US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns
By John Honovich and Charles Rollet, Published Oct 16, 2019, 12:50pm EDTA senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party) influence and the potential military/intelligence applications of their products, particularly in case of conflict.
The official is Randall Schriver, the Assistant Secretary of Defense for Indo-Pacific Security Affairs - i.e. the top China advisor to the Secretary of Defense.
Schriver's comments were made in response to a question IPVM asked during the Jamestown Foundation's China Defense and Security Conference in Washington, DC on Tuesday, October 15, 2019. Watch the Q&A below:
In this note, we examine the comments and broader meaning.
Comments Transcript
IPVM asked:
Can you talk a little bit about the Department of Defense's concerns about cybersecurity as it relates to the PRC? Last year in the NDAA there was a ban for Huawei, Hikvision, and Dahua. So is the Department of Defense concerned about companies and organizations that might have influence by the PRC government?
Schriver responded:
Again, we're concerned, given the nature of the relationship that these Chinese companies have with the CCP [China Communist Party] and the influence that the CCP may have on their decision-making and how they may be involved in state-sponsored goals such as theft of technology, intelligence, etc. So our first concern is the vulnerabilities that can be created by dealing with these companies, using their technologies, etc. The concerns in the cyber realm, of course, go beyond that, because we see that the Chinese are investing in cyber not just for the purpose of intellectual property theft, technology, and helping their own technological innovation base, but integrating it into military plans and contingency plans. And so understanding better how the Chinese may use cyber in their own future war fight is a growing interest and concern of ours. If you look at our cyber strategy report that the Department of Defense put out, it addresses both sides of the equations, the vulnerability and protection side as well as the war fighting side. [Emphasis Added]
Speaker Background
Randall Schriver was speaking on the heels of an official trip to China, stating that he "was last week in China, Vietnam, and Japan". Schriver has been serving in his current position since early 2018 and previously served as a senior State Department official overseeing East Asia. From 1994 to 1998 he worked for the Secretary of Defense overseeing US military relations with the armed forces of both the PRC and Taiwan.
PRC Government Influence Concerns
Schriver cited these PRC tech firms' government ties as a concern, with the "influence of the CCP on decision making" leading to "state-sponsored goals such as theft of technology, intelligence, etc".
As IPVM has reported, PRC tech firms are ultimately under CCP control - not just Hikvision which is a state-owned and controlled firm but also private firms like Dahua, which just released a video an expert told IPVM demonstrates its "total and unconditional fealty to the Party".
Overall, Schriver's comments undermine Hikvision's efforts to brand themselves as a trustworthy cybersecurity partner for US entities, particularly Chuck Davis' dismissal of Hikvision's PRC government control as "fearmongering".
Cyber Vulnerabilities A Threat to US Military
Schriver also raised the potential of PRC firm vulnerabilities being used for PRC intelligence/IP theft. This issue has been raised by the DoD before, with a declassified 2019 DoD report stating:
adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD. If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised. The Department of State issued a warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing cyberespionage concerns from China. [emphasis added]
For context, Huawei, Hikvision, and Dahua all have a long history of serious vulnerabilities:
- Dahua Wiretapping Vulnerability
- Dahua Backdoor Uncovered
- Hikvision Backdoor Exploit
- Hikvision IP Camera Critical Vulnerability
- Vodafone Found Hidden Backdoors in Huawei Equipment
- UK Watchdog Slams Huawei Over 'Serious' Cybersecurity Vulnerabilities
Moreover, PRC law explicitly mandates China companies to cooperate with intelligence requests.
Harnessing Tech for Military Purposes
The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".
To the US military, this is an obvious concern in the case of a US-China military conflict. The rising authoritarianism of Xi Jinping and the increasing tensions between the countries underscores DoD's concerns about PRC made products being used as weapons in future conflict.
US Concerned About PRC China Control
Whether industry people agree or disagree with the DoD's position here, it is obvious that the US government sees cybersecurity as more than simply a technical issue but one of trust (or lack thereof) of China Communist Party.
Cybersecurity - Technical Only or Foreign Control?
Many in the industry have argued for evaluating cybersecurity solely based on technical criteria, without factoring in any concerns about the trustworthiness of the source / supply of products.
However, technology users need to trust their technology providers, since periodic firmware upgrades and cloud management (e.g., VSaaS) mean that increasingly users are highly susceptible to any issues, inadvertently or malicious, from one's technology providers, whether it be Japan / Sweden Axis or PRC / CCP Hikvision, etc.
