In a move that seeks to allay cybersecurity concerns surrounding the government’s use of technologies manufactured by Chinese companies, the U.S. House of Representatives last week passed a bill that prohibits federal agencies from purchasing video surveillance equipment from several China-based firms, including Hikvision, Dahua and Hytera Communications.
In a statement provided to SecurityInfoWatch.com, Jeffrey He, president of Hikvision USA Inc., and Hikvision Canada Inc., said their products “adhere to global cybersecurity standards” and that they would “vigorously defend” the company against “unproven accusations.” Dahua also pushed back against the proposed ban on Tuesday, saying in a statement on its website that they are a company with a "high level of business integrity" and that they are committed to complying with "all applicable laws and regulations" of the countries in which they operate.
The ban would not only impact branded products from the companies named but also any other manufacturers that use Hikvision, Dahua and Hytera OEM solutions. According to the bill: “By not later than 180 days after the date of the enactment of this Act, each agency shall develop a plan…(that) shall include, but not be limited to, how the agency plans to deal with the impact of white label technology on its supply chain whereby the original manufacturer of technology is not readily apparent to a purchaser or user.”
The ban was included as part of an amendment to the National Defense Authorization Act proposed by Rep. Vicky Hartzler (R-Mo.) that had originally only been limited to the government’s use of technologies and services from Chinese telecom giants Huawei and ZTE. Earlier this month, the Pentagon announced that it was banning the sale of Huawei and ZTE phones on U.S. military bases around the globe over security concerns. The heads of the U.S. intelligence and law enforcement community had previously warned consumers against the use of devices manufactured by these companies in February.
“We must face the reality that the Chinese government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors,” Hartzler said in a statement. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities, and my amendment will ensure that China cannot create a video surveillance network within federal agencies.”
For its part, Hikvision is not ducking away from the issue – both for public and private-sector deployments. “We are actively working to assure our North American stakeholders that Hikvision strictly abides by the laws and regulations of each country in which it operates,” He said in the statement. “We also reaffirm the fact that we hold our products to the industry’s global cybersecurity standards, including North America.”
He’s statement continues: “As we continue to monitor and further deploy the necessary resources to address this matter over the coming weeks and months, please know that we will vigorously defend Hikvision from dangerous and unproven accusations about the cybersecurity of our products and solutions. We remain fully focused on providing quality service to our valued partners…we invite you to contact your Hikvision sales representative, who would be happy to answer any of your inquiries.”
Dahua, whose products were recently certified by TÜV Rheinland as meeting the TÜV Rheinland 2PfG 2624/06.17 standard, which was derived from GDPR, said that it devotes 10 percent of its revenue annually to R&D efforts and that they are positioning the company as a “cybersecurity leader” in the industry.
“Dahua takes cybersecurity seriously and has designated it as a top priority,” the company's statement reads. “The Company takes a comprehensive and systemic approach to cybersecurity, with complementary and redundant safeguards built into its technology, services and organizational practices.”
Hytera, which has over 70 U.S. employees and offices in Chicago, Miramar, Fla., and Irvine, Calif., told SIW in a statement that it was “disappointed to learn” about the inclusion of the language in the House bill that would prohibit the sale of their products, as well as those from other Chinese brands, to federal government end-users.
“Our objective is the same as that of our customers and business partners: to help empower and protect local businesses and communities. We believe in innovation, we are dedicated to our customers, and we believe in free and fair competition in the marketplace,” the company said in the statement. “Hytera seeks not only to contribute to the communities in which we live and work, but also to uphold the highest standard of business ethics in the United States and around the world.”
The bill will now move to the Senate for further consideration.
Hikvision, Dahua Taking Steps to Reassure Stakeholders
The cybersecurity of Hikvision and Dahua products was also brought up during a hearing held earlier this year by the House Committee on Small Business focused on combating foreign cyber threats, with discussion centered on the Small Business Advanced Cybersecurity Enhancements Act of 2017.
Before opening the floor for questioning by other House committee members, committee chairman Steve Chabot (R-Ohio) set the tone for the hearing’s examination of network vulnerabilities by citing separate incidents attributed to the companies in 2014.
Late in 2014, technology researchers detected three major buffer overflow vulnerabilities in Hikvision DVRs; this after finding that those same DVRs contained bitcoin mining malware in April 2014. That same year, researchers found Dahua cameras and DVRs contained backdoors. Both companies were quick to address these issues.
“As I have mentioned before, many cyber threats towards small businesses come at the hands of bad actors, sometimes foreign governments in an attempt to undermine the country’s national security and economy,” Chabot said in his Congressional testimony. “Hikvision, one of the top five largest manufacturers of security cameras worldwide, is 42-percent owned by the Chinese government, and in 2017, the Department of Homeland Security learned that many of its cameras were able to be hacked and remotely controlled.”
Hikvision has since worked with DHS to fix that flaw; in fact, cybersecurity reassurance of Hikvision products for both public and private sector users and channel partners has been one of the company’s primary messages for nearly a year. In addition to publishing an extensive “cybersecurity center” on its website that includes advice for best practices, as well as patches, firmware updates and security notices, the company has launched a “cybersecurity hotline” as well as a cybersecurity roadshow for its channel partners and hired cybersecurity expert Chuck Davis as its Director of Cybersecurity. In addition, Hikvision opened a Source Code Transparency Center to provide an opportunity for government agencies in both the United States and Canada to review the source code of a number of IP cameras, NVRs and other products sold by the company.
As for Dahua, it has also responded quickly and publicly to cybersecurity concerns regarding its products. The company outlined its cybersecurity initiatives in a release published at the ASIS Conference last year, and responded quickly to fix a critical vulnerability in the firmware of Dahua IP cameras in November. In an interview following the firmware vulnerability’s discovery and fix, Janet Fenner, the company’s director of business development, issued the following statement to SecurityInfoWatch:
“We are taking cybersecurity seriously and putting in significant resources. Dahua is committed to ensuring the cybersecurity of our related products and solutions. We are also getting support from experts in this field. Dahua is taking a proactive approach of consulting with esteemed authoritative partners such as Synopsys Technology and DBAPP Security to learn from the experience of other industries to speed up our maturity. Additionally, we are taking action to improve support to customers in terms of security vulnerability reporting, announcements/notices and cybersecurity knowledge sharing. Customers can reach local Dahua technical support teams and/or the DHCC for support at email@example.com.”
SecurityInfoWatch could not find any similar cybersecurity-related news, releases or sections on the Hytera website.
Jim McHale, director of UK-based research firm Memoori, does not think that sales of Hikvision and Dahua products in the U.S. will be greatly impacted by this bill if it does become law; however, the same cannot be said of manufacturers who white label devices from these companies.
“In the short term, I don't think it will have too much impact on the direct trade of Hikvision and Dahua cameras in the USA. However, this ruling could have a significant impact on indirect sales through OEM products sold by (U.S.-based manufacturers),” McHale said. “These operations are major U.S.-owned companies and loss of esteem by dealing with companies banned by the U.S. government could have wider implications for them.”
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at firstname.lastname@example.org.