Artificial intelligence is making countries around the world more capable and more vulnerable. The urgency and complexity of addressing this paradox are growing rapidly.
In Iran’s first waves of retaliatory attacks after US and Israeli strikes on the country on 28 February, its drones struck two Amazon Web Services (AWS) data centres in the United Arab Emirates. This was not just an attack on infrastructure. It was a demonstration of how easily AI-dependent systems can be disrupted – and at little cost. The drone’s damage to AI facilities worth hundreds of millions of dollars caused banking apps to go dark across the UAE. A ride-hailing platform went down; payment companies reported failures; banks scrambled to restore services as customers found themselves unable to access their accounts. A month later, Iran’s inexpensive drones struck another AWS facility in Bahrain while the Islamic Revolutionary Guard Corps claimed that same day it had targeted an Oracle facility in the UAE. In between those strikes, Iran declared 18 technology companies to be legitimate targets, for their empowerment of US military capabilities – including AI providers Microsoft, Google, Oracle and Nvidia.
The attacks raised alarm bells, with some urging better protection of data centres in the Middle East. That response doesn’t go far enough. Data centres are vulnerable in every region to a wide range of potential disruptions. The attacks in the Middle East were kinetic in nature, having direct physical impact, but cyber-attacks, natural disasters or geopolitical intervention could also force a data centre offline or disrupt its supply of AI compute to customers – and they could happen anywhere. An accidental fire in a South Korean data centre brought down AI applications there, for example, while some data centres are in areas vulnerable to natural disaster.
What’s at Risk for Gulf States?
Even though the risks to data centres are not limited to drone strikes or the Middle East, the war with Iran has focused attention on the threat of strikes on data centres in the Gulf. That is partly because Gulf states aim not just to use AI but to become global AI providers. AI companies are poised to invest billions more to partner with them to do so. Oracle, OpenAI and Nvidia have agreed to partner with UAE companies to construct a data-centre facility in Abu Dhabi that is set to cost an estimated $30 billion. AWS, Google and xAI are among several companies planning to invest billions in the construction of AI facilities in Saudi Arabia.
Now that Iran has demonstrated the power of asymmetric attacks aimed at valuable economic outputs, it is unlikely these threats will end when the war does. It is more likely they will proliferate. Cheap drones and increasingly accessible AI tools mean even weak actors can inflict costly damage. The weaker are made potent; the fading gain new relevance.
And even if the ongoing threats are less intense, Gulf states will still need to establish and sustain impressively layered, cutting-edge defence systems to successfully defeat them. Countries depending on Gulf states to provide AI compute need to trust Gulf states’ strategies and capabilities for securing the critical infrastructure that generates and sustains it.
To meet this challenge, Gulf governments will benefit from partners with experience preparing for and defending against asymmetric attacks – and many of those countries are in Europe. Last month, Saudi Arabia, the UAE and Qatar all made new defence cooperation agreements with Ukraine, impressed by its battlefield experience and innovative defence-tech sector. Other European states – especially those along the Baltic Sea and in Eastern Europe – have spent years under the shadow of Russia’s potential attacks and occasional asymmetric probing. Their experience integrating defence innovations into national-security ecosystems and working with NATO could also bring much-needed capacity to the Gulf.
Data Centres Are Just One Layer of the AI Stack
Better defences that protect data centres are needed – and attainable – but what is required to keep AI-enabled applications running is much broader than data centres. So are the vulnerabilities.
Data centres are merely the most visible link in a chain of AI dependencies. They rely on chips from companies like Nvidia to produce AI compute. Nvidia depends on Taiwan-based TSMC to manufacture its chips. AI data centres and AI clouds, hosted by companies like AWS and Oracle, provide AI compute for the operation of AI models, from companies such as OpenAI and Anthropic. Those AI models enable the evolution of AI platforms, from companies like Palantir and Anduril. And those AI platforms in turn enable the AI applications defence companies use in their systems.
National defence in the AI era relies on this entire “AI compute stack” – from chip to data centre to cloud to model to platform to application. Iran struck at one layer in the stack but disrupting any layer could affect defence capabilities, while limiting or degrading any layer could compromise national security. Key AI-compute-stack providers could be knocked offline with cyber-attacks. Governments could ban certain foreign partnerships with private-sector AI providers or apply trade restrictions to limit the private sector’s contributions to foreign AI capabilities at various layers of the AI compute stack.
As governments scramble to acquire better systems to defend against these drones, which have inflicted heavy economic costs, their effectiveness will only be as innovative and reliable as the AI applications that operate them, which are only as good and trusted as the AI platforms, models, data centres and chips that underpin them. Ensuring defence systems remain operational – and more capable than the AI-powered threats of adversaries – requires assurance of the resilience, continuity and competitiveness of the entire AI stack on which those systems depend.
AI Alliances Are the Answer
National security in the AI era relies not just on having the latest and most potent systems but also on an AI compute stack that is more reliable, resilient and innovative at every layer than those of adversaries. No defence company can provide the entire AI compute stack its systems require, but very few countries can either. Therefore the push to acquire new defence systems must evolve to include comprehensive AI partnerships.
Many governments are yet to realise that the “sovereign AI” challenge is much greater than simply ensuring state control over critical AI data and keeping its classified content secret. Rather, states must have assured access to AI supply, AI competitiveness and AI security. As governments grasp the complexities of AI supply chains and their potential vulnerabilities, they will rightly scrutinise their assured access to an entire AI compute stack.
Ensuring the continuity and performance of the AI applications that run and defend a state means ensuring the continuity and performance of the entire AI compute stack on which those applications depend. For most countries, this will require the collaboration of multiple partners, ushering in an era in which states will be as concerned about partnerships with AI companies as they are about partnerships with other nations. What AI companies provide will not only be foundational to the defence of the state but to all its vital operations – economic, civil, social and safety.
Without adequate redundancies and alternatives to ensure continuity, taking out just one piece of the AI compute stack – like a game of Jenga – could bring down an entire set of critical capabilities. Governments and AI companies should pursue several lines of effort to prevent that. First, where there are kinetic threats from states such as Iran, Russia, or non-state actors, states should deploy robustly layered defences capable of readily and sustainably defeating them. Second, many countries should consider holding some contingency AI-compute capability outside their borders in sovereignly controlled “AI embassies” or clouds. (TBI’s recent paper, Digital Embassies and AI Sovereignty: Building Resilient States Beyond Borders, set out a guide for policymakers on the potential benefits of digital embassies and how they should be designed.) Third, major providers of AI compute should enter into mutual-assistance agreements in which they agree to provide each other with compute capacity in the event one suffers a severe disruption. Fourth, states should assess the geopolitical resilience of every layer of the AI compute stack on which their critical functions depend.
Finally, governments need to convene or participate in multinational collaborations with AI experts in the public, private and security sectors to come up with new initiatives and partnerships for protecting the continuity of their AI compute. Collaborative partnerships between states and AI companies could produce resilient AI-compute-stack architecture that will not fail even if one layer in the stack is disrupted – whether by attack, accident or geopolitics.
The imperatives for new collaboration start with a simple recognition: AI and national security are now inseparable. New partnerships can help ensure that the symbiotic relationship adds strength, not vulnerability.
Hans Wechsel is Senior Advisor for Peace & Security at the Tony Blair Institute. Previously a senior US diplomat, his assignments included serving as Policy Advisor to the Commander of US Central Command and the Director of the State Department’s counterterrorism coordination in the Middle East.