US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns
By John Honovich and Charles Rollet, Published Oct 16, 2019, 12:50pm EDT
A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party) influence and the potential military/intelligence applications of their products, particularly in case of conflict.
The official is Randall Schriver, the Assistant Secretary of Defense for Indo-Pacific Security Affairs - i.e. the top China advisor to the Secretary of Defense.
Schriver's comments were made in response to a question IPVM asked during the Jamestown Foundation's China Defense and Security Conference in Washington, DC on Tuesday, October 15, 2019.
In this note, we examine the comments and broader meaning.
Comments Transcript
IPVM asked:
Can you talk a little bit about the Department of Defense's concerns about cybersecurity as it relates to the PRC? Last year in the NDAA there was a ban for Huawei, Hikvision, and Dahua. So is the Department of Defense concerned about companies and organizations that might have influence by the PRC government?
Schriver responded:
Again, we're concerned, given the nature of the relationship that these Chinese companies have with the CCP [China Communist Party] and the influence that the CCP may have on their decision-making and how they may be involved in state-sponsored goals such as theft of technology, intelligence, etc. So our first concern is the vulnerabilities that can be created by dealing with these companies, using their technologies, etc. The concerns in the cyber realm, of course, go beyond that, because we see that the Chinese are investing in cyber not just for the purpose of intellectual property theft, technology, and helping their own technological innovation base, but integrating it into military plans and contingency plans. And so understanding better how the Chinese may use cyber in their own future war fight is a growing interest and concern of ours. If you look at our cyber strategy report that the Department of Defense put out, it addresses both sides of the equations, the vulnerability and protection side as well as the war fighting side. [Emphasis Added]
Speaker Background
Randall Schriver was speaking on the heels of an official trip to China, stating that he "was last week in China, Vietnam, and Japan". Schriver has been serving in his current position since early 2018 and previously served as a senior State Department official overseeing East Asia. From 1994 to 1998 he worked for the Secretary of Defense overseeing US military relations with the armed forces of both the PRC and Taiwan.
PRC Government Influence Concerns
Schriver cited these PRC tech firms' government ties as a concern, with the "influence of the CCP on decision making" leading to "state-sponsored goals such as theft of technology, intelligence, etc".
As IPVM has reported, PRC tech firms are ultimately under CCP control - not just Hikvision, which is a state-owned and controlled firm, but also private firms like Dahua, which just released a video that an expert told IPVM demonstrates its "total and unconditional fealty to the Party".
Overall, Schriver's comments undermine Hikvision's efforts to brand themselves as a trustworthy cybersecurity partner for US entities, particularly Chuck Davis' dismissal of Hikvision's PRC government control as "fearmongering".
Cyber Vulnerabilities A Threat to US Military
Schriver also raised the potential of PRC firm vulnerabilities being used for PRC intelligence/IP theft. This issue has been raised by the DoD before, with a declassified 2019 DoD report stating:
adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD. If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised. The Department of State issued a warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing cyberespionage concerns from China. [emphasis added]
For context, Huawei, Hikvision, and Dahua all have a long history of serious vulnerabilities:
- Dahua Wiretapping Vulnerability
- Dahua Backdoor Uncovered
- Hikvision Backdoor Exploit
- Hikvision IP Camera Critical Vulnerability
- Vodafone Found Hidden Backdoors in Huawei Equipment
- UK Watchdog Slams Huawei Over 'Serious' Cybersecurity Vulnerabilities
Moreover, PRC law explicitly mandates that Chinese companies cooperate with intelligence requests.
Harnessing Tech for Military Purposes
The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".
To the US military, this is an obvious concern in the case of a US-China military conflict. The rising authoritarianism of Xi Jinping and the increasing tensions between the countries underscore the DoD's concerns about PRC-made products being used as weapons in a future conflict.
US Concerned About PRC China Control
Whether industry people agree or disagree with the DoD's position here, it is obvious that the US government sees cybersecurity as more than simply a technical issue but one of trust (or lack thereof) in the China Communist Party.
