Data centres and hyperscale cloud platforms have become strategic wartime targets because modern governments, militaries, banks, hospitals, and AI systems now depend on concentrated computing infrastructure that can be disrupted by missiles, drones, cyberattacks, sanctions, power failures, or intimidation. That is the blunt lesson behind Dr Fazal Ali’s warning: data is no longer merely something states regulate, store, or monetise. It is now part of the battlespace. The next phase of cloud policy will be shaped less by latency diagrams and procurement slogans than by deterrence, survivability, and the uncomfortable question of who is willing to defend the machines that defend the state.
For years, cloud computing has been marketed with the language of abstraction. Workloads float. Services scale. Regions and availability zones turn infrastructure into a kind of programmable atmosphere, available wherever a credit card, enterprise agreement, or government framework can reach.
War has a way of stripping metaphors back to steel, diesel, concrete, fibre, cooling systems, and substations. A data centre is not a cloud; it is a building with coordinates. A hyperscale region is not a neutral utility; it is a strategic concentration of compute, identity, storage, networking, and increasingly AI inference capacity.
That distinction matters because the defence of data has usually been framed as a cybersecurity problem. The language of risk registers still tilts toward ransomware, credential theft, insider threats, supply-chain compromise, and misconfigured buckets. Those risks remain real, but they now sit beside a harder category: physical coercion against the infrastructure that makes digital continuity possible.
Ali’s piece lands in that gap between cyber doctrine and military reality. His argument is not simply that cloud facilities can be attacked. It is that the political economy of AI has created richer targets, in fewer places, at exactly the moment when regional wars are expanding their definition of legitimate infrastructure.
That strategy has never been just about hosting websites closer to local users. The prize is to become a jurisdiction where data, models, chips, research partnerships, and government services compound into an AI ecosystem. National data libraries, sovereign identity systems, digital ministries, AI assistants, and autonomous agents all depend on durable compute foundations.
The trouble is that localisation changes the risk profile. If sensitive data must remain inside national borders, then the physical safety of domestic infrastructure becomes part of the security model. A state can mandate that citizen records stay local, but it cannot wish away the fact that local facilities may sit inside a missile and drone envelope.
This is the sovereign-data-and-AI localisation trap Ali identifies. Domestic hosting promises control, compliance, and sovereignty. But if the domestic environment is exposed to regional conflict, the promise of sovereignty can become a concentration of risk.
The point is not that every named facility is a battlefield asset. The point is that adversaries increasingly argue that AI, cloud, mapping, surveillance, targeting, analytics, and identity systems are part of how modern force is generated. Once that argument enters the conflict narrative, the offices and data centres of technology companies become easier to frame as strategic targets.
This is especially true for companies whose software is visibly entangled with defence work. Palantir is the obvious example because of its public association with military data integration and targeting-related systems. But the logic does not stop there. The same cloud region that hosts commercial workloads may also host government services, defence contractors, cybersecurity operations, or AI pipelines used by allied states.
That ambiguity is dangerous. Hyperscale providers are good at redundancy, access control, encryption, and operational continuity. They are not sovereign military actors. They do not operate air defence networks, command fighter patrols, or control escalation ladders in the Strait of Hormuz.
That decision was a triumph for cloud resilience. It showed that a state under attack could preserve institutional memory, citizen services, and administrative capacity by shifting critical systems beyond the immediate reach of the invader. The cloud did not make Ukraine invulnerable, but it made the state harder to decapitate digitally.
It also demonstrated that commercial technology companies had moved from the back office to the front line. Starlink connectivity, cloud hosting, cybersecurity support, facial recognition tools, satellite imagery, and battlefield analytics all became part of Ukraine’s survival architecture. The lesson was not that private tech won the war. The lesson was that no modern state can fight, govern, or recover without private digital infrastructure.
But Ukraine’s success also depended on a particular strategic geometry. Much of the critical data could be moved away from the physical theatre of war and into jurisdictions protected by NATO geography, Western legal systems, and large cloud operators. That option is less straightforward for countries insisting that sensitive datasets remain inside exposed regional borders.
