SIA Coaches Sellers on NDAA 889B Blacklist Workarounds

By: Conor Healy, Published on Aug 05, 2020

Last month SIA demanded that NDAA 889B "must be delayed". Now that they have failed to delay it, SIA is coaching sellers on workarounds to it.

The August 4th SIA webinar was led by Jake Parker, Senior Director of Government Relations, and Lynn de Seve, SIA board member, joined by Dismas (Dis) Locaria, a partner in Venable's Government Contracts Group.

In this post, we cover key points & quotes from the webinar, including:

  • Arguing that banned equipment is not touching critical systems
  • Forcing contracting officers to give awards despite banned equipment
  • Protests can lead to relief down the road
  • How the government using the 'False Claims Act' for cybersecurity issues is a "worn out shtick"
  • Shifting your assets to keep using banned equipment
  • How reasonable inquiry does not require going back to your providers or vendors

Not Touching Critical Systems

The attorney argues that contractors can emphasize that banned equipment is 'not touching critical systems':

with that representation you’re supposed to provide explanation as to what your use is, and that’s an opportunity for contractors to explain that their use is not substantial, or essential, or critical. It’s not touching critical systems. [emphasis added]

While many contractors have argued for that distinction, e.g., when used in closed networks, nonetheless, the US government has not made such a distinction in this legislation or regulation.

Continuing, he contends that contracting officers may be forced to award with banned equipment:

And I think what you’re going to see is you're going to see contracting officers, which I have to imagine have zero desire to get into this analysis, but they're going to be forced to that are going to say “well, I agree it’s not substantial, essential, or critical", and they’re essentially going to award regardless of the representation. [emphasis added]

And, as contractors object to the blacklisting, the government will be motivated to provide 'relief down the road' from the ban:

My understanding is a lot of ordering agencies or buying agencies like GSA...have taken this stuff back to OMB and said, 'Look, our defense contractors can’t comply with this as written.' And my understanding is at the highest levels of GSA, they’ve gone back to OMB and said ‘Our community cannot deal with this.’ So what does this mean? You know, hopefully that means some relief down the road.

Worn Out Schtick

The attorney later complained about the government using the False Claims Act to seek damages from contractors making misrepresentations, saying that such tactics could be applied to Section 889 representations, calling it a 'worn-out schtick':

We’re starting to see False Claims Act cases coming against companies that are not meeting their cybersecurity obligations. The second to last bullet here says no new enforcement approach, but I guarantee you the government will use its worn-out schtick of the False Claims Act if there are folks that are misrepresenting under this. [emphasis added]

Shifting Assets

Another recommendation was to shift banned 'assets' to other parts of a conglomerate:

The regs are, I'll say, very open to the idea of interpreting [the applicability of the rules] more broadly, and applying it to parents and subsidiaries…in one case I have clients who are actually shifting their assets to other organizations who are not the offeror. Right, so then they can say well, 'we’re not using it, our downstream affiliate is using it.' So there are some prophylactics you can do to get around this.

Reselling Still An Open Question

However, they were indefinite about whether reselling was covered:

If you’re merely acquiring products to resell, and it might have prohibited technology embedded in it, is that use? Right. And I don't know. I wouldn’t think so. But use is not defined in the regulation. I think in those instances you might be able to take a more aggressive posture: that that is not use.

No Need to Go Back To Providers or Vendors

While many companies have been investigating their suppliers (e.g., via IPVM's Dahua OEM directory and Hikvision OEM directory), the attorney argued that the 'reasonable inquiry' standard in the FAR does not require that:

you're only you know, that reasonable inquiry under the regs is you only need to do kind of an internal analysis, you don't have to go back to your providers and your vendors and ask them whether they include Huawei or ZTE or any of the other prohibited technology [emphasis added]

Given the amount of historically hidden relabelling of Dahua and Hikvision and use of Huawei Hisilicon, especially in low-cost products, it is quite common for users not to be aware of their true source. If they are not required to even ask or check on that source, this makes it easy to continue to use banned equipment so long as neither party asks nor tells.

