NDAA Ban of Dahua and Hikvision Is Now US Gov Law
By John Honovich, Published Aug 13, 2018, 05:24pm EDTThe US President has signed the 2019 NDAA into law, banning the use of Dahua and Hikvision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
This completes the legal process that started in May with the US House passing the bill with the ban and the August 1st Senate passing of the bill.
Direct Impact - Stop Purchasing and Removals
The ban technically starts one year after signing into law, which will be August 13, 2019. However, since the ban includes both purchasing and using existing equipment, it effectively starts immediately since it would make little practical sense to buy equipment today to have to remove it in 12 months.
The removal of Dahua and Hikvision branded equipment will be relatively straightforward since US government agencies can simply read the label on the devices. However, OEMs, which are included under the 'produced' for 'affiliates' clause, will also have to be removed.
For help, see our Dahua OEM Directory and Hikvision OEM Directory.
Broader Indirect Impact - Branding
Since the US government is effectively blacklisting Dahua and Hikvsion products, this will have a severe branding and consequentially purchasing impact. Many buyers will be concerned about:
- What security risks those products pose for them
- What problems might occur if they want to integrate with public / government systems
- What future legislation at the state or local level might ban usage of such systems
Indeed, one prominent Hikvision partner has acknowledged the impact even before the bill became law:
One of my top 10s said that one of his bank jobs said that they cant do hikvision because they were put on a watch list. He is also concerned about a hospital job he has coming.
The impact outside of the US could be significant as well since many countries and organizations will see this as a negative signal about the security and trustworthiness of these products.
Background
The following reports provide background about Hikvision and Dahua:
- Hikvision Chinese Government Origin And Control
- Hikvision: Chinese Government "Exert Significant Influence Over Our Business"
- Hikvision Chairman Joins China National Government (NPC)
- Hikvision Backdoor Exploit
- Dahua Ban Response: Not Chinese Government Owned
- Dahua Backdoor Uncovered
Update: Podcast Released
IPVM has released a podcast discussion on this. Download the 28 minute podcast here or listen to it embedded below:
80 reports cite this report:
.jpg)
Comments (58)
Note: I left out some screencaps / details of the law since we covered it 2 weeks ago here. However, for completeness, they are copied below:
The full text of the bill is here (note: it is 1,360 pages long with the relevant sections of page 322 - 323).
Has the Trump been photo shopped?
The ADI 60% off “Banned by the Government” sale starts tomorrow.
Make video surveillance great again.... okay it doesn't have the same ring, but this is definitely helping the industry, especially the premium brands with high end products. This will really hit home when local integrators who have been fiercely loyal to Hik begin to switch.
Get your popcorn ready.
Although federally illegal, at least Hikua is still legal recreationally in every state. Cannabis, on the other hand, might very well become legal federally with some type of federal policy or regulation mandated. I know there is a ton of Hikua and their OEMs in that space.
What about government housing, etc? Hikua needs to do major damage control so concern doesnt spill into SLED.
Interesting point about the marijuana market segment. We will check about any impact there.
For others, SLED stands for "U.S. State, Local, and Education market". In the US, the federal government does not run typical schools but it does provide funding, including funding for security projects, which likely will be impacted, e.g., $25 Million US COPS SVPP School Security Funding Examined
i would have to imagine that "any" project (school, housing, local gov., etc.) that is using Federal funds or federal grants would have to follow the Federal guidelines for purchasing.
From the FB discussion of this post:
Could it be that Nelly's (Surplus) is going to win both ways? ;)
In all seriousness, it is an interesting questioning of what becomes of the gear. We will check for any government recommendations.
| 08/14/18 03:24pm
Used Cameras used to be our specialty but that was many years ago. This would be a very killer deal for someone who wanted to do this though. Check the government auctions, i am sure they will be listed for sale there.
But I have a feeling that only a partial segment of the US government that had Hikua will remove their installs. Perhaps the military brances. Everyone else will drag their feet as long as possible at this mindless requirement. The other question is are they going to get new free funds to replace these? Perhaps they can now buy a much more legal Longse or XM. SMH
I was onsite with a client who has advised that local and state governments are also adopting the same position in several instances that if the Federal government deems it unsafe for their projects, it's not safe for theirs either and removing from future consideration and reviewing previous projects. I guess the upside is that any removals may constitute new sales opportunities? Soon the message will be to commercial customers, "those products are illegal." Everyone is scrambling!
One of the best bills in modern history. As security professionals we have a duty to take our nation's security serious. This is NOT just a 'Red Scare'.
