Ban of Dahua and Hikvision Is Now US Gov Law
By: John Honovich, Published on Aug 13, 2018The US President has signed the 2019 NDAA into law, banning the use of Dahua and Hikvision (and their OEMs) for the US government, for US government-funded contracts and possibly for 'critical infrastructure' and 'national security' usage.
This completes the legal process that started in May with the US House passing the bill with the ban and the August 1st Senate passing of the bill.
Direct Impact - Stop Purchasing and Removals
The ban technically starts one year after signing into law, which will be August 13, 2019. However, since the ban includes both purchasing and using existing equipment, it effectively starts immediately since it would make little practical sense to buy equipment today to have to remove it in 12 months.
The removal of Dahua and Hikvision branded equipment will be relatively straightforward since US government agencies can simply read the label on the devices. However, OEMs, which are included under the 'produced' for 'affiliates' clause, will also have to be removed.
For help, see our Dahua OEM Directory and Hikvision OEM Directory.
Broader Indirect Impact - Branding
Since the US government is effectively blacklisting Dahua and Hikvsion products, this will have a severe branding and consequentially purchasing impact. Many buyers will be concerned about:
- What security risks those products pose for them
- What problems might occur if they want to integrate with public / government systems
- What future legislation at the state or local level might ban usage of such systems
Indeed, one prominent Hikvision partner has acknowledged the impact even before the bill became law:
One of my top 10s said that one of his bank jobs said that they cant do hikvision because they were put on a watch list. He is also concerned about a hospital job he has coming.
The impact outside of the US could be significant as well since many countries and organizations will see this as a negative signal about the security and trustworthiness of these products.
Background
The following reports provide background about Hikvision and Dahua:
- Hikvision Chinese Government Origin And Control
- Hikvision: Chinese Government "Exert Significant Influence Over Our Business"
- Hikvision Chairman Joins China National Government (NPC)
- Hikvision Backdoor Exploit
- Dahua Ban Response: Not Chinese Government Owned
- Dahua Backdoor Uncovered
Update: Podcast Released
IPVM has released a podcast discussion on this. Download the 28 minute podcast here or listen to it embedded below:
58 reports cite this report:
Comments (55)
Note: I left out some screencaps / details of the law since we covered it 2 weeks ago here. However, for completeness, they are copied below:
The full text of the bill is here (note: it is 1,360 pages long with the relevant sections of page 322 - 323).
The ADI 60% off “Banned by the Government” sale starts tomorrow.
Make video surveillance great again.... okay it doesn't have the same ring, but this is definitely helping the industry, especially the premium brands with high end products. This will really hit home when local integrators who have been fiercely loyal to Hik begin to switch.
Get your popcorn ready.
Although federally illegal, at least Hikua is still legal recreationally in every state. Cannabis, on the other hand, might very well become legal federally with some type of federal policy or regulation mandated. I know there is a ton of Hikua and their OEMs in that space.
What about government housing, etc? Hikua needs to do major damage control so concern doesnt spill into SLED.
Interesting point about the marijuana market segment. We will check about any impact there.
For others, SLED stands for "U.S. State, Local, and Education market". In the US, the federal government does not run typical schools but it does provide funding, including funding for security projects, which likely will be impacted, e.g., $25 Million US COPS SVPP School Security Funding Examined
I wonder if this will have impact beyond what is immediately visible. We do a lot of energy utility projects which fall under several federal regulatory bodies. We also do work along the border on a project that is far from a border security related project - nonetheless DHS and others are involved and funding part of it as there is a border tangentially involved. Oddly, even a stadium project has TSA involved (players get checked at the stadium) and paying for a very small portion. Those are just the projects that have government agencies involved that I know about. I see very few of our non-SMB projects that do not have some level of federal involvement/funding.
i would have to imagine that "any" project (school, housing, local gov., etc.) that is using Federal funds or federal grants would have to follow the Federal guidelines for purchasing.
From the FB discussion of this post:
Could it be that Nelly's (Surplus) is going to win both ways? ;)
In all seriousness, it is an interesting questioning of what becomes of the gear. We will check for any government recommendations.
Used Cameras used to be our specialty but that was many years ago. This would be a very killer deal for someone who wanted to do this though. Check the government auctions, i am sure they will be listed for sale there.
