server in question had hosted phone data relating to criminal proceedings.

The cost of breaches of this nature is great: not only with regard to cybercrime, but because metadata of any scale carries a “surveillance selfie”, i.e., it can be represented to disclose details of one’s life in breach of privacy. Will Ockenden, an ABC reporter, acquired his telecommunications metadata, namely phone records, and made them public to see how much of his habits and movements could be gathered from them. The responses were fairly accurate: predicting his work route, associations, and patterns of movement.

Under the Investigatory Powers Act, the UK government has authorised the bulk collection of metadata which will be made available to 48 different organisations: from police forces to NHS trusts that provide ambulance services. However, in the aftermath of the NHS ransomware attack which crippled major parts of the NHS digital network and caused emergency services to be shut down in many hospitals, the UK government’s digital infrastructure seems ill-equipped to securely handle citizens’ metadata.

The new EU regulations affect all entities that handle EU citizens’ data, which includes governmental bodies. Jim Killock, Executive Director of Open Rights Group, said: “As the Safe Harbour case brought by Max Schrems showed, the surveillance powers given to GCHQ, the police and government departments under the Investigatory Powers Act could mean that UK companies cannot guarantee that they will meet European privacy standards.” In the meantime, the ICO has released a set of data protection directives for UK entities processing personal data who will be affected by the new GDPR framework. However, whether citizens’ vital metadata will ever be granted the bunker-level security afforded by the financial sector remains to be seen.
