Cloud to ground: Iran puts foreign data centres on the front line

When Iranian drones struck hyperscale cloud data-centre facilities in the United Arab Emirates and damaged infrastructure near Bahrain on 1 March, they did not just target military bases. They also targeted server farms. That distinction matters more than it might appear.

For decades, data centres were treated as oversized commercial warehouses. Today they underpin government identity systems, financial networks, logistics chains and the AI-enabled targeting and intelligence platforms that define modern military advantage. The integration of companies such as Anthropic and Palantir into US and allied defence applications—fusing large-language-model reasoning with operational data to accelerate targeting cycles and intelligence synthesis—runs on exactly this infrastructure. And that infrastructure is physical. It appears on satellite imagery. It has addresses, power feeds, cooling systems and fibre runs. It can be hit.

The Gulf strikes caused structural damage, power disruption and water damage from suppression systems. Some computing tasks went offline. What is more instructive is what didn’t collapse, and why. Hyperscale cloud architecture is engineered around anticipated failure: workloads are distributed across availability zones, data is automatically replicated and services are reconstituted when nodes go dark. The systems that kept running were not the most heavily fortified; they were the most intelligently distributed. That is a central strategic lesson.

Incident reporting from the affected Gulf facilities illustrates the point. Even where an individual data centre was disrupted, traffic was rerouted and workloads shifted to other availability zones and regions. This showed that while service levels may degrade temporarily, the alternative in a single-site architecture would be far worse: total outage and no rapid path to recovery.

Even if Iran failed to cause lasting disruption to the data centres this time, it understands something Western infrastructure planners are now absorbing: you do not need to destroy a system to degrade it. Economic dislocation, operational delay and the signalling value of demonstrated reach into critical infrastructure are ends in themselves. A strike that triggers a 48-hour cloud outage in a Gulf financial hub achieves effects disproportionate to its cost. As AI-enabled capabilities become more deeply embedded in allied operational and intelligence workflows, the physical infrastructure beneath them becomes a more attractive target still—not despite its criticality, but because of it.

This reframes the cloud-sovereignty debate in ways that Washington, Whitehall, Canberra and Brussels are now grappling with. The argument for national self-reliance in cloud services has long centred on jurisdiction—who owns the infrastructure, where data sits, which courts govern access. Those questions remain legitimate, but relying solely on a nationally owned data centre that goes dark when struck offers little strategic autonomy. A distributed architecture that maintains continuity under attack does.

That’s because self-reliance, in an operational sense, is a function of resilience.

Domestic capability therefore matters—but in combination with trusted allied networks that keep systems running when individual nodes fail.

That is where the engineering logic of hyperscale cloud providers now intersects directly with national security. The tens of billions spent by commercial platforms on global redundancy were not defence investments. But they have produced infrastructure that behaves under pressure more like a survivable military network than any traditional government IT facility. The policy questions this creates are, at root, engineering questions: how many regions can a critical workload fail over to, how quickly can services reconstitute, and how independent are the power, network and software layers beneath them?

Russia’s campaign against Ukraine has already demonstrated that digital infrastructure is not immune from physical targeting. The recent strikes in the Gulf should therefore not be treated as anomalous; rather, they reinforce a pattern that has been visible since 2022. They mark the further embedding of a targeting policy that state and non-state adversaries should be expected to apply with increasing sophistication. Digital infrastructure has a physical presence that can be struck like any bridge, port or power station, and adversaries capable of reading a satellite image are entirely capable of reading a data centre campus map.

Governments and defence organisations that continue to treat cloud architecture as a procurement question rather than a strategic one risk misreading a shift in conflict that is already playing out. The systems that will endure aren’t necessarily the most tightly controlled or the most heavily guarded; they are the ones designed, from the ground up, to absorb disruption and keep running. In the most literal sense, the cloud has come to ground.