Researchers from the University of Maryland and Sandia National Laboratory warn that massive AI data centers have turned national compute capabilities into physical targets for adversaries. These facilities draw hundreds of megawatts of electricity and vast amounts of cooling water to fixed, known locations, creating new operational vulnerabilities for critical infrastructure.
The physical footprint of AI compute
AI sovereignty depends on a nation's independent control over its technology stack. A new model treats agentic AI as an instrument of national strength, mapping the specific resources required to build and sustain it: accelerators, electricity, water, datasets, and a skilled workforce. Each resource presents a vulnerability point an adversary can exploit.
The model measures this capability in zettaFLOPS and tracks it down to individual server cabinets. A standard cabinet holds four AI servers with 32 graphics processors, producing about 128 petaFLOPS. Facilities like the Anthropic-Amazon Project Rainier site in Indiana run the equivalent of roughly 471,000 high-end processors, drawing an estimated 751 megawatts of electricity and 458,000 liters of cooling water. Racks holding AI accelerators consume between 30 and 250 kilowatts each, and any rack exceeding 100 kilowatts requires liquid cooling. Older data centers designed for lower densities cannot run this equipment without extensive rebuilding.
The researchers said the situation is similar to combat airpower, "where a nation that buys aircraft it cannot design or build stays dependent on a supplier that can cut off access."
Kinetic and cyber degradation levers
The model outlines symmetrical strategies where competing nations attempt to grow their own resources while degrading those of their rivals. Degradation methods fall into two categories: direct kinetic actions and indirect effects delivered through cyber operations, economic coercion, and information campaigns.
A recent kinetic example occurred in March 2026, when Iran targeted two Amazon data centers in the United Arab Emirates. Debris from a downed drone in Bahrain subsequently damaged a third facility, causing regional outages. Iran later named US technology firms as possible military targets and threatened a $30 billion data center in the UAE. The episode demonstrated that expensive buildings packed with sensitive hardware sit within range of low-cost drones and ballistic missiles.
Non-kinetic methods reach the same targets without physical strikes. Cyber intrusions and attacks on data center cooling and electrical controls can degrade a rival's compute capacity while leaving less forensic evidence. Furthermore, research on data poisoning attacks found that corrupting a large language model during training takes a near-constant number of poisoned samples, regardless of how large the training set is. This makes targeted contamination of a rival's training data a low-cost method of sabotage.
Why this matters for operations
Professionals pursuing the AI Learning Path for IT Managers will recognize that securing this infrastructure now requires defending physical utilities, supply chains, and cooling systems alongside traditional network perimeters. A nation's standing in AI rests on equipment, buildings, utilities, and software that span physical, logistical, and digital security simultaneously. Operations teams must treat supply chain dependencies and facility-level utility controls as critical attack surfaces, since adversaries will likely probe these domains first.