Why Data Centers Belong in the Homeland Security Conversation

May 31, 2026

By: Colton R. Overcash

North Carolina’s data center and energy debate has been framed as an economic development question. It is also a homeland security question — and the failure to treat it that way is creating real risk for investors, developers, public officials, and the communities that depend on both.

Data centers are the fastest-growing category of critical infrastructure in the United States. They are not simply large electricity consumers. They are the physical layer beneath cloud computing, AI systems, financial networks, government data operations, emergency communications platforms, healthcare information systems, and defense-related digital infrastructure. When a data center fails, goes offline, or is disrupted by a power event, a cyberattack, or a physical security breach, the consequences extend far beyond the facility itself.

North Carolina is competing aggressively for data center investment. Amazon’s $10 billion Richmond County campus, Jabil’s $500 million Rowan County facility supporting AI data center manufacturing, Google’s long-standing Triangle presence, and a pipeline of planned projects representing roughly 6.3 gigawatts of load are all signals of a state that has become a meaningful node in the national AI infrastructure buildout. Duke Energy’s load forecasts project total net electricity demand increasing between 16% and 60% over the next 15 years — driven significantly by data centers and advanced manufacturing.

The conversation about that growth has centered on power costs, incentive structures, moratoriums, ratepayer impacts, and permitting timelines. Those are legitimate and important issues. But they are not the whole picture. The grid that must power North Carolina’s data centers, and the data centers that must process the information the state’s emergency systems, government operations, and defense infrastructure depend on, are both targets in an expanding and increasingly sophisticated threat environment. North Carolina is not treating them that way. That is a problem — for public safety, for the state’s defense posture, and for every investor and developer who has committed capital based on assumptions about infrastructure continuity that have not been stress-tested against the actual threat environment.

Data Centers Are Critical Infrastructure — Not Just Consumers of It

The conventional framing treats data centers as large electricity consumers whose primary interaction with homeland security is through their grid demand. That framing misses half the picture. Data centers host the systems that make modern emergency response, government operations, and national security functions possible.

The AI systems being deployed across federal agencies for threat detection, border security, and intelligence analysis run on data center infrastructure. The cloud platforms supporting 911 systems, emergency management software, financial clearing, and healthcare information exchanges require continuous data center availability. The government contracting, logistics, and communications systems supporting the military installations that make North Carolina the state with the third-highest concentration of uniformed military personnel in the country depend on digital infrastructure whose physical security posture is rarely part of the economic development conversation.

A data center outage caused by a power disruption, a physical attack, a drone intrusion, or a cyberattack is not just a business continuity problem for its operators. Depending on what is running inside it and who depends on it, it can be an emergency management problem, a public safety problem, and a national security problem. North Carolina’s data center development is happening at scale. The homeland security implications of that scale are not being incorporated into the planning frameworks governing it.

The Threat Environment Targeting Both the Grid and the Data Centers on Top of It

On December 3, 2022, two Duke Energy substations in Moore County, North Carolina — in Carthage and West End — were targeted by gunfire in a coordinated, deliberate attack. Approximately 45,000 customers lost power. Some were without electricity for up to five days. A state of emergency was declared. One woman died — she depended on electricity for medical equipment. Moore County Sheriff Ronnie Fields confirmed that the perpetrators knew exactly what they were doing. The attack remains unsolved as of late 2025.

Moore County was not an anomaly. A Department of Energy analysis documented nearly 600 electric emergency incidents from physical attacks and vandalism on the US grid between 2014 and 2022 — with 2022 the first year to reach triple digits. In November 2024, a man was arrested for attempting to attack a Nashville substation using a drone armed with C-4 explosives. NERC’s own assessment is direct: utilities are “limited to engaging with UAS only after they are safely on the ground, which is often too late.” The FY2026 National Defense Authorization Act expanded domestic counter-UAS authorities specifically because the threat was real enough to require a statutory response. As security experts have stated plainly: the grid “was never designed with aerial threats in mind.”

The nation-state cyber threat operates simultaneously. A February 2024 joint advisory from CISA, the NSA, and the FBI assessed that PRC state-sponsored cyber actors known as Volt Typhoon are seeking to pre-position on US critical infrastructure networks for “disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict.” Volt Typhoon was discovered dwelling undetected inside a small Massachusetts public utility’s network for over 300 days. Dragos, the operational technology security firm that has investigated multiple Volt Typhoon compromises, reported in February 2026 that the group remains actively mapping and embedding in US infrastructure. Dragos CEO Rob Lee told reporters there are compromised sites in the United States that “we will never find.”

AI-enabled cyberattacks have added a speed dimension that existing defenses were not built to manage. Most cyber defense architectures operate on human timelines — analysts review, teams escalate, leaders approve containment. Booz Allen Hamilton’s March 2026 analysis documented that AI-enabled attackers now operate in minutes. In August and September 2025, a threat actor exploited a critical vulnerability across more than 8,000 endpoints in under ten minutes. In September 2025, researchers documented the first fully autonomous AI-orchestrated cyberattack in which AI systems handled 80 to 90 percent of the operation without human direction. Twenty-six separate threat groups were actively targeting operational technology environments in 2025. The ODNI’s 2026 Annual Threat Assessment specifically warned that US critical infrastructure, including the energy sector, faces escalating cyber challenges.

