US Military & Gov't Break Law, Buy Banned Dahua/Lorex, Congressional Committee Calls For Investigation
The House Armed Services Committee has called for an investigation after IPVM provided evidence that multiple federal agencies, including four military branches, illegally purchased relabeled Dahua surveillance equipment in 2021, even as Congress and the FCC were expanding the NDAA ban.
IPVM collaborated with Tech Crunch, which has published its own report, on this investigation.
Lorex Buyers - Army, Coast Guard, and More
Lorex is banned under NDAA Sec 889, both as a seller of Dahua OEMs and as a wholly-owned subsidiary of Dahua since 2018. The company agreed in a statement to IPVM, saying "Lorex products are designed for consumer and business use only and not for US federal government agencies, federally-funded projects or contractors subject to NDAA."
Lorex hides its Dahua ownership and NDAA non-compliance on its website, product materials, and on the products themselves. With no transparent disclosures, even if federal buyers research Lorex using its own materials, there is no way for them to determine that Lorex products violate the NDAA.
Government procurement records obtained by IPVM show several federal and military agencies purchased Lorex products in 2021. This includes the Department of Defense itself, and additionally the Navy and Army, the US Coast Guard, the Drug Enforcement Administration (DEA), and the US Department of Agriculture (USDA).
The devices, which the Federal government considers a threat to US networks, were delivered to highly sensitive locations, including Coast Guard Island, the DoD's Combined Task Force Horn of Africa, and the Norfolk Naval Shipyard.
House Armed Services Committee, Senate Intel Chair Call for Investigation
The House Armed Services Committee called for the DoD investigation after IPVM shared the evidence with them:
The Armed Services Committee expects the Department of Defense to take appropriate action to investigate these reports and, if substantiated, to take action to mitigate harm and prevent future problems. The Committee understands the scope of threats in this area. Our Members have devoted considerable time and attention to efforts that will improve our ability to assess beneficial ownership, enhance supply chain resilience, and promote cyber security. Addressing these threats requires close, mindful cooperation between Congress, the Administration, our allies and partners, and the industrial base. [emphasis added]
Senator Warner, the Chair of the Senate Intelligence Committee, provided a statement saying "If this allegation is true, we need to make sure it never happens again":
While I haven’t heard the specifics of this case, I believe that we need to get better at understanding the origin of commercial equipment purchased by government departments and agencies, and we need to ensure that those making these purchasing decisions are aware of the risks involved. This is the very reason Congress included these provisions in the 2019 legislation. Simply put, we should never use our federal purchasing power to support companies that may pose security risks, or that have been deemed to be actively engaging in human rights abuses, including facilitating the PRC’s campaign of repression against Uighurs and other minorities. If this allegation is true, we need to make sure it never happens again.
Department of Defense - Lorex Equipment "Removed"
The DoD's Defense Finance and Accounting Service (DFAS) purchased at least one Lorex product to monitor one of its sites. The agency now claims to have removed the equipment. In a statement, DFAS spokesperson Steve Lawson said they were aware of the NDAA ban but relied on the GSA and the supplier for compliance and "due diligence":
In July 2021, one of our DFAS sites identified a need for a security camera to monitor an isolated area in a building. Being aware of Section 889(a)(l)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 and the restrictions associated with certain telecommunications and video surveillance services or equipment, we performed due diligence by utilizing a GSA contract. In addition, we requested the supplier provide information certifying that the product and/or components purchased was not restricted by the FY19 NDAA. Based on your communication, out of an abundance of caution, we have removed the camera and controller from service until further analysis can be performed. We appreciate you bringing this to our attention. [emphasis added]
USDA - "You should report that to DoJ"
The USDA bought Lorex products for the National Poultry Center in Athens, GA, in July 2021. A USDA spokesperson said we are "misunderstanding the law" because Lorex certified to the agency that its products were NDAA compliant. The spokesperson directed IPVM to contact the Department of Justice with information that Lorex had misrepresented its products' NDAA compliance.
