Electric vehicles, batteries, wind turbines and solar panels (PV) are no longer just mechanical assets—they are smart, connected systems. Their performance, safety and resilience depend on tightly integrated hardware and software designed together from the outset.
But the same connectivity that delivers efficiency in products, and benefits to consumers, also creates new exposures for governments. Control rooms are now partly in the cloud; updates arrive over the air; diagnostics flow through vendor portals. This makes them into systems that pose national security threats and vulnerabilities, ones that countries must treat with the same seriousness as they apply to more traditional forms of national security.
When China implemented its rare earth export ban on Japan in 2010, it was clear that this would be an issue down the line for other countries. China’s dominance in battery technology is waving the same flag, and we need to take note.
Why Hardware and Software Can’t Be Split Anymore
In past decades, engineers built hardware first and layered software on top. That model is obsolete. Today’s energy systems are co-designed: sensors, power electronics and mechanical structures are specified to enable algorithms that can track a product’s health, prevent failures and optimize output. Hardware–software fusion is the new operating model.
Take EV batteries. Their “brains” are Battery Management Systems (BMS): a combination of sensors and embedded software that decides how fast a car can charge, how much range is really left, and when to prevent overheating. Without accurate algorithms, and the sensor fidelity that feeds it, risks to batteries such as short circuits or battery overheating, catching fire or even exploding increase—and warranty costs soar.
Equally, even the best algorithms are useless if the battery pack lacks the necessary telemetry and computing headroom to act on them. That’s why leading battery programs are moving to predictive maintenance, where AI models trained on voltage, current, and temperature histories can forecast degradation and flag failures before they happen.
These models are already demonstrating high accuracy in spotting early-stage plating and improving charging safety. BYD has integrated artificial intelligence into its battery production lines and has reported significant improvements such as a 40 percent reduction in battery defects and a 20 percent increase in battery average lifespan.
In sum, hardware without intelligent software can underperform or become unsafe; software without adequate sensing and control hardware cannot operate safely and predictably, or exploit efficiency gains.
Most Chinese battery manufacturers (e.g., CATL, BYD) now do not just sell cells, they deliver the software that governs them. These systems are not generic; they embed proprietary algorithms for critical functions, such as
- State of Charge (SoC) and State of Health (SoH): Rather than copper wiring, algorithms estimate how much energy remains and how healthy the cells are, influencing range predictions and warranty decisions.
- Thermal Management: Software actively controls cooling and heating to prevent degradation and safety hazards.
- Predictive Maintenance: AI models forecast aging patterns and detect anomalies like lithium plating, enabling preventive action.
The table below shows this dual capability is standard practice in leading Chinese battery ecosystems.
Examples of Chinese Battery and BMS Manufacturers
| Company Name | Chinese Name | BMS/Energy Software |
|---|---|---|
| CATL (Contemporary Amperex Technology Co. Limited) | 宁德时代 | Yes |
| BYD (Build Your Dreams) | 比亚迪 | Yes |
| CALB (China Aviation Lithium Battery) | 中创新航等 | Yes |
| EVE Energy | 亿纬动力 | Yes |
| sVOLT | 蜂巢能源 | Yes |
| REPT BATTERO | 瑞浦兰钧 | Yes |
| Gotion (Hefei Gotion Photoelectric Technology) | 合肥国轩光电 | Yes |
| Sunwooda | 欣旺达 | Yes |
| Linshen Battery | 力神电池 | Unclear |
| ENVISION | 远景能源 | Yes |
This integration is deliberate: Hardware and software are co-evolving to maximize batteries’ efficiency, safety, and lifespan.
Why This is an Issue for Importing Countries
The deployment of these technologies, however, poses significant national security questions.
- Operational Dependence: Firmware updates, diagnostic tools, and performance tuning remain under the vendor’s control. If geopolitical tensions rise, access to updates or support could be restricted.
- Data Sovereignty: These systems collect granular operational data such as charging patterns, temperature profiles, even location data and data coming from sensors and cameras in EVs. If such data is processed or stored overseas, this raises privacy and security concerns.
- Cybersecurity Exposure: Proprietary code is opaque. Without full visibility or certification, vulnerabilities could persist undetected, creating potential attack vectors in grid-connected storage or EV fleets.
