The drone strikes on Amazon Web Services data centers in the Persian Gulf, and Iran’s threats to target tech firms for their involvement in U.S. attacks, underline the growing risks that artificial intelligence infrastructure faces in conflicts.Iran named 18 companies including Amazon, Google, Microsoft, Nvidia, Palantir, and G42, the lead AI firm in the United Arab Emirates, as “legitimate targets.” For AI companies with data centers in the Gulf, risk mitigation could mean shifting away from easily identifiable hyperscalers, picking safer locations, or separating military systems from civilian systems.
None of these options is easy.
Global data center capacity could reach 200 gigawatts by 2030, doubling capacity, to meet growing demand for AI. While more than half the capacity is being added in the U.S., data centers are also being built in Asia, Latin America, and the Gulf. AI data centers alone will require a total capital expenditure of more than $5 trillion, according to consulting firm McKinsey.
Some of that investment is going into hyperscalers, or large data centers that can host more than 5,000 servers and span more than 900 square meters (10,000 sq. ft.) Their size makes them easy targets, so firms may pick resilience over the efficiency that hyperscalers offer, Viktor Mayer-Schoenberger, a professor of internet governance and regulation at the University of Oxford, told Rest of World.
“It’s very possible that we see a move away from hyperscalers to small data centers for greater safety,” he said. “Lots of small data centers with randomly distributed backup copies of data are more resilient – but harder and more complex to build, more costly to maintain, and less effective, as data needs to be kept up to date not just in one or two centers, but in many.”
Intertwining civilian and military data … inadvertently strips these facilities of their civilian protections under the laws of armed conflict.” Mahmoud Abuwasel, disputes partner at law firm Wasel & Wasel
The strikes will force countries, particularly the Gulf nations, to treat data centers as “critical national infrastructure deserving of the same protective frameworks as energy assets and desalination plants,” Nada Ilhab, an associate director of AI practice at consultancy Access Partnership in London, told Rest of World. Such frameworks may no longer favor data localization – or requirements to keep certain data within national borders – and instead shift toward “geographic diversification and multi-region redundancy to ensure business continuity.”
That makes so-called data embassies a potential solution. These are data centers in a foreign country that store another nation’s data under home-country law and sovereignty protections. The main objective of a data embassy is to ensure a guest country’s digital continuity in case of disruptions from a natural disaster, a cyber attack, a power failure, or the snapping of an undersea cable.
Estonia and Monaco have data embassies in Luxembourg, and Saudi Arabia’s draft AI law has a provision for hosting data embassies. The Gulf strikes will be “a catalyst for the data embassy model to go mainstream,” Mahmoud Abuwasel, disputes partner at law firm Wasel & Wasel, told Rest of World. “It solves the physical peril of localizing data in an active conflict zone.”
Yet with worsening geopolitical tensions, conflict-free zones are scarce. Dozens of nations are experiencing internal conflicts, and more than 80 countries were involved in conflicts beyond their borders last year, according to a global index.
Getting data embassies up and running is also complicated by the need for bilateral agreements, and there is currently no global legal framework or multilateral treaty to support them. The concept is “elegant in theory but highly complex in practice,” Ilhab said. “For most states, the cost-benefit calculation has not yet tipped” to favor data embassies, she said.
Yet as more militaries come to rely on AI technologies from the private sector, the more they will depend on privately owned data centers, raising new concerns, Klaudia Klonowska, a post-doctoral researcher in law and AI at Sciences Po Paris, told Rest of World.
Iran said it attacked the AWS data centers because they supported the “enemy’s military and intelligence activities.” AWS did not respond to a question from Rest of World on whether its Gulf facilities processed such data.
The outages affected banks, food delivery services, mobile payments, and other businesses in the region and beyond – and that is the risk enterprises will have to contend with when militaries place their operations in the same data centers where civilians’ information is stored. In doing so, “they are exposing their citizens to attacks that may damage their access to critical elements of their infrastructure, significantly undermining civilian life,” Klonowska said.
“Countries can – and legally are obliged to – ensure that their military activities do not endanger the aspects of civilian life that rely on data centers,” she said. “The most effective way is to clearly separate their use of the data centers from those that are used by the military.”
That is not easily done. Co-tenancy agreements are the norm, which means that civilian enterprise applications, like banks and ride-hailing platforms, “are sitting on the same physical servers as AI systems used for military intelligence and war simulations,” Abuwasel said.
“Intertwining civilian and military data … inadvertently strips these facilities of their civilian protections under the laws of armed conflict,” he said. That raises risks and costs for businesses, as they are “forced to pay hefty premiums for multi-region disaster recovery, hardened infrastructure, and complex war-risk insurance,” he said.
Businesses can insist on transparency about other tenants, including the military, but with demand for data center capacity outstripping supply, operators have the upper hand, as do militaries that can insist on access for national security purposes.
The Gulf strikes demonstrate “where AI-era conflict is heading,” Miah Hammond-Errey, founding chief executive of Strat Futures, a risk consultancy, wrote in a blog post for The Lowy Institute. “Governments have integrated classified military and intelligence systems so deeply into commercial infrastructure that shifting becomes impossible under fire … this is a supply chain and operational continuity risk of the highest order.”
Businesses are bracing for the impact.
“Costs will increase, and quite sharply,” Prabhakar Posam, chief information officer at shipping and logistics company Transworld Group in Dubai, an AWS client, told Rest of World.
“These increases will not stay contained; they will cascade across customers, vendors, and financial structures, eventually being pushed down to end customers … many businesses simply won’t be able to sustain this kind of pressure,” he said.