But I have a feeling that only a partial segment of the US government that had Hikua will remove their installs. Perhaps the military brances. Everyone else will drag their feet as long as possible at this mindless requirement. The other question is are they going to get new free funds to replace these? Perhaps they can now buy a much more legal Longse or XM. SMH
I was onsite with a client who has advised that local and state governments are also adopting the same position in several instances that if the Federal government deems it unsafe for their projects, it's not safe for theirs either and removing from future consideration and reviewing previous projects. I guess the upside is that any removals may constitute new sales opportunities? Soon the message will be to commercial customers, "those products are illegal." Everyone is scrambling!
One of the best bills in modern history. As security professionals we have a duty to take our nation's security serious. This is NOT just a 'Red Scare'.
Some judge in New York will sue to get them allowed just because.
Related to that, Huawei has called the ban 'unconstitutional', which is minimally ironic given the PRC's lack of 'rule of law' (no independent judiciary, etc.) and that American companies like Google, Cisco, Axis, etc. are effectively blocked from selling to the Chinese government.
It would be interesting to see on what grounds they sue on if they choose to sue. And it would be quite a gambit because the resulting publicity of such a lawsuit could make the branding impact even worse as well as disclosing more negative information about those companies.
Does IPVM have a list of manufacturers (or by item) that meet made in america? and meet the government treaty guidelines for purchases?
What do you mean by 'government treaty guideline'?
Note: IP cameras lost 'Buy America' protection status last year based on lobbying by SIA.
Does anyone have any thoughts/ideas on what will happen to Dahua and Hikvision DIY OEM's (LaView, Amcrest, Qsee, Night Owl and competitors) mainly in the consumer space?
Will they continue to purchase from Dahua and Hik?
Will these businesses be impacted from this law?
Are they allowed to continue to purchase and import goods from these companies?
Yes, OEMs are allowed to continue to purchase and import goods from Dahua and Hikvision. They are not allowed to sell those goods to US government agencies, US government-funded projects, etc.
In terms of the consumer space, I would think the impact would be low as most consumer suppliers are not super worried that their equipment would be used in such cases.
The tougher case is those who provide businesses - UTC, Honeywell, ADT, etc.
Update: IPVM has released a podcast discussion on this. Download the 28 minute podcast here or listen to it embedded below:
First trade magazine with coverage, SSI, is out: U.S. Defense Bill Signed Into Law Bans Dahua, Hikvision Products. Interesting quote from Lynn de Seve, a government contracting specialist:
State and local agencies usually go the way of the Feds. Soon it becomes a trend even with commercial customers.
[Update: SSI has removed this quote with no notice to why it was removed.]
We have already had a local government that completely changed their bid and disallowed HIK and HIK OEM products from being used (they were the previous standard) after just a simple mention of this new bill (and IPVM article) during an RFI
Here comes the price increases.
IPVM could have been a little clearer in stating they forged the photo from an original that related to a $1.5m tax overhaul package and has absolutely nothing to do with the ban.
Putting "IPVM illustration" on the bottom right corner doesn't cut it and just demonstrates how tacky and cheap IPVM has become. Tabloid really is the correct description of this type of "journalism".
Anyone who cannot look at that picture and immediately realize it is a photoshopped image has clearly not been following the details of the bill, and its potential to impact the industry, closely enough. Additionally, photoshopped images of Trump holding up various declarations, bans, executive orders, and similar things has become one of the most common memes floating around the internet.
If you cannot apply basic reasoning and logic here, and your biggest concern is that the graphic is misleading, you really should not be advising people on equipment that involves the safety and security of their lives, businesses, loved one, possessions and so forth. Perhaps a job as a Walmart greeter would be more your speed.
Your response typifies the "anti-Hik" lobby in personalising an individual attack - sanctioned by IPVM.
IPVM does not provide unbiased reporting of Hikvision and Dahua and distorts every story with their names in, to a degree that is detrimental. We saw this with Johns pathetic story regarding Hik camera's in toilets' for which he refused to retract even though it was blatantly wrong - with most agreeing it was wrong. More recently, Axis and genetic vulnerabilities are airbrushed to see them in some kind of positive light whereby anything at all by HIK/Dahua is trashed into anti-China rhetoric.
As IPVM is seeking wider publicity to push its stories out there - they also have a journalistic responsibility to report accurately and honestly. Not everyone reading the article is from the IPVM community and will indeed believe what they have published in the context of the story.
