Technology

Iran declared AWS, Google, and Microsoft data centers military targets. The legal and strategic fallout is just beginning

In late March 2026, Iran’s military leadership formally declared that AWS, Google, and Microsoft data centers hosting U.S. defense workloads constitute legitimate military targets under international law, and the statement landed with a weight that most people in the cloud industry still haven’t fully absorbed. The declaration invoked the principle of distinction under the Geneva Conventions to argue that these facilities, which host classified Pentagon AI systems alongside civilian infrastructure, have forfeited their civilian status. What makes the claim so destabilizing is not that it comes from Iran, but that the legal logic underlying it is genuinely difficult to refute.

The U.S. Department of Defense awarded its JWCC contract, worth up to $9 billion, across Amazon Web Services, Microsoft Azure, Google Cloud, and Oracle, and those contracts place classified and unclassified military workloads, including AI-driven intelligence analysis, logistics planning, and battlefield communications, onto the same commercial cloud platforms that host consumer streaming services, banking applications, and hospital record systems. A single AWS availability zone in Northern Virginia might simultaneously process classified Pentagon data, run a major bank’s transaction systems, serve Netflix content, and host a hospital’s electronic health records. The mixing isn’t a bug. It’s the business model, and it’s what makes Iran’s legal argument land so uncomfortably close to the center of international humanitarian law.

I’ve been tracking the vulnerability of concentrated digital infrastructure for weeks now. In my recent piece on orbital data centers, I looked at how SpaceX, Amazon, and Google are exploring space-based computing partly as a hedge against terrestrial risk. But the terrestrial risks are moving faster than any of those moonshot projects. The risk isn’t theoretical anymore. It’s pricing itself into insurance premiums and co-tenancy agreements right now.

The contracts that created the problem

The conventional wisdom about data centers always treated them as civilian infrastructure, full stop. Neutral territory. The cloud, after all, was supposed to abstract away geography: you didn’t need to know where your data lived because it was everywhere and nowhere, replicated across regions, protected by the sheer logic of distributed systems. That framing was always a fiction, but it was a useful one. What’s becoming clear now is something more uncomfortable: by hosting Pentagon workloads alongside Netflix queues and banking platforms, AWS, Google, and Microsoft have turned their commercial data centers into something international humanitarian law never anticipated, facilities that are simultaneously civilian infrastructure and legitimate military objectives.

The CIA’s Commercial Cloud Enterprise (C2E) contract — awarded to AWS, Microsoft, Google, Oracle, and IBM — runs intelligence workloads on infrastructure that is, at the physical layer, intertwined with commercial operations. The NSA has similar arrangements. Palantir, which provides AI-driven intelligence platforms to the Pentagon and allied governments, depends on these same hyperscale data centers to run its systems.

I should note something about my own position here. I’ve written about Palantir’s surveillance operations before, and I’ve had to confront the fact that I owned Palantir stock while doing so. The company has long occupied the grey zone between civilian technology and military intelligence. What’s significant now is seeing Google and Amazon face similar scrutiny, companies whose consumer-facing brands are so dominant that most people forget they are also defense contractors.

The co-tenancy is structural, not incidental. The JWCC contracts were designed to distribute military workloads across multiple commercial providers, and that design choice, which was intended to prevent vendor lock-in and increase resilience, is precisely what spread the targeting problem across every major hyperscaler’s infrastructure. The Pentagon saved money on IT procurement and in doing so may have made every AWS data center in Virginia a legitimate military objective under the laws of armed conflict.

The legal framework that doesn’t work

Under international humanitarian law, specifically the principle of distinction codified in the Geneva Conventions and their Additional Protocols, parties to a conflict must distinguish between civilian objects and military objectives. A military objective is defined as any object which by its nature, location, purpose, or use makes an effective contribution to military action, and whose total or partial destruction offers a definite military advantage.

Here’s where the JWCC contracts create a genuine crisis. A data center running classified military AI workloads unambiguously makes an effective contribution to military action. Under IHL, an adversary could legally classify that facility as a military objective. The civilian data sitting on adjacent servers, your bank records, your medical files, the ride-hailing app routing your driver, doesn’t get its own protective bubble.

Legal experts have noted that intertwining civilian and military data in shared facilities could inadvertently strip these data centers of their civilian protections under the laws of armed conflict. The principle of proportionality still applies: an attacker must weigh the expected military advantage against anticipated civilian harm. But proportionality assessments are made by the attacker, in the fog of war, against targets whose internal workload distribution is opaque from the outside.