Insightful Look At Seller Strategy / Risk To Security And Law

This SIA webinar provided an insightful look at how sellers may undermine this legislation and the government's national security stance. Undoubtedly, such tactics benefit sellers of banned China equipment in the short term, though they increase the risk to the US, as a whole, long term.

Comments (29)

Shady Industry Association strikes again!

I beg to differ, the webinar tried to help people stay in business despite irrational regulations. Not everyone can easily switch to another vendor, nor should they. I wouldn't install hikua cameras in a nuclear missile silo, but they are perfectly fine for a municipal library or intersection.

this article is one step shy of depicting SIA as communist traitors undermining national security.

but they are perfectly fine for a municipal library or intersection.

You are certainly entitled to your opinion but that's not US law.

help people stay in business

Please! Where were you when Hikua was driving various US companies out of business with their race to the bottom? Where were you when the PRC was blocking out all the other world video surveillance companies?

Most legislation has positive and negative impacts on businesses. Companies can 'stay in business' with or without Hikua but Hikua is the easy money.

"You are certainly entitled to your opinion but that's not US law."

Laws reflect the society you live in. 5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed. The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

I doubt hikua ever had a sinister plan to take over the world, they made a cheap product because of people that wanted to buy it, it's not their fault they won.

The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

The rational decision making is that we are faced with an authoritarian regime hostile to democracies. As for 'xenophobia' this has nothing to do with other countries generally or even Asians, the US has strong relations with many governments in Asia even Chinese led ones like Taiwan. This is a specific issue with a specific leader, Xi Jinping, of a specific organization, the China Communist Party.

And yes I agree with you that things changed. That change is Xi Jinping and the policies he has enacted.

Don't whine or dismiss what the US is doing as 'politics' without being fair that this is clearly a response to politics from Xi Jinping.

if Xi and the CCP are the problem, why ban only 3 companies? ban them all. that would be the rational thing to do.

when you single out the top 3 competitors and leave the rest of the CN ones to do business as usual that doesn't make sense.

Because the "top 3 competitors" represent the overwhelming majority of business / offerings in the space.

Btw, I know you guys think this is a clever comeback but it's a bit like saying "Why did you only accomplish the 3 most important things today. Clearly, if you cared, you would have done everything."

Think about it. Literally, your contention is that it's irrational only to ban the largest 3 companies/risks.

if Xi and the CCP are the problem, why ban only 3 companies? ban them all. that would be the rational thing to do.

Section 889 B allows the Secretary of Defense to expand the list, a possibility that may well occur.

But to answer your question more directly:

  • Because the US has direct concerns about these companies, they weren't picked at random;
  • Because everything has to start somewhere (policies don't need to be all or nothing);
  • Because, as Secretary of State Mike Pompeo stated in a speech last week, America's foreign policy goal here is to change the nature of China's participation in the world, not to end it. Banning all companies at once leaves you with no more moves to make.
  • Because solving problems in one place can cause problems in others, and it is generally inadvisable (and, contrary to your assertion, not a rational move) to solve problems all-at-once before beta testing your solution.

Laws reflect the society you live in. 5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed. The current ban is based on politics and a little bit of xenophobia, not on rational decision making.

You've got to be kidding, xenophobia? The government finds certain products manufactured by Chinese companies, some owned by the PRC, to be a risk to our national security and your response is "xenophobia". The Chinese government is not our friend, and pointing that out doesn't make someone a xenophobe.

Your analogy of "smoking weed" is equally obtuse. Society's perception of "weed" is based on its moral values. Laws can reflect the moral values of a group of people, but in this instance we are not talking about moral values. The NDAA is in place to protect our country from the threat of cyber-security, which is not a moral issue, it's a national defense issue.

You claim the law is not based on "rational decision making"; fine, make your argument. I would love to hear a "rational" argument about why NDAA is not necessary, or is politically motivated (which I think can be a legitimate reason). Throwing out words like xenophobia only weakens your argument and makes you sound like a bitter denier who doesn't know how to adjust to the new regulations.