Federal Law Enforcement Has Formally Entered the Conversation

The homeland security implications of data center growth are no longer being discussed only in utility boardrooms, regulatory proceedings, and infrastructure security circles. They have formally entered the federal law enforcement and intelligence apparatus — from a direction that few people anticipated.

Wired reported on May 27, 2026, based on more than 1,000 pages of unpublished DHS, FBI, and fusion center documents obtained through FOIA requests, that federal intelligence agencies and domestic law enforcement are actively surveilling a new designated threat category: “anti-technology extremists.” The reporting documents a nationwide effort to monitor protest movements targeting data centers, track individuals critical of AI development, and connect domestic opposition to technology infrastructure to potential extremist threats. The effort follows attacks on technology executives — including the December 2024 killing of UnitedHealth CEO Brian Thompson — and a nationwide protest movement targeting data center development. A January 2025 DHS Office of Intelligence and Analysis report attempted to connect the Thompson case to the ideology of Ted Kaczynski, the Unabomber, under the anti-technology extremism framing.

The development confirms something directly relevant to this article’s argument: the federal government has formally recognized that data centers are operating inside a homeland security environment — one that encompasses not just nation-state cyber threats and grid attacks, but a domestic threat landscape that is evolving and being actively monitored at the highest levels of the intelligence community. The data center security environment is no longer being treated by federal law enforcement as a utility planning matter. It is being treated as a national security matter. The question is whether the private sector, investors, developers, and public officials responsible for that infrastructure are treating it the same way.

Electrification Compounds Every Dimension of the Risk

Data centers are not the only driver of North Carolina’s load growth, and the homeland security implications of electrification extend beyond the data center question. Transportation electrification, industrial electrification, building electrification, and advanced manufacturing are all adding electricity dependence to systems — vehicles, production lines, buildings, hospitals, water pumping stations — that previously had alternative energy sources or lower power dependencies.

The practical effect is that an extended power disruption in North Carolina in 2030 will have more severe and more widespread consequences than an equivalent disruption in 2020. More electric vehicles unable to charge means reduced mobility for emergency response and evacuation. More electrically dependent manufacturing means more industrial processes halted. More electrically dependent buildings means more vulnerable populations. NERC’s 2025 Long-Term Reliability Assessment found compound annual growth rates for summer and winter peak demand at the highest levels since NERC began tracking in 1995 — and assessed that over half of North America faces risk of energy shortfalls in the next ten years. North Carolina sits inside that risk environment.

This Is an Investment Risk — Not Just a Policy Conversation

The failure to treat grid security, data center resilience, and energy reliability as a unified homeland security issue is not only a public policy failure. It is a diligence failure with direct financial consequences.

A data center developer that has secured land, permits, incentives, and financing but has not evaluated the physical security posture of the substations serving its site, the cyber threat environment facing its grid operator, the counter-UAS capability available to protect its interconnection infrastructure, or the emergency management protocols governing a sustained outage in that jurisdiction has made a series of undisclosed assumptions. Hurricane Helene demonstrated what those assumptions look like when they fail: more than 230,000 North Carolina cooperative members lost power at peak, with restoration taking weeks in the hardest-hit areas. The storm was a natural disaster. The operational consequences — collapsed communications, disrupted emergency coordination, sustained infrastructure failure — are structurally identical to what a coordinated physical or cyber attack is designed to produce.

Grid hardening requires sustained capital investment. NERC’s Critical Infrastructure Protection standards establish minimum security requirements for bulk power system assets, but those standards are being tested by drone threats and AI-enabled cyberattacks that were not the primary design basis when the standards were developed. North Carolina enacted legislation in December 2023 increasing criminal penalties for attacks on energy facilities — a direct response to Moore County. Federal regulatory attention to grid security is intensifying. How the costs of enhanced monitoring, physical hardening, and cyber resilience investment are allocated among shareholders, ratepayers, and large-load customers is an active regulatory question. For investors in energy-intensive facilities, the resolution of that question directly affects project economics in ways that current financial models often do not capture.

The liability landscape is also evolving. A developer or investor that fails to conduct adequate diligence on the security posture of the infrastructure their project depends on — and whose facility subsequently experiences disruption attributable to a known and documented threat — faces both financial and reputational exposure that the current generation of investment frameworks was not designed to evaluate.

North Carolina does not have to choose between attracting data centers and protecting critical infrastructure. Done right, those goals reinforce each other. But they require public officials, utilities, regulators, economic development leaders, developers, and investors to stop treating them as separate conversations. The grid that powers North Carolina’s data centers and the data centers that process what North Carolina’s emergency systems depend on are part of the same infrastructure — and they are both targets. Treating them as anything less is a risk that is already being tested.