On 1 March, three data centres in the Gulf belonging to Amazon Web Services were the target of drone strikes amid ongoing hostilities in the Middle East. This marked the first documented time that such commercial data centres have been deliberately targeted as part of a military operation. This has far-reaching implications for international peace and security, digital governance, artificial intelligence (AI) in the military domain, and international humanitarian law.
It highlights the importance of data centres and of access to computing power (“compute” for short) as enablers of AI-driven capabilities. It also points to a clear step up in the steadily growing role and responsibility of private technology actors in 21st century warfare.
The role of the commercial cloud in warfare
It is first worth setting out why commercial data centres may be seen as targets, and what role they – and cloud computing more generally – play in modern military operations. Data centres are the physical backbone of the digital infrastructure that enables much of the digital capabilities now required by military operations.
Cloud computing enables access to the vast quantities of compute needed to train and deploy AI algorithms as well as to store, move and analyse data. Data centres are therefore a key element in the ability of modern militaries to leverage AI for autonomous capabilities, decision-support systems, data-fusion, intelligence, surveillance and reconnaissance capabilities and targeting. No public information, however, exists to ascertain whether these specific data centres were directly contributing to ongoing military operations.
The role of AI in military operations is continuing to expand as battlefields produce ever more sensor data and require more compute. Operations are thus becoming increasingly reliant on ever more – and faster – collection, fusion and analysis of data. With these changes, the role of commercial cloud service providers (CSPs) – the only ones currently capable of managing such scale – is only likely to grow.
Security implications of targeting data centres
Targeting data centres has clear security implications.
- First, the reliance by armed forces on commercial CSPs intertwines military applications with the infrastructure that supports civilian digital applications. As the same data centres support both military and civilian workloads, strikes against them carry a dual risk: they elevate the threat to civilian infrastructure and they lead to cascading effects across civilian life, triggering service outages and possible material effects.
- Second, the targeting of data centres raises questions about how to defend such infrastructure. Hyperscalers – the companies operating the largest data centres – boast advanced cybersecurity capabilities and contingency plans for natural disasters that enable them to ensure service continuity. However, these data centres are built for and considered as commercial enterprises. They are not equipped – or even conceptualized – to deal with military threats. Often the size of small cities, data centres are both difficult to hide and extremely costly to secure against kinetic threats.
- Third, as a globally distributed network, data centres need not reside within a State’s borders to serve their purpose. The free flow of data and workloads across borders is, in many respects, a defining feature of modern cloud architecture. Yet, this means that the digital backbone underpinning military capabilities may be distributed geographically across the territory of neutral States. This carries profound implications for conflict should data centres increasingly become targets. A belligerent may, theoretically, be compelled to target infrastructure well beyond the theatre of active hostilities to deny its adversaries access to their cloud enabled-capabilities. Such strikes risk expanding the borders of a conflict, and so may contribute to escalation dynamics and negatively affect regional security.
Legal ramifications of targeting data centres
The legal implications that stem from these strikes relate in particular to international humanitarian law and the extent to which the private sector may be affected. While States remain the primary subjects of international humanitarian law, a host of implications emerge for industry.
First, a data centre that serves both civilian and military purposes may constitute a legitimate target as a consequence of its potential status as a military objective if it is found to
“make an effective contribution to military action and [if its] total or partial destruction . . . in the circumstances ruling at the time, offers a definite military advantage”
as a result of its nature, location, purpose or use. In the context of data centres and, more generally, digital infrastructure, the crux lies in the extent to which their destruction would offer “definite military advantage”. The assessment of this advantage must be independent of the existence of redundancy measures in the event of damage to this particular facility.
Second, the destruction of digital infrastructure in war points to States’ obligation to take
“all feasible precautions to protect the civilian population and civilian objects under their control against the effects of attacks”.
This issue is of particular importance given the potential second- and third-order effects that their destruction may have on civilian life and the humanitarian sector, where connectivity may constitute a critical enabler. Whether feasible precautions would require the strict, physical separation of civilian data centres from the military or even added measures (either by the States hosting or benefitting from a data centre or by the technology provider) to secure and protect these facilities. Regardless of which actor takes which steps, the importance of clarifying these questions and the expected distribution of roles and responsibilities is further emphasized by the “increased meshing” of civilian and military cloud technologies.
Third, in addition to destruction of the physical hardware, another question arises as to whether the data hosted in dual-use data centres could, itself, constitute a lawful military objective. If this is the case, then the data could be subject to attack by way of (partial) destruction of the infrastructure that hosts it. This issue is of particular relevance due to the increased integration of AI into military systems – and the dependence of these technologies on data throughout their life cycle.
Beyond the technology, the possible targetability of staff working at these data centres arises. While civilians are, in principle, protected from attacks under international humanitarian law, they may lose their protection if they are found to be directly participating in hostilities. Independently of whether contributing to the operation of a dual-use data centre could constitute direct participation in hostilities, this question is of particular importance in the light of today’s technology-heavy defence landscape.
This trend may, subsequently, require the presence of technical personnel, such as engineers, in or near the frontlines for maintenance and other operational functions critical to the deployment and use of military capabilities. There is precedent of such maintenance workshops being established by governmental armed forces. However, States’ dependence on the private sector for military capabilities – extending beyond weapon systems to data centres and other technological infrastructure – is growing. This may lead in the foreseeable future to the deployment in the battlefield of civilian engineers and technicians from technology suppliers to ensure the continued operation and maintenance of that infrastructure.
The need for structured engagement between the public and private sectors
These observations ultimately attest to two realities.
The foremost of these is that risk assessments and mitigation measures for both the public and the private sectors will inevitably evolve from traditional structures. While the destruction of military factories is far from being a novel strategy, the increased reliance on dual-use digital infrastructures such as data centres further emphasizes the need for both States and technology suppliers to re-evaluate their risk assessments.
The large prime contractors in the defence industry may already have established structures and processes for such risk assessments. To the extent that their facilities may be military objectives, technology companies should follow suit if they are to supply, even remotely, capabilities to the military. To this end, States and the private sector should clarify expectations with respect to the distribution of roles and responsibilities, including in the context of risk assessments and mitigation.
The other, equally significant, reality is that the need for structured engagement between the public and the private sectors is now more evident than ever. Beyond risks assessments and clarity on the distribution of roles and responsibilities, establishing shared expectations could ultimately foster predictability, mutual trust and accountability and could contribute positively to international peace and security. States and non-state actors (including industry) have engaged extensively since 2018 on information and communications technologies (ICTs) in the context of international security as part of two United Nations open-ended working groups. The upcoming Global Mechanism on ICT in the context of international security subsequently provides an opportunity to deepen the multi-stakeholder dialogue on, among other things, voluntary norms and international law, particularly the protection of dual-use infrastructure and data.
Specifically on AI, UNIDIR in partnership with the Office of the United Nations High Commissioner for Human Rights launched an initiative dedicated to the development of a Framework of Responsible Industry Behaviour for AI in the Military Domain. The framework seeks to provide a practical and actionable set of voluntary guidelines firmly grounded in international law and norms, to be co-developed in collaboration with industry actors and governments.
As the boundary between commercial cloud computing and the military domain continues to blur, the strikes on the data centres in the Gulf confirm that digital infrastructure is not only the backbone of our society, but that it also lies on the frontline of modern conflict. The engagement of the international, multi-stakeholder community with governance processes, including within the United Nations, is now more critical than ever to ensure that current and future infrastructure fosters international peace and security, and does not become the catalyst for escalation and conflict.