Vote / Poll
Conclusion
The fact that a senior US defense official has raised these concerns shows that while PRC controlled firms like Hikvision want to be trusted partners for the US, the US government has serious concerns about their PRC government control.
1 report cite this report:
Comments (33)
Harnessing Tech for Military Purposes
The final concern Schriver raised is of China potentially integrating these cyber capabilities "into military plans and contingency plans", hence the importance of "understanding better how the Chinese may use cyber in their own future war fight".
though Schriver seems to say as well that the U.S. strategy is similar:
...as I said in the previous comment if you if you really want to understand pillar one of the national defense strategy, pillar one of our Indo Pacific strategy, increasing the lethality of our force, look at where we're going to make investments for the future, where we're doing research and development, but where we're trying to acquire capabilities as quickly as we can and cyber is at the top of that list.
Once we acquire the greater capability, and also ourselves, we need to think about how it integrates into contingency planning. [Emphasis and commas added]
IPVM is so political. I mean it's not like politics relates to security. *wink* *wink*
not like politics relates to security
Lol, in fairness, most everyone now admits that politics relates to security. There was a time not too long ago (last year, the year before?) where many industry people either really thought they were not related or were hoping that it was not. Obviously, the events of the last year have made things very clear.
Ultimately, when the largest video surveillance manufacturer is owned by the PRC government, the industry is going to get political. Add cloud and AI to it and the politics get even steeper.
Theoretically speaking, it would make things much simpler in technology if it did not have political implications but that is not the world we are now in.
I bring it up all the time at my job, and some people roll their eyes, but I don't care, we're not buying China. I support your perspective. Part of my job is security and purchasing from insecure places isn't smart policy. I have ethical and moral reasons beyond that, but I don't feel what you guys do is off-topic. I appreciate it.
We have children of diplomats here, and many high profile children, I would be an idiot to run a system broadcasting to foreign governments such information.
It's probably not so far fetched to say that at least some of this is schadenfreude over seeing the company that helped drive down prices industry-wide has found itself in trouble. And I say this as an early convert to IPVM's alarm over Hikvision.
Of course...
If we know we would do it in the time of war we have to assume that our enemies would as well. It is a smart move to protect your home land. Just ask China, they have effectively banned foreign tech products as well.
The US SIA has provided a response to IPVM on the DoD's quote:
SIA trusts the U.S. government to make decisions (based on information available to U.S. intelligence and homeland security agencies) that will protect its networks from cyber-attacks. SIA also strongly supports efforts by federal agencies to protect supply chains. In fact, SIA supported the enactment last year of the Federal Acquisition Supply Chain Security Act of 2018.
This law, which I recommend IPVM review, created the Federal Acquisition Security Council. Criteria and procedures will be established for recommending exclusion from agency procurements and the removal of software and equipment from agency information systems when it determines that those items present a supply chain risk regardless of the source. The law permits any federal agency to exclude an item from procurement where it determines that the item poses a significant supply chain risk. We expect the implementing rules to be published by the end of the year.
Cybersecurity - Technical Only or Foreign Control?
Defiantly both
of course, for our trusted allies, cyber security cooperation is to be expected ;)
Russia says it is starting to resume U.S. cyber cooperation: TASS
Politics and business should stay well apart, I know this is easier sad than done.
If security is a concern for China products, i would wonder about the implementation of the system, I run a large network of cameras from China, to ensure that there is no chance of hacking or unauthorized access the whole network is completely isolated from the internet on its own private fibre network. Simple solution if it is not plugged into public networks it cant be hacked.
Why is nobody asking why the network security is not up to scratch, like routers and access points? or at a basic level of has the equipment been installed properly.
Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly.
simple example, does the rest of the world ban the CCTV systems that were used at
Guantanamo Bay detention camp or in the Gaza strip?
All i know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.
Security installers should disclose risks to clients, in reality any device connected to a public network could be hacked, this is not limited to Chinese products. If my client understands the risk they can make an informed decision whether to have their system on a public or private network.
All i know for certain is that when politics gets involved with business then business is on the losing end and so are the consumers.
agree.
these days you can’t buy a single rhino horn, or some decent yellowcake ore, or just a matching kidney. not even on eBay!
Why is nobody asking why the network security is not up to scratch, like routers and access points? or at a basic level of has the equipment been installed properly.
