
Can data sovereignty become a liability in war?



Modern societies do not just use data—they depend on it. Banking systems, hospitals, logistics networks, and governments all rely on continuous access to digital infrastructure. Yet recent attacks on data centres in the Middle East point to a growing vulnerability: the systems that sustain everyday life are not only digital, but physical—and increasingly exposed to conflict.

Aerial view of the Google datacentre in the Eemshaven, The Netherlands. Credit: corlaffra / Shutterstock.com

Policy debates have largely focused on who controls data. Advocates of data sovereignty argue that keeping data within national borders strengthens legal authority and reduces reliance on foreign actors. Others emphasise the advantages of globally distributed cloud infrastructure, including efficiency, scalability, and redundancy. But both approaches overlook a more fundamental issue. In conflict, control over data matters less than whether it remains accessible at all. Data sovereignty, on its own, does not guarantee protection.

Databases concentrated within national borders become points of failure

In fact, it can create new vulnerabilities. When critical systems—financial services, healthcare records, government databases—are concentrated within national borders, they may become single points of failure. In a conflict scenario, targeted disruption could disable essential services. Keeping data ‘at home’ may strengthen legal control, but it can also make it easier to disrupt.

At the same time, reliance on global cloud providers introduces a different kind of risk. Infrastructure operated by companies such as Amazon or Microsoft offers resilience through distribution, but it places critical data beyond full national control. During crises, access to data stored across jurisdictions may be shaped by foreign laws, corporate decisions, or geopolitical pressures. What appears resilient in technical terms may prove uncertain in political ones.

Both models are largely optimized for peacetime. They prioritise efficiency, scale, and control—but not resilience under conditions of disruption.

Shift focus from control to resilience

A more useful starting point is to shift the focus from control to resilience. The question is not simply where data is stored or who governs it, but whether systems can continue to function when infrastructure is degraded, fragmented, or under attack.

One proposed approach is to separate military and civilian data systems. This aligns with long-standing principles under the Geneva Conventions, which seek to limit harm to civilian infrastructure. Clear separation could, in theory, reduce the likelihood that civilian data centres are treated as legitimate targets.

However, this distinction is difficult to sustain in practice. Digital systems are deeply interconnected. Civilian infrastructure supports logistics, communication, and other functions with military relevance. Many systems are therefore ‘dual-use’, making them difficult to classify and potentially vulnerable regardless of formal designation.

Civilian or military infrastructure?

There is also a legal gap. Existing international humanitarian law was developed in a context where infrastructure could be more clearly categorized as civilian or military. Data centres do not fit easily into this framework, particularly when they are privately operated and globally integrated. As a result, the systems that underpin hospitals, financial networks, and public services occupy a grey zone—essential to civilian life but not clearly protected as such. The rise of AI will only deepen this ambiguity. Systems that power everyday services—routing deliveries, managing traffic, analysing data—can be repurposed in real time for military logistics or strategic decision-making.

These challenges are especially pronounced for smaller and developing countries. In many such contexts, digital systems are already constrained by limited infrastructure and institutional capacity. Full data localization may be impractical, while complete reliance on external providers creates exposure to external disruptions. Here, resilience is less about asserting control over data location and more about ensuring continuity under stress.

A more feasible approach is diversification: maintaining limited domestic capacity for essential services, while securing reliable backup arrangements across trusted partners. In this context, sovereignty is not defined solely by where data resides, but by whether access can be maintained when it is most needed.

Private technology companies also play a central role. As operators of critical infrastructure, they are increasingly part of national resilience. This raises questions about their responsibilities in ensuring continuity, transparency, and equitable access during crises—particularly when their operations span multiple jurisdictions.

Strengthening resilience requires rethinking system design

From a technical perspective, strengthening resilience requires rethinking system design. While the internet was originally built with redundancy in mind, contemporary cloud architectures often prioritize efficiency and centralization. Highly interconnected systems can amplify failures rather than contain them. Building resilience means distributing infrastructure across diverse locations, reducing hidden dependencies, and enabling systems to operate in degraded conditions when necessary.

The implications extend beyond data policy. As dependence on digital systems grows, decisions about data storage, infrastructure providers, and jurisdictional control increasingly intersect with foreign policy, trade, and security strategy. Data governance is no longer only about regulation—it is part of how states manage risk. When the internet first developed, security and privacy were treated as secondary concerns, addressed gradually as new risks emerged. A similar lag is now visible in how we govern data infrastructure in conflict.

Data systems are now as critical—and as vulnerable—as physical supply chains. The central question is no longer simply who controls data, but whether societies can still function when access to it is disrupted. In the end, data that cannot be accessed is data that cannot be governed.


