A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party) influence and the potential military/intelligence applications of their products, particularly in case of conflict.
The official is Randall Schriver, the Assistant Secretary of Defense for Indo-Pacific Security Affairs - i.e. the top China advisor to the Secretary of Defense.
Schriver's comments were made in response to a question IPVM asked during the Jamestown Foundation's China Defense and Security Conference in Washington, DC on Tuesday, October 15, 2019.
In this note, we examine the comments and their broader meaning.
IPVM: Can you talk a little bit about the Department of Defense's concerns about cybersecurity as it relates to the PRC? Last year in the NDAA there was a ban for Huawei, Hikvision, and Dahua. So is the Department of Defense concerned about companies and organizations that might have influence by the PRC government?
Schriver: Again, we're concerned, given the nature of the relationship that these Chinese companies have with the CCP [China Communist Party] and the influence that the CCP may have on their decision-making and how they may be involved in state-sponsored goals such as theft of technology, intelligence, etc. So our first concern is the vulnerabilities that can be created by dealing with these companies, using their technologies, etc. The concerns in the cyber realm, of course, go beyond that, because we see that the Chinese are investing in cyber not just for the purpose of intellectual property theft, technology, and helping their own technological innovation base, but integrating it into military plans and contingency plans. And so understanding better how the Chinese may use cyber in their own future war fight is a growing interest and concern of ours. If you look at our cyber strategy report that the Department of Defense put out, it addresses both sides of the equations, the vulnerability and protection side as well as the war fighting side. [Emphasis Added]
Randall Schriver was speaking on the heels of an official trip to China, stating that he "was last week in China, Vietnam, and Japan". Schriver has been serving in his current position since early 2018 and previously served as a senior State Department official overseeing East Asia. From 1994 to 1998 he worked for the Secretary of Defense overseeing US military relations with the armed forces of both the PRC and Taiwan.
PRC Government Influence Concerns
Schriver cited these PRC tech firms' government ties as a concern, with the "influence of the CCP on decision making" leading to "state-sponsored goals such as theft of technology, intelligence, etc".
As IPVM has reported, PRC tech firms are ultimately under CCP control: not just Hikvision, which is a state-owned and controlled firm, but also private firms like Dahua, which just released a video that an expert told IPVM demonstrates its "total and unconditional fealty to the Party".
Overall, Schriver's comments undermine Hikvision's efforts to brand itself as a trustworthy cybersecurity partner for US entities, particularly Chuck Davis' dismissal of Hikvision's PRC government control as "fearmongering".
Cyber Vulnerabilities A Threat to US Military
Schriver also raised the potential of PRC firm vulnerabilities being used for PRC intelligence/IP theft. This issue has been raised by the DoD before, with a declassified 2019 DoD report stating:
adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD. If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised. The Department of State issued a warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing cyberespionage concerns from China. [emphasis added]
For context, Huawei, Hikvision, and Dahua all have a long history of serious vulnerabilities.
Moreover, PRC law explicitly mandates that Chinese companies cooperate with intelligence requests.
Harnessing Tech for Military Purposes
The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".
To the US military, this is an obvious concern in the case of a US-China military conflict. The rising authoritarianism of Xi Jinping and the increasing tensions between the countries underscore DoD's concerns about PRC-made products being used as weapons in a future conflict.
US Concerned About PRC Control
Whether industry people agree or disagree with the DoD's position here, it is obvious that the US government sees cybersecurity not simply as a technical issue but as one of trust (or lack thereof) in the China Communist Party.
Cybersecurity - Technical Only or Foreign Control?
Many in the industry have argued for evaluating cybersecurity solely based on technical criteria, without factoring in any concerns about the trustworthiness of the source / supply of products.
However, technology users need to trust their technology providers, since periodic firmware upgrades and cloud management (e.g., VSaaS) mean that users are increasingly susceptible to any issues, inadvertent or malicious, from their technology providers, whether it be Japan / Sweden Axis or PRC / CCP Hikvision, etc.
The fact that a senior US defense official has raised these concerns shows that while PRC-controlled firms like Hikvision want to be trusted partners for the US, the US government has serious concerns about their PRC government control.