A couple of reasons A) Hikvision will sell to anyone including end-users who don't understand network security. B) Most of the alarm company's installing Hikvision don't understand IP or network security C) Customers shopping at this price point don't want to pay for proper network security. D) Large enterprise systems with multiple locations make it harder to keep the cameras on an air gaped network.
banning a product that was used by a government that has abused human rights
#4, thanks for the detailed feedback. I agree with you if these products were simply 'used' by a government there should be no objection towards the product manufacturer.
However, Dahua and Hikvision directly sold more than a billion dollars worth of projects (including installation and even operation in some cases) in Xinjiang where these human rights abuses are taking place.
Google has also been implicated in providing private data to the the Chinese government also making them complicent in the human rights abuses, will Google be banned too?
banning company's for providing tools to governments that commit human rights abuses opens up a huge spiders nest, there are many company's, western and eastern that would be caught up in the web, it would make more sense to sanction the government than the private company's.
Google has also been implicated in providing private data to the the Chinese government also making them complicent in the human rights abuses, will Google be banned too?
What is your source for this?
Google's search is banned in China since 2010. Please clarify your allegation here. What private data are you saying Google has provided?
UI#4, you said this video somehow shows that:
Google has also been implicated in providing private data to the the Chinese government
But the video you posted makes no such claim. The video has a lot of commentary, but concretely, it only references two facts about Google:
- In 2018, Google said it would invest $500 million in JD.com, China's second-largest e-commerce firm.
- Google opened up a China AI lab in Beijing in 2017.
The video then raises concerns about these decisions "indirectly" supporting the Chinese military. But there's not a single reference to Google "providing private data to the the Chinese government". There's also no such proof or even allegation of that happening elsewhere.
Regarding your broader point that:
Politicians hand pick scenarios that they can manipulate, banning a product that was used by a government that has abused human rights leaves the field wide open for many products, knowingly or unknowingly. simple example, does the rest of the world ban the CCTV systems that were used at Guantanamo Bay detention camp or in the Gaza strip?
The key difference is that Hikvision itself was contracted to directly build and operate surveillance systems in Xinjiang, including in re-education camps and mosques. It was not a mere "product supplier" as we have debunked many times. Xinjiang is at the center of one of the world's most serious human rights crisis, with over a million civilians locked up in so-called re-education camps. Video surveillance has been referenced many times as a core part of Xinjiang's repressive apparatus, which is why IPVM decided to look into PRC manufacturers' huge deals there in the first place. I don't think Western tech firms are angels, but the level of direct involvement/complicity here has no direct analogue.
Yeah, Google has a... rocky relationship with China.
However, UI#4 might have a point if they used Apple instead of Google, though it's not an open-shut case. Nothing quite as clear as what Hikvision has done.
- Apple Safari browser sends some user IP addresses to Chinese conglomerate Tencent by default
- Apple sending user browsing data to Chinese company Tencent - 9to5Mac
- Apple Defends Sharing Browser Data With Google, Tencent 10/15/2019
- Apple Under Fire Over Sending Some Users Browsing Data to China's Tencent
There's also the alleged poor working conditions at Chinese factories and the mass suicides at Foxconn.
Any system on the network open or closed can be hacked. It is just a matter of time before the bad actors locate and find the door.
To assume you are safe because a system is closed is just not a sound policy.
Just ask the former CIO of Target corporation. They got hacked and it was not through an open network. It was through a secure VPN network with venders for the transmission of invoices.
Unfortunately one can never assume a system is 100% secure.
Any system on the network open or closed can be hacked.
1) integrators don’t write firmware
2) integrators configure and commission networks
since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.
since integrators can’t count on manufacturers to secure their devices, they count on themselves to secure the network.
And what about the vast number of integrators who port forward? Are they securing their networks? :)
Any system connected to the public networks can be hacked.
If remote viewing is enabled, be it via a dedicated IP and ports opened on the firewall, or via a cloud host that keeps ports open for the remote user, this allows a bad actor to access the system and load firmware that compromises the system.
VPN technology can resolve this in most cases, but there are workarounds known to the hacker community (and if not by them, to governments) for VPN solutions.
However, in the majority of cases it comes down to the humans that operate these networks. We find this to be the biggest vulnerability, and the hardest to control.
Once the camera or NVR/DVR is compromised, the hacker has root privilege's with admin access on your network, with a working Linux (or other) device to which he can send very damaging commands.
If for no other purpose, this access to your network can be used to observe the workings of secured areas, such a laboratories, industrial plants, water treatment facilities, utility installations, cell towers, and more.
