Your Cloud App Shares a Server With the Military

Your food delivery app went down. So did mobile banking across the Gulf. The cause wasn't a software bug — it was a drone strike on an Amazon Web Services data center. And the reason it was a target? The same servers processing your dinner order were reportedly running military AI systems.

What Happened

Iran struck AWS data centers in the Persian Gulf, citing their role in supporting U.S. "military and intelligence activities." Tehran then named 18 tech companies — including Amazon, Google, Microsoft, Nvidia, Palantir, and UAE-based AI firm G42 — as "legitimate targets." AWS declined to confirm whether its Gulf facilities processed military data.

The outages cascaded immediately: banks offline, food delivery halted, mobile payments frozen — not just in the Gulf but in markets well beyond. The disruption was a live demonstration of how deeply AI infrastructure has been woven into the fabric of daily civilian life.

This wasn't a random act of cyber warfare. It was a calculated signal about where AI-era conflict is heading.

The Structural Problem Nobody Wants to Fix

The root cause isn't geopolitics. It's a business model.

Co-tenancy agreements are standard practice in cloud computing. That means a regional bank's transaction data, a hospital's patient records, and a military AI system running targeting simulations can all live on the same physical server rack. It's efficient. It's cheap. And it's now a liability.

Mahmoud Abuwasel, disputes partner at law firm Wasel & Wasel, put it plainly: "Intertwining civilian and military data inadvertently strips these facilities of their civilian protections under the laws of armed conflict."

The legal implication is significant. Under international humanitarian law, a facility loses its protected civilian status when it makes an "effective contribution to military action." Once that threshold is crossed, it becomes a lawful target — regardless of how many civilian applications share its infrastructure.

AWS didn't create this problem alone. As Miah Hammond-Errey, founding CEO of risk consultancy Strat Futures, wrote: "Governments have integrated classified military and intelligence systems so deeply into commercial infrastructure that shifting becomes impossible under fire."

Sponsored

Advertise with Us

[email protected]

Sponsored

Three Fixes, Three Problems

The industry is weighing its options. None are clean.

Option 1: Ditch the hyperscaler. Data centers hosting more than 5,000 servers across 900+ square meters are efficient precisely because of their scale — and visible precisely for the same reason. Oxford professor Viktor Mayer-Schoenberger sees a potential shift toward smaller, geographically distributed facilities. "Lots of small data centers with randomly distributed backup copies are more resilient," he said — but also "harder to build, more costly to maintain, and less effective."

Option 2: Data embassies. The concept: a data center on foreign soil that operates under the host country's law but the guest country's sovereignty. Estonia and Monaco already run data embassies in Luxembourg. Saudi Arabia's draft AI law includes a provision for them. Nada Ilhab of Access Partnership calls the model "elegant in theory but highly complex in practice" — requiring bilateral treaties, with no global legal framework to backstop them.

Option 3: Separate military from civilian systems. The most legally sound approach. Also the hardest to enforce. With data center demand outpacing supply, operators hold the leverage — and militaries can invoke national security to demand access. Businesses can ask for transparency about co-tenants, but in a seller's market, they rarely get it.

The Cost Is Already Cascading

Prabhakar Posam, CIO of Dubai-based logistics firm Transworld Group and an AWS client, didn't mince words: "Costs will increase, and quite sharply. These increases will not stay contained — they will cascade across customers, vendors, and financial structures, eventually being pushed down to end customers. Many businesses simply won't be able to sustain this kind of pressure."

Consulting firm McKinsey estimates AI data centers alone will require more than $5 trillion in total capital expenditure. Global data center capacity is projected to reach 200 gigawatts by 2030 — double current levels. That investment was priced assuming relative physical security. The Gulf strikes have just changed that assumption.

For enterprises, the new math includes multi-region disaster recovery, hardened infrastructure, and war-risk insurance premiums. For consumers, it means higher prices for services they assumed were purely civilian in nature.

Who's Responsible — and Who's Liable?

The legal and political accountability here is genuinely murky.

Klaudia Klonowska, a post-doctoral researcher in law and AI at Sciences Po Paris, argues that states bear an obligation: "Countries can — and legally are obliged to — ensure that their military activities do not endanger the aspects of civilian life that rely on data centers. The most effective way is to clearly separate their use of data centers from those used by the military."

But that obligation sits with governments, not cloud providers. And governments — particularly those racing to integrate commercial AI into defense systems — have little incentive to slow down voluntarily.

For tech companies, the calculus is equally uncomfortable. Accepting military contracts is lucrative. Disclosing those contracts to civilian co-tenants is not required. And the reputational and physical risk of being named a military target is, until recently, something most firms hadn't priced into their Gulf expansion plans.