SIA Coaches Sellers on NDAA 889B Blacklist Workarounds

Published Aug 05, 2020 16:35 PM

Last month SIA demanded that NDAA 889B "must be delayed". Now that it has failed to delay the ban, SIA is coaching sellers on workarounds to it.


The August 4th SIA webinar was led by Jake Parker, SIA Senior Director of Government Relations, and Lynn de Seve, SIA board member, joined by Dismas (Dis) Locaria, a partner in Venable's Government Contracts Group.

In this post, we cover key points & quotes from the webinar, including:

  • Arguing that banned equipment is not touching critical systems
  • Forcing contracting officers to give awards despite banned equipment
  • Protests can lead to relief down the road
  • How the government using the 'False Claims Act' for cybersecurity issues is a "worn out shtick"
  • Shifting your assets to keep using banned equipment
  • How reasonable inquiry does not require going back to your providers or vendors

Not Touching Critical Systems


The attorney argues that contractors can use the representation's explanation field to emphasize that banned equipment is 'not touching critical systems':

with that representation you’re supposed to provide explanation as to what your use is, and that’s an opportunity for contractors to explain that their use is not substantial, or essential, or critical. It’s not touching critical systems. [emphasis added]

Many contractors have argued for such a distinction (e.g., for equipment on closed networks), but neither the legislation nor the implementing regulation carves out a 'non-critical' or closed-network exemption from the ban.

Continuing, he contends that contracting officers may feel forced to award contracts despite banned equipment:

And I think what you’re going to see is you're going to see contracting officers, which I have to imagine have zero desire to get into this analysis, but they're going to be forced to that are going to say “well, I agree it’s not substantial, essential, or critical", and they’re essentially going to award regardless of the representation. [emphasis added]

And, he suggests, as contractors object to the blacklisting, the government may be motivated to provide 'relief down the road' from the ban:

My understanding is a lot of ordering agencies or buying agencies like GSA...have taken this stuff back to OMB and said, 'Look, our defense contractors can’t comply with this as written.' And my understanding is at the highest levels of GSA, they’ve gone back to OMB and said ‘Our community cannot deal with this.’ So what does this mean? You know, hopefully that means some relief down the road.

Worn Out Schtick

The attorney later complained about the government using the False Claims Act to seek damages from contractors who make misrepresentations, warning that the same tactic will be applied to Section 889 representations and calling it a 'worn-out schtick':

We’re starting to see False Claims Act cases coming against companies that are not meeting their cybersecurity obligations. The second to last bullet here says no new enforcement approach, but I guarantee you the government will use its worn-out schtick of the False Claims Act if there are folks that are misrepresenting under this. [emphasis added]

Shifting Assets

Another recommendation was to shift banned 'assets' to other parts of a conglomerate:

The regs are, I'll say, very open to the idea of interpreting [the applicability of the rules] more broadly, and applying it to parents and subsidiaries…in one case I have clients who are actually shifting their assets to other organizations who are not the offeror. Right, so then they can say, well, 'we’re not using it, our downstream affiliate is using it.' So there are some prophylactics you can do to get around this.

Reselling Still An Open Question

However, the attorney was less definite about whether reselling counts as 'use' under the rule:

If you’re merely acquiring products to resell, and it might have prohibited technology embedded in it, is that use? Right. And I don't know. I wouldn’t think so. But use is not defined in the regulation. I think in those instances you might be able to take a more aggressive posture: that that is not use.

No Need to Go Back To Providers or Vendors

While many companies have been investigating their suppliers (e.g., via IPVM's Dahua OEM directory and Hikvision OEM directory), the attorney argued that the 'reasonable inquiry' standard in the FAR does not require asking them:

you're only, you know, that reasonable inquiry under the regs is you only need to do kind of an internal analysis, you don't have to go back to your providers and your vendors and ask them whether they include Huawei or ZTE or any of the other prohibited technology [emphasis added]

Given the amount of historically hidden relabeling of Dahua and Hikvision products, and the use of Huawei HiSilicon chips, especially in low-cost products, it is quite common for users not to know the true source of their equipment. If they are not required even to ask or check on that source, it becomes easy to keep using banned equipment so long as neither party asks nor tells.

Insightful Look At Seller Strategy / Risk To Security And Law

This SIA webinar provided an insightful look at how sellers may undermine this legislation and the government's national security stance. Undoubtedly, such tactics benefit sellers of banned Chinese equipment in the short term, though they increase the risk to the US as a whole in the long term.

Comments (29)
Undisclosed #1
Aug 05, 2020

Shady Industry Association strikes again!