This creates a perverse dynamic. The U.S. government integrates classified systems into commercial cloud infrastructure because it’s cheaper and more capable than building separate military networks. But by doing so, it transforms nominally civilian buildings into valid targets, exposing its own citizens to the very attacks it’s trying to project elsewhere. And that dynamic connects directly to the co-tenancy structure I described earlier: the same architectural choice that makes hyperscale cloud computing so efficient is the one that makes it legally indefensible under IHL.

data center security — Photo by panumas nikhomkhai on Pexels

The scale of what’s exposed

The numbers here are staggering and they explain why this problem won’t resolve itself through market forces alone. According to McKinsey, global data center investment represents a multi-trillion dollar race to scale computing infrastructure. Much of this new capacity is being built in the United States, particularly in Northern Virginia, which hosts the densest concentration of data centers on Earth and also sits within striking distance of the Pentagon’s most sensitive cloud workloads.

Much of that investment is going into hyperscalers: massive facilities hosting thousands of servers. These are marvels of engineering and efficiency. They are also, from a military perspective, extraordinarily easy to identify and extraordinarily easy to hit. A single campus-style hyperscale facility in Ashburn, Virginia might concentrate more critical economic and military computing power than any single building in human history.

Miah Hammond-Errey, writing for the Lowy Institute have assessed that potential strikes on data infrastructure demonstrate the direction of AI-era conflict. The assessment is stark: governments have integrated classified military and intelligence systems so deeply into commercial infrastructure that separating them becomes impossible under fire.

That phrase, impossible under fire, deserves emphasis. The time to separate civilian and military infrastructure is before a conflict. Once hostilities begin, the architecture is locked in place. You can’t unmix co-tenanted servers while missiles are inbound.

Experts have noted that the threat of strikes may force a structural rethink toward smaller, distributed data centers for greater resilience. Lots of small data centers with randomly distributed backup copies of data are more survivable, but they are also harder and more complex to build, more costly to maintain, and less effective, as data needs to be kept synchronized not just in one or two centers, but in many.

That tradeoff is the core dilemma. Concentration is efficient but fragile. Distribution is resilient but expensive. And the costs don’t stay abstract. Industry observers note that costs would increase quite sharply in forced-distribution scenarios. These increases would not stay contained; they would cascade across customers, vendors, and financial structures, eventually being pushed down to end customers.

Many businesses simply won’t survive the pressure.

The separation mandate nobody is following

Legal experts are clear about the obligation: countries can, and legally are obliged to, ensure that their military activities do not endanger the aspects of civilian life that rely on data centers. The most effective way is to clearly separate military use of data centers from civilian use.

Separation sounds logical. In practice, it barely exists. Demand for data center capacity already outstrips supply. Operators have the upper hand in negotiations. And militaries that can invoke national security to insist on access are not going to politely accept being told to find their own servers.

The JWCC contract structure actually makes separation harder, not easier. By design, it distributes military workloads across multiple commercial cloud providers. This was intended to prevent vendor lock-in and increase resilience. Instead, it has spread the targeting problem across every major hyperscaler’s infrastructure. Before JWCC, you could at least argue that only AWS facilities hosting the CIA’s C2E contract were implicated. Now the military footprint spans AWS, Azure, Google Cloud, and Oracle simultaneously.

Researchers have noted that as more militaries rely on AI technologies from the private sector, they become more dependent on privately owned data centers. The implications cut both ways. Governments get access to world-class computing power without building it themselves. But their citizens’ critical services, including banking, healthcare, logistics, and communications, become collateral in any conflict that targets the military workloads running on the same machines.

The U.S. is not alone in this. Allied nations participating in intelligence-sharing arrangements like Five Eyes increasingly rely on American hyperscaler infrastructure for their own defense computing. A strike on an AWS facility in Virginia wouldn’t just disrupt U.S. military operations; it could cascade across allied intelligence networks, civilian financial systems in multiple countries, and healthcare platforms serving millions.

server room infrastructure — Photo by Sergei Starostin on Pexels

What this means for where the money flows

I’ve been thinking about this through the lens of capital allocation and incentive structures, which is usually where the real story sits. The trillions being invested in AI data centers over the coming years will be shaped by the legal vulnerability of co-tenanted military-civilian infrastructure whether investors acknowledge it or not.

