US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns

By: John Honovich and Charles Rollet, Published on Oct 16, 2019

A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party) influence and the potential military/intelligence applications of their products, particularly in case of conflict.

The official is Randall Schriver, the Assistant Secretary of Defense for Indo-Pacific Security Affairs - i.e. the top China advisor to the Secretary of Defense.

Schriver's comments were made in response to a question IPVM asked during the Jamestown Foundation's China Defense and Security Conference in Washington, DC on Tuesday, October 15, 2019.

In this note, we examine the comments and their broader meaning.

Comments Transcript

IPVM asked:

Can you talk a little bit about the Department of Defense's concerns about cybersecurity as it relates to the PRC? Last year in the NDAA there was a ban for Huawei, Hikvision, and Dahua. So is the Department of Defense concerned about companies and organizations that might have influence by the PRC government?

Schriver responded:

Again, we're concerned, given the nature of the relationship that these Chinese companies have with the CCP [China Communist Party] and the influence that the CCP may have on their decision-making and how they may be involved in state-sponsored goals such as theft of technology, intelligence, etc. So our first concern is the vulnerabilities that can be created by dealing with these companies, using their technologies, etc. The concerns in the cyber realm, of course, go beyond that, because we see that the Chinese are investing in cyber not just for the purpose of intellectual property theft, technology, and helping their own technological innovation base, but integrating it into military plans and contingency plans. And so understanding better how the Chinese may use cyber in their own future war fight is a growing interest and concern of ours. If you look at our cyber strategy report that the Department of Defense put out, it addresses both sides of the equations, the vulnerability and protection side as well as the war fighting side. [Emphasis Added]

Speaker Background

Randall Schriver was speaking on the heels of an official trip to China, stating that he "was last week in China, Vietnam, and Japan". Schriver has been serving in his current position since early 2018 and previously served as a senior State Department official overseeing East Asia. From 1994 to 1998 he worked for the Secretary of Defense overseeing US military relations with the armed forces of both the PRC and Taiwan.

PRC Government Influence Concerns

Schriver cited these PRC tech firms' government ties as a concern, with the "influence of the CCP on decision making" leading to "state-sponsored goals such as theft of technology, intelligence, etc".

As IPVM has reported, PRC tech firms are ultimately under CCP control - not just Hikvision, which is a state-owned and controlled firm, but also private firms like Dahua, which just released a video that an expert told IPVM demonstrates its "total and unconditional fealty to the Party".

Overall, Schriver's comments undermine Hikvision's efforts to brand themselves as a trustworthy cybersecurity partner for US entities, particularly Chuck Davis' dismissal of Hikvision's PRC government control as "fearmongering".

Cyber Vulnerabilities A Threat to US Military

Schriver also raised the potential of PRC firm vulnerabilities being used for PRC intelligence/IP theft. This issue has been raised by the DoD before, with a declassified 2019 DoD report stating:

adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD. If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised. The Department of State issued a warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing cyberespionage concerns from China. [emphasis added]

For context, Huawei, Hikvision, and Dahua all have a long history of serious vulnerabilities:

Moreover, PRC law explicitly mandates that China companies cooperate with intelligence requests.

Harnessing Tech for Military Purposes

The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".

To the US military, this is an obvious concern in the case of a US-China military conflict. The rising authoritarianism of Xi Jinping and the increasing tensions between the countries underscore DoD's concerns about PRC-made products being used as weapons in a future conflict.

US Concerned About PRC China Control

Whether industry people agree or disagree with the DoD's position here, it is obvious that the US government sees cybersecurity as more than simply a technical issue but one of trust (or lack thereof) in the China Communist Party.

Cybersecurity - Technical Only or Foreign Control?

Many in the industry have argued for evaluating cybersecurity solely based on technical criteria, without factoring in any concerns about the trustworthiness of the source / supply of products.

However, technology users need to trust their technology providers, since periodic firmware upgrades and cloud management (e.g., VSaaS) mean that users are increasingly susceptible to any issues, inadvertent or malicious, from their technology providers, whether it be Japan / Sweden Axis or PRC / CCP Hikvision, etc.