I painfully sat through the SIA webinar yesterday and I completely agree with John's assessment.

the ban is not rational because it is a blanket ban, but this blanket is full of holes:

1. it doesn't solve the china risk, how do you know TVT or Uniview aren't in cahoots with the CCP? you don't right? if china is a risk, ban all chinese products, or switch back to analog if you are afraid of cyberattacks :)

2. it conveniently singles out the biggest competition, the bottom feeders and second tier manufacturers can still sell to the government, again, no sense. you allow inferior quality products but ban the good ones (maybe not best in breed, but best for what you pay for)

3. security is based on rational risk assessment, but this is a blanket ban treating a camera in a national park the same as a camera in a military base... it's not and you know it. the risks are different.

"bottom feeders"

I thought those who sell HIK and Dahua WERE the bottom feeders!

Nope...there are many many bottom feeders in China you never heard of...

LOL. True.

Had you ever stepped into the Asia section at ISC West? That was just a fraction of them.

I did it once.

Once.

Never again.

1. it doesn't solve the china risk, how do you know TVT or Uniview aren't in cahoots with the CCP? you don't right? if china is a risk, ban all chinese products, or switch back to analog if you are afraid of cyberattacks :)

"These prohibitions reflect the Government’s increased concerns that Chinese intelligence services could use Chinese telecommunications companies to exploit U.S. technological data. This comes after the heads of six U.S. intelligence agencies recommended, during a Senate Intelligence Committee hearing in February 2018" FBI Director Chris Wray.

The intelligence community seems to have reason to believe that Huawei Technologies and ZTE pose a risk to national security. If I'm not mistaken, the ban isn't necessarily a Hikvision and Dahua ban; it's a ban on any company that uses telecommunication devices manufactured by Huawei or ZTE.

2. it conveniently singles out the biggest competition, the bottom feeders and second tier manufacturers can still sell to the government, again, no sense. you allow inferior quality products but ban the good ones (maybe not best in breed, but best for what you pay for)

The biggest competition are using devices manufactured by Huawei and ZTE.

3. security is based on rational risk assessment, but this is a blanket ban treating a camera in a national park the same as a camera in a military base... it's not and you know it. the risks are different.

It depends on what you consider a risk. Are you familiar with the Mirai botnet in 2016, a DDoS attack that shut down part of the internet? IP cameras played an important role in that cyber attack.

5 years ago smoking weed was illegal, now it's ok... Weed hasn't changed, society's perception of it changed.

Using your framework: "5 years ago selling/using technology from China was completely legal, now it's illegal to sell/use some of it in some cases...China technology hasn't changed, society's perception of it changed."

Really? There's nothing in the last five years that's changed on the China side? It's all just the blowing winds of American politics and American xenophobia?

I could give you a dozen examples only to do with Xi Jinping that speak to changes on the China side of the equation that have taken us to where we are. Yes, of course, there are many relevant US developments too.

On another note:

Laws reflect the society you live in.

Speaking from direct personal experience, the nation's top political scientists have relatively little idea what laws do or should "reflect".

You're really oversimplifying the reasons for the U.S. Government ban. It was more than the potential risk of providing China with back doors into American private business networks.

- A 2012 Congressional report stated that Chinese companies were stealing intellectual property from U.S. businesses.

- Internal documents supplied to the U.S. that showed that companies like Huawei supplied services to a cyber-warfare unit of the PLA.

- The U.S. uncovered evidence of economic espionage countless times.

And if none of that changes your mind, there's always:

- Forced labor camps

- Execution of innocent people

- And organ harvesting

But hey, who cares, right? Your margins are much more important.

I wonder how many Hikvision trips they went on.

However, they were indefinite about whether reselling was covered:

If you’re merely acquiring products to resell, and it might have prohibited technology embedded in it, is that use? Right. And I don't know. I wouldn’t think so. But use is not defined in the regulation. I think in those instances you might be able to take a more aggressive posture: that that is not use.

the lawyer is arguing that the definition of USE is not definitive and could be challenged because reselling doesn't mean USE?

reading this comment made my eyes roll so far back in my head I could see my scalp.

