When data centres become targets of war



Wars are not won the way they used to be. The battlefield has moved into the systems that run modern life. Data centres, submarine cables, satellite links, AI infrastructure. What played out in early 2026 was not a regional flare-up. It was the first confirmed act of a new kind of war, one where the most powerful economic assets a country holds are also the ones hardest to defend.


For most of the internet’s life, nobody seriously thought about hitting a data centre. These were commercial buildings. Civilian infrastructure. The unwritten rules of conflict treated them as off-limits, too economically entangled with the rest of the world to be worth targeting. That thinking is finished.

In early March 2026, Iranian drones hit Amazon Web Services facilities in the UAE and Bahrain. Banks went offline. Payment apps stopped working. Ride-hailing platforms seized up. It was the first time a country had physically attacked commercial hyperscale cloud infrastructure during wartime. The Islamic Revolutionary Guard Corps (IRGC) then published a list of 18 American tech companies it intended to target next, including Microsoft, Google, Apple, Nvidia, Oracle, Meta, Palantir, IBM, Cisco, and Boeing.

Iran’s stated reason was that these companies were providing the digital backbone for US and Israeli military operations. That claim had real substance. Amazon and Google had jointly won a $1.2 billion contract to supply Israel with core cloud infrastructure under Project Nimbus. Anthropic’s Claude, running on AWS, was being used for US military intelligence work and battle simulations. Microsoft’s Azure had hosted Israeli military intelligence data until access was cut in October 2025. The line between commercial tech provider and military infrastructure partner had quietly disappeared. When it went, so did any protection it offered. The cloud is not abstract and untouchable. It has an address, and that address can be hit by a drone.

This is not a tactical shift. It is a doctrinal one. Twentieth century military thinking organised conflict around land, sea, and air. The twenty-first century added cyber and space. Now all five are fusing into a single battlespace where the old boundaries mean very little.

Three things define modern warfare and separate it from every conflict before it. The first is the cost gap. A Shahed-136 drone costs around $20,000 to build and fly. Taking a cloud availability zone offline for 24 hours costs the surrounding economy hundreds of millions of dollars in banking disruptions, failed logistics, and lost commerce. The attacker spends thousands. The defender absorbs hundreds of millions. No military doctrine has solved that equation yet, and that asymmetry is why this model of warfare will keep spreading.

The second is that there is no front line anymore. In every previous form of war, civilians and commerce sat behind one. Today there is no behind. The 2021 Colonial Pipeline ransomware attack shut down 45% of the US East Coast’s fuel supply, affecting roughly 100 million people, and the attacker never left their desk. The 2022 disruption of Viasat’s KA-SAT satellite network, triggered at the start of Russia’s invasion of Ukraine, knocked out communications for wind farms in Germany and emergency services in Poland. Infrastructure in one country can be turned into a weapon against another through pathways that have nothing to do with physical borders.

The third is dual-use convergence. The wall between civilian and military technology is gone. The same AI model that suggests what you watch next can optimise targeting decisions. The same cloud platform that processes payroll can handle signals intelligence. The same submarine cable that carries a WhatsApp message carries encrypted government communications. When civilian and military infrastructure share the same physical layer, every major technology asset becomes what the Law of Armed Conflict calls a potential dual-use target. The Tallinn Manual acknowledged this for cyber operations years ago. March 2026 showed it now applies to drone strikes as well. You do not need to destroy cities to disrupt nations. You only need to disable their systems.

A data centre is not a factory or a bridge. A factory makes one thing. A bridge connects two points. A data centre at scale runs an entire economy in parallel. The AWS UAE region was simultaneously handling banking systems, government databases, AI workloads, logistics platforms, payment processors, and enterprise software for thousands of businesses. Disabling it did not destroy one asset. It degraded an entire digital economy in one move, with four drones.

Through most of the last century, the strategic map was drawn around oil. Nations went to war over fields and tanker routes. Foreign policy rotated around the Strait of Hormuz. Controlling energy meant controlling power in every sense of the word. That logic has not gone away. But sitting alongside it now is something just as consequential: control of data infrastructure.

The Gulf built its global significance on petroleum. Over the last decade it has been trying to build a second identity as the world’s hub for AI and hyperscale cloud. The scale of that ambition is hard to overstate. Stargate UAE is a $30 billion AI campus in Abu Dhabi, ten square miles, developed by G42, OpenAI, Oracle, Nvidia, Cisco, and SoftBank, with a planned compute capacity of five gigawatts. It is the largest AI infrastructure installation outside the US. Saudi Arabia is running a parallel build-out under Vision 2030, with Microsoft, Google, and AWS all committing billions to the region. Total hyperscale investment across the Gulf from 2021 to 2026 exceeds $100 billion. These are not commercial bets. They are the physical nodes of the most strategic resource of this century: Compute power. And they are now, provably, targets.