(10)
(8)
Undisclosed #2
Aug 06, 2020

I beg to differ: the webinar tried to help people stay in business despite irrational regulations. Not everyone can easily switch to another vendor, nor should they. I wouldn't install hikua cameras in a nuclear missile silo, but they are perfectly fine for a municipal library or intersection.

This article is one step shy of depicting SIA as communist traitors undermining national security.

(5)
(21)
(5)
(2)
John Honovich
Aug 06, 2020
IPVM

but they are perfectly fine for a municipal library or intersection.

You are certainly entitled to your opinion but that's not US law.

help people stay in business

Please! Where were you when Hikua was driving various US companies out of business with their race to the bottom? Where were you when the PRC was blocking out all the other world video surveillance companies?

Most legislation has positive and negative impacts on businesses. Companies can 'stay in business' with or without Hikua but Hikua is the easy money.

(22)
Undisclosed #2
Aug 06, 2020

"You are certainly entitled to your opinion but that's not US law."

Laws reflect the society you live in. 5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed. The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

I doubt hikua ever had a sinister plan to take over the world, they made a cheap product because of people that wanted to buy it, it's not their fault they won.

(2)
(21)
(5)
(1)
John Honovich
Aug 06, 2020
IPVM

The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

The rational decision making is that we are faced with an authoritarian regime hostile to democracies. As for 'xenophobia' this has nothing to do with other countries generally or even Asians, the US has strong relations with many governments in Asia even Chinese led ones like Taiwan. This is a specific issue with a specific leader, Xi Jinping, of a specific organization, the China Communist Party.

And yes I agree with you that things changed. That change is Xi Jinping and the policies he has enacted.

Don't whine or dismiss what the US is doing as 'politics' without being fair that this is clearly a response to politics from Xi Jinping.

(10)
Undisclosed #2
Aug 06, 2020

If Xi and the CCP are the problem, why ban only 3 companies? Ban them all. That would be the rational thing to do.

When you single out the top 3 competitors and leave the rest of the CN ones to do business as usual, that doesn't make sense.

(3)
John Honovich
Aug 06, 2020
IPVM

Because the "top 3 competitors" represent the overwhelming majority of business / offerings in the space.

Btw, I know you guys think this is a clever comeback but it's a bit like saying "Why did you only accomplish the 3 most important things today. Clearly, if you cared, you would have done everything."

Think about it. Literally, your contention is that it's irrational only to ban the largest 3 companies/risks.

(2)
Conor Healy
Aug 06, 2020
IPVMU Certified

if Xi and the CCP are the problem, why ban only 3 companies ? ban them all. that would be the rational thing to do.

Section 889 B allows the Secretary of Defense to expand the list, a possibility that may well occur.

But to answer your question more directly:

  • Because the US has direct concerns about these companies, they weren't picked at random;
  • Because everything has to start somewhere (policies don't need to be all or nothing);
  • Because, as Secretary of State Mike Pompeo stated in a speech last week, America's foreign policy goal here is to change the nature of China's participation in the world, not to end it. Banning all companies at once leaves you with no more moves to make.
  • Because solving problems in one place can cause problems in others, and it is generally inadvisable (and, contrary to your assertion, not a rational move) to solve problems all-at-once before beta testing your solution.
(7)
(3)
Eric Taylor
Aug 06, 2020
Pelco Inc.

Laws reflect the society you live in. 5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed. The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

You've got to be kidding, xenophobia? The government finds certain products manufactured by Chinese companies, some owned by the PRC, to be a risk to our national security and your response is "xenophobia". The Chinese government is not our friend, and pointing that out doesn't make someone a xenophobe.

Your analogy of "smoking weed" is equally obtuse. Society's perception of "weed" is based on its moral values. Laws can reflect the moral values of a group of people, but in this instance we are not talking about moral values. The NDAA is in place to protect our country from cyber-security threats, which is not a moral issue, it's a national defense issue.

You claim the law is not based on "rational decision making"; fine, make your argument. I would love to hear a "rational" argument about why NDAA is not necessary, or is politically motivated (which I think can be a legitimate reason). Throwing out words like xenophobia only weakens your argument and makes you sound like a bitter denier who doesn't know how to adjust to the new regulations.

I painfully sat through the SIA webinar yesterday and I completely agree with John's assessment.