Some judge in New York will sue to get them allowed just because.
Does IPVM have a list of manufacturers (or by item) that meet made in america? and meet the government treaty guidelines for purchases?
Does anyone have any thoughts/ideas on what will happen to Dahua and Hikvision DIY OEM's (LaView, Amcrest, Qsee, Night Owl and competitors) mainly in the consumer space?
Will they continue to purchase from Dahua and Hik?
Will these businesses be impacted from this law?
Are they allowed to continue to purchase and import goods from these companies?
Update: IPVM has released a podcast discussion on this. Download the 28 minute podcast here or listen to it embedded below:
First trade magazine with coverage, SSI, is out: U.S. Defense Bill Signed Into Law Bans Dahua, Hikvision Products. Interesting quote from Lynn de Seve, a government contracting specialist:
State and local agencies usually go the way of the Feds. Soon it becomes a trend even with commercial customers.
[Update: SSI has removed this quote with no notice to why it was removed.]
We have already had a local government that completely changed their bid and disallowed HIK and HIK OEM products from being used (they were the previous standard) after just a simple mention of this new bill (and IPVM article) during an RFI
IPVM could have been a little clearer in stating they forged the photo from an original that related to a $1.5m tax overhaul package and has absolutely nothing to do with the ban.
Putting "IPVM illustration" on the bottom right corner doesn't cut it and just demonstrates how tacky and cheap IPVM has become. Tabloid really is the correct description of this type of "journalism".
Anyone who cannot look at that picture and immediately realize it is a photoshopped image has clearly not been following the details of the bill, and its potential to impact the industry, closely enough. Additionally, photoshopped images of Trump holding up various declarations, bans, executive orders, and similar things has become one of the most common memes floating around the internet.
If you cannot apply basic reasoning and logic here, and your biggest concern is that the graphic is misleading, you really should not be advising people on equipment that involves the safety and security of their lives, businesses, loved one, possessions and so forth. Perhaps a job as a Walmart greeter would be more your speed.
Your response typifies the "anti-Hik" lobby in personalising an individual attack - sanctioned by IPVM.
IPVM does not provide unbiased reporting of Hikvision and Dahua and distorts every story with their names in, to a degree that is detrimental. We saw this with Johns pathetic story regarding Hik camera's in toilets' for which he refused to retract even though it was blatantly wrong - with most agreeing it was wrong. More recently, Axis and genetic vulnerabilities are airbrushed to see them in some kind of positive light whereby anything at all by HIK/Dahua is trashed into anti-China rhetoric.
As IPVM is seeking wider publicity to push its stories out there - they also have a journalistic responsibility to report accurately and honestly. Not everyone reading the article is from the IPVM community and will indeed believe what they have published in the context of the story.
The graphic being misleading is indicative of Johns mission to exaggerate all things Hik, to a point where people like you jump on the tribal bandwagon, with the stars and stripes in one hand and schoolyard insults in the other. It's all ok with John because you are supporting him and IPVM - so that's just fine. It does not however, reflect reasoned, intelligent, unbiased accurate debate and just lowers it to a base level.
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant. However, most tabloid media outlets jump on this type of sensationalism endorsed by a forged image to sell tat - and that is just what IPVM is endorsing. Clearly, John is trying to take his personal issue with the Chinese state to a new level, detracting from the day to day good work that other contributors put into IPVM.
Simply jumping on Johns bandwagon to get "likes" and earn click dollars isn't particular clever, but it is the easy thing to do. What is harder to do is to enter into reasoned debate from a global perspective of a complex issue. But hey - if school yard insults is your thing - then so be it.
#10, thanks for the feedback.
Reasonable people can disagree. You feel that the "IPVM could have been a little clearer" with the graphic disclaimer. That's fine. However, we both agree that it is there stamped on the image, which is standard for disclaimers.
As for:
absolutely nothing to do with the ban.
That's unfair. The graphic illustrates what legitimately happened. Trump has signed a bill into law (the NDAA) that bans Dahua and Hikvision.
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant.
Talk about bias :) Again, reasonable people can disagree about the impact of the US ban outside of the US but to call it 'entirely irrelevant' is just silly. The ultimate impact remains to be seen but the US is the most powerful country in the world (for better or worse) so to say the US action's would be 'entirely irrelevant' is obviously false.
Listen, Hikvision thinks that winning a UK trade magazine award is an exciting and important event so the US banning them is likely to be more than 'entirely irrelevant' in the UK and elsewhere.