The concept now deserves a broader hearing. If data sovereignty is defined only as domestic storage, then sovereignty can become brittle. If it is defined as lawful control, cryptographic assurance, jurisdictional clarity, and continuity under attack, then offshore resilience may actually strengthen sovereignty rather than weaken it.
That will be a difficult sell in many capitals. Governments prefer the political optics of saying sensitive data stays at home. Regulators like borders because borders are legible. Procurement frameworks can audit local facilities more easily than diplomatic cloud enclaves scattered across allied territory.
Yet the battlefield is forcing a more mature definition. A national identity database that is perfectly compliant but physically destroyed is not sovereign in any meaningful operational sense. A health registry that remains legally controlled by the state but can fail over to an allied jurisdiction during wartime may be more sovereign because it remains usable.
That changes how adversaries think about disruption. Destroying or disabling a compute cluster may slow model training, interrupt inference services, break government automation, degrade surveillance and targeting systems, and frighten insurers and lenders. The physical attack need not permanently destroy all data to achieve strategic effect. It may only need to prove that the infrastructure is not politically or financially safe.
This is why the insurance point matters. The future of AI infrastructure will not be decided only by where electricity is cheap or tax incentives are generous. It will be decided by where interruption risk can be priced, where sovereign guarantees are credible, and where military protection is assumed rather than improvised.
The capital markets will notice. A region can subsidise land, power, and construction, but it cannot easily subsidise away the perception that facilities might become targets during regional escalation. Once that perception sets in, every financing model becomes more conservative.
That is the part of the cloud story ordinary users rarely see. An availability zone is only as available as its grid connections, backup generators, cooling capacity, network paths, and human operators. Cybersecurity teams can defend identity systems and monitor intrusions, but they cannot patch a transformer destroyed by a missile.
The same logic applies in the Gulf. Even if a data centre is hardened, it relies on airports, ports, fuel supply, subsea cables, satellite links, water systems, and regional airspace stability. Modern infrastructure is resilient in layers, but it also fails in layers.
That means data defence must become a civil-defence and national-security problem, not just a cloud architecture problem. The sysadmin’s runbook and the general’s contingency plan now overlap more than either profession may like.
This mismatch creates a governance gap. Governments increasingly rely on private infrastructure for essential functions, then treat resilience as a vendor-management issue. That may work for service-level agreements. It does not work for wartime targeting.
If a cloud region hosts critical public services, then the host state and customer governments need to define who defends it, who pays for its hardening, who gets priority during a crisis, and what legal protections apply when the facility is supporting both civilian and defence-adjacent workloads. Those answers cannot be buried in procurement annexes.
The alternative is strategic confusion. A provider may believe it operates commercial infrastructure. An adversary may believe it is attacking military-enabling infrastructure. A government may claim the facility is critical national infrastructure only after the smoke clears.
Enterprise IT has spent years being told to move from local fragility to cloud resilience. That advice still makes sense, but it needs a wartime addendum. Cloud concentration can reduce one class of risk while creating another. A company that has excellent ransomware recovery but no plan for regional cloud unavailability has not finished the job.
The practical response is not panic or a retreat to basement servers. It is architecture with geopolitical awareness. That means knowing which regions your workloads actually use, where backups are stored, whether identity dependencies can survive regional disruption, and whether your vendor’s continuity promises are meaningful under armed conflict.
It also means revisiting assumptions about data residency. Some organisations are legally required to keep data in country. Others choose local residency out of habit, politics, or sales pressure. The distinction matters because optional localisation may become a liability when the local threat environment changes.
This does not mean every customer needs a classified threat assessment. It means enterprises should stop pretending that cloud geography is merely a compliance variable. Region selection is now a strategic risk decision.
For global companies, the answer may be multi-region and multi-cloud resilience. For governments, it may be allied data embassies, classified sovereign clouds, or hardened domestic facilities with credible military protection. For smaller organisations, it may be as simple as ensuring backups and identity recovery mechanisms are not trapped in the same geopolitical basket as production.
