Underground Data Fortresses: The Nuclear Bunkers, Mines and Mountains Being Transformed to Protect Our “New Gold” from Attack
Many abandoned mines and mountain caverns have also been re-engineered as digital data repositories, such as the Mount10 AG complex, which brands itself as the “Swiss Fort Knox” and has buried its operations within the Swiss Alps. Cold war-era information management company Iron Mountain operates an underground data center 10 minutes from downtown Kansas City and another in a former limestone mine in Boyers, Pennsylvania.
The National Library of Norway stores its digital databanks in mountain vaults just south of the Arctic Circle, while a Svalbard coal mine was transformed into a data storage site by the data preservation company Piql. Known as the Arctic World Archive (AWA), this subterranean data preservation facility is modelled on the nearby Global Seed Vault.
Just as the seeds preserved in the Global Seed Vault promise to help re-build biodiversity in the aftermath of future collapse, the digitized records stored in the AWA promise to help re-boot organizations after their collapse.
Bunkers are architectural reflections of cultural anxieties. If nuclear bunkers once mirrored existential fears about atomic warfare, then today’s data bunkers speak to the emergence of a new existential threat endemic to digital society: the terrifying prospect of data loss.
Data, the New Gold?
After parking my car, I show my ID to a large and muscular bald-headed guard squeezed into a security booth not much larger than a pay-phone box. He’s wearing a black fleece with “Cyberfort” embroidered on the left side of the chest. He checks my name against today’s visitor list, nods, then pushes a button to retract the electric gates.
I follow an open-air corridor constructed from steel grating to the door of the reception building and press a buzzer. The door opens on to the reception area: “Welcome to Cyberfort,” receptionist Laura Harper says cheerfully, sitting behind a desk in front of a bulletproof window which faces the car park. I hand her my passport, place my bag in one of the lockers, and take a seat in the waiting area.
Big-tech pundits have heralded data as the “new gold” – a metaphor made all the more vivid when data is stored in abandoned mines. And as the purported economic and cultural value of data continues to grow, so too does the impact of data loss.
For individuals, the loss of digital data can be a devastating experience. If a personal device should crash or be hacked or stolen with no recent back-ups having been made, it can mean the loss of valuable work or cherished memories. Most of us probably have a data-loss horror story we could tell.
For governments, corporations and businesses, a severe data loss event – whether through theft, erasure or network failure – can have a significant impact on operations or even result in their collapse. The online services of high-profile companies like Jaguar and Marks & Spencer have recently been impacted by large-scale cyber-attacks that have left them struggling to operate, with systems shutdown and supply chains disrupted. But these companies have been comparatively lucky: a number of organizations had to permanently close down after major data loss events, such as the TravelEx ransomware attack in 2020, and the MediSecure and National Public Data breaches, both in 2024.
With the economic and societal impact of data loss growing, some businesses are turning to bunkers with the hope of avoiding a data loss doomsday scenario.
The Concrete Cloud
One of the first things visitors to the Cyberfort bunker encounter in the waiting area is a 3ft cylinder of concrete inside a glass display cabinet, showcasing the thickness of the data center’s walls. The brute materiality of the bunkered data center stands in stark contrast to the fluffy metaphor of the “cloud”, which is often used to discuss online data storage.
Data centers, sometimes known as “server farms”, are the buildings where cloud data is stored. When we transfer our data into the cloud, we are transferring it on to servers in a data center (hence the meme “there is no cloud, just someone else’s computer”). Data centers typically take the form of windowless, warehouse-scale buildings containing hundreds of servers (pizza box-shaped computers) stored in cabinets that are arranged in aisles.
Data centers are responsible for running many of the services that underpin the systems we interact with every day. Transportation, logistics, energy, finance, national security, health systems and other lifeline services all rely on up-to-the-second data stored in and accessed through data centers. Everyday activities such as debit and credit card payments, sending emails, booking tickets, receiving text messages, using social media, search engines and AI chatbots, streaming TV, making video calls and storing digital photos all rely on data centers.
