Additionally, IPVM has found that SIA is quietly pushing for a less restrictive interpretation of the law, taking issue with the potential “blacklisting” of integrators using covered equipment from doing business with the federal government. SIA is also calling for the government to develop a “risk-based protocol” to determine whether OEM products/certain components should even be covered in the first place, a move which could create a major loophole.
In this post, IPVM examines:
Who is Drafting the Rules
SIA Pushes Against ‘Blacklisting’
SIA OEM Loophole?
Other NDAA Challengers
At stake are rules that will directly affect US integrators doing business with the federal government, a sprawling entity which includes not only well-known institutions like the FBI or the military but also the VA, Social Security, Coast Guard, numerous museums, etc.
IPVM, as SIA members, and I, as a member of the SIA government relations committee objected to SIA not sharing this letter with SIA government relations committee members (Charles found this letter by going through government records). In my experience over the past 6 months, SIA struggles with transparency and clarity about what they do and how they make their decisions. On the positive side, SIA committed to disclosing such lobbying to SIA government relations committee members going forward.
While I believe the 'risk-based protocol' is well-intentioned, the burden is on SIA and the manufacturers to prove they can develop such a protocol that ensures security and is not simply a rubber stamp to allow Western companies to pass of Dahua, Hikvision and Huawei equipment as their own 'secure' products.
Any idea how this law could affect central stations? I am curious if a central station monitoring HikVision/Dahua cameras would then be excluded from monitoring any other government cameras in the future.
That's a good question. However, we don't really know yet since the FAR hasn't actually been released - as mentioned in our post, it will only be made public in February 2019, and details about what it will contain are scant. However when the FAR is published, we'll definitely cover it and include anything it mentions about removals.
Is it anticipated that the FAR will be pushed to DFAR as soon as the administrative code is written for implementation? I would assume that would be a logical move as many of the risk areas are in DOD space.
That's also a good question but I don't know. DFAR isn't mentioned in either of the government filings we referenced but that would make sense. I'll contact some officials about this and update if they respond.
If losing USA camera sales were a big deal, all these guys would have to do is get creative with business entities, executives and controlling shares and they could get around the language of the NDAA. i.e. Huawei can "sell" HiSilicone to "another company".
I was thinking it would be similar for integrators. Tom's Security could remain Tom's Security selling HIKVision and Dahua all day long and just form up Jill's Security Emporium for government contracts not utilizing any HIKVision and Dahua and owned by Tom's wife.
While the order is unlikely to name Huawei or ZTE, a source said it is expected that Commerce officials would interpret it as authorization to limit the spread of equipment made by the two companies. The sources said the text for the order has not been finalized...
The executive order would invoke the International Emergency Economic Powers Act, a law that gives the president the authority to regulate commerce in response to a national emergency that threatens the United States.
Not clear how this would impact video surveillance products or Dahua or Hikvision but Charles will be tracking this.
Good point. However there's a solid chance Huawei products outside of the telecom sphere would still be affected by such an order.
Technically, the text of the NDAA only says Huawei's "telecommunications equipment" and "video surveillance services" are covered. However, that didn't stop the Congressional committee which drafted the law, along with Pelco, from both stating that they believe the law effectively bans cameras with Hisilicon chips.
We're talking about US Congress members here. The ones who asked the Google CEO why their iPhone showed their grandchild an offensive image during a game. They also asked him why an image search for "idiot" showed an image of Trump. These aren't the most tech savvy people we're dealing with. They could easily conflate the term "telecommunications equipment" with surveillance equipment.
The US won't enact an embargo against these Chinese products even after declaring them a national security risk because of the political ramifications, yet they draft a bill to penalize all security professionals from doing business because it's easier to force your own people to comply in the hopes of achieving the objective.