The important shift is mental. Data is not safe because it is “in the cloud.” It is safe only if the cloud architecture survives the particular threats likely to be applied against it.
But the pitch has changed. The next generation of Gulf AI projects will have to sell not just scale but survivability. Investors, insurers, customers, and foreign partners will want to know how facilities are protected, how workloads fail over, how data is replicated, and whether political risk has been priced honestly.
That may favour larger players and deeper state involvement. Hyperscale infrastructure was already expensive; hardened hyperscale infrastructure is more expensive still. Smaller providers may struggle to meet the new expectations, while the biggest cloud and AI firms will push for government guarantees, special protections, and clearer rules about wartime liability.
The result could be a more securitised cloud market. The language of innovation zones and AI campuses will remain, but behind it will sit questions usually associated with ports, pipelines, semiconductor fabs, and military bases. Who protects it? Who can attack it? Who absorbs the loss?
The deeper lesson is that AI has made data-centre policy a national-security discipline. Compute is becoming a form of power, and power attracts targeting. Governments that want AI sovereignty must therefore answer the defence question with the same seriousness they bring to chips, energy, and military procurement.
A few concrete conclusions follow.
The Cloud Was Sold as Weightless, but War Has Found Its Address
For years, cloud computing has been marketed with the language of abstraction. Workloads float. Services scale. Regions and availability zones turn infrastructure into a kind of programmable atmosphere, available wherever a credit card, enterprise agreement, or government framework can reach.War has a way of stripping metaphors back to steel, diesel, concrete, fibre, cooling systems, and substations. A data centre is not a cloud; it is a building with coordinates. A hyperscale region is not a neutral utility; it is a strategic concentration of compute, identity, storage, networking, and increasingly AI inference capacity.
That distinction matters because the defence of data has usually been framed as a cybersecurity problem. The language of risk registers still tilts toward ransomware, credential theft, insider threats, supply-chain compromise, and misconfigured buckets. Those risks remain real, but they now sit beside a harder category: physical coercion against the infrastructure that makes digital continuity possible.
Ali’s piece lands in that gap between cyber doctrine and military reality. His argument is not simply that cloud facilities can be attacked. It is that the political economy of AI has created richer targets, in fewer places, at exactly the moment when regional wars are expanding their definition of legitimate infrastructure.
The Gulf Bet Was Always About More Than Cheap Power
The Gulf’s AI infrastructure boom has been driven by a persuasive package: capital, energy, land, sovereign ambition, and geopolitical positioning. For cloud providers and AI companies, the region offers a chance to sell capacity into governments determined to leapfrog into the next industrial platform. For Gulf states, hyperscale infrastructure is not a side project; it is part of a post-oil statecraft strategy.That strategy has never been just about hosting websites closer to local users. The prize is to become a jurisdiction where data, models, chips, research partnerships, and government services compound into an AI ecosystem. National data libraries, sovereign identity systems, digital ministries, AI assistants, and autonomous agents all depend on durable compute foundations.
The trouble is that localisation changes the risk profile. If sensitive data must remain inside national borders, then the physical safety of domestic infrastructure becomes part of the security model. A state can mandate that citizen records stay local, but it cannot wish away the fact that local facilities may sit inside a missile and drone envelope.
This is the sovereign-data-and-AI localisation trap Ali identifies. Domestic hosting promises control, compliance, and sovereignty. But if the domestic environment is exposed to regional conflict, the promise of sovereignty can become a concentration of risk.
Hyperscale Has Become a Deterrence Problem
The reported Iranian threats against major American technology companies in the Middle East sharpen the issue. When facilities associated with Amazon, Microsoft, Google, IBM, Nvidia, Oracle, and Palantir are named as potential or legitimate targets, the cloud stops looking like neutral commercial infrastructure and starts looking like part of a contested military-industrial stack.The point is not that every named facility is a battlefield asset. The point is that adversaries increasingly argue that AI, cloud, mapping, surveillance, targeting, analytics, and identity systems are part of how modern force is generated. Once that argument enters the conflict narrative, the offices and data centres of technology companies become easier to frame as strategic targets.
