AI sovereignty makes data centers strategic targets for cyber operations

Data centers built for frontier AI draw hundreds of megawatts of electricity and large volumes of cooling water from fixed locations with known addresses. Each one concentrates tens of thousands of graphics processors, liquid cooling systems, and high-density power equipment inside a single building. This physical footprint turns a nation’s AI capability into something an adversary can locate, measure, and degrade.

Figure: Mechanisms determining AI sovereignty at the micro, meso, and macro levels

AI sovereignty is the extent to which a nation independently controls its AI technologies. Researchers from the University of Maryland and Sandia National Laboratory use that definition in a model that treats agentic AI as an instrument of national power.

The model maps the resources a country needs to build and sustain that capability: accelerators, electricity, water, data sets, and a skilled workforce. Each resource becomes a point an adversary can pull on. The authors compare the situation to combat airpower, where a nation that buys aircraft it cannot design or build stays dependent on a supplier that can cut off access.

A capability with a physical footprint

The model measures AI capability in zettaFLOPS, a unit of compute performance, and tracks it down to server cabinets and racks. A standard cabinet holds four AI servers with 32 graphics processors that together produce about 128 petaFLOPS. Estimates for eleven frontier AI data centers in the United States and China cover power, water, and floor space.

The Anthropic-Amazon Project Rainier site in New Carlisle, Indiana, runs the equivalent of about 471,000 high-end processors, draws an estimated 751 megawatts of direct power, and uses an estimated 458,000 liters of cooling water. The OpenAI-Oracle Stargate site in Abilene, Texas, draws about 295 megawatts. Racks holding AI accelerators consume between 30 and 250 kilowatts each, and any rack above 100 kilowatts requires liquid cooling. Older data centers designed for lower densities cannot run this equipment without rebuilding.

The levers of degradation

The model is symmetrical between two competing nations. Each one works to grow its own compute, power, water, data, and workforce, and each one can work to degrade the same resources held by the other. The levers connect to physical equipment and data center sites, and pulling them changes a rival’s national power in AI. The methods fall into two groups: direct kinetic actions and indirect effects delivered through cyber operations, space, information campaigns, economic coercion, and diplomacy.

Data poisoning and the supply chain

Two of the degradation levers sit inside the cyber domain. Research on poisoning attacks found that corrupting a large language model during training takes a near-constant number of poisoned samples, regardless of how large the training set is. That finding makes targeted contamination of a rival’s training data a low-cost method of sabotage. Compromising the supply chain for AI accelerators forms a second lever, because a nation that cannot design or build its own chips depends on foreign suppliers who can cut off access. The researchers place both methods outside the current model and list them for later work.

Drones, denial, and public sentiment

One kinetic example comes from 2026. Iran targeted two Amazon data centers in the United Arab Emirates on March 1, and debris from a downed drone in Bahrain damaged a third, causing regional outages. About a month later, Iran named US technology firms including Microsoft, Google, Apple, Meta, and Nvidia as possible military targets in the Gulf, listing them alongside the defense contractors Boeing and GE and the software firm Palantir. Iran then threatened a $30 billion Stargate data center in the UAE. The threatened strike did not occur. The episode showed that costly buildings packed with sensitive hardware sit within range of low-cost drones and ballistic missiles.

Non-kinetic methods reach the same targets without a physical strike. Cyber intrusions, attacks on data center cooling and power controls, and disruption of the supply chain degrade a rival’s compute and leave less evidence of who acted. Information operations form another method. Public opposition to AI and to data center construction gives an adversary material to amplify, including resentment of the electrical and water projects that supply the sites. Because agentic AI serves both military and commercial uses, these operations can target research in fields such as quantum computing, biochemistry, and materials science.

What the model leaves for later

The model is qualitative. It maps relationships and feedback loops without numerical simulation, and the researchers describe their forecasts as notional and directional. Some values come from assumption, including the count of five frontier models needed to reach a new generation of capability and a ten percent gap between theoretical and delivered compute. A quantitative simulation that supports scenario analysis and sensitivity testing remains planned work.

The combined picture gives defenders a wide perimeter. A nation’s standing in AI rests on equipment, buildings, utilities, supply chains, and software that span physical, logistical, and digital security at the same time. A country that sources models, chips, or hosting from abroad carries that dependency as a supply chain risk. The methods an adversary would reach for first sit largely in the cyber domain.