As for the toilet issue, others can decide themselves - Hikvision Cameras Installed In UK School Bathroom
Pedantic John, but the statement that the original image used has no relevance to story you are printing is entirely true and based on undisputed fact - so hardly unfair. Unfair is linking a separate story to a photoshopped image to create a perception that is factually incorrect.
On the toilet issue - you are just wrong. Printing it again only underlines the point and demonstrates your opportunism.
At this moment in time - the bill, its repercussions and its very relevance is not being discussed at any level that would be considered meaningful outside of the US. Obviously you live and breathe it - just don't assume that the rest of the world does. The talk of the US elsewhere is directed at the unjustified unilateral trade tariffs, alienation of NATO allies and the sucking up to Putin and Kim Jong-Un - not an NDAA document.
The comment regarding Hikvision benchmark award is also wide of the mark. Of course they are more interested in this as it is more relevant than the NDAA within the context in which it was published - a UK trade magazine.
Unfair is linking a separate story to a photoshopped image to create a perception that is factually incorrect.
Factually incorrect? He did sign it into law.
Here is an image of the NDAA 2019 signing with Trump holding the same ceremonial bill:
Our graphics person will apply the same Dahua and Hikvision graphic to this and the same illustration disclaimer. When he has done so, I will update. This will not change anything fundamentally but if you prefer this graphic, I am happy to do so.
On the toilet issue - you are just wrong. Printing it again only underlines the point and demonstrates your opportunism.
Opportunism? You called me out on our site. I let it stand, only providing a link to the actual discussion so readers can understand the context and make up their own minds.
News graphic has been updated with the NDAA 2019 signing image:
The comment regarding Hikvision benchmark award is also wide of the mark. Of course they are more interested in this as it is more relevant than the NDAA within the context in which it was published - a UK trade magazine.
The link I provided was to a Hikvision Corporate / China HQ LinkedIn post:
So if Hikvision China thinks that a trade magazine award is relevant, it is fair to conclude that the US government 'awarding' (if you will) Hikvision with a government blacklist is relevant around the world.
I'm sorry, I am a little confused by your argument here. Are you saying that John or IPVM has the ability to pass bills into law through our congress and senate? Are you saying that there are no vulnerabilities with Hikvision and Dahua? Are you saying that John or IPVM posting reviews of products and articles on security vulnerabilities, should be anonymous with regard to naming the brands they review? I would agree with you that John does not seem to like the Hikvision brand, however his articles on this subject always have a clear method of fair and consistent testing. Perhaps his dislike for these cameras is less about the company being Chinese and more about the shortfalls and problems with the cameras. It seems to me that the supporters of Hikvision are more interested in having a cheap product to sell, than they are about the potential risks it imposes on their customers. After all if you sell the cheap, its an easier sale, because you are removing the biggest objection a customer has, and you leave yourself a lot more room for higher margins.
The image is just there to quickly draw attention to the biggest piece of this law as it relates to our industry. Its obvious that a bill being signed into law from the US government would not have the logos of companies with a big "Banned" stamp on them. It is supposed to pique your interest so you then can read the article for the details.
Your response typifies the "anti-Hik" lobby in personalising an individual attack - sanctioned by IPVM.
I'm not "anti-Hik", per se, I just happen to believe their products are so severely flawed in terms of cyber security that they are not suitable for use in most commercial deployments. Further, I think that Hik has gone to great lengths to convince people, through blatantly deceptive and fraudulent presentations, that their products are not more or less secure than those of other companies. This is evidenced when I see claims like your following statement:
More recently, Axis and genetic vulnerabilities are airbrushed to see them in some kind of positive light whereby anything at all by HIK/Dahua is trashed into anti-China rhetoric.
My opinion is that you lack the ability to properly evaluate common vulnerabilities and their potential to be exploited and impact a user or their network. My comments are not "personal", but they are in response to your specific statements. If you want to call that some kind of "individual attack", I guess you can, but I would also say you have pretty thin skin.
Not everyone reading the article is from the IPVM community and will indeed believe what they have published in the context of the story.
I would say the average reasonable person reading this would have seen enough Trump photoshops of him holding up altered signs and declarations to recognize the parody/satire element. If not, well, IPVM is catering to an audience that is overall informed and moderately skeptical, they can't dumb and disclaimer every image down to the lowest common denominator. If you read the text under the image, I feel that you get sufficient detail to evaluate the image properly. If you only "read" pictures, well, that is an entirely different issue.