This is especially true for companies whose software is visibly entangled with defence work. Palantir is the obvious example because of its public association with military data integration and targeting-related systems. But the logic does not stop there. The same cloud region that hosts commercial workloads may also host government services, defence contractors, cybersecurity operations, or AI pipelines used by allied states.
That ambiguity is dangerous. Hyperscale providers are good at redundancy, access control, encryption, and operational continuity. They are not sovereign military actors. They do not operate air defence networks, command fighter patrols, or control escalation ladders in the Strait of Hormuz.
Ukraine Proved the Cloud Can Save a State
Ukraine’s experience offers the counterpoint. When Russia launched its full-scale invasion in February 2022, Ukraine’s rapid migration of government data and public services into Western cloud platforms became one of the most important continuity moves of the war. Registries, ministry systems, and public-sector data could survive because they were no longer trapped inside buildings Russian missiles could easily destroy.That decision was a triumph for cloud resilience. It showed that a state under attack could preserve institutional memory, citizen services, and administrative capacity by shifting critical systems beyond the immediate reach of the invader. The cloud did not make Ukraine invulnerable, but it made the state harder to decapitate digitally.
It also demonstrated that commercial technology companies had moved from the back office to the front line. Starlink connectivity, cloud hosting, cybersecurity support, facial recognition tools, satellite imagery, and battlefield analytics all became part of Ukraine’s survival architecture. The lesson was not that private tech won the war. The lesson was that no modern state can fight, govern, or recover without private digital infrastructure.
But Ukraine’s success also depended on a particular strategic geometry. Much of the critical data could be moved away from the physical theatre of war and into jurisdictions protected by NATO geography, Western legal systems, and large cloud operators. That option is less straightforward for countries insisting that sensitive datasets remain inside exposed regional borders.
The Data Embassy Idea Looks Better After Every Missile Strike
The phrase data embassy used to sound like a Baltic policy curiosity. Estonia pioneered the concept after absorbing the implications of Russian cyber aggression: if a small state’s digital systems are essential to sovereignty, some of those systems should be protected abroad under special legal and diplomatic arrangements.The concept now deserves a broader hearing. If data sovereignty is defined only as domestic storage, then sovereignty can become brittle. If it is defined as lawful control, cryptographic assurance, jurisdictional clarity, and continuity under attack, then offshore resilience may actually strengthen sovereignty rather than weaken it.
That will be a difficult sell in many capitals. Governments prefer the political optics of saying sensitive data stays at home. Regulators like borders because borders are legible. Procurement frameworks can audit local facilities more easily than diplomatic cloud enclaves scattered across allied territory.
Yet the battlefield is forcing a more mature definition. A national identity database that is perfectly compliant but physically destroyed is not sovereign in any meaningful operational sense. A health registry that remains legally controlled by the state but can fail over to an allied jurisdiction during wartime may be more sovereign because it remains usable.
AI Makes the Target Richer and the Blast Radius Wider
Traditional cloud workloads were already important. AI workloads make the stakes larger because they concentrate scarce inputs: accelerators, datasets, model weights, power, cooling, and specialised talent. A major AI campus is not merely a hosting site; it is a factory for state capability and commercial advantage.That changes how adversaries think about disruption. Destroying or disabling a compute cluster may slow model training, interrupt inference services, break government automation, degrade surveillance and targeting systems, and frighten insurers and lenders. The physical attack need not permanently destroy all data to achieve strategic effect. It may only need to prove that the infrastructure is not politically or financially safe.
This is why the insurance point matters. The future of AI infrastructure will not be decided only by where electricity is cheap or tax incentives are generous. It will be decided by where interruption risk can be priced, where sovereign guarantees are credible, and where military protection is assumed rather than improvised.
The capital markets will notice. A region can subsidise land, power, and construction, but it cannot easily subsidise away the perception that facilities might become targets during regional escalation. Once that perception sets in, every financing model becomes more conservative.
