"The legality turns on whether the specific facility, at the specific moment, is genuinely serving the military operations of a party to the conflict."
— León Castellanos-Jankiewicz, Asser Institute for International and European Law, The Hague
A Threshold Has Been Crossed
On March 1, 2026, something happened that no one in the history of armed conflict had ever done before: a nation-state deliberately sent kamikaze drones into commercial data centers.
Within hours of the United States and Israel launching their joint strikes against Iran, the Islamic Revolutionary Guard Corps targeted three Amazon Web Services facilities in the United Arab Emirates and Bahrain. The attacks were not aimed at military installations in the conventional sense — no barracks, no runways, no munitions depots. They were aimed at server farms. At the same kind of infrastructure that hosts your email, processes your paycheck, and stores your health records. The fires that broke out inside those facilities disrupted banking services, payment processors, enterprise software, and cloud platforms across the entire Middle East region. Amazon advised customers to migrate their workloads to other regions immediately.
This was not an accident or a miscalculation. Iranian state television explained the motive directly: these data centers were struck because of their “role in supporting the enemy’s military and intelligence activities.” Iran then published a list of dozens of additional facilities — owned by Microsoft, Google, and others — formally designating them as “Enemy Technology Infrastructure” and eligible for future targeting.
A line that technology companies, legal scholars, and military planners had long theorized about had now been crossed in the real world. The cloud is no longer a neutral space.
Why Commercial Data Centers Became Military Targets
To understand why this happened, we need to understand how deeply the largest American technology companies have woven themselves into the apparatus of the United States military.
Amazon Web Services does not merely sell cloud storage to consumers. AWS holds a share of the Pentagon’s Joint Warfighter Cloud Capability (JWCC) contract, which the Department of Defense describes as providing “greater lethality.” Microsoft operates cloud regions explicitly labeled “US DoD Central” and “US DoD East,” reserved exclusively for classified Defense Department use. Oracle maintains Pentagon-specific data centers in Chicago, Phoenix, and Virginia. Google and Meta, though less prominently, are also active Pentagon partners in various capacities.
More immediately relevant to the 2026 conflict: multiple news organizations reported that the U.S. military used AI models — running on commercial cloud infrastructure — for intelligence assessments, target identification, and battle simulations during the Iran strikes. The cloud did not merely support logistics or payroll. It participated, in a meaningful sense, in the act of war itself.
International humanitarian law has a concept for what this creates: a dual-use facility. When a single physical building or network simultaneously serves civilian customers and active military operations, it occupies a legally ambiguous and physically dangerous space. Legal scholars quoted in coverage of the attacks were blunt about the implications. “A data center that is used solely or primarily for military applications is targetable,” said Ioannis Kalpouzos of Harvard Law School. The harder question — whether a data center that is partly used for military purposes is also targetable — has no clean answer under current law. And when the answer is unclear, adversaries will resolve the ambiguity in their favor.
This is the environment California’s public institutions, businesses, and residents now operate in. Our data lives in buildings that foreign militaries have formally designated as legitimate wartime targets.
The Concentration Problem Is the Security Problem
The events of March 2026 did not create this vulnerability. They simply made visible a risk that has been accumulating for years.
Over the past decade, California’s digital infrastructure has become extraordinarily concentrated. The vast majority of state agencies, public universities, hospitals, school districts, and private businesses run their operations on services provided by a handful of corporations — Amazon, Microsoft, Google, and Oracle — whose data centers are distributed globally but governed entirely by private, profit-driven decision-making. When AWS advised customers in the Middle East to migrate their workloads following the drone strikes, that was a corporation managing its own exposure. The thousands of businesses and institutions dependent on those services had no seat at the table and no advance warning.
This concentration creates compounding risks that operate on several levels simultaneously.
Geographic concentration places enormous amounts of critical data and compute capacity in a small number of physical locations. The UAE and Bahrain facilities that were struck represented a significant portion of AWS’s Middle East regional capacity. A coordinated attack on even two or three major U.S.-based hyperscale facilities — in Northern Virginia, where a substantial fraction of the American internet terminates, or in the Pacific Northwest, where several major cloud campuses operate — could produce cascading failures across healthcare systems, financial networks, and government services simultaneously.
Legal exposure by association means that the more the Pentagon integrates its operations with commercial cloud providers, the more those providers’ civilian infrastructure inherits military-target status. California institutions that have no relationship whatsoever with the U.S. military may nonetheless have their data co-located, in the same physical building, with workloads that do. Under international humanitarian law, that proximity matters. The obligation to warn before striking dual-use infrastructure exists in principle; in practice, in the middle of an active conflict, it is rarely observed.
Governance concentration means that decisions about where data is stored, how it is protected, and what military contracts are accepted are made by executives accountable to shareholders — not to the public, and not to the residents of California whose most sensitive information those decisions affect. There was no public debate before AWS accepted JWCC contracts. There was no notification to state agencies or public universities when their cloud provider became a designated military target.
The CalCompute Answer: Public Infrastructure for Public Purposes
This is precisely the context in which the CalCompute Initiative matters most urgently.
CalCompute’s foundational premise — that California should build and operate publicly governed, geographically distributed, non-corporate computing infrastructure — is not merely an argument about cost, equity, or AI access, though it is all of those things too. It is an argument about sovereignty and security. It is an argument that the digital infrastructure underpinning California’s public institutions should not be a subsidiary of the Pentagon’s cloud strategy.
