Cisco: Hikvision Hired Us
The day after Hikvision's backdoor was confirmed by the US Department of Homeland Security, Hikvision issued a press release about a 'cybersecurity collaboration' with Cisco inside China, with Hikvision USA touting that Hikvision was 'adding cybersecurity credentials.'
The release was atypical for Cisco, which normally includes their own contact person and quote. The Hikvision release had neither, just statements from Hikvision.
In this note, we share a statement from Cisco about Hikvision and examine the potential impact of this move.
Cisco's security public relations team responded to IPVM, making clear that Hikvision was a customer of theirs:
Cisco’s secure product development, lifecycle management and supply chain security practices are all industry-leading examples of our commitment to security. As such, Cisco often works with many global customers to help assess and identify opportunities to reinforce the security of their own business. Our top priority is the satisfaction and support of our customers, and we are supporting Hikvision to provide the support their business requires. That said, we do not publicly disclose confidential customer account information, and have to direct you to Hikvision for further information.
Given Cisco's overall brand and status as one of America's largest technology companies, Hikvision hiring Cisco is a strong public relations move and money well spent. While Cisco has been unsuccessful in video surveillance, it is clearly one of the most well-known technology companies worldwide, so Hikvision associating itself with Cisco helps to counter the damage to Hikvision's reputation from the backdoor.
Beyond the public relations benefit, depending on what information or help Cisco provides, this could improve Hikvision's software development process, assuming the backdoor was an engineering error rather than intentionally placed. However, Hikvision's press release is so vague (meeting, phases, collaboration, etc.) that it is impossible to assess how much real engineering improvement is being made.
Second Attempt / Also Rapid7
This is not the first time Hikvision has hired outside help for cybersecurity. In 2014, cybersecurity specialist Rapid7 discovered multiple vulnerabilities in Hikvision products. Following Hikvision's first major cybersecurity crisis in 2015, Hikvision hired Rapid7 "to perform a penetration test and vulnerability assessment of [their] products."
Rapid7's benefits to Hikvision appeared limited. In addition to Rapid7 not being widely known outside of the cybersecurity segment, evidently Rapid7 did not discover the backdoor, which was not fixed for more than 18 months after Hikvision said Rapid7 was assessing their products (whether Rapid7 missed it or Hikvision restrained their efforts is unknown).
Hikvision / Cisco Impact
Hikvision hiring Cisco is a smart move, though framing it as a 'collaboration' and/or an endorsement from Cisco is debatable, since Hikvision hired Cisco. The plus side remains that Hikvision can tout the Cisco brand as a rejoinder to their poor cybersecurity track record and may benefit on the development side if they incorporate guidance from Cisco.