I was surprised by what was presented in this webinar. As you stated, it really seemed to be all about ways around, and not addressing the massive risk involved. Sure, as with all restrictions/laws there is a good chance that they won't be discovered, but if they are, the costs and damage to your reputation could be immense. Let alone putting our infrastructure at risk, which is the main point of all this. Seems that SIA would've better served their members to focus on the best ways to be compliant, rather than how to dodge it...for now.

I was surprised by what was presented in this webinar. ... Seems that SIA would've better served their members to focus on the best ways to be compliant, rather than how to dodge it...for now.

The few times we've talked to SIA about the NDAA, they expressed surprise that anyone would support it. It was as if I asked them to fund me building a hotel on Pluto. They were just incredulous.

Another problem is a complete lack of transparency. There is no explanation of how they come to their decision or who has been lobbying them.

Upleveling, the general principle I have found with SIA is that they oppose anything that would threaten to decrease revenue for the security industry as a whole, regardless of ethics or, in this case, the law. As such, I was only surprised they made this public but not that they would attempt these tactics.

the general principle I have found with SIA is that they oppose anything that would threaten to decrease revenue for the security industry as a whole,

As we all know many of the products banned are at the bottom or lower end of the price scale. Logically then, if the industry is being compliant wouldn't that then increase revenue for the security industry. Items could be sold on the basis of being a bit more expensive as they are compliant.

Logically then, if the industry is being compliant wouldn't that then increase revenue for the security industry

Maybe, maybe not. What SIA knows clearly is that many large members who make good money right now selling those banned products would lose revenue immediately.

SIA does not show much of a long term sense of perspective, e.g., they missed the pushback to China very badly, e.g. China Is Not A Security Megatrend, Says SIA

Logically yes, but I'm guessing SIA's main funding comes from large integrators so that's who they are working for rather than for the "industry".

I'm guessing SIA's main funding

SIA's main funding is from manufacturers. For background, here is SIA's 2019 financial filings, breakdown screencap below:

IPVM Image

Sponsorships is primarily the money Reed pays SIA for 'sponsoring' ISC West and that money is, of course, primarily from manufacturers.

Btw, in terms of large integrators, my understanding is that ADT, JCI, Convergint are not selling much, if any, Hikua now.

I thought organizations like SIA were supposed to help move the industry forward. The way I see this whole debacle is basically SIA saying Electronic Security Professionals don't really need to care about Security. Are we just product movers now? Sell and install and that's it? No thoughts about the ramifications of installing software or devices with vulnerabilities? "Who cares, not my network!"

Why learn anything for ourselves, or try to educate the public/customers, when we can just keep selling stuff and making $$$.

basically SIA saying Electronic Security Professionals don't really need to care about Security

Keep in mind, SIA invited an NSA director to speak at their cybersecurity conference which they had Dahua and Hikvision sponsor... in 2019. SIA defended it and, I kid you not, by declaring:

nothing under Section 889 of the NDAA restricts the ability of affected companies to participate in any educational conferences as sponsors. We welcome the participation of SIA members and businesses which support the goal of educating the industry about cybersecurity.

I may have just lost a $175,000 PO because I learned that the mask/temperature unit I sold has a Huawei Hisilicon chip in it. When I started the process with this sale I honestly didn’t know this unit had one. Didn’t even think about it. Then I asked the distributor to look into it after IPVM released some clarification on NDAA. So I alerted the company who placed the order. I explained to them I found a unit that was NDAA compliant but don’t know much about it. I’d rather lose the money now before we do the install than look like an idiot after everything is installed and someone discovers it.

...or you could go the way some in the industry seem to be going...continue with the job and ask for forgiveness or assume lobbying attorneys will have something to stand on so you can stand behind them.

...but why do you think you may have lost it? If you found a replacement can you not:

- get any info on it here at IPVM

- get one in ASAP and test it to make sure it meets your needs.

On the heels of this they release principles of facial recognition. So, is it ethical for a manufacturer to target ethnic groups?

SIA Principles for the Responsible and Effective Use of Facial Recognition Technology | Security Industry Association
