Hikvision Corrects False Cybersecurity AnnouncementBy IPVM Team, Published on Jun 18, 2018
Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of Hikvision's products.
Below, highlighted, are the specific false assertions:
After IPVM raised concerns to Hikvision corporate, Hikvision acknowledged this, adding the following correction:
An earlier version of the press release suggested that the Cyber Essentials Plus status relates to products and has caused some confusion. To clarify, Hikvision has been awarded ‘Cyber Essentials Plus’ accreditation, which directly relates to the security and robustness of our own infrastructure within the UK operation. It was never our intention to mislead the reader with inference that the accreditation related in any way to our products. We sincerely apologise for the unclear statement about the award.
Cyber Essentials Plus Explained
Cyber Essentials is a UK sponsored government program that aims to help organizations protect against cyber attacks. The requirements of the program list the scope of this certification as IT infrastructure, not products manufactured:
Assessment and certification can cover the whole of the Applicant's IT infrastructure, or a sub-set. Either way, the boundary of the scope must be clearly defined in terms of the business unit managing it, the network boundary and physical location. [emphasis added]
Hikvision received the Cyber Essentials 'Plus' certification, which consists of an auditor doing a vulnerability assessment of their UK office. The certification costs 1,999 GBP (~$2,655 USD).
History of Misrepresenting Cybersecurity
Hikvision has repeatedly misrepresented the cybersecurity of their products, starting with claiming their backdoor was simply a 'privilege escalation vulnerability', misleading their dealers on the backdoor, hiring Cisco and issuing a press release with them the day after the backdoor was confirmed, announcing a 'dedicated' cybersecurity 'hotline' that has since been demoted to generic technical support, opening a 'source code transparency center' that is neither particularly open nor transparent, and now deceptively turning an IT infrastructure certification into a false endorsement of their products.
Hikvision has no excuse here. Hikvision took the certification so they clearly know it is not about a company's products yet Hikvision's announcement over and over again emphasized products. It is either a question or competence or ethics.
Commend The Correction
That noted, we certainly commend Hikvision and, in particular, their new Global PR lead, Karl Erik Traberg, for quickly and responsibly issuing a correction. It is a small step in the greater scheme of things but indisputably positive that Hikvision is willing to acknowledge mistakes and focus on improvement rather than disparaging critics.
Poll / Vote