A Consumer Gadget Becomes a Wartime Sensor
On July 10, 2026, the Netherlands' General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) published a joint cyber advisory stating that at least one Russian intelligence service has been systematically compromising internet-connected security cameras across the Netherlands, other NATO and EU member states, and Ukraine. The method was not sophisticated. Attackers used public device scanners to find cameras still running on default passwords or outdated firmware, then applied image-recognition software to the resulting video feeds to track military transport routes and weapons shipments bound for Ukraine. In Ukraine itself, the advisory states, hacked cameras have in some cases helped locate Ukrainian military personnel, feeding into lethal targeting. The Dutch services identified a small number of compromised cameras along their own domestic military logistics routes.
The response was immediate and unusually public. Dutch Foreign Minister Tom Berendsen summoned Russian ambassador Vladimir Tarabrin on July 14, saying the diplomatic step was meant to send "a clear signal that such cyber activities are unacceptable," and framing the Netherlands' role as a European logistics hub as precisely why it is an attractive espionage target. The Netherlands' national cyber authority, NCSC-NL, followed with a companion alert urging device inventories, VLAN segmentation to isolate IoT traffic, disabling of unencrypted protocols like Telnet and RTSP, and immediate replacement of default credentials.
The Case for Tougher Rules
There is a real argument here for regulation, and it deserves to be stated plainly rather than waved away. A consumer doorbell camera bought for £40 was never designed with a threat model that includes a foreign intelligence service correlating its feed with troop movements. Manufacturers compete on price and shipping speed, not on patch cadence, and the market has historically had almost no mechanism to punish a vendor for shipping a device with admin/admin baked in. When the externality of that shortcut is a Russian intelligence service watching NATO supply routes, the case that unregulated device markets under-price security risk is strong. Advisories alone rely on voluntary uptake by exactly the small businesses and homeowners least likely to read a government cybersecurity bulletin.
Why the Fix Should Still Be Narrow
Even granting that case, the answer is not a blanket new IoT statute — the EU has already legislated one, and the more useful move now is enforcing it well rather than layering on more. The Cyber Resilience Act, which entered into force in December 2024, already requires manufacturers of "products with digital elements" to build in security by design and by default and to handle vulnerabilities across a product's lifecycle. Its first hard deadline lands September 11, 2026 — eight weeks from now — when manufacturers must start reporting actively exploited vulnerabilities and severe incidents. Full compliance, including the default-security obligations that would have made this camera-hacking campaign far harder to execute, is not required until December 11, 2027.
That gap matters more than a new law would. The AIVD/MIVD advisory is not evidence that Europe lacks rules for insecure IoT devices — it is evidence that the rules already on the books have an 18-month runway before they bind, and that the installed base of cameras sold before then will keep running on factory-default credentials regardless of what Brussels legislates next. A faster, more targeted fix sits closer to what NCSC-NL is actually recommending: network segmentation and patch discipline that any operator can implement this week, not a new compliance regime that would not have prevented this specific campaign even if it existed today.
The Proportionality Test
- Don't legislate the device category. Banning or heavily restricting consumer IP cameras would punish innovation and price out small installers to solve a problem that is really about credential hygiene and network architecture.
- Do enforce the CRA's existing deadlines rigorously. The reporting obligation starting in September gives regulators early visibility into exactly the kind of mass-exploitation pattern AIVD just documented — that's the lever worth pulling, not a new one.
- Do treat this as a liability and procurement question, not just an intelligence one. Public bodies and critical-logistics operators along military routes are the actors best positioned to demand better defaults from vendors, and cheapest to regulate directly.
Russia's camera campaign is a genuine escalation — using civilian infrastructure to support lethal targeting in Ukraine crosses a line international law already treats seriously, and the diplomatic summons was the right response. But the policy lesson is narrower than "regulate IoT harder." It is that Europe already wrote the rule; the job now is making sure it actually lands in December 2027, and that operators don't wait that long to fix what a stronger password would solve today.