These buildings now connect such an incredible range of activities and utilities across government, business and society that any downtime can have major consequences. The UK government has officially classified data centers as forming part of the country’s critical national infrastructure – a move that also conveniently enables the government to justify building many more of these energy-guzzling facilities.
As I sit pondering the concrete reality of the cloud in Cyberfort’s waiting area, the company’s chief digital officer, Rob Arnold, emerges from a corridor. It was Arnold who arranged my visit, and we head for his office – through a security door with a biometric fingerprint lock – where he talks me through the logic of the bunkered data center.
“The problem with most above-ground data centers is they are often constructed quickly, and not built to withstand physical threats like strong winds, car bombs or server theft from breaking and entering.” Arnold says that “most people tend to think of the cyber-side of data security – hackers, viruses and cyber-attacks – which dangerously overlooks the physical side”.
Amid increasing geopolitical tension, internet infrastructure is now a high-value target as “hybrid” or “cyber-physical” sabotage (when cyber-attacks are combined with physical attacks) becomes increasingly common.
The importance of physical internet security has been highlighted by the war in Ukraine, where drone strikes and other attacks on digital infrastructure have led to internet shutdowns. While precise details about the number of data centers destroyed in the conflict remain scant, it has been observed that Russian attacks on local data centers in Ukraine have led many organizations to migrate their data to cloud facilities located outside of the conflict zone.
Bunkers appeal to what Arnold calls “security-conscious” clients. He says: “It’s difficult to find a structure more secure than a bunker” – before adding drily: “The client might not survive the apocalypse, but their data will.”
Cyberfort specializes in serving regulated industries. Its customer base includes companies working in defense, healthcare, finance and critical infrastructure. “Our core offering focuses on providing secure, sovereign and compliant cloud and data-center services,” Arnold explains in a well-rehearsed sales routine. “We do more for our customers than just host systems – we protect their reputations.”
Arnold’s pitch is disrupted by a knock at the door. The head of security (who I’m calling Richard Thomas here) enters – a 6ft-tall ex-royal marine wearing black cargo trousers, black combat boots and a black Cyberfort-branded polo shirt. Thomas is going to show me around the facility today.
The entrance to the bunker is located up a short access road. Engineered to withstand the blast and radiation effects of megaton-level thermonuclear detonations, this cloud storage bunker promises its clients that their data will survive any eventuality.
At the armor-plated entrance door, Thomas taps a passcode into the electronic lock and swipes his card through the access control system. Inside, the air is cool and musty. Another security guard sits in a small room behind bulletproof plexiglass. He buzzes us through a metal mantrap and we descend into the depths of the facility via a steel staircase, our footsteps echoing in this cavernous space.
The heavy blast doors and concrete walls of the bunker appear strangely at odds with the virtual “walls” we typically associate with data security: firewalls, anti-virus vaults, and spyware and spam filters. Similarly, the bunker’s military logics of enclosure and isolation seem somewhat outdated when faced with the transgressive digital “flows” of networked data.
However, to dismiss the bunkered data center as merely an outmoded piece of security theatre is to overlook the importance of physical security – today and in the future.
We often think of the internet as an immaterial or ethereal realm that exists in an electronic non-place. Metaphors like the now retro-sounding cyberspace and, more recently, the cloud perpetuate this way of thinking.
But the cloud is a material infrastructure composed of thousands of miles of cables and rows upon rows of computing equipment. It always “touches the ground” somewhere, making it vulnerable to a range of non-cyber threats – from thieves breaking into data centers and stealing servers, to solar storms disrupting electrical supplies, and even to squirrels chewing through cables.
If data center services should go down, even for a few seconds, the economic and societal impact can be calamitous. In recent years we have seen this first-hand.