Conclusion

The fact that a senior US defense official has raised these concerns shows that while PRC controlled firms like Hikvision want to be trusted partners for the US, the US government has serious concerns about their PRC government control.

Comments (32)

Harnessing Tech for Military Purposes

The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".

though Schriver seems to say as well that the U.S. strategy is similar:

...as I said in the previous comment if you if you really want to understand pillar one of the national defense strategy, pillar one of our Indo Pacific strategy, increasing the lethality of our force, look at where we're going to make investments for the future, where we're doing research and development, but where we're trying to acquire capabilities as quickly as we can and cyber is at the top of that list.

Once we acquire the greater capability, and also ourselves, we need to think about how it integrates into contingency planning. [Emphasis and commas added]

IPVM is so political. I mean it's not like politics relates to security. *wink* *wink*

not like politics relates to security

Lol, in fairness, most everyone now admits that politics relates to security. There was a time not too long ago (last year, the year before?) where many industry people either really thought they were not related or were hoping that it was not. Obviously, the events of the last year have made things very clear.

Ultimately, when the largest video surveillance manufacturer is owned by the PRC government, the industry is going to get political. Add cloud and AI to it and the politics get even steeper.

Theoretically speaking, it would make things much simpler in technology if it did not have political implications but that is not the world we are now in.

I bring it up all the time at my job, and some people roll their eyes, but I don't care, we're not buying China. I support your perspective. Part of my job is security and purchasing from insecure places isn't smart policy. I have ethical and moral reasons beyond that, but I don't feel what you guys do is off-topic. I appreciate it.

We have children of diplomats here, and many high profile children, I would be an idiot to run a system broadcasting to foreign governments such information.

It's probably not so far fetched to say that at least some of this is schadenfreude over seeing the company that helped drive down prices industry-wide has found itself in trouble. And I say this as an early convert to IPVM's alarm over Hikvision.

but the schadenfreude is all the industry has left :)

Of course...

If we know we would do it in the time of war we have to assume that our enemies would as well. It is a smart move to protect your home land. Just ask China, they have effectively banned foreign tech products as well.

The US SIA has provided a response to IPVM on the DoD's quote:

SIA trusts the U.S. government to make decisions (based on information available to U.S. intelligence and homeland security agencies) that will protect its networks from cyber-attacks. SIA also strongly supports efforts by federal agencies to protect supply chains. In fact, SIA supported the enactment last year of the Federal Acquisition Supply Chain Security Act of 2018.

This law, which I recommend IPVM review, created the Federal Acquisition Security Council. Criteria and procedures will be established for recommending exclusion from agency procurements and the removal of software and equipment from agency information systems when it determines that those items present a supply chain risk regardless of the source. The law permits any federal agency to exclude an item from procurement where it determines that the item poses a significant supply chain risk. We expect the implementing rules to be published by the end of the year.

Cybersecurity - Technical Only or Foreign Control?

Defiantly both

Defiantly both...

did you definitely mean defiantly?

of course, for our trusted allies, cyber security cooperation is to be expected ;)

Russia says it is starting to resume U.S. cyber cooperation: TASS

Politics and business should stay well apart, I know this is easier said than done.

If security is a concern for China products, I would wonder about the implementation of the system. I run a large network of cameras from China; to ensure that there is no chance of hacking or unauthorized access, the whole network is completely isolated from the internet on its own private fibre network. Simple solution: if it is not plugged into public networks it can't be hacked.

Why is nobody asking why the network security is not up to scratch, like routers and access points? or at a basic level of has the equipment been installed properly.

Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly.

Simple example, does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza strip?

All I know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.

Security installers should disclose risks to clients, in reality any device connected to a public network could be hacked, this is not limited to Chinese products. If my client understands the risk they can make an informed decision whether to have their system on a public or private network.

All I know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.

agree.

these days you can’t buy a single rhino horn, or some decent yellowcake ore, or just a matching kidney. not even on eBay!

Why is nobody asking why the network security is not up to scratch, like routers and access points? or at a basic level of has the equipment been installed properly.