The strategic map also runs underwater. Seventeen submarine cables pass through the Red Sea, carrying most of the internet traffic between Europe, Asia, and Africa. These cables move financial transactions, cloud data, military communications, and everything in between. They are almost entirely undefended. In 2024, three of them were cut during Houthi activity near Yemen. Similar cuts happened near Taiwan in 2023 and 2025, and near Norway’s Arctic infrastructure in 2021. Kentik’s director of internet analysis said that simultaneously closing both the Strait of Hormuz and the Red Sea data corridor would be globally disruptive in a way the internet has never seen before. In early 2026, both were under threat at the same time.

Strategic infrastructure no longer announces itself with smokestacks or oil derricks. It announces itself with a cooling fan, a server rack, a fibre optic cable on the seabed. The strategic map has been redrawn. Any country that has not updated its security doctrine to reflect that is working from an old map.

Every strategic rupture reshapes who wins and who loses. The targeting of digital infrastructure is already moving investment flows, rewriting foreign policy thinking, and forcing national security frameworks to catch up at a pace most governments have not matched.

The most immediate shift is a repricing of risk across the cloud infrastructure market. The Gulf spent a decade as the growth story of the data centre industry: cheap energy, tax incentives, sovereign wealth fund money, and a geography that made it a natural EMEA hub. That proposition now carries a military risk premium that institutional investors and corporate boards had never modelled before. The question companies are asking today is not what latency advantage a UAE availability zone offers. It is what happens to their business if a drone hits it.

The clear beneficiaries are stable jurisdictions with low conflict exposure and predictable legal systems. The Nordic countries have always offered cold ambient temperatures that cut cooling costs by up to 40%. Now they offer distance from the front too. Singapore, Canada, and interior US regions are all seeing stronger interest from operators rethinking their geographic footprint. Underground facilities are no longer a niche product. A purpose-built underground data centre in Kansas, modelled on Cold War Atlas-F missile silos and engineered to withstand a blast at a 1,000-foot radius, was recently quoted to a corporate buyer at $64 million. Twelve months ago, that conversation would not have taken place.

The harder consequence is fragmentation. For 30 years the world built toward a borderless global cloud, optimised entirely for performance and cost. That model rested on the assumption that infrastructure was neutral. It is not. What is taking shape instead is sovereign cloud architecture: Facilities inside national borders, under national law, insulated as far as possible from foreign geopolitical risk. China built this by design. Russia was pushed into it by sanctions. Everyone else is arriving at it through conflict. Cross-border data flows contribute more to global GDP than the physical trade of goods, according to McKinsey Global Institute research. As digital infrastructure fractures along sovereign lines, the friction costs of the global economy rise with it. The era of a seamlessly global cloud is giving way to a more fractured, security-driven architecture, and the economics of digital globalisation are shifting with it.

India does not usually appear in conversations about digital warfare. It should. India is one of the three largest digital economies in the world, one of the fastest-growing cloud markets anywhere, and one of the few major democracies that has made a serious early attempt at sovereign digital architecture. But it has not yet connected those facts into a coherent national security position. That needs to change now.

The vulnerability is real and immediate. UPI processed over 18 billion transactions worth roughly $380 billion in December 2024 alone. Aadhaar covers 1.4 billion people. Government platforms handling taxation, land records, and public services all run on foreign-controlled hyperscale infrastructure. AWS, Microsoft Azure, and Google Cloud collectively dominate the Indian enterprise and government cloud market. In peacetime that dependency is manageable. In a conflict involving any of those companies’ home nations, or in a scenario where India’s own geopolitical friction with a capable adversary intensifies, it becomes a sovereign risk with no easy exit.

India’s cable exposure compounds this. Mumbai and Chennai handle the vast majority of India’s international internet traffic as the primary submarine cable landing points. Those cables run through the Red Sea, the Arabian Sea, and the Strait of Malacca, three of the most contested maritime corridors on the planet right now. Cutting two of those systems simultaneously would not slow Indian internet. It would impair financial clearing, trade logistics, and the government’s ability to communicate and coordinate during a crisis.

But India’s position is not only one of exposure. Handled correctly, this moment is also an opening. India sits outside the most immediately contested conflict zones. Its democratic legal system gives it credibility on data sovereignty commitments that authoritarian alternatives cannot match. Its domestic technical base is capable of building and operating infrastructure at national scale. Through the India Stack and the Digital Public Infrastructure framework, India has built national-scale digital systems that no other comparable economy has replicated. And as the world’s largest democracy navigating a multipolar world, India has both the incentive and the standing to offer itself as a neutral, trusted hub for sovereign AI and cloud infrastructure.

That means building genuine domestic hyperscale capacity, not just data localisation rules, but infrastructure that can serve other nations looking to move workloads out of conflict-adjacent regions. The National Data Governance Framework and the India AI Mission need to model kinetic attack scenarios, not just cyber intrusions. Physical security standards for data centres classified as critical national infrastructure need to be rewritten around drone threat assessment and anti-UAS requirements. None of those standards existed anywhere two years ago.

India’s defence establishment also needs to face a question the March 2026 strikes put on the table directly: At what point does a technology company supporting India’s military or intelligence operations become a legitimate target for a state adversary? The answer shapes where data gets stored, with whom it is shared, under what constraints, and with what backup. This is not a question for the CTO. It is a question for the National Security Council.