In July 2020, the 27-minute Cloudflare outage led to a 50% collapse in traffic across the globe, disrupting major platforms like Discord, Shopify, Feedly and Politico. In June 2021, the Fastly outage left some of the world’s most visited websites completely inaccessible, including Amazon, PayPal, Reddit, and the New York Times. In October 2021, Meta, which owns Facebook, WhatsApp and Instagram, experienced an outage for several hours that affected millions of social media users as well as hundreds of businesses.
Perhaps the largest internet outage yet occurred in July 2024 when the CrowdStrike outage left supermarkets, doctors’ surgeries, pharmacies, airports, train providers and banks (among other critical services) unable to operate. This was described by some in the industry as “one of the largest mass outages in IT history”.
Internet architecture now relies on such a complex and fragile ecosystem of interdependencies that major outages are getting bigger and occurring more often. Downtime events can have a lasting financial and reputational impact on data center providers. Some attempts to quantify the average cost of an unplanned data center outage range from US$9,000 to US$17,000 (about £12,500) per minute.
The geographic location of a data center is also hugely important for data protection regulations, Thomas explains, as we make our way down a brightly lit corridor. “Cyberfort’s facilities are all located in the UK, which gives our clients peace of mind, knowing they comply with data sovereignty laws.”
Data sovereignty regulations subject data to the legal and privacy standards of the country in which it is stored. This means businesses and organizations must be careful about where in the world their data is being relocated when they move it into the cloud. For example, if a UK business opts to store its data with a cloud provider that uses data centers based in the US, then that data will be subject to US privacy standards which do not fully comply with UK standards.
In contrast to early perceptions of the internet as transcending space, eradicating national borders and geopolitics, data sovereignty regulations endow locality with renewed significance in the cloud era.
The Survival of Data at All Costs
Towards the end of the corridor, Thomas opens a large red blast-proof door – beyond which is a smaller air-tight door. Thomas waves his card in front of an e-reader, initiating an unlocking process: we’re about to enter one of the server rooms.
“Get ready” he says, smiling, “it’s going to be cold and loud!” The door opens, releasing a rush of cold air. The server room is configured and calibrated for the sole purpose of providing optimal conditions for data storage.
Like any computer, servers generate a huge amount of heat when they are running, and must be stored in constantly air-conditioned rooms to ensure they do not overheat. If for any reason a server should crash or fail, it can lead to the loss of a client’s valuable data. Data center technicians work in high-pressure conditions where any unexpected server downtime could mean the end of their job.
To try and make sure the servers run optimally, data centers rely on huge amounts of water and energy, which can significantly limit the availability of these resources for the people who live in the vicinity of the buildings.
An average data center consumes an estimated 200-terawatt hours of electricity each year. That’s around 1% of total global electricity demand, which is more than the national energy consumption of some countries. Many of these facilities are powered by non-renewable energy sources, and the data center industry is expected to emit 2.5 billion tons of carbon dioxide by 2030.
In addition, to meet expectations for “uninterruptible” service levels, data centers rely on an array of fossil fuel-based back-up infrastructure – primarily diesel generators. For this reason, the Green Web Foundation – a non-profit organization working to decarbonize the internet – has described the internet as the world’s largest coal-powered machine. Data centers are also noisy and have become sites of protest for local residents concerned about noise pollution.
Amid hype and speculation about the rise of AI, which is leading to a boom in the construction of energy-hungry data centers, the carbon footprint of the industry is under increasing scrutiny. Keen to highlight Cyberfort’s efforts to address these issues, Thomas informs me that “environmental impact is a key consideration for Cyberfort, and we take our commitment to these issues very seriously”.
As we walk down a cold aisle of whirring servers, he explains that Cyberfort actively sources electricity from renewable energy supply chains, and uses what he calls a “closed loop” cooling infrastructure which consumes minimal fresh water.
