How Do I, As A Security Professional, Justify Using A Product Banned From Being Used By My Own Government? I Don't.

I made this its own topic since I think this is a reasonable representation of the type of risk that Dahua and Hikvision face.

Agreed. Of course plenty of people will keep selling them, but some of the more reputable resellers/integrators are likely to phase them out. I'm assuming a decline in sales would present itself over a period of years rather than months/quarters though.

It may be hard for reseller A to switch to a different - maybe more expensive product, until reseller B does the same. Until then, A will not want to be undercut by B, so they will quote the customer on HikVision/Dahua with a comment that the products are considered insecure by the US government and they'd prefer to sell X which is considered more secure but costs a bit more.

If the price difference is steep enough, many customers will go with the cheaper product and a fraction of them might consider taking measures to implement them as securely as possible.

Product is not banned.

The bill, which has passed the House only, is designed to punish ZTE.

Trump seems to want to let ZTE off easy.

Therefore, it seems uncertain that this particular bill will become law.

Though the congressional sentiment is encouraging.

Your point is valid nonetheless, but some people are likely to read the headline and spread the notion that they are currently banned, which helps no one.

As long as you do not try to hide potential security risks and mitigate what you can, I do not see an issue with giving the customer the option the make an informed decision that could allow them to save $$.

While I understand these risks, the fact the government will not allow something to be used by it's agemcies will never be a sole deciding factor in any product I use, otherwise I would throw away all my USB storage devices, all  but the black box branded KVM switch, and I am sure I could go on...

Once people heard that the Corviar was "unsafe at any speed" and the Pinto would explode if you touched the back bumper, those cars began to disappear.  Were those claim exaggerated?  Arguably, yes.  Were people safer if they bought different cars?  Again, yes.  My hope is that the same trend will happen with HIK.  Integrator and end-users both will begin to see the risk, and move to a safer product.

A security professional's job is to reduce risk. As those professionals become aware of the US government's stance, they will not want Hikvision. Hikvision will stay in homes and small businesses. They will not see growth into the enterprise level organizations. They will be #1 on Amazon. 

Business is business and in our business "cut-throat" is not going away.  I like to think that most of us integrators learn from our mistakes, but know its not the way the world works.  Two of my largest account up-setters are the fore-mentioned manufacturers.  You can hold one product in your left hand and the other in your right being able to clearly tell the difference in quality. (heavier is better right?)  Explain why you will not offer the light hand until your blue in the face and many under-educated board members refuse to see why paying more in some cases might actually be better.

We have consumerized <<<<-sp   ourselves so bad in the last 6-10 years its scary. When BEST Buy has a place in the professional security world with Nest and Arlo, how should we move forward?  We refuse to take a step back and sell less than secure hardware, after all isn't the whole point to make the site more secure?

As an end-user security professional, I say . . . it depends.  It depends on the industry, the application, the organization's risk tolerance levels, cost/benefit analyses, perceptions/PR (perhaps especially important for gov't contractors), network resources, etc.

I have used some Hikvision products in the past, but tend to not install them now.  Not because of real or perceived security risks from their use, but because they do not fully integrate with the VMS we use.  (I will refrain from lamenting on why is it that "ONVIF compliant" seems to mean something different to every manufacturer and VMS software provider I've come across.)

In my opinion, if an end user has a well-segmented and isolated - be it air-gapped, secure VLANs, etc. - network infrastructure and security controls in place for security camera use, it makes the issue far less relevant than for a user who hangs the devices on their general network and leaves the password at the default setting.

The real key to secure security systems is in their implementation:  design, planning, administration, policies, procedures, oversight, use of security best practices, etc.  Any poorly designed, poorly implemented IT system (and that's what camera systems are these days) is a huge security risk - it doesn't matter if you install [insert any "well-respected" camera brand] or Hikvision.

Does equipment specification play a role in securing a networked system?  Certainly.  But if the network is properly done and isolated, the camera selection plays a much smaller role in the bigger picture.  I'm not saying it has no importance, just a much smaller significance.

As an FYI to the more avid Hikvision detractors - I am neither supporting nor defending Hikvision or its products.  Neither am I willing to bash them when many of their security related issues can be avoided by properly designed, implemented, and maintained networks and security best practices (did I mention . . . change the default password!!).  I would love to use more of their products because of budgetary constraints - they offer decent to very good product lines at very competitive prices. 

So again, my response is . . . it depends.  Everyone's mileage will vary.  Everyone's opinions will vary.

I would let my customer know what is going on, and provide details on alternatives.

But - I am wondering what impact this will have in Canada. Will our government follow suit?

What if, for example, a Canadian airport is using a Hik or Dahua video solution to monitor an area where there is US Customs pre-clearance?

Will Hik and Dahua try to "dump" excess product into Canada and further erode pricing?

Will OEMs make North America wide changes or have separate Canada/US product lines?

Probably too much to worry about until this becomes a final law, but just thinking...

I’m glad to see you not use their products. They keep me competitive. 

Any product has security flaws and your delusional if you don’t think so or don’t know how to secure a network. if you think that Mr government says so that you shouldn’t do something. 

Take medical marijuana, it’s illegal to the federal government yet its legal at the state level and your sure as shit I’m going to work for this brand new industry. 

Best of luck

No one has banned Hikvison or Dahua, the idea has been brought to the table but there is no ban. Mr. Trump plays strategy games well, he has signed nothing, Hikvision will remain #1, increase their footprint on the american market and become a more formidable opponent than ever before.

NOTICE: This comment has been moved to its own discussion: No One Has Banned Hikvison Or Dahua. Hikvision Will Remain #1, Increase Their Footprint On The American Market And Become A More Formidable Opponent Than Ever Before.

This isn't black and white IMO. I wish it was. We used to sell a lot of Hikvision up until just over two years ago when we started to cut back due to learning they were owned by the Chinese government. As we saw more hacks we were happy we made that decision to back off. Hikvision is like a drug, they are good and inexpensive. We all know Hikvision sells quality products, Hikvisions problem is they're owned by the Chinese government and there's risk associated with that. Hikvisions problem ISNT their products quality. That's what has made it difficult to leave them. For months after making the decision to leave Hikvision I felt I was selling inferior products that cost more, I felt like I wasn't providing my customers with a great end product. It took me a year to find a product that was both reasonably priced and almost the quality of Hikvision. We finally have a solid solution of a VMS and camera line that is not made in China. Price is about 10% higher and the quality of the camera is almost what the Hikvision was. Only downfall is the bitrate, Hikvisions bitrate is a fraction of this other companies, but I am willing to eat that cost of additional storage. 

At this point, I'm more surprised that no one has brought up the fact that about 65/70% of Dahua's US biz is through OEM'ing to other manufacturers.

Panasonic, Bosch, FLIR - the list goes on and on.  My point?  What happens to Dahua (and HIK) when their OEM partners go looking for someone not on the "bad manufacturers gov't watch list" to produce the camera's they OEM and resell?  Dahua takes a massive hit.

I read it earlier on this thread and agree - I could very well see HIK being the new #1 on Amazon for consumer-based security applications in the near future.