Attacks on the Gulf during the war have been unprecedented in many ways, hitting countries that have for years been viewed as “safe havens” for wealth, for industries like finance and tech, for businesses, and for people.

The UAE has so far managed the crisis effectively by hammering on the message of business continuity, ensuring workarounds are in place to keep shelves stocked and business moving, and managing to intercept many of the missiles and drones targeting the country. However, the question of data security has become a major concern now that data centers are being treated as legitimate military targets.

Rewind to a few weeks back: Earlier this month, drone strikes caused “structural damage” and power failures at Amazon Web Services (AWS) data centers in Dubai and Bahrain. These unprecedented attacks have thrown into question how the region — which has spent years cultivating its reputation as a stable, high-tech hub — will navigate the massive risks now facing its critical data center infrastructure. The attack disrupted services for dozens of regional banks and businesses — from First Abu Dhabi Bank and Abu Dhabi Commercial Bank to the EnterpriseAM website.

This comes as the UAE is in the process of building infrastructure with the help of some of the biggest tech firms in the world, with massive projects like the 5 GW Stargate data center cluster currently under development in Abu Dhabi. Microsoft has also just recently committed to spending up to USD 7.9 bn through 2029 on AI and cloud infrastructure. This is in addition to projects in the pipeline from local firms like Khazna, which plans to bring over 1 GW of additional AI-ready capacity across the UAE, Saudi, and Italy.

How the war — and the risks it has exposed within the UAE’s data center infrastructure — will affect the country’s image as a data center hub remains to be seen. “It depends on how long the war will last,” renowned security professional and author Bruce Schneier tells EnterpriseAM. (Schneier is also a fellow at Harvard’s Berkman Klein Center and chief of Security Architecture at Inrupt. He has been named a “security guru” by the Economist.)

“There’s significant uncertainty, so it’s going to boil down to how risk-averse you are, and the risk is going up because so much is not known,” Schneier said. The uncertainty in and of itself is the problem: “Uncertainty is expensive and risky. Business doesn’t like uncertainty,” he added.

The long-term impact on the Emirates’ position could be “significant, and not in a positive direction,” cloud infrastructure and security specialist Jeff Cooper tells us. He noted how AWS has encouraged companies hosting data on their servers to migrate workloads out of the Middle East entirely and characterized the broader operating environment as unpredictable.

“Multinationals could quietly pull back in the long term,” Cooper added, noting they could pivot toward Europe.

The problem goes beyond just reputation: Data centers are notoriously capital-intensive, so the physical damage done by the attacks on AWS facilities won’t be cheap to fix, Cooper said. Data centers cost bns of USD to build, and that’s not to mention the massive economic costs associated with disruptions to companies’ digital services, costing them mns of USD in revenues.

Still, the factors that made the Emirates a draw — location, energy, and connectivity — remain, but at a higher risk premium, Cooper added.

So, what can be done at this point when it comes to data?

As we’ve reported earlier, using edge locations and avoiding highly centralized clusters of compute infrastructure is something policymakers and firms will need to think about. Cooper echoed this, adding that geographic redundancy in lower-risk regions is another answer, though it doesn’t protect existing facilities — it “changes the calculus for future investment decisions significantly,” he noted.

The downside? Depending on a business’s needs and how much data or operational time it can afford to lose, “the engineering and operational overhead required to maintain continuous synchronization between two active systems adds meaningful expense on top of the hardware and hosting costs alone,” Cooper explained.

The more cost-effective solution is what’s called an “active-passive setup” — as opposed to an active-active one mentioned above — which maintains a primary system and a standby that might be fully powered down to reduce costs and brought online when needed, though some downtime would be expected, he said.

Edge computing can allow companies to run primary compute in a lower-risk region such as the EU and then deliver a fast, responsive experience to Gulf users through caching and lightweight local processing, offering another viable option for those in the UAE, because “if the edge location is disrupted, traffic can be routed back to the primary region with minimal impact to the end user,” he noted.

Where government data is involved, the case for data embassies is now stronger than ever. It’s “not just a good option, [it is] a prescient one” that can help protect against a government becoming “digitally paralyzed” if its physical, domestic infrastructure gets attacked, Cooper explained.

The Estonia blueprint: Back in 2017, Estonia backed up its tax registry and land borders in Luxembourg in a bid to protect itself against the threat of wars, cyberattacks, and natural disasters through the concept of a digital embassy.

Uh, Enterprise, is that like a physical embassy… but you get services done online? No. A digital embassy — or a data embassy — allows countries to host backups of their sovereign data in high-security facilities abroad while maintaining their own exclusive jurisdiction over that data. This ensures a state remains “digitally functional” — capable of running its tax registry, court systems, and treasury — even if its physical territory or domestic infrastructure is compromised.

The UAE has been eyeing the concept for a while now, with discussions with India in January for a potential arrangement to make digital embassies feasible.

The main challenge is in the timing, Cooper says. Digital embassy set-ups depend on bilateral agreements, which take time to hash out and ratify. Plus: The regulatory framework is still lacking in the UAE, and there are many regulatory implications associated with the concept.

Access to data is a key point: For a data center to provide access to a foreign subscriber’s data stored in that center, there needs to be a final binding order issued by a competent court or authority in the subscriber’s state, Al Tamimi & Co partner Andrew Fawcett tells us. The request would be vetted by the court or an equivalent in the hosting country, which serves a gatekeeper function. Data can also be encrypted, giving flexibility in terms of who can access what, Cooper says. All of those details would need to be ironed out in a binding agreement — something that takes time to agree on.

While the embassy holds government data, it protects private commerce. If the UAE’s central bank data is backed up in a data embassy, the banking system stays “live” even if local servers are hit. A private bank can have the best backup in the world, but if the central clearing system is offline, it can’t move a single AED.

The recovery (and protection) of physical infrastructure is the bigger problem

“Data is easy […] there’s ways to protect data,” Schneier said, but protecting physical infrastructure during wartime is a different ballgame — and it’s something corporates can’t be responsible for on their own, he added.

“Industry has always been a legitimate target in wartime, but it’s on governments to protect industries — companies can’t fight wars and they can’t bear the burden of hardening their infrastructure against wars,” he said.

Backstopping by regional governments is “not a stretch […] particularly given how central digital infrastructure has become to their economic diversification strategies,” Cooper said. “That could take the form of government-backed ins., investment guarantees, or formal risk-sharing agreements,” he explained. The principle here is what matters, Cooper said — major cloud companies will need assurances from the government to continue to invest in a region where this type of risk exists, he added.

The key thing moving forward? Classifying data centers as the critical infrastructure they are, Cooper said. “Data centers are now built to survive a drone strike,” according to Cooper. Options include structured hardening, such as underground construction, reinforced blast-resistant shells, overhead netting, and tensioned cable systems, all recommended by the Pentagon’s own counter-drone guidance, issued in January, he added. These are achievable, but they are expensive, he noted.

The second option is active defense, Cooper explained. That means electronic jamming, drone detection and intercept systems, kinetic countermeasures — measures often deployed at military installations. “This raises the immediate question: who authorizes them, who operates them, and under what [legislative] framework does a private company operate defensive weapons systems in a foreign country?”

Ins. is another part of the problem: “One key limitation is that many commercial ins. policies, including cyber policies, contain exclusions for war or war-like acts,” Associate Analyst at GlobalData Charlie Hutcherson told EnterpriseAM. That breeds further uncertainty, Hutcherson added, while Cooper noted that the government could need to step in one way or another. (Read: Today’s Planet Finance, detailing the global shortage of ins. for multi-bn USD mega data center projects.)