The graphic being misleading is indicative of Johns mission to exaggerate all things Hik, to a point where people like you jump on the tribal bandwagon, with the stars and stripes in one hand and schoolyard insults in the other. It's all ok with John because you are supporting him and IPVM - so that's just fine. It does not however, reflect reasoned, intelligent, unbiased accurate debate and just lowers it to a base level.
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant. However, most tabloid media outlets jump on this type of sensationalism endorsed by a forged image to sell tat - and that is just what IPVM is endorsing. Clearly, John is trying to take his personal issue with the Chinese state to a new level, detracting from the day to day good work that other contributors put into IPVM.
Simply jumping on Johns bandwagon to get "likes" and earn click dollars isn't particular clever, but it is the easy thing to do. What is harder to do is to enter into reasoned debate from a global perspective of a complex issue. But hey - if school yard insults is your thing - then so be it.
#10, thanks for the feedback.
Reasonable people can disagree. You feel that the "IPVM could have been a little clearer" with the graphic disclaimer. That's fine. However, we both agree that it is there stamped on the image, which is standard for disclaimers.
As for:
absolutely nothing to do with the ban.
That's unfair. The graphic illustrates what legitimately happened. Trump has signed a bill into law (the NDAA) that bans Dahua and Hikvision.
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant.
Talk about bias :) Again, reasonable people can disagree about the impact of the US ban outside of the US but to call it 'entirely irrelevant' is just silly. The ultimate impact remains to be seen but the US is the most powerful country in the world (for better or worse) so to say the US action's would be 'entirely irrelevant' is obviously false.
Listen, Hikvision thinks that winning a UK trade magazine award is an exciting and important event so the US banning them is likely to be more than 'entirely irrelevant' in the UK and elsewhere.
As for the toilet issue, others can decide themselves - Hikvision Cameras Installed In UK School Bathroom
Pedantic John, but the statement that the original image used has no relevance to story you are printing is entirely true and based on undisputed fact - so hardly unfair. Unfair is linking a separate story to a photoshopped image to create a perception that is factually incorrect.
On the toilet issue - you are just wrong. Printing it again only underlines the point and demonstrates your opportunism.
At this moment in time - the bill, its repercussions and its very relevance is not being discussed at any level that would be considered meaningful outside of the US. Obviously you live and breathe it - just don't assume that the rest of the world does. The talk of the US elsewhere is directed at the unjustified unilateral trade tariffs, alienation of NATO allies and the sucking up to Putin and Kim Jong-Un - not an NDAA document.
The comment regarding Hikvision benchmark award is also wide of the mark. Of course they are more interested in this as it is more relevant than the NDAA within the context in which it was published - a UK trade magazine.
Unfair is linking a separate story to a photoshopped image to create a perception that is factually incorrect.
Factually incorrect? He did sign it into law.
Here is an image of the NDAA 2019 signing with Trump holding the same ceremonial bill:
Our graphics person will apply the same Dahua and Hikvision graphic to this and the same illustration disclaimer. When he has done so, I will update. This will not change anything fundamentally but if you prefer this graphic, I am happy to do so.
On the toilet issue - you are just wrong. Printing it again only underlines the point and demonstrates your opportunism.
Opportunism? You called me out on our site. I let it stand, only providing a link to the actual discussion so readers can understand the context and make up their own minds.
The comment regarding Hikvision benchmark award is also wide of the mark. Of course they are more interested in this as it is more relevant than the NDAA within the context in which it was published - a UK trade magazine.
The link I provided was to a Hikvision Corporate / China HQ LinkedIn post:
So if Hikvision China thinks that a trade magazine award is relevant, it is fair to conclude that the US government 'awarding' (if you will) Hikvision with a government blacklist is relevant around the world.
The Hikvision article is just the same as every manufacturer pushes out all the time and is obviously relevant. For installers in the EMEA, the NDAA is irrelevant as it has no bearing on them whatsoever. As I said, its seen as a blunt tool that has only been passed on the basis of National Security to which, few dare to challenge for fear of being "un-patriotic", without any real consideration of the issue. At this moment, absolutely any trade tariff can be passed - with a "National Security" ticket - so to anyone outside of the US - this is just embellishment of the unilateral trade war Trump has embarked upon. Much as you would like us all to think that those in power have spent hours reading your article and Pen Testing massive amounts of hardware at NSA - I think we all know this is just an excuse to further enhance a trade tariff war rather than seeking to resolve a perceived state hacking threat from China.
