For the first time in military history, private-sector commercial data centers have been deliberately targeted and damaged in an active armed conflict, and it could mark the beginning of a dangerous new precedent.
In March, Iranian drone strikes hit Amazon Web Services (AWS) facilities in the Gulf, two in the United Arab Emirates (UAE) and one in Bahrain, triggering widespread civilian service disruptions across the region. Later Iranian attacks further damaged AWS facilities in Bahrain in March and April. The full scope of the damage remains unclear, but Amazon says restoring services completely will likely take months. According to civil society reports, US and Israeli forces struck at least two data centres in Tehran, including one reportedly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC.).
At SMEX, we are investigating the legal and technical dimensions of this development in greater detail, and one thing has become clear: data centers are the latest example of the dangers of blurring the lines between military and civilian tech. That’s because these types of “dual-use” technologies also blur important lines between civilian and military targets.
Our position is that data centers should not be considered lawful targets under international humanitarian law. However, governments, data center operators, and the companies that lease from them must undertake precautions to ensure that going forward, data centers do not become lawful targets.
Ten days after the strikes on the AWS facilities, Iran’s Tasnim news agency issued a warning that US companies who have supplied technology to the Israeli military are legitimate targets, claiming that “as the scope of the regional war expands to infrastructure war, the scope of Iran’s legitimate targets expands.”
The warning included around 30 sites linked to Google, Microsoft, Palantir, IBM, Nvidia, and Oracle, calling them “enemy technology infrastructure.” According to Euronews, “most locations were selected due to their involvement in developing artificial intelligence (AI) systems or because they coordinate cloud computing services across the Middle East.” SMEX notes that these services could include, among other uses, AWS’s US military contracts, the use of AI for targeting, and satellite imagery support to the US military.
Given their role in daily life, the question of who is responsible for what happens inside data centers can no longer be deferred. Governments and operators must be transparent and there must be a clear firewall between military and civilian uses of these ubiquitous features of modern life. This article explains why, and what must change.
What are data centers?
A data center is a building or collection of buildings that houses the infrastructure powering apps, cloud services, and data storage for businesses, governments, and individuals. The core components include servers, networking equipment, power and cooling systems, and redundancy infrastructure (backups).
Data centers are organized into regions and availability zones. Cloud regions refer to geographic areas. For example, “me-south-1” refers to the location of Amazon Web Services (AWS) servers in Bahrain. Within regions, availability zones are geographically separated clusters of one or more physical buildings, designed with redundancy to reduce the risk that a single incident takes down all services simultaneously.
Typically, when someone says “the cloud” they are referring to the data stored on this infrastructure, and not the physical locations themselves. In order to understand why data centers are important, it’s necessary to emphasize what this infrastructure does. Microsoft’s FAQs for its cloud services note that “social media platforms like Facebook and WhatsApp use cloud computing,” as do “streaming services such as Netflix, Spotify, and Xbox Cloud Gaming.” More importantly, healthcare, education, and digitalized government services increasingly rely on cloud computing to provide essential services. These can all be disrupted for civilian populations when enough data centers are struck.
Who ‘runs’ and ‘owns’ datacenters?
Some data centers are owned and operated by one company. AWS is the most well known example of this, and is prevalent in the WANA region. AWS operates two cloud regions in the Gulf, Bahrain and the UAE. Each of these consist of multiple availability zones. Microsoft and Google operate data centres in Abu Dhabi, Dubai and Saudi Arabia.
Data centers can also be owned by third parties that rent out space to big tech companies. The Gulf market includes a significant layer of local and regional data center operators that provide colocation services by renting physical space, power, and connectivity to companies that operate their own servers.
The GCC states (UAE, KSA, Bahrain, Qatar, Kuwait and Oman) have invested aggressively in becoming a global hub for cloud computing and AI infrastructure. Currently, there are estimated to be over 200 data centres across the Middle East region. There are many human rights related concerns about this expansion, and now these strikes are threatening external investments in the Gulf as well.