(9)
(2)
Undisclosed #2
Aug 06, 2020

The ban is not rational because it is a blanket ban, but this blanket is full of holes:

1. It doesn't solve the China risk. How do you know TVT or Uniview aren't in cahoots with the CCP? You don't, right? If China is a risk, ban all Chinese products, or switch back to analog if you are afraid of cyberattacks :)

2. It conveniently singles out the biggest competition; the bottom feeders and second tier manufacturers can still sell to the government. Again, no sense. You allow inferior quality products but ban the good ones (maybe not best in breed, but best for what you pay for).

3. Security is based on rational risk assessment, but this is a blanket ban treating a camera in a national park the same as a camera in a military base... it's not and you know it. The risks are different.

(1)
Corbin Hambrick
Aug 06, 2020

"bottom feeders"

I thought those who sell HIK and Dahua WERE the bottom feeders!

(1)
(1)
Undisclosed #2
Aug 06, 2020

Nope...there are many many bottom feeders in China you never heard of...

(2)
Undisclosed #3
Aug 06, 2020

LOL. True.

Have you ever stepped into the Asia section at ISC West? That was just a fraction of them.

I did it once.

Once.

Never again.

(1)
Eric Taylor
Aug 06, 2020
Pelco Inc.

1. it doesn't solve the china risk,how do you know TVT or Uniview aren't in cahoots with the CCP? you dont right? if china is a risk, ban all chinese products, or switch back to analog if you are afraid of cyberattacks :)

"These prohibitions reflect the Government’s increased concerns that Chinese intelligence services could use Chinese telecommunications companies to exploit U.S. technological data. This comes after the heads of six U.S. intelligence agencies recommended, during a Senate Intelligence Committee hearing in February 2018" FBI Director Chris Wray.

The intelligence community seems to have reason to believe that Huawei Technologies and ZTE pose a risk to national security. If I'm not mistaken, the ban isn't necessarily a Hikvision and Dahua ban; it's a ban on any company that uses telecommunication devices manufactured by Huawei or ZTE.

2. it conveniently singles out the biggest competition, the bottom feeders and second tier manufacturers can still sell to the government, again, no sense. you allow inferior quality products but ban the good ones (maybe not best in breed, but best for what you pay for)

The biggest competition are using devices manufactured by Huawei and ZTE.

3. security is based on rational risk assessment, but this is a blanket ban treating a camera in a national park the same as a camera in a military base... it's not and you know it. the risks are different.

It depends on what you consider a risk. Are you familiar with the Mirai botnet in 2016, a DDoS attack that shut down part of the internet? IP cameras played an important role in that cyber attack.

(1)
Conor Healy
Aug 06, 2020
IPVMU Certified

5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed.

Using your framework: "5 years ago selling/using technology from China was completely legal, now it's illegal to sell/use some of it in some cases...China technology hasn't changed, society's perception of it changed."

Really? There's nothing in the last five years that's changed on the China side? It's all just the blowing winds of American politics and American xenophobia?

I could give you a dozen examples only to do with Xi Jinping that speak to changes on the China side of the equation that have taken us to where we are. Yes, of course, there are many relevant US developments too.

On another note:

Laws reflect the society you live in.

Speaking from direct personal experience, the nation's top political scientists have relatively little idea what laws do or should "reflect".

(3)
Undisclosed #3
Aug 06, 2020

You're really oversimplifying the reasons for the U.S. Government ban. It was more than the potential risk of providing China with back doors into American private business networks.

- A 2012 Congressional report stated that Chinese companies were stealing intellectual property from U.S. businesses.

- Internal documents supplied to the U.S. that showed that companies like Huawei supplied services to a cyber-warfare unit of the PLA.

- The U.S. uncovered evidence of economic espionage countless times.

And if none of that changes your mind, there's always:

- Forced labor camps

- Execution of innocent people

- And organ harvesting

But hey, who cares, right? Your margins are much more important.


(4)
(1)
(4)
Anthony Jones
Aug 06, 2020

I wonder how many Hikvision trips they went on.

(2)
Undisclosed #4
Aug 06, 2020

However, they were indefinite about whether reselling was covered:

If you’re merely acquiring products to resell, and it might have prohibited technology embedded in it, is that use? Right. And I don't know. I wouldn’t think so. But use is not defined in the regulation. I think in those instances you might be able to take a more aggressive posture: that that is not use.

The lawyer is arguing that the definition of USE is not definitive and could be challenged because reselling doesn't mean USE?

Reading this comment made my eyes roll so far back in my head I could see my scalp.