While I sympathize with your argument that the US is applying sanctions to Hikvision rather arbitrarily and that it is more or less tied to the tariff situation and has more to do with trade than national security, your arguments are all over the place and just seem to follow the standard "Hikvision / all things China-related are the best and anything that challenges that is purely a smear campaign aimed at destroying our beautiful country" montage that I hear frequently in political circles from the paid internet trolls.
TL;DR You sound a bit like a paid Chinese troll.
Irrelevant? Many other countries are using this as an opportunity to take a hard look at similar Chinese companies and look in to similar bans. Australia, UK, Germany and others are seeing this as important.
For installers in the EMEA, the NDAA is irrelevant as it has no bearing on them whatsoever.
Evidently not, IFSEC Report: US Ban Hurting Hikvision In Europe
I'm sorry, I am a little confused by your argument here. Are you saying that John or IPVM has the ability to pass bills into law through our congress and senate? Are you saying that there are no vulnerabilities with Hikvision and Dahua? Are you saying that John or IPVM posting reviews of products and articles on security vulnerabilities, should be anonymous with regard to naming the brands they review? I would agree with you that John does not seem to like the Hikvision brand, however his articles on this subject always have a clear method of fair and consistent testing. Perhaps his dislike for these cameras is less about the company being Chinese and more about the shortfalls and problems with the cameras. It seems to me that the supporters of Hikvision are more interested in having a cheap product to sell, than they are about the potential risks it imposes on their customers. After all if you sell the cheap, its an easier sale, because you are removing the biggest objection a customer has, and you leave yourself a lot more room for higher margins.
The image is just there to quickly draw attention to the biggest piece of this law as it relates to our industry. Its obvious that a bill being signed into law from the US government would not have the logos of companies with a big "Banned" stamp on them. It is supposed to pique your interest so you then can read the article for the details.
Your response typifies the "anti-Hik" lobby in personalising an individual attack - sanctioned by IPVM.
I'm not "anti-Hik", per se, I just happen to believe their products are so severely flawed in terms of cyber security that they are not suitable for use in most commercial deployments. Further, I think that Hik has gone to great lengths to convince people, through blatantly deceptive and fraudulent presentations, that their products are not more or less secure than those of other companies. This is evidenced when I see claims like your following statement:
More recently, Axis and genetic vulnerabilities are airbrushed to see them in some kind of positive light whereby anything at all by HIK/Dahua is trashed into anti-China rhetoric.
My opinion is that you lack the ability to properly evaluate common vulnerabilities and their potential to be exploited and impact a user or their network. My comments are not "personal", but they are in response to your specific statements. If you want to call that some kind of "individual attack", I guess you can, but I would also say you have pretty thin skin.
Not everyone reading the article is from the IPVM community and will indeed believe what they have published in the context of the story.
I would say the average reasonable person reading this would have seen enough Trump photoshops of him holding up altered signs and declarations to recognize the parody/satire element. If not, well, IPVM is catering to an audience that is overall informed and moderately skeptical, they can't dumb and disclaimer every image down to the lowest common denominator. If you read the text under the image, I feel that you get sufficient detail to evaluate the image properly. If you only "read" pictures, well, that is an entirely different issue.
The graphic being misleading is indicative of Johns mission to exaggerate all things Hik
What is truly misleading about the image? Did Trump not in fact sign a bill that bans use of Hytera, Hikvision, and Dahua in government applications?
The facts are that outside of the US the NDAA is meaningless, trivial and entirely irrelevant.
Disagree. Outside of China (where Hik enjoys government preferences and similar bans severely limiting use of foreign surveillance products) North America is the largest market in the security industry. Many manufacturers fund their overseas expansions off of their NA business. Banning Hik and Dahua in the US will make those companies weaker here, and simultaneously strengthen others. That can easily have rolling global impact.
Simply jumping on Johns bandwagon to get "likes" and earn click dollars
I give two shits about who "likes" me, and you can upvote all my comments to infinity and it won't alter my net worth by more than a rounding error. My motivation is not at all related to either of those goals, I am simply trying to share insight and information.