‘Like the Pyramids’
After our walk through the server room, we begin to make our way out of the bunker, heading through another heavy-duty blast door. As we walk down the corridor, Thomas promotes the durability of bunkers as a further security selling point. Patting the cold concrete wall with the palm of his hand, he says: “Bunkers are built to last, like the pyramids.”
To try and make sure the servers run optimally, data centers rely on huge amounts of water and energy, which can significantly limit the availability of these resources for the people who live in the vicinity of the buildings.
An average data center consumes an estimated 200-terawatt hours of electricity each year. That’s around 1% of total global electricity demand, which is more than the national energy consumption of some countries. Many of these facilities are powered by non-renewable energy sources, and the data center industry is expected to emit 2.5 billion tons of carbon dioxide by 2030.
In addition, to meet expectations for “uninterruptible” service levels, data centers rely on an array of fossil fuel-based back-up infrastructure – primarily diesel generators. For this reason, the Green Web Foundation – a non-profit organization working to decarbonize the internet – has described the internet as the world’s largest coal-powered machine. Data centers are also noisy and have become sites of protest for local residents concerned about noise pollution.
Amid hype and speculation about the rise of AI, which is leading to a boom in the construction of energy-hungry data centers, the carbon footprint of the industry is under increasing scrutiny. Keen to highlight Cyberfort’s efforts to address these issues, Thomas informs me that “environmental impact is a key consideration for Cyberfort, and we take our commitment to these issues very seriously”.
As we walk down a cold aisle of whirring servers, he explains that Cyberfort actively sources electricity from renewable energy supply chains, and uses what he calls a “closed loop” cooling infrastructure which consumes minimal fresh water.
‘Like the Pyramids’
After our walk through the server room, we begin to make our way out of the bunker, heading through another heavy-duty blast door. As we walk down the corridor, Thomas promotes the durability of bunkers as a further security selling point. Patting the cold concrete wall with the palm of his hand, he says: “Bunkers are built to last, like the pyramids.”
In 2013, bank reforms in the UK introduced a switching service which enabled consumers to easily move their money and payments to different banks, in order to access more favorable rates. Cloud migration services are available for businesses, but until a cloud storage equivalent of the bank switching service is developed for the general public, many of us are essentially locked into whichever cloud provider we have been using. If our data really is the new gold, perhaps we should require cloud providers to offer incentives to deposit it with them.
Some providers now offer “lifetime” cloud packages with no monthly or yearly payments and no inactivity clause. However, the cloud market is volatile, defined by cycles of boom-and-bust, with providers and their data centers constantly rebranding, closing and relocating. In this landscape of mergers and acquisitions, there is no guarantee that lifetime cloud providers will be around long enough to honor these promises.
In addition, the majority of consumer cloud providers currently only offer a maximum of a few terabytes of storage. In the future, most of us will probably need a lot more than this, which could mean a lot more data centers (roughly 100 new data centers are set to be constructed in the UK alone within the next five years). We may also see more bunkers being repurposed as data centers – while some providers, such as Florida-based Data Shelter, are considering building entirely new bunker structures from scratch to house digital data.
Resurfacing
Thomas and I arrive at the steel staircase leading back up to the outside world. The guard buzzes us back through the turnstile, and Thomas unlocks and opens the door. The sunlight stings my eyes.
Back in the reception area, I thank Arnold and Thomas for my surreal trip into the depths of subterranean data storage. The Cyberfort data center is a site of extreme contrasts, where the ethereal promise of the cloud jars with the concrete reality of the bunker.
Sitting in my car, I add to my fieldnotes that the survival of data – whether entombed in bunkers or stored in “lifetime” cloud accounts – is bound to the churn of markets, and depends upon the durability of the infrastructure and organizations behind it.
Permanence, in the digital age, is always provisional. One can’t help but imagine future archaeologists discovering this bunker and rummaging through the unreadable remains of our lost digital civilization.
A.R.E. Taylor is Senior Lecturer in Communications, University of Exeter. This article is published courtesy of The Conversation.