The graphic being misleading is indicative of Johns mission to exaggerate all things Hik
What is truly misleading about the image? Did Trump not in fact sign a bill that bans use of Hytera, Hikvision, and Dahua in government applications?
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant.
Disagree. Outside of China (where Hik enjoys government preferences and similar bans severely limiting use of foreign surveillance products) North America is the largest market in the security industry. Many manufacturers fund their overseas expansions off of their NA business. Banning Hik and Dahua in the US will make those companies weaker here, and simultaneously strengthen others. That can easily have rolling global impact.
Simply jumping on Johns bandwagon to get "likes" and earn click dollars
I give two shits about who "likes" me, and you can upvote all my comments to infinity and it won't alter my net worth by more than a rounding error. My motivation is not at all related to either of those goals, I am simply trying to share insight and information.
What is harder to do is to enter into reasoned debate
Just so I can keep track, are you the pot or the kettle in the above statement?
But hey - if school yard insults is your thing - then so be it.
At least you are consistent, taking a throw-away image or a throw-away statement and somehow coming away with the understanding that is the whole story.
I was at an ADI expo yesterday and couldn’t help but overhear a Hik employee on the phone (talking quite loud) to who I would assume was his boss, talking about, ‘losing orders for five military bases due to the ban’. Thought it was interesting. Their booth still had quite a bit of traffic, as you might imagine. They had quite the setup.
Just read an entire article on the NDAA 2019. I find the following exert funny as Hik nor Dahua are mentioned.
Section 889 of the NDAA would also prohibit executive-branch agencies from procuring or contracting for certain covered telecommunications equipment or services from companies that are associated with or believed to be owned or controlled by the People’s Republic of China. This includes ZTE and Huawei, two companies whose activities in the United States have been the subject of great scrutiny in recent months. This prohibition would begin for executive-branch agencies one year after enactment of the NDAA and would extend to the beneficiaries of any grants, loans or subsidies from such agencies two years after enactment. Under this provision, the head of any federal agency may issue a onetime waiver for up to two years, while only the director of national intelligence may issue subsequent waivers. Notably, however, the NDAA does not include a provision from the Senate version of the NDAA that would have reimposed the penalties against ZTE that the Commerce Department controversially revoked earlier this year.
The following link is the entire article https://www.lawfareblog.com/whats-new-ndaa
Would this affect US government projects outside of the US?
ie, US customs preclearance at airports in Canada?
Yes, the legislation covers US government projects / funding and there is no exception for where the facilities are. Moreover, it would not make sense to prohibit equipment in, e.g., a US military base in Georgia but not a US military base in, e.g. Germany.
Do you know of any specific examples of where the US government is using now prohibited equipment in Canada?
What about the 2 year waiver stated in the bill? Can a Hik or Dahua installer be issued a waiver for such equipment?
Matthew, the waiver is for government agencies, not private companies like installers. To get a waiver the government agency needs approval, providing 'compelling justification', and the head of that agency needs to submit a plan to a congressional committee about the plan to eliminate such equipment's use as explained on page 322:
Given that, it does not sound to be an easy process to pursue.
Hi John,
Would this ban include clients that are leasing airport properties from the City as well?
The NDAA ban directly impacts federal agencies and federal funds. The federal government cannot buy banned equipment (Hikvision/Dahua/Huawei HiSilicon-based cameras) and cannot do business with anyone that "uses" banned equipment. Additionally, federal funds themselves cannot be spent to procure banned equipment, e.g. a church using a DHS grant to expand security cannot purchase Hikvision cameras with that grant.
All this is to say, if you have clients leasing airport property from city authorities, the situation depends:
- If your clients are not federal government agencies, and the airport is not federally-run, then they can likely use banned equipment like Hikvision cameras.
- If the airport is federally-run, you may want to check with them because federal agencies cannot procure banned equipment.
- If your clients are not federal government agencies but are using federal funds to expand security, and you are seeking to sell them banned equipment that they will purchase with those federal funds, then that is prohibited.
Keep in mind that if you install and maintain banned equipment, you will not be able to be a prime contractor for any federal government projects.
Hope this helps!
IPVM is working on an NDAA compliance guide to be published soon, once it's up I will let you know.
Thank you, Charles. Much appreciated!
This airport I mentioned above received 9M in federal grants. I have not heard anything about them using any federal money for this project. I did reach out to the city to see if they have anything in place that would prohibit some of this banned equipment being placed on their leased property.
