US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns

JH
John Honovich
Oct 16, 2019
IPVM
U
Undisclosed #1
Oct 16, 2019
IPVMU Certified

Harnessing Tech for Military Purposes

The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".

though Schriver seems to say as well that the U.S. strategy is similar:

...as I said in the previous comment if you if you really want to understand pillar one of the national defense strategy, pillar one of our Indo Pacific strategy, increasing the lethality of our force, look at where we're going to make investments for the future, where we're doing research and development, but where we're trying to acquire capabilities as quickly as we can and cyber is at the top of that list.

Once we acquire the greater capability, and also ourselves, we need to think about how it integrates into contingency planning. [Emphasis and commas added]

(1)
Sergio Guzman
Oct 16, 2019
Pine Crest School • IPVMU Certified

IPVM is so political. I mean it's not like politics relates to security. *wink* *wink*

(1)
(7)
JH
John Honovich
Oct 16, 2019
IPVM

not like politics relates to security

Lol, in fairness, most everyone now admits that politics relates to security. There was a time not too long ago (last year, the year before?) where many industry people either really thought they were not related or were hoping that it was not. Obviously, the events of the last year have made things very clear.

Ultimately, when the largest video surveillance manufacturer is owned by the PRC government, the industry is going to get political. Add cloud and AI to it and the politics get even steeper.

Theoretically speaking, it would make things much simpler in technology if it did not have political implications but that is not the world we are now in.

(5)
(1)
Sergio Guzman
Oct 16, 2019
Pine Crest School • IPVMU Certified

I bring it up all the time at my job, and some people roll their eyes, but I don't care, we're not buying China. I support your perspective. Part of my job is security and purchasing from insecure places isn't smart policy. I have ethical and moral reasons beyond that, but I don't feel what you guys do is off-topic. I appreciate it.

We have children of diplomats here, and many high-profile children; I would be an idiot to run a system broadcasting such information to foreign governments.

(7)
(2)
UM
Undisclosed Manufacturer #3
Oct 16, 2019

It's probably not so far fetched to say that at least some of this is schadenfreude over seeing the company that helped drive down prices industry-wide has found itself in trouble. And I say this as an early convert to IPVM's alarm over Hikvision.

U
Undisclosed #1
Oct 17, 2019
IPVMU Certified

but the schadenfreude is all the industry has left :)

(1)
Sergio Guzman
Feb 20, 2020
Pine Crest School • IPVMU Certified

Right schadenfreude

Right, buying from China comes cheap at the cost of other people's misfortune. It's all Hikvision has left, exploiting people and selling cheap to small businesses that depend on slave-driven prices to stay alive.

UI
Undisclosed Integrator #2
Oct 16, 2019

Of course...

If we know we would do it in a time of war, we have to assume that our enemies would as well. It is a smart move to protect your homeland. Just ask China, they have effectively banned foreign tech products as well.

(9)
(1)
(1)
(1)
JH
John Honovich
Oct 17, 2019
IPVM

The US SIA has provided a response to IPVM on the DoD's quote:

SIA trusts the U.S. government to make decisions (based on information available to U.S. intelligence and homeland security agencies) that will protect its networks from cyber-attacks. SIA also strongly supports efforts by federal agencies to protect supply chains. In fact, SIA supported the enactment last year of the Federal Acquisition Supply Chain Security Act of 2018.

This law, which I recommend IPVM review, created the Federal Acquisition Security Council. Criteria and procedures will be established for recommending exclusion from agency procurements and the removal of software and equipment from agency information systems when it determines that those items present a supply chain risk regardless of the source. The law permits any federal agency to exclude an item from procurement where it determines that the item poses a significant supply chain risk. We expect the implementing rules to be published by the end of the year.

bm
bashis mcw
Oct 17, 2019

Cybersecurity - Technical Only or Foreign Control?

Defiantly both

(1)
(1)
U
Undisclosed #1
Oct 20, 2019
IPVMU Certified

Defiantly both...

did you definitely mean defiantly?

U
Undisclosed #1
Oct 18, 2019
IPVMU Certified

of course, for our trusted allies, cyber security cooperation is to be expected ;)

Russia says it is starting to resume U.S. cyber cooperation: TASS

U
Undisclosed #1
Oct 19, 2019
IPVMU Certified

UI
Undisclosed Integrator #4
Oct 20, 2019

Politics and business should stay well apart, I know this is easier said than done.

If security is a concern for China products, I would wonder about the implementation of the system. I run a large network of cameras from China; to ensure that there is no chance of hacking or unauthorized access, the whole network is completely isolated from the internet on its own private fibre network. Simple solution: if it is not plugged into public networks it can't be hacked.

Why is nobody asking why the network security is not up to scratch, like routers and access points? Or, at a basic level, whether the equipment has been installed properly?

Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly.

Simple example: does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza strip?

All I know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.

Security installers should disclose risks to clients. In reality any device connected to a public network could be hacked; this is not limited to Chinese products. If my client understands the risk they can make an informed decision whether to have their system on a public or private network.

(1)
(2)
U
Undisclosed #1
Oct 20, 2019
IPVMU Certified

All I know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.

agree.

these days you can’t buy a single rhino horn, or some decent yellowcake ore, or just a matching kidney. not even on eBay!

MM
Michael Miller
Oct 20, 2019

Why is nobody asking why the network security is not up to scratch, like routers and access points? or at a basic level of has the equipment been installed properly.

A couple of reasons: A) Hikvision will sell to anyone, including end-users who don't understand network security. B) Most of the alarm companies installing Hikvision don't understand IP or network security. C) Customers shopping at this price point don't want to pay for proper network security. D) Large enterprise systems with multiple locations make it harder to keep the cameras on an air-gapped network.

(2)
(1)
JH
John Honovich
Oct 20, 2019
IPVM

banning a product that was used by a government that has abused human rights

#4, thanks for the detailed feedback. I agree with you if these products were simply 'used' by a government there should be no objection towards the product manufacturer.

However, Dahua and Hikvision directly sold more than a billion dollars worth of projects (including installation and even operation in some cases) in Xinjiang where these human rights abuses are taking place.

(1)
UI
Undisclosed Integrator #4
Oct 21, 2019

Google has also been implicated in providing private data to the Chinese government, also making them complicit in the human rights abuses. Will Google be banned too?

Banning companies for providing tools to governments that commit human rights abuses opens up a huge spider's nest; there are many companies, western and eastern, that would be caught up in the web. It would make more sense to sanction the government than the private companies.

JH
John Honovich
Oct 21, 2019
IPVM

Google has also been implicated in providing private data to the Chinese government, also making them complicit in the human rights abuses. Will Google be banned too?

What is your source for this?

Google's search is banned in China since 2010. Please clarify your allegation here. What private data are you saying Google has provided?

(1)
UI
Undisclosed Integrator #4
Oct 22, 2019

Charles Rollet
Oct 22, 2019

UI#4, you said this video somehow shows that:

Google has also been implicated in providing private data to the Chinese government

But the video you posted makes no such claim. The video has a lot of commentary, but concretely, it only references two facts about Google:

  1. In 2018, Google said it would invest $500 million in JD.com, China's second-largest e-commerce firm.
  2. Google opened up a China AI lab in Beijing in 2017.

The video then raises concerns about these decisions "indirectly" supporting the Chinese military. But there's not a single reference to Google "providing private data to the Chinese government". There's also no such proof or even allegation of that happening elsewhere.

Regarding your broader point that:

Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly. Simple example: does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza strip?

The key difference is that Hikvision itself was contracted to directly build and operate surveillance systems in Xinjiang, including in re-education camps and mosques. It was not a mere "product supplier", as we have debunked many times. Xinjiang is at the center of one of the world's most serious human rights crises, with over a million civilians locked up in so-called re-education camps. Video surveillance has been referenced many times as a core part of Xinjiang's repressive apparatus, which is why IPVM decided to look into PRC manufacturers' huge deals there in the first place. I don't think Western tech firms are angels, but the level of direct involvement/complicity here has no direct analogue.

(1)
(1)
UI
Undisclosed Integrator #6
Oct 22, 2019
DH
Damon Hood
Oct 21, 2019

Any system on the network open or closed can be hacked. It is just a matter of time before the bad actors locate and find the door.

To assume you are safe because a system is closed is just not a sound policy.

Just ask the former CIO of Target corporation. They got hacked and it was not through an open network. It was through a secure VPN network with vendors for the transmission of invoices.

Unfortunately one can never assume a system is 100% secure.

U
Undisclosed #1
Oct 22, 2019
IPVMU Certified

Any system on the network open or closed can be hacked.

1) integrators don’t write firmware

2) integrators configure and commission networks

since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.

(1)
(1)
JH
John Honovich
Oct 22, 2019
IPVM

since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.

And what about the vast number of integrators who port forward? Are they securing their networks? :)

U
Undisclosed #7
Oct 22, 2019

And what about you recommending port forwarding a few years back? :)

JH
John Honovich
Oct 22, 2019
IPVM

you recommending port forwarding

Source for that?

U
Undisclosed #7
Oct 22, 2019

They were deleted by you a long time ago :(

U
Undisclosed #1
Oct 22, 2019
IPVMU Certified

They were deleted by you a long time ago :(

Source for that?

U
Undisclosed #1
Oct 22, 2019
IPVMU Certified

Are they securing their networks? :)

only if they write firmware ;)

i’ll gladly amend my statement to:

since integrators can’t count on manufacturers to secure their devices, they *can only* count on themselves to secure the network.

UI
Undisclosed Integrator #5
Oct 21, 2019

Any system connected to the public networks can be hacked.

If remote viewing is enabled, be it via a dedicated IP and ports opened on the firewall, or via a cloud host that keeps ports open for the remote user, this allows a bad actor to access the system and load firmware that compromises it.

VPN technology can resolve this in most cases, but there are workarounds known to the hacker community (and if not by them, to governments) for VPN solutions.

However, in the majority of cases it comes down to the humans that operate these networks. We find this to be the biggest vulnerability, and the hardest to control.
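The exposure described in this comment (remote viewing via ports opened on the firewall, versus VPN-only access) can be checked mechanically. The following Python audit is an added example, not code from this thread or from IPVM: it walks a router's port-forward (DNAT) rule list, flags any rule that sends public-network traffic into the camera subnet, flags forwards to well-known camera/NVR service ports (HTTP, HTTPS, RTSP) on other hosts, and skips only the rules on an explicit allow-list such as the VPN listener. The rule format, the `10.20.0.0/24` camera subnet, the WireGuard-style UDP/51820 listener and the sample rules are all constructed assumptions for the demonstration.

```python
"""Audit a router's port-forward (DNAT) rules for camera/NVR exposure.

Added example: rule layout, subnets and sample rules are constructed,
not taken from any real router or from the thread above.
"""
from dataclasses import dataclass
import ipaddress

# Service ports that IP cameras and NVRs commonly expose (HTTP, HTTPS, RTSP).
CAMERA_SERVICE_PORTS = {80, 443, 554}


@dataclass(frozen=True)
class ForwardRule:
    name: str            # label as it appears in the router config
    proto: str           # "tcp" or "udp"
    external_port: int   # port reachable from the public network
    internal_ip: str     # LAN host that receives the forwarded traffic
    internal_port: int   # port on that LAN host


def audit_forwards(rules, camera_subnets, allowed=frozenset()):
    """Return [(rule name, severity, reason)] for every forward that exposes
    camera infrastructure. Rules whose name is in `allowed` (e.g. the VPN
    listener that replaces port forwards) are skipped."""
    nets = [ipaddress.ip_network(n) for n in camera_subnets]
    findings = []
    for r in rules:
        if r.name in allowed:
            continue
        host = ipaddress.ip_address(r.internal_ip)
        if any(host in n for n in nets):
            # Any path from the WAN into the camera subnet defeats the
            # isolation the network was designed around.
            severity = "high"
            reason = (f"WAN {r.proto}/{r.external_port} is forwarded into "
                      f"camera subnet host {r.internal_ip}:{r.internal_port}")
        elif r.internal_port in CAMERA_SERVICE_PORTS:
            # A camera-style service on a host outside the camera subnet:
            # worth a look, but may be an ordinary web server.
            severity = "medium"
            reason = (f"WAN {r.proto}/{r.external_port} reaches camera-style "
                      f"service port {r.internal_port} on {r.internal_ip}")
        else:
            continue
        findings.append((r.name, severity, reason))
    return findings


# Constructed sample rule set: two NVR forwards, one stray RTSP forward,
# the VPN listener (the intended remote-viewing path) and an unrelated rule.
SAMPLE_RULES = [
    ForwardRule("nvr-web", "tcp", 8080, "10.20.0.10", 80),
    ForwardRule("nvr-rtsp", "tcp", 554, "10.20.0.10", 554),
    ForwardRule("office-rtsp", "tcp", 5540, "192.168.1.50", 554),
    ForwardRule("vpn-wireguard", "udp", 51820, "192.168.1.1", 51820),
    ForwardRule("mail", "tcp", 25, "192.168.1.30", 25),
]
CAMERA_SUBNETS = ["10.20.0.0/24"]
ALLOWED_RULES = {"vpn-wireguard"}


def run_audit():
    """Convenience wrapper used by the stand-alone run and the checks."""
    return audit_forwards(SAMPLE_RULES, CAMERA_SUBNETS, ALLOWED_RULES)


if __name__ == "__main__":
    for name, severity, reason in run_audit():
        print(f"[{severity.upper()}] {name}: {reason}")
```

The design choice is an allow-list rather than a block-list: the only forward that should survive on a camera network that is meant to be reached over VPN is the VPN listener itself, so anything else is reported and the integrator decides whether it is a legitimate exception. Feeding the function a rule list exported from the router, instead of the constructed sample, turns it into a recurring configuration check.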

UI
Undisclosed Integrator #5
Oct 21, 2019

Once the camera or NVR/DVR is compromised, the hacker has root privileges with admin access on your network, with a working Linux (or other) device to which he can send very damaging commands.

UI
Undisclosed Integrator #5
Oct 21, 2019

If for no other purpose, this access to your network can be used to observe the workings of secured areas, such as laboratories, industrial plants, water treatment facilities, utility installations, cell towers, and more.