In short, supply chain risk is no longer just about access to raw materials like lithium or graphite, it’s about algorithms and firmware that define how a country’s energy infrastructure operates. Foreign automakers and energy operators relying on Chinese batteries are not just importing physical components; they are importing foreign-controlled code that dictates how critical assets operate, and that may be updated based on a vendor’s schedules, through vendor platforms, and under vendor policies.
In turn, this means the conversation around economic security needs to shift from a focus on trade dependency, to one that takes digital sovereignty more seriously.
The Expanding Attack Surface
The fact that battery vendors have this much control is changing the risk calculus for countries where Chinese EVs are sold, as the same pathways used for diagnostics and updates can be abused.
Over the last several years, national labs and standards bodies have detailed the expanding scope for attack across renewables and distributed energy resources more broadly: insecure remote access, weak authentication, and vulnerable vendor clouds.
The U.S. National Institute of Standards and Technology (NIST) has issued specific guidance for smart inverter cybersecurity, and the U.S. Department of Energy and Idaho National Laboratory has catalogued real incidents, from a denial-of-service attack that cut visibility to roughly 500 megawatts of wind and solar sites to ransomware that disrupted wind OEM operations and maintenance.
While many of these events did not directly trip energy generation, they impaired monitoring and response—a reminder that blinding operators can be nearly as dangerous as flipping a switch.
How to Manage the Risks
We are not making a call to decouple from Chinese technology across the board; this is instead a call to govern interdependence on the host country’s terms. Clean tech is too important to be naïve about.
Host countries should expect that vendors, whether Chinese or otherwise, meet common, verifiable security baselines and that remote control over essential functions be constrained by domestic policy, not left to the default settings of a vendor cloud. In cases where those conditions cannot be met, the answer is straightforward: do not connect critical assets in ways that create one-way dependencies.
The alternative is to discover, at speed, how software can be used as leverage in a crisis. Discussion over the need to diversify critical minerals dependencies has skyrocketed amidst China’s recent adoption and implementation of export controls.
The risk of dependencies, however, is not only that materials become scarce or expensive, but also that firmware updates slow, diagnostic access narrows, or remote commands behave unpredictably. This alone would be highly damaging without even talking about the dramatic “off” switch. Delays and uncertainty alone can raise financing costs, stall deployments, and weaken public confidence in electrification. That is not a technical quibble; it is a strategic vulnerability.
If countries outside China can get this right, they won’t just defend themselves against worst case scenarios. They will also unlock what integrated, software-defined energy does best: higher efficiency, longer asset life, smarter operations, and faster innovation.
The threat of connected technologies is not new, notably in the case of cellular IoT modules (CIMs), the small wireless components that connect physical assets such as vehicles, construction equipment, payment terminals, and critical infrastructure to other devices or digital systems. China dominates this market, accounting for roughly 69 percent of global CIM shipments, and maintains control over the software that services them.
The issue has clearly drawn the ear of the national security apparatus, with the United States adding China’s largest CIM producer, Quectel, to its Entity List (PDF) in January 2025.
Policymakers should draw a clear line and learn from our lessons on CIMs and rare earths: connected energy systems are part of national security architecture. Treat them that way. Set procurement rules that favor products with verified security and clear, traceable software origins. Invest in large-scale cybersecurity training and drills for energy systems, similar to how we fund military exercises. When dealing with all suppliers, including major Chinese firms, negotiate firmly on where data is stored, who controls software updates, and how emergency overrides work.
If countries outside China can get this right, they won’t just defend themselves against worst-case scenarios. They will also unlock what integrated, software-defined energy does best: higher efficiency, longer asset life, smarter operations, and faster innovation.
But that upside depends on being able to say, with confidence, who writes the code, who holds the keys, and who has the final say when something goes wrong. That is what sovereignty looks like in the energy system we are building. It is time to legislate, procure, and invest accordingly.
– Francesca Ghiretti is director of the RAND Europe China Initiative and a research leader at RAND Europe. Conlan Ellis is a junior analyst in RAND Europe’s defense, security and justice research group. Published courtesy of RAND.