Undisclosed #5
Aug 06, 2020

I was surprised by what was presented in this webinar. As you stated, it really seemed to be all about ways around, and not addressing the massive risk involved. Sure, as with all restrictions/laws there is a good chance that they won't be discovered, but if they are, the costs and damage to your reputation could be immense. Let alone putting our infrastructure at risk, which is the main point of all this. Seems that SIA would've better served their members to focus on the best ways to be compliant, rather than how to dodge it...for now.

(5)
(1)
(1)
John Honovich
Aug 06, 2020
IPVM

I was surprised by what was presented in this webinar. ... Seems that SIA would've better served their members to focus on the best ways to be compliant, rather than how to dodge it...for now.

The few times we've talked to SIA about the NDAA, they expressed surprise that anyone would support it. It was as if I asked them to fund me building a hotel on Pluto. They were just incredulous.

Another problem is a complete lack of transparency. There is no explanation of how they come to their decision or who has been lobbying them.

Upleveling, the general principle I have found with SIA is that they oppose anything that would threaten to decrease revenue for the security industry as a whole, regardless of ethics or, in this case, the law. As such, I was only surprised they made this public but not that they would attempt these tactics.

(1)
Undisclosed Distributor #6
Aug 09, 2020

the general principle I have found with SIA is that they oppose anything that would threaten to decrease revenue for the security industry as a whole,

As we all know, many of the products banned are at the bottom or lower end of the price scale. Logically then, if the industry is being compliant, wouldn't that increase revenue for the security industry? Items could be sold on the basis of being a bit more expensive as they are compliant.

John Honovich
Aug 09, 2020
IPVM

Logically then, if the industry is being compliant wouldn't that then increase revenue for the security industry

Maybe, maybe not. What SIA knows clearly is that many large members who make good money right now selling those banned products would lose revenue immediately.

SIA does not show much of a long term sense of perspective, e.g., they missed the pushback to China very badly, e.g. China Is Not A Security Megatrend, Says SIA

Corbin Hambrick
Aug 10, 2020

Logically yes, but I'm guessing SIA's main funding comes from large integrators so that's who they are working for rather than for the "industry".

John Honovich
Aug 11, 2020
IPVM

I'm guessing SIA's main funding

SIA's main funding is from manufacturers. For background, here are SIA's 2019 financial filings, breakdown screencap below:

IPVM Image

Sponsorships is primarily the money Reed pays SIA for 'sponsoring' ISC West and that money is, of course, primarily from manufacturers.

Btw, in terms of large integrators, my understanding is that ADT, JCI, Convergint are not selling much, if any, Hikua now.

Daniel S-T
Aug 06, 2020

I thought organizations like SIA were supposed to help move the industry forward. The way I see this whole debacle is basically SIA saying Electronic Security Professionals don't really need to care about Security. Are we just product movers now? Sell and install and that's it? No thoughts about the ramifications of installing software or devices with vulnerabilities? "Who cares, not my network!"

Why learn anything for ourselves, or try to educate the public/customers, when we can just keep selling stuff and making $$$.

(1)
John Honovich
Aug 06, 2020
IPVM

basically SIA saying Electronic Security Professionals don't really need to care about Security

Keep in mind, SIA invited an NSA director to speak at their cybersecurity conference which they had Dahua and Hikvision sponsor... in 2019. SIA defended it and, I kid you not, by declaring:

nothing under Section 889 of the NDAA restricts the ability of affected companies to participate in any educational conferences as sponsors. We welcome the participation of SIA members and businesses which support the goal of educating the industry about cybersecurity.

(2)
Undisclosed Integrator #7
Aug 10, 2020

I may have just lost a $175,000 PO because I learned that the mask/temperature unit I sold has a Huawei HiSilicon chip in it. When I started the process with this sale I honestly didn’t know this unit had one. Didn’t even think about it. Then I asked the distributor to look into it after IPVM released some clarification on NDAA. So I alerted the company who placed the order. I explained to them I found a unit that was NDAA compliant but don’t know much about it. I’d rather lose the money now before we do the install than look like an idiot after everything is installed and someone discovers it.

(1)
Corbin Hambrick
Aug 10, 2020

...or you could go the way some in the industry seem to be going...continue with the job and ask for forgiveness, or assume lobbying attorneys will have something to stand on so you can stand behind them.

...but why do you think you may have lost it? If you found a replacement, can you not:

  • get any info on it here at IPVM
  • get one in ASAP and test it to make sure it meets your needs.

Anthony Jones
Aug 11, 2020

On the heels of this they release principles of facial recognition. So, is it ethical for a manufacturer to target ethnic groups?

SIA Principles for the Responsible and Effective Use of Facial Recognition Technology | Security Industry Association