Cybersecurity - Technical Only or Foreign Control?
Many in the industry have argued for evaluating cybersecurity solely based on technical criteria, without factoring in any concerns about the trustworthiness of the source / supply of products.
However, technology users need to trust their technology providers, since periodic firmware upgrades and cloud management (e.g., VSaaS) mean that users are increasingly susceptible to any issues, inadvertent or malicious, from their technology providers, whether it be Japan / Sweden Axis or PRC / CCP Hikvision, etc.
Conclusion
The fact that a senior US defense official has raised these concerns shows that while PRC-controlled firms like Hikvision want to be trusted partners for the US, the US government has serious concerns about their PRC government control.
Comments (33)
Harnessing Tech for Military Purposes
The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".
though Schriver seems to say as well that the U.S. strategy is similar:
...as I said in the previous comment if you if you really want to understand pillar one of the national defense strategy, pillar one of our Indo Pacific strategy, increasing the lethality of our force, look at where we're going to make investments for the future, where we're doing research and development, but where we're trying to acquire capabilities as quickly as we can and cyber is at the top of that list.
Once we acquire the greater capability, and also ourselves, we need to think about how it integrates into contingency planning. [Emphasis and commas added]
Of course...
If we know we would do it in the time of war we have to assume that our enemies would as well. It is a smart move to protect your home land. Just ask China, they have effectively banned foreign tech products as well.
The US SIA has provided a response to IPVM on the DoD's quote:
SIA trusts the U.S. government to make decisions (based on information available to U.S. intelligence and homeland security agencies) that will protect its networks from cyber-attacks. SIA also strongly supports efforts by federal agencies to protect supply chains. In fact, SIA supported the enactment last year of the Federal Acquisition Supply Chain Security Act of 2018.
This law, which I recommend IPVM review, created the Federal Acquisition Security Council. Criteria and procedures will be established for recommending exclusion from agency procurements and the removal of software and equipment from agency information systems when it determines that those items present a supply chain risk regardless of the source. The law permits any federal agency to exclude an item from procurement where it determines that the item poses a significant supply chain risk. We expect the implementing rules to be published by the end of the year.
Cybersecurity - Technical Only or Foreign Control?
Definitely both
of course, for our trusted allies, cyber security cooperation is to be expected ;)
Russia says it is starting to resume U.S. cyber cooperation: TASS
Politics and business should stay well apart, I know this is easier said than done.
If security is a concern for China products, I would wonder about the implementation of the system. I run a large network of cameras from China; to ensure that there is no chance of hacking or unauthorized access, the whole network is completely isolated from the internet on its own private fibre network. Simple solution: if it is not plugged into public networks, it can't be hacked.
Why is nobody asking why the network security is not up to scratch, like routers and access points? Or, at a basic level, has the equipment been installed properly?
Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly.
Simple example: does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza Strip?
All I know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.
Security installers should disclose risks to clients, in reality any device connected to a public network could be hacked, this is not limited to Chinese products. If my client understands the risk they can make an informed decision whether to have their system on a public or private network.
Any system connected to the public networks can be hacked.
If remote viewing is enabled, be it via a dedicated IP and ports opened on the firewall, or via a cloud host that keeps ports open for the remote user, this allows a bad actor to access the system and load firmware that compromises the system.
VPN technology can resolve this in most cases, but there are workarounds known to the hacker community (and if not by them, to governments) for VPN solutions.
However, in the majority of cases it comes down to the humans that operate these networks. We find this to be the biggest vulnerability, and the hardest to control.
Once the camera or NVR/DVR is compromised, the hacker has root privileges with admin access on your network, with a working Linux (or other) device to which he can send very damaging commands.
If for no other purpose, this access to your network can be used to observe the workings of secured areas, such as laboratories, industrial plants, water treatment facilities, utility installations, cell towers, and more.