There is a larger play here too. The world is actively looking for a major power that can offer sovereign AI infrastructure without the imperial baggage of US hyperscalers or the adversarial reputation of Chinese technology. Countries across Africa, Southeast Asia, and the Global South want an alternative to choosing between Washington and Beijing. India, with its democratic track record, its technical depth, its neutral positioning in the US-China rivalry, and its proven DPI architecture, is the most credible candidate for that role. But that window does not stay open indefinitely. India has the architecture, the credibility, and the geopolitical positioning to become the world’s most trusted sovereign AI hub. But only if it moves now.

Reactive is not good enough anymore. Hardening buildings after they have been struck, diversifying cloud regions after a disruption, reclassifying data centres as critical infrastructure after a nation-state has already proven them legitimate targets: this is an industry and a governance system that is always one conflict behind. The threat has a doctrine. The defence needs one too.

Start with the fundamental reality that commercial data infrastructure and military security infrastructure are no longer two separate things. The same building that processes a bank’s payments may be running a government’s AI logistics system. The same cable carrying a streaming platform carries encrypted military traffic. Operating digital infrastructure as though those functions can be kept separate is a fiction. The events of 2026 ended it.

Physical hardening has to be rebuilt from scratch with the rigour the energy sector brought to offshore platforms in the 1970s, or that the financial sector brought to trading floors after 9/11. That means reinforced structures rated against blast and fragmentation from loitering munitions. It means active counter-UAS systems around facility perimeters: RF jamming, electro-optical detection, kinetic interceptors where law permits. It means routing power and cooling underground so aerial reconnaissance cannot map the targeting vectors on the surface. It means backup power reserves sized for a 21-day conflict scenario, not a 48-hour IT outage. The US DoD’s Joint Counter-UAS Office published guidance in January 2026 calling for exactly this kind of layered physical hardening at critical infrastructure sites. Commercial operators in or near conflict-adjacent regions need to pick that up and run with it.

Geographic strategy needs to shift from cost optimisation to risk-adjusted design. The industry’s instinct to build close to demand centres produces a concentration that makes commercial sense and strategic none. A risk-adjusted architecture spreads compute across multiple jurisdictions with different geopolitical exposures. It keeps warm standby capacity in stable regions outside the main operational footprint. It builds active-active multi-region failover that needs no human decision in the first 72 hours of a crisis. A 99.99% uptime SLA written on the assumption that no drone will ever hit the facility is not a continuity plan. It is a liability.

Governments need to reclassify commercial data centres as critical national infrastructure, placing them alongside power generation, water systems, and financial market infrastructure in terms of mandatory security standards and emergency response obligations. That reclassification unlocks the policy tools that matter: Shared air defence coordination, mandatory security investment floors, government-to-industry threat intelligence sharing, and a legal basis for private operators to work directly with national defence establishments on physical protection. Without it, technology companies are defending assets of national strategic importance using corporate risk budgets. That mismatch does not get fixed by better perimeter fencing.

The international legal framework is also broken in ways that will cause serious harm if left unaddressed. The laws of armed conflict were not written for a world where commercial cloud runs military operations. The Tallinn Manual covers cyber operations but its application to physical strikes on dual-use digital facilities is still contested. The Cuba Submarine precedent from 1898, where a US military tribunal ruled that private infrastructure supporting enemy military functions could be struck without compensation, is already appearing in legal analyses of the 2026 strikes. Every cloud operator hosting government or military data in a conflict-adjacent region has a liability exposure it has not yet priced. These questions need resolution in international forums before the next conflict.

There is always pressure, after a shock, to call it an anomaly. A specific conflict, specific parties, specific grievances. Something that can be filed under regional instability by executives whose data centres sit in Virginia or Frankfurt and who figure the problem belongs to someone else. That reading is wrong.

What happened in the Gulf was a demonstration. A proof of concept, executed by a state actor at scale, with a public declaration of intent to repeat it. The IRGC’s list of 18 target companies was not impulsive. It was a strategic assessment that reached a correct conclusion: These companies are critical nodes in western military and economic infrastructure, they are physically exposed, they are poorly defended, and hitting them produces outsized effect at low cost. Other state actors are watching. So are non-state actors. They are drawing their own conclusions.

The choice now is not complicated, even if acting on it is. The world can keep treating digital infrastructure as a commercial ecosystem governed by market logic and SLA contracts, and absorb whatever vulnerability that brings. Or it can treat it as what it actually is: the central nervous system of modern power, which deserves the same sovereign protection as a power grid, a port, or a military base.

The engineers who build these systems, the executives who run them, the investors who back them, the policymakers who regulate them, and the military planners who depend on them are all operating inside the same new reality. The infrastructure of the digital age is visible to adversaries now. It is targeted. It is vulnerable. The window for building the doctrine and the defences that can protect it closes a little more with each conflict that confirms the precedent.

The next war will not open with a missile strike alone. It will open the way this one did: A server going dark, a payment system failing, an AI model going quiet. The question is not whether that happens again. The question is whether anyone is ready for it when it does.

This article is authored by Major Akash Mor (retd), strategic management consultant, and Sumit Kaushik, social impact and public policy consultant.