As Silicon Canals reported on infrastructure vulnerabilities, the concentration of digital assets in a handful of hyperscale facilities creates systemic risk that looks a lot like the financial system’s too-big-to-fail problem before 2008. The difference is that a bank failure cascades through balance sheets. A data center strike cascades through the physical systems that societies run on: payments, logistics, healthcare, food supply chains.

Insurance is already adjusting. Businesses operating in geopolitically sensitive regions are now being forced to pay hefty premiums for multi-region disaster recovery, hardened infrastructure, and complex war-risk insurance. These costs are real and they’re compounding. A company that was paying X for cloud services last year may be paying 2X or 3X next year once insurance, redundancy, and geographic diversification are priced in.

We have the Global Peace Index telling us that 78 countries were involved in conflicts beyond their borders last year. Dozens of nations are experiencing internal conflicts. Policy experts suggest that protective frameworks may no longer favor data localization requirements and instead shift toward geographic diversification and multi-region redundancy to ensure business continuity. That’s a significant policy shift. For years, data sovereignty advocates pushed for localization. The co-tenancy problem has shown that localization in a target zone is a liability, not a protection.

As I wrote last week about the Iran oil shock, the current geopolitical situation has fewer buffers and less institutional room for maneuvering than people assume. The same is true for digital infrastructure. The buffers we thought existed, including geographic distribution, legal protections, and the assumption that data centers would be treated as civilian, are thinner than anyone priced in.

What has to change

The structural problem is clear: the U.S. government has merged its military computing with civilian infrastructure to save money, and in doing so has created a legal and strategic vulnerability that no existing framework can address. Three things need to happen, and none of them will happen fast enough.

First, the Department of Defense needs to conduct a genuine assessment of which JWCC workloads can be physically isolated from civilian cloud infrastructure, and begin the expensive process of separation. This will cost billions and degrade some capabilities. It is still cheaper than the alternative.

Second, Congress needs to update the legal framework governing cloud procurement for defense and intelligence. Current acquisition rules optimize for cost and capability. They do not account for the collateral risk imposed on civilian co-tenants. This is a regulatory failure with potentially catastrophic consequences.

Third, the hyperscalers themselves, AWS, Google, Microsoft, and Oracle, need to disclose to their commercial customers whether their facilities host military workloads. Right now, a bank or hospital using AWS has no way of knowing whether their data sits in a facility that could be classified as a military objective under international humanitarian law. That information asymmetry is unconscionable.

Silicon Canals has covered how Ukraine is dealing with digital infrastructure threats from Russian drone attacks, and the pattern is instructive. The people defending Ukrainian digital systems are not relying on legal frameworks or sovereignty claims. They’re relying on redundancy, distribution, and operational security. The law of armed conflict provides very little protection when the attacker has already decided your infrastructure is a valid target.

The trillions being invested in new data centers over the next few years will either repeat this mistake at greater scale or begin correcting it. I’m not optimistic that market forces alone will produce the right outcome. The incentives still favor concentration. Hyperscalers are cheaper to build and operate. Redundancy is expensive. Insurance costs are opaque. And the entities making the investment decisions are not the same entities bearing the risk when a strike materializes.

The people bearing that risk are the ones whose banking apps could stop working in a crisis, whose food deliveries might not arrive, whose medical records could become temporarily inaccessible. They didn’t choose to co-locate with a military AI system. They just chose the cheapest cloud provider. The cost of that choice is no longer just financial. It’s existential.

Feature image by panumas nikhomkhai on Pexels

Written by

Justin Brown

Justin Brown is Silicon Canals' Chief Publisher. He holds a Master of Science in Global Economic History from the London School of Economics (Erasmus Mundus Joint Master in Global Studies) and a Master of Arts in International Relations from the Australian National University, where he was awarded the Hedley Bull Scholarship and graduated with First Class Honours. His writing focuses on power structures, institutional incentives, and the gap between corporate narrative and corporate behaviour — applied across regulation, capital flows, surveillance, and the politics of innovation. He co-founded Brown Brothers Media, the parent company that publishes Silicon Canals, and is based in Singapore. As Chief Publisher, Justin carries editorial responsibility for everything that ships on Silicon Canals. He reviews columns and writers' work before publication and stands behind the standards on this site.