Cyber Resilience Is Not Enough When the Power Grid Is Burning
Ukraine also shows that data-centre risk is not limited to direct strikes on servers. Russia’s attacks on Ukraine’s energy infrastructure caused widespread downstream failures because data centres depend on power systems, fuel logistics, telecoms, and repair crews. Digital resilience rests on physical systems that are themselves vulnerable.That is the part of the cloud story ordinary users rarely see. An availability zone is only as available as its grid connections, backup generators, cooling capacity, network paths, and human operators. Cybersecurity teams can defend identity systems and monitor intrusions, but they cannot patch a transformer destroyed by a missile.
The same logic applies in the Gulf. Even if a data centre is hardened, it relies on airports, ports, fuel supply, subsea cables, satellite links, water systems, and regional airspace stability. Modern infrastructure is resilient in layers, but it also fails in layers.
That means data defence must become a civil-defence and national-security problem, not just a cloud architecture problem. The sysadmin’s runbook and the general’s contingency plan now overlap more than either profession may like.
The Private Sector Cannot Be the Shield of Last Resort
One of the more uncomfortable implications of Ali’s argument is that private technology companies are being pulled into deterrence without the powers of sovereign actors. Cloud providers can design resilient systems, but they cannot credibly threaten retaliation. They can suspend service, encrypt data, and shift workloads, but they cannot patrol the skies over Abu Dhabi, Bahrain, Tel Aviv, Doha, or Riyadh.This mismatch creates a governance gap. Governments increasingly rely on private infrastructure for essential functions, then treat resilience as a vendor-management issue. That may work for service-level agreements. It does not work for wartime targeting.
If a cloud region hosts critical public services, then the host state and customer governments need to define who defends it, who pays for its hardening, who gets priority during a crisis, and what legal protections apply when the facility is supporting both civilian and defence-adjacent workloads. Those answers cannot be buried in procurement annexes.
The alternative is strategic confusion. A provider may believe it operates commercial infrastructure. An adversary may believe it is attacking military-enabling infrastructure. A government may claim the facility is critical national infrastructure only after the smoke clears.
Windows Shops Should Not Treat This as Someone Else’s War
For WindowsForum readers, the issue may seem distant until it lands in familiar tools: Azure regions, Microsoft 365 tenants, Entra ID, Intune, Defender, GitHub, Windows 365, backup vaults, and line-of-business applications that quietly depend on hyperscale services. The defence of data is not an abstract geopolitical debate if your identity provider, endpoint management platform, or disaster recovery site lives in the affected region.Enterprise IT has spent years being told to move from local fragility to cloud resilience. That advice still makes sense, but it needs a wartime addendum. Cloud concentration can reduce one class of risk while creating another. A company that has excellent ransomware recovery but no plan for regional cloud unavailability has not finished the job.
The practical response is not panic or a retreat to basement servers. It is architecture with geopolitical awareness. That means knowing which regions your workloads actually use, where backups are stored, whether identity dependencies can survive regional disruption, and whether your vendor’s continuity promises are meaningful under armed conflict.
It also means revisiting assumptions about data residency. Some organisations are legally required to keep data in country. Others choose local residency out of habit, politics, or sales pressure. The distinction matters because optional localisation may become a liability when the local threat environment changes.
The New Cloud Checklist Starts With Geography
The old cloud checklist asked whether a provider had certifications, encryption, role-based access control, backup policies, and uptime guarantees. The new checklist must ask where the facility sits in relation to conflict zones, military bases, contested waterways, drone ranges, cable landing stations, and fragile grids.This does not mean every customer needs a classified threat assessment. It means enterprises should stop pretending that cloud geography is merely a compliance variable. Region selection is now a strategic risk decision.
For global companies, the answer may be multi-region and multi-cloud resilience. For governments, it may be allied data embassies, classified sovereign clouds, or hardened domestic facilities with credible military protection. For smaller organisations, it may be as simple as ensuring backups and identity recovery mechanisms are not trapped in the same geopolitical basket as production.
