In August 2018, a US National Defense Authorization Act (NDAA) amendment was passed identifying various Chinese technology companies and products that are banned for sale to US federal agencies. This extends to any US company receiving federal grant money. Specifically named are Chinese-made CCTV cameras and systems, which are used extensively in maritime and port operations. It is highly recommended these cameras be replaced.
The NDAA originally included Chinese tech companies Huawei and ZTE, which have received much media publicity. But the Act amendments now include video surveillance equipment and systems from several China-based firms, including Hikvision, Dahua and Hytera Communications.
The ban was included as part of an amendment to the NDAA that was originally limited to the US government’s use of technologies and services from Chinese telecom giants Huawei and ZTE. According to the bill: “By not later than 180 days after the date of the enactment of this Act, each agency shall develop a plan…(that) shall include, but not be limited to, how the agency plans to deal with the impact of white label technology on its supply chain whereby the original manufacturer of technology is not readily apparent to a purchaser or user.”[1]
A reliable source to Wapack Labs has indicated that the “plan” inside the US federal government is to replace all these cameras and associated systems by August 2019. All three Chinese companies have vehemently denied any issues with their products.
In 2014, technology researchers detected three major buffer overflow vulnerabilities in Hikvision DVRs; this after finding that those same DVRs contained Bitcoin mining malware. That same year, researchers found Dahua cameras and DVRs contained backdoors. A US Congressional statement was issued in 2018 explaining, “Hikvision, one of the top five largest manufacturers of security cameras worldwide, is 42 percent owned by the Chinese government, and in 2017, the Department of Homeland Security learned that many of its cameras were able to be hacked and remotely controlled.” Hikvision is reported to have since worked with DHS to fix that flaw.
Recently, many US universities have been replacing telecom equipment made by Huawei and other Chinese companies to avoid losing federal funding under the NDAA. US officials allege Chinese technology manufacturers are producing equipment that permits China to spy on users abroad. This includes western university researchers working on leading-edge technologies. China continues to deny these claims.[2]
On 20 February 2019, the State of Vermont’s Chief Information Officer (CIO) instructed the entire state government to determine if it uses any hardware or software made by certain companies believed to have ties to the Russian and Chinese governments.[3] In a CIO memorandum an order was issued for the removal of products sold by Kaspersky Lab (a cybersecurity software firm suspected by US officials of having ties to Russia) and devices manufactured by Chinese firms which the US has accused of conducting espionage on behalf of China.
Under the US FEMA Port Security Grant Program (PSGP), or for that matter any US federally funded grant program, any US maritime industry organization would need to meet NDAA guidelines to remain compliant for future federal grants. This would mean replacement of Chinese surveillance equipment named in the NDAA.
Of note, and quite interesting, British Intelligence issued a recent report stating that the cybersecurity risks of using Huawei’s equipment in 5G networks are “manageable.” Media sources familiar with the contents of this intelligence report, authored by the UK’s National Cyber Security Centre (NCSC), explain there are ways to mitigate security threats posed by Huawei’s equipment.
The details of this intelligence report stand in stark contrast to the attitudes and policies of other members of the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the UK and the US). Last year, Australia banned the use of Huawei’s equipment in its 5G networks. Meanwhile, New Zealand’s Government Communications Security Bureau blocked a proposal to use the firm’s tech over national security concerns.[4] The fifth member, Canada, is yet to make a decision about use of Huawei equipment, though some experts have suggested this delay is due to the ongoing detention of three Canadian citizens in China. Our Asia Desk Subject Matter Expert believes this British move is due to the UK having invested heavily in Chinese equipment; the British are publicly stating they can work around these issues.
Though replacement of this equipment is time-consuming and costly, it is highly recommended that the maritime sector replace Chinese cameras and associated systems named under the NDAA amendment.
About Wapack Labs
Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations. For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
[1] https://techcrunch.com/2018/08/13/new-defense-bill-bans-the-u-s-government-from-using-huawei-and-zte-tech/
[2] https://www.cnbc.com/2019/01/24/reuters-america-insight-u-s-universities-unplug-from-chinas-huawei-under-pressure-from-trump.html
[3] https://statescoop.com/vermont-cio-orders-purge-of-kaspersky-huawei-and-zte-products/
[4] https://www.theverge.com/2019/2/18/18229111/uk-huawei-5g-security-risk-concerns-ncsc-gchq