(Note: IPVM/Tech Crunch are publishing this statement in full because we did not agree to any comments from USDA to be taken as off the record. USDA was informed in advance of IPVM's intent to publish.)
this required a ton of digging but from my understanding is you are misunderstanding the law. Off the record, here’s an explanation:
The first part is that we can’t buy covered equipment, the other is that we can’t enter into a contract with a company who uses covered equipment.
The way we manage this requirement for our buyers is by the company certifying that they are not providing us this equipment nor are they using this equipment.
All three companies he mentions below (including Lorax [sic]) have certified that they meet those conditions so we are able to purchase from them. If he has knowledge that they have misrepresented themselves you should report that to DoJ. This is the definition of “covered equipment”
This is the definition of “covered equipment”
As reported above, Lorex confirmed its products are not NDAA-compliant in a statement for this article.
US Army Blames Seller
The US Army bought Lorex surveillance in January and February, 2021, for Fort Hood and the Crane Army Ammunition Activity. A statement from Lt. Col. Brandon Kelley blamed contractors for breaking the law as sellers, while ignoring that the Army broke the law as the buyers:
On Aug. 13, 2020, the Department of Defense implemented the prohibitions for Section 889 of the National Defense Authorization Act for Fiscal Year 2019 and Public Law 115-232. Companies that propose on federal contracts are required to assert their compliance with various Federal Acquisition Regulation and Defense supplement provisions and clauses, including those required by P.L. 115-232 in the System for Award Management website. Title 18 of the United States Code, or civil liability under the False Claims Act, is applicable if a company misrepresents itself.
The Army's response points to NDAA Section 889 B, making it illegal to sell covered equipment to Federal agencies. However, NDAA Section 889 A also makes it illegal for Federal agencies to buy covered equipment. Therefore, both parties are breaking the law. (See: The Guide To The NDAA Video Surveillance Ban / Blacklists)
US Coast Guard
The US Coast Guard purchased Lorex products 3 times in 2021, according to records obtained by IPVM which explicitly named Lorex in the product descriptions and manufacturer field. A Coast Guard spokesperson, Lt. Commander Brittany Panetta, denied that the Coast Guard purchased any Lorex equipment, saying the purchases we identified were, in fact, Nikon camera lenses:
According to our purchasing records and the contract numbers provided, the items purchased were not associated with Lorex Surveillance equipment. They were various Nikon brand camera lenses purchased to support public affairs. There is no evidence these camera lenses are associated with Lorex surveillance equipment.
IPVM replied with detailed information on the contracts, including delivery details, and the name, email, and phone number of the USCG contracting officers. Lt. Commander Panetta responded:
I am working to get information on your new contract details provided this morning.
No further information was provided, and Lt. Commander Panetta has not responded to follow-up emails after more than a week.
US Navy - Denies
Purchasing records obtained by IPVM showed the US Navy purchased Lorex products once in 2021, and twice in 2020. A spokesperson from the Office of the Secretary of Defense (OSD), responding for the US Navy, denied that the purchases occurred. After IPVM provided additional information, the OSD stopped responding.
Lorex Statement
Lorex products are designed for consumer and business use only and not for US federal government agencies, federally-funded projects or contractors subject to NDAA. Lorex does not market directly to any person or organization subject to the NDAA and we encourage purchasers to familiarize themselves with and adhere to those regulations."
Conclusion
The evidence is clear that sellers often will not say or do not know if their products are NDAA-banned; some manufacturers even lie about compliance. And various examples of illegal federal purchases of NDAA-banned goods have now been reported.
The practice of relabeling banned equipment is a major reason that compliance continues to be difficult. Dozens of American companies relabel Dahua, including Honeywell, Carrier, and ADI. With no markings or transparent disclosures, federal buyers have little way to tell the true manufacturer of the relabeled products.
The government's relaxed approach to NDAA enforcement is also to blame, relying mainly on self-compliance and self-certification, with no proactive enforcement or consequences for violators.