The important shift is mental. Data is not safe because it is “in the cloud.” It is safe only if the cloud architecture survives the particular threats likely to be applied against it.
The Gulf Will Still Build, but the Pitch Has Changed
None of this means the Gulf’s AI ambitions are finished. Capital, energy, and state direction remain powerful advantages. The region will continue to attract cloud and AI investment because the demand is real and the strategic ambition is not going away.But the pitch has changed. The next generation of Gulf AI projects will have to sell not just scale but survivability. Investors, insurers, customers, and foreign partners will want to know how facilities are protected, how workloads fail over, how data is replicated, and whether political risk has been priced honestly.
That may favour larger players and deeper state involvement. Hyperscale infrastructure was already expensive; hardened hyperscale infrastructure is more expensive still. Smaller providers may struggle to meet the new expectations, while the biggest cloud and AI firms will push for government guarantees, special protections, and clearer rules about wartime liability.
The result could be a more securitised cloud market. The language of innovation zones and AI campuses will remain, but behind it will sit questions usually associated with ports, pipelines, semiconductor fabs, and military bases. Who protects it? Who can attack it? Who absorbs the loss?
The AI Boom Has Discovered Its Blast Radius
The immediate lesson is not that cloud computing failed. In Ukraine, cloud migration helped preserve a state under attack. In the Gulf, the concern is that cloud and AI infrastructure may become too valuable, too visible, and too politically entangled to remain outside the logic of conflict.The deeper lesson is that AI has made data-centre policy a national-security discipline. Compute is becoming a form of power, and power attracts targeting. Governments that want AI sovereignty must therefore answer the defence question with the same seriousness they bring to chips, energy, and military procurement.
A few concrete conclusions follow.
- Data residency rules should distinguish between legal control of data and physical concentration of risk.
- Critical government systems should be designed to survive the loss of a domestic cloud region, not merely a single server or availability zone.
- Cloud procurement should include geopolitical exposure, energy resilience, cable diversity, and wartime continuity as explicit evaluation criteria.
- AI campuses in exposed regions will need stronger hardening, clearer state protection, and more credible insurance structures than ordinary enterprise data centres.
- Enterprises should test whether identity, backup, endpoint management, and recovery systems can function if a preferred cloud region is degraded for days or weeks.
- Private cloud operators cannot substitute for sovereign deterrence, even when their platforms host sovereign functions.
References
- Primary source: Trinidad Guardian
Published: 2026-06-22T00:30:09.165262
The defence of data in the age of AI
Data centres and hyperscale cloud infrastructure are the new victims of war. Hyperscale cloud infrastructure offers unparalleled, rapid scalability for immense computing, storage, and networking demands. Managed by industry leaders such as AWS, Microsoft...
www.guardian.co.tt
- Related coverage: datacenterdynamics.com
Ukrainian hackers claim takedown of Russian data center - DCD
300TB of data allegedly destroyedwww.datacenterdynamics.com - Related coverage: cafe-dc.com
ウクライナのハッカーがロシアのデータセンターを破壊したと主張 | Data Center Café
300TBのデータが破壊された可能性ウクライナのハッカーが、ロシアの何千もの企業や軍が使用するデータセンターを破壊したと主張しています。cafe-dc.com - Related coverage: techradar.com
Iran state media claims strikes on AWS data centers were deliberate, due to its support for US | TechRadar
More unverified claims from Iran media on AWS outageswww.techradar.com - Related coverage: tomsguide.com
‘Complete and utter annihilation’: Iran issues warning over OpenAI's Stargate AI data center in Abu Dhabi worth $30 billion | Tom's Guide
In a video message released by Iran's Islamic Revolutionary Guard Corps (IRGC), the military group threatens to strike OpenAI’s $30B Stargate data center in Abu Dhabiwww.tomsguide.com - Related coverage: theweek.com
Data centers: The new casualties of war | The Week
Expect both hacking and physical attacks during conflictstheweek.com