A publicly governed CalCompute network, distributed across California’s public university campuses and state facilities rather than concentrated in privately owned hyperscale campuses, addresses the military-targeting vulnerability in several interconnected ways.
Civilian-purpose clarity. The legal test for whether a facility may be targeted in armed conflict centers on whether it is “serving the military operations of a party to the conflict.” Public computing infrastructure dedicated exclusively to research, education, healthcare, and civic services — governed by statute, with transparent use policies — presents a fundamentally different legal and political profile than infrastructure operated by corporations with active Pentagon contracts. This does not make public infrastructure invulnerable, but it removes the primary legal pretext for treating it as a military objective.
Geographic distribution as resilience. A CalCompute network anchored at UC campuses in San Diego, Los Angeles, Davis, Berkeley, Santa Cruz, and elsewhere — supplemented by California State University sites and community college nodes — distributes risk across dozens of locations. No single strike, whether kinetic or cyber, can produce the cascading regional failure that the AWS attacks demonstrated. Resilience is not a feature to be added to distributed public infrastructure; it is intrinsic to its architecture.
Democratic accountability over military entanglement. The decisions that led to commercial data centers being painted as enemy targets were not made democratically. They were made in boardrooms. CalCompute, governed under the framework established by SB 53 and subject to ongoing legislative oversight, cannot quietly accept a DoD contract that transforms its facilities into dual-use military infrastructure without public deliberation. That accountability is not a bureaucratic inconvenience. In the current environment, it is a security feature.
Sovereignty over sensitive public data. California operates some of the most sensitive data systems in the world: DMV records, Medi-Cal health records, public school systems, university research on everything from climate modeling to infectious disease. None of that data’s security posture should be contingent on the geopolitical decisions of a private corporation headquartered in Seattle or Redmond. SB 53’s vision of California-controlled public compute infrastructure restores democratic governance over data that belongs, in every meaningful sense, to Californians.
The Cyber Dimension: A Parallel Front
The physical drone strikes on AWS facilities were the most visible dimension of the conflict’s digital warfare, but they were not the only one. Within hours of the opening strikes on Iran, more than sixty pro-Iranian hacktivist groups mobilized. Cybercrime surged by 245% in the conflict’s opening weeks. Pro-Russian groups coordinated with Iranian actors to target Israeli and Gulf infrastructure. Iranian military officials promised a “sweeping wave of digital disruption” extending into the United States itself, with explicit mentions of AI data centers as priority targets.
Cybersecurity analysts noted a stark shift in the character of these attacks: ransomware, the traditional tool of financially motivated hackers, was largely absent. The goal was not extortion. The goal was destruction — wiping data across healthcare networks, financial systems, educational institutions, and AI infrastructure to maximize civilian disruption and demonstrate the cost of American military action.
California, as the home of the global technology industry and the world’s fifth-largest economy, is a natural focal point for this kind of campaign. The concentration of critical AI infrastructure — including xAI’s Memphis data centers, which hold a $200 million DoD contract, and the dense cluster of hyperscale facilities in the Bay Area and Southern California — makes the state both a high-value target and a potential chokepoint whose disruption would reverberate globally.
Distributed public infrastructure is harder to attack effectively for the same reasons it is more resilient to physical strikes. There is no single point of failure to find, no single institution whose compromise cascades across everything else, no single corporation whose entanglement with the military makes the whole network a target.
The Moment Requires Action
The events of March 2026 have compressed a theoretical policy debate into an urgent practical question. California cannot wait for the next conflict, or the next set of drone strikes, to discover that its public institutions’ data lives in a building that a foreign military has formally designated as an enemy target.
SB 53 and the CalCompute Initiative represent California’s most serious attempt to answer that question on behalf of its residents. The argument for CalCompute has always rested on multiple foundations: democratic access to AI, support for public research, cost efficiency for state agencies, equity for communities underserved by private cloud providers. Every one of those arguments remains valid. But the events of this month add a foundation that was previously theoretical and is now empirically demonstrated: in a world where commercial data centers are military targets, California’s public data belongs in California’s public infrastructure.
The cloud is no longer a neutral space. It is time to build one that is.
What You Can Do
Stay informed. Follow the CalCompute Initiative’s public updates as the infrastructure buildout proceeds under the SB 53 framework. Understand which state services are transitioning to CalCompute and what that means for data you interact with.
Engage your representatives. Contact your state legislators in support of full funding for CalCompute’s distributed infrastructure expansion. The security case for public compute infrastructure is now concrete, not abstract.
Ask your institution. If you work at a UC or CSU campus, a public hospital, a school district, or a state agency, ask your IT leadership what their CalCompute migration timeline looks like and what data remains on commercial cloud services with active military contracts.
Spread this understanding. The connection between geopolitical conflict, commercial cloud entanglement, and public infrastructure security is not yet widely understood. Share this analysis with colleagues, neighbors, and community members who care about California’s digital future.
CalCompute Initiative Public Education Series · Published March 2026 · CalCompute is California's publicly governed, distributed computing infrastructure program, established under Senate Bill 53.
Sources: The Intercept, Palo Alto Networks Unit 42 Threat Intelligence, AWS Health Dashboard (March 2026), Holistic Resilience conflict infrastructure mapping, Center for Strategic and International Studies, Asser Institute for International and European Law.