IoT Privacy and National Security

By Ipek Kara | 8 October 2025


Summary

  • Internet of Things (IoT) ecosystems have expanded across sectors, bringing a higher risk of cyberattacks. Recent advisories from international and national organisations highlight the risks that IoT systems create through the exposure of devices and data flows.

  • The growing adoption of China-based IoT technologies raises national security concerns worldwide because of the potential for Chinese intelligence services to access sensitive data.

  • States are likely to tighten their IoT and data flow security standards in the next year, creating a further divergence between Chinese and Western IoT bases to minimise the leak of sensitive data to unauthorised parties.


The Internet of Things (IoT) is the network of connected devices with sensors, software, and communication technologies that collect and exchange data. IoT systems are used in a wide range of sectors, from consumer products such as smart home devices to the defense sector, where they support automation, logistics, and battlefield sensors. IoT has been rapidly expanding into other critical sectors such as healthcare, energy, and smart cities. At the strategic level, IoT privacy has become a determinant of international competitiveness, national resilience, and democratic trust, creating both technical and societal risks.

In August 2025, cybersecurity agencies from the United States, Australia, Canada, New Zealand, the United Kingdom, and Japan, together with several European agencies, published a joint advisory on the ongoing activity of China’s state-sponsored Advanced Persistent Threat (APT) actors, disclosing China’s worldwide operations through these actors since 2021. The acquired data gives Chinese intelligence agencies the ability to monitor global communications and movements, enabling economic and industrial espionage to the country's advantage. Various commercial entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology, are believed to be working with the Chinese government.

Some of the main struggles in the EU on IoT and cybersecurity are the harmonization of national laws and the differing interpretations of mandates. Regulatory complexity produces a variety of security systems, weakening the EU’s general security. According to Hungary's cybersecurity plan for 2025-2030, cybersecurity is recognized as a key component of national security, and aligning national law with the EU and NATO frameworks will become a priority. Together, Hungary’s alignment efforts and NÚKIB’s targeted warnings highlight the urgency of harmonized EU action and the growing role of Central European states in shaping Europe’s cybersecurity resilience.

In September, Czech company NÚKIB issued a warning against the transfer of data to entities potentially based in China or its Special Administrative Regions. NÚKIB's reports identify a security threat from confirmed malicious activities linked to China and directed against EU and NATO countries, led by APT31, a group associated with the Chinese intelligence service. The growing market for Chinese technologies such as personal devices, connected vehicles (electric cars), and large language models also involves data transfers, and these technologies can be accessed by the Chinese government through remote administration. Although the warning does not represent a ban on the use of Chinese technologies, NÚKIB recommends carefully assessing what information is placed on potentially related devices and what activities are carried out on them, as the threat is assessed as likely to very likely.

In June 2025, China-backed LapDogs hijacked over 1000 IoT hardware devices and SOHO routers and transformed them into Operational Relay Boxes (ORBs) to blend into legitimate traffic, potentially used as gateways to home routers across companies in the US, Japan, South Korea, Taiwan, and Hong Kong. These ORBs can potentially stay undetected for months because they use home routers, increasing espionage risks due to decentralized devices such as cloud storage of information.

While remaining silent for the moment, Western cybersecurity alliances (Five Eyes, EU, NATO) are expected to play a central role in the future of IoT and cybersecurity. The EU’s Cyber Resilience Act is to be fully in force by December 2027, which will contribute to the unification of law and practices in the EU and is therefore likely to strengthen the EU’s overall security systems. In essence, while being the centerpiece of almost every technological innovation and of the global economy, IoT technologies pose great risks of espionage, pushing countries and international organizations to reconsider their security systems in order to balance the economic promises of the sector against its security risks.



Forecast

  • Short-term (Now - 3 months)

    • It is likely that Western cybersecurity alliances will encourage countries to take cautious measures and actions to prevent the exploitation of IoT devices.

    • It is highly likely that countries will use the example of NÚKIB to issue sector-specific guidelines on using Chinese tech, without implementing any outright bans.

  • Medium-term (3-12 months)

    • Globally, states are likely to publish baseline IoT security standards, focusing on security through centralised design standards.

    • Western and Chinese IoT ecosystems are likely to further diverge and create separate blocs, as seen in the 5G case.

  • Long-term (>1 year)

    • IoT supply chains are highly likely to become a core component of national security policies with stricter rules.

    • Data sovereignty and privacy-preserving requirements are likely to expand worldwide, especially in sensitive sectors such as healthcare databases.

BISI Probability Scale