What is harder to do is to enter into reasoned debate
Just so I can keep track, are you the pot or the kettle in the above statement?
But hey - if school yard insults is your thing - then so be it.
At least you are consistent, taking a throw-away image or a throw-away statement and somehow coming away with the understanding that is the whole story.
Whilst ignoring the majority of your rant, I do share one comment with you - I too, am simply trying to share insight and information. There is a perspective outside of the US that pretty well discounts anything that comes out of Trumps mouth or those endorsing him. Whilst this may be a major news item in the US, it really isn't anywhere else in the world. It will find its way into LinkedIn and other outlets because of the way IPVM has chosen to articulate the story and will no doubt want to take the associated credit.
You say you are not anti-HIK. Really? I think we probably both know that isn't true. There is a hardcore on IPVM who will always support anything that is published and assumes anyone who dares to disagree or present an alternate view is wrong and a pro-Hik installer.
Despite what you may think - I work for a company who does not install Hikvision. We use Flir, DVTel, Avigilon, IndigoVision and Hanwha. I do however have experience of Hikvision going back over 10 years and can confidently say the level of criticism aimed at them by IPVM is disproportionate to the issues highlighted and heavily biased again them - bearing in mind every manufacturer has vulnerabilities - they just don't have the inconvenience of everyone and their dog looking for them - which is a shame, because if they did - they would discover that Hik is far from being alone.
Even if Hik were perfect in every way - technically and the only manufacturer not to have a vulnerability - IPVM would print weekly stories about Chinese ownership, low pricing, working conditions and anything else that would grab a headline.
There is little point on continuing as your viewpoint is diametrically apposed to mine, in believing that the false representation by IPVM is justified and the bill it self really is important outside of the US.
#10, your viewpoint is welcome here. I think there is value in you sharing your perspective so people can see various sides of the issue.
There is a perspective outside of the US that pretty well discounts anything that comes out of Trumps mouth or those endorsing him
Hey, there's a significant percentage inside the US that pretty well discounts anything that Trump says as well. I don't disagree with you there. The issue here is that this is not just about Trump, this is US government law and there are many outside the US that care about the implications and signaling of US government law, especially when many in the EU, for example, have similar concerns about the Chinese government.
All that said, I still value your viewpoint and keep it coming and keep us on our toes!
I was at an ADI expo yesterday and couldn’t help but overhear a Hik employee on the phone (talking quite loud) to who I would assume was his boss, talking about, ‘losing orders for five military bases due to the ban’. Thought it was interesting. Their booth still had quite a bit of traffic, as you might imagine. They had quite the setup.
Just read an entire article on the NDAA 2019. I find the following exert funny as Hik nor Dahua are mentioned.
Section 889 of the NDAA would also prohibit executive-branch agencies from procuring or contracting for certain covered telecommunications equipment or services from companies that are associated with or believed to be owned or controlled by the People’s Republic of China. This includes ZTE and Huawei, two companies whose activities in the United States have been the subject of great scrutiny in recent months. This prohibition would begin for executive-branch agencies one year after enactment of the NDAA and would extend to the beneficiaries of any grants, loans or subsidies from such agencies two years after enactment. Under this provision, the head of any federal agency may issue a onetime waiver for up to two years, while only the director of national intelligence may issue subsequent waivers. Notably, however, the NDAA does not include a provision from the Senate version of the NDAA that would have reimposed the penalties against ZTE that the Commerce Department controversially revoked earlier this year.
The following link is the entire article https://www.lawfareblog.com/whats-new-ndaa
Would this affect US government projects outside of the US?
ie, US customs preclearance at airports in Canada?
Yes, the legislation covers US government projects / funding and there is no exception for where the facilities are. Moreover, it would not make sense to prohibit equipment in, e.g., a US military base in Georgia but not a US military base in, e.g. Germany.
Do you know of any specific examples of where the US government is using now prohibited equipment in Canada?
What about the 2 year waiver stated in the bill? Can a Hik or Dahua installer be issued a waiver for such equipment?
Matthew, the waiver is for government agencies, not private companies like installers. To get a waiver the government agency needs approval, providing 'compelling justification', and the head of that agency needs to submit a plan to a congressional committee about the plan to eliminate such equipment's use as explained on page 322:
Given that, it does not sound to be an easy process to pursue.
Related Reports
Most Recent Industry Reports