At least one data center operator from the UK, Pure DC, has “paused all investments” in the region following damage to one of its UAE facilities.
The attacks
When a drone strikes a building, the damage to the servers and other systems inside are what disrupts “the cloud.” The drones that struck multiple AWS facilities in the UAE in March caused sufficient damage to cause outages.
The attacks disrupted the services of popular delivery and taxi platform Careem, payment companies Alaan and Hubpay, and enterprise software provider Snowflake.
AWS confirmed: “These strikes have caused structural damage, disrupted power delivery to our infrastructure, and in some cases required fire suppression activities that resulted in additional water damage.” The company warned that recovery would be “prolonged given the scale of damage” and advised customers to migrate workloads out of the Middle East regions.
Civilian impact
Data centers form the backbone of modern digital infrastructure. The full impact of their destruction on everyday lives is difficult to assess, partially because a lot of the information available about them focuses on their environmental impact or are written from a commercial perspective.
Nearly all mobile apps depend on data centers to function, as does payment processing. As the WANA region rushes towards digitization, from digital ID to AI-powered citizen services, the impact could be even greater in the future. Widespread outages could affect government services, including schools, and hospitals that are increasingly relying on data centers. Schools could lose access to online exams, businesses could be unable to take payments, social media platforms could become nonfunctional, and even messaging apps like WhatsApp could cease to function. Hospitals could lose access to patient records and make mistakes with medications or miss surgeries, potentially leading to fatal consequences.
Impacts of physical attacks on data infrastructure can cascade across the entire digital ecosystem that civilian populations depend on daily.
International Humanitarian Law and targeting data centers
Warfare is governed by a set of legal principles known as “international humanitarian law” (IHL) or the “law of war.” IHL is a patchwork made up of treaties, customary international law and general principles of law. This article is not a legal treatise, but it is important to understand that striking purely civilian targets is not allowed under IHL; this is the principle of “distinction,” i.e. distinguishing between civilian and military targets.
Targets that are arguably both civilian and military present a challenge under this framework. For such “dual-use” targets, IHL analysis considers “precautions” and “proportionality.” The former refers to whether any precautions can be taken to minimize the impact on civilians. The latter considers these precautions and then asks if the military advantage expected is greater than the collateral damage anticipated.
Data centers present a “dual-use infrastructure” challenge. They can simultaneously host civilian applications (banking, healthcare, education, governmental services, etc.) and military workloads. Analysis from Just Security argues that “data centers supporting military intelligence processing, AI-enabled applications, or operational planning may become lawful targets if their destruction provides a definite military advantage. Yet their simultaneous support for extensive civilian services […]makes assessing the expected collateral damage and the need for, and feasibility of, precautions in attack particularly difficult.”
What next
Globally, the militarization of technology is moving forward at a breakneck speed, and the line between civilian and military is blurring. While the destruction of data centers at this point likely causes far more civilian damage than military advantage, this may not always be the case. It’s time for every player in the data center ecosystem to commit to a more rigorous separation of civilian and military data center uses; that can take the form of government regulation and data center operator policies. This must also include sustained pressure on big tech companies like Google when it comes to both explicitly taking on military contracts and implicitly providing support to militaries worldwide.
As SMEX’s Executive Director Mohamad Najem points out, “Any strike targeting data centers is a strike against our civic spaces. Data centers are now as strategic as the electric grid or sewage systems. Targeting them threatens public lives. Countries must de-escalate these kinds of attacks from all parties. When data centers go dark, essential services and economies could follow.”
Many thanks to international humanitarian law expert Mina Radončić for her invaluable insights for this article.
If you are a tech worker and you are interested in being part of tech worker organizing on this issue, please check out the Tech Workers Coalition.
If you want to learn more about the militarization of tech, please check out Privacy International’s Militarization of Tech project page, and keep your eyes out for more upcoming research on the militarization of tech from SMEX.