A couple of reasons: A) Hikvision will sell to anyone, including end-users who don't understand network security. B) Most of the alarm companies installing Hikvision don't understand IP or network security. C) Customers shopping at this price point don't want to pay for proper network security. D) Large enterprise systems with multiple locations make it harder to keep the cameras on an air-gapped network.

banning a product that was used by a government that has abused human rights

#4, thanks for the detailed feedback. I agree with you if these products were simply 'used' by a government there should be no objection towards the product manufacturer.

However, Dahua and Hikvision directly sold more than a billion dollars worth of projects (including installation and even operation in some cases) in Xinjiang where these human rights abuses are taking place.

Google has also been implicated in providing private data to the Chinese government, also making them complicit in the human rights abuses, will Google be banned too?

Banning companies for providing tools to governments that commit human rights abuses opens up a huge spiders nest, there are many companies, western and eastern, that would be caught up in the web, it would make more sense to sanction the government than the private companies.

Google has also been implicated in providing private data to the Chinese government, also making them complicit in the human rights abuses, will Google be banned too?

What is your source for this?

Google's search is banned in China since 2010. Please clarify your allegation here. What private data are you saying Google has provided?

UI#4, you said this video somehow shows that:

Google has also been implicated in providing private data to the Chinese government

But the video you posted makes no such claim. The video has a lot of commentary, but concretely, it only references two facts about Google:

  1. In 2018, Google said it would invest $500 million in JD.com, China's second-largest e-commerce firm.
  2. Google opened up a China AI lab in Beijing in 2017.

The video then raises concerns about these decisions "indirectly" supporting the Chinese military. But there's not a single reference to Google "providing private data to the Chinese government". There's also no such proof or even allegation of that happening elsewhere.

Regarding your broader point that:

Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly. simple example, does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza strip?

The key difference is that Hikvision itself was contracted to directly build and operate surveillance systems in Xinjiang, including in re-education camps and mosques. It was not a mere "product supplier" as we have debunked many times. Xinjiang is at the center of one of the world's most serious human rights crises, with over a million civilians locked up in so-called re-education camps. Video surveillance has been referenced many times as a core part of Xinjiang's repressive apparatus, which is why IPVM decided to look into PRC manufacturers' huge deals there in the first place. I don't think Western tech firms are angels, but the level of direct involvement/complicity here has no direct analogue.

Any system on the network open or closed can be hacked. It is just a matter of time before the bad actors locate and find the door.

To assume you are safe because a system is closed is just not a sound policy.

Just ask the former CIO of Target corporation. They got hacked and it was not through an open network. It was through a secure VPN network with vendors for the transmission of invoices.

Unfortunately one can never assume a system is 100% secure.

Any system on the network open or closed can be hacked.

1) integrators don’t write firmware

2) integrators configure and commission networks

since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.

since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.

And what about the vast number of integrators who port forward? Are they securing their networks? :)

And what about you recommending port forwarding a few years back? :)

you recommending port forwarding

Source for that?

They were deleted by you a long time ago :(

They were deleted by you a long time ago :(

Source for that?

Are they securing their networks? :)

only if they write firmware ;)

i’ll gladly amend my statement to:

since integrators can’t count on manufacturers to secure their devices, they *can only* count on themselves to secure the network.

Any system connected to the public networks can be hacked.

If remote viewing is enabled, be it via a dedicated IP and ports opened on the firewall, or via a cloud host that keeps ports open for the remote user, this allows a bad actor to access the system and load firmware that compromises the system.

VPN technology can resolve this in most cases, but there are workarounds known to the hacker community (and if not by them, to governments) for VPN solutions.

However, in the majority of cases it comes down to the humans that operate these networks. We find this to be the biggest vulnerability, and the hardest to control.

Once the camera or NVR/DVR is compromised, the hacker has root privileges with admin access on your network, with a working Linux (or other) device to which he can send very damaging commands.

If for no other purpose, this access to your network can be used to observe the workings of secured areas, such as laboratories, industrial plants, water treatment facilities, utility installations, cell towers, and more.
