Details have emerged about when the rules implementing the federal ban on Hikvision, Dahua, Huawei and others will be made public for official comment and who exactly in the US government is drafting them.
Additionally, IPVM has found that SIA is quietly pushing for a less restrictive interpretation of the law, taking issue with the potential “blacklisting” of integrators using covered equipment from doing business with the federal government. SIA is also calling for the government to develop a “risk-based protocol” to determine whether OEM products/certain components should even be covered in the first place, a move which could create a major loophole.
In this post, IPVM examines:
Rules Schedule
Who is Drafting the Rules
SIA Pushes Against ‘Blacklisting’
SIA OEM Loophole?
Other NDAA Challengers
Integrator Impact
At stake are rules that will directly affect US integrators doing business with the federal government, a sprawling entity which includes not only well-known institutions like the FBI or the military but also the VA, Social Security, Coast Guard, numerous museums, etc.
*** ****** **** * **** ***** be ************ *******:
**** ***-******** ***********would ****** ** * **********-**** ******* ** “************” of businesses that utilize the covered equipment in a general sense, potentially encompassing the sale of such products to non-federal customers. Such an outcome would impose crippling ********* ******* on many U.S. security companies that serve the commercial marketplace and other non-federal customers, and ultimately increase ******** ***** to the U.S. business community at-large [emphasis added]
— (*) *** **** ** ** executive ****** *** ***— … (*)enter **** * ******** (** ****** ** ***** * ********) **** ** ****** **** **** *** *********, ******, ** ******* that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system [emphasis added]
********developing * ****-***** ******** for determining whether a video surveillance product is prohibited in cases where firms covered by the prohibition are not *** ************* ** *** ***-**** *** ****** ********* ** ******* ************. [emphasis added]
*** **** *** ****** **** **** “risk-based ********” ***** ******** ******* ** and ** ** ******* *** * government ****** ***** ********* ******* * certain ********* ** *** ****** ** a ************* ****, ****** ***** ** information ******** ** ************* **********. ** would ** *************** *** **************** ********* to ***** ********.
IPVM, as SIA members, and I, as a member of the SIA government relations committee objected to SIA not sharing this letter with SIA government relations committee members (Charles found this letter by going through government records). In my experience over the past 6 months, SIA struggles with transparency and clarity about what they do and how they make their decisions. On the positive side, SIA committed to disclosing such lobbying to SIA government relations committee members going forward.
While I believe the 'risk-based protocol' is well-intentioned, the burden is on SIA and the manufacturers to prove they can develop such a protocol that ensures security and is not simply a rubber stamp to allow Western companies to pass of Dahua, Hikvision and Huawei equipment as their own 'secure' products.
Any idea how this law could affect central stations? I am curious if a central station monitoring HikVision/Dahua cameras would then be excluded from monitoring any other government cameras in the future.
This would have to worded very carefully as well....China could claim, they were just "Monitoring" installed cameras at an installed site, not spying :)
That's a good question. However, we don't really know yet since the FAR hasn't actually been released - as mentioned in our post, it will only be made public in February 2019, and details about what it will contain are scant. However when the FAR is published, we'll definitely cover it and include anything it mentions about removals.
Is it anticipated that the FAR will be pushed to DFAR as soon as the administrative code is written for implementation? I would assume that would be a logical move as many of the risk areas are in DOD space.
That's also a good question but I don't know. DFAR isn't mentioned in either of the government filings we referenced but that would make sense. I'll contact some officials about this and update if they respond.
If losing USA camera sales were a big deal, all these guys would have to do is get creative with business entities, executives and controlling shares and they could get around the language of the NDAA. i.e. Huawei can "sell" HiSilicone to "another company".
I was thinking it would be similar for integrators. Tom's Security could remain Tom's Security selling HIKVision and Dahua all day long and just form up Jill's Security Emporium for government contracts not utilizing any HIKVision and Dahua and owned by Tom's wife.
What happens when a tech from Tom's Security is asked to work on a job for Jill's Security, or one of Jill's techs has to work on a HikVision/Dahua system for Tom's security?
I am not an expert but from previous article, link below, I got the impression that it was predominantly a problem of selling not servicing that would get you banned.
The prohibition is beyond selling to the government. If the “entity” sells Hikvision / Dahua cameras in any way to anyone, they are banned from doing business with the federal government
While the order is unlikely to name Huawei or ZTE, a source said it is expected that Commerce officials would interpret it as authorization to limit the spread of equipment made by the two companies. The sources said the text for the order has not been finalized...
The executive order would invoke the International Emergency Economic Powers Act, a law that gives the president the authority to regulate commerce in response to a national emergency that threatens the United States.
Not clear how this would impact video surveillance products or Dahua or Hikvision but Charles will be tracking this.
Good point. However there's a solid chance Huawei products outside of the telecom sphere would still be affected by such an order.
Technically, the text of the NDAA only says Huawei's "telecommunications equipment" and "video surveillance services" are covered. However, that didn't stop the Congressional committee which drafted the law, along with Pelco, from both stating that they believe the law effectively bans cameras with Hisilicon chips.
We're talking about US Congress members here. The ones who asked the Google CEO why their iPhone showed their grandchild an offensive image during a game. They also asked him why an image search for "idiot" showed an image of Trump. These aren't the most tech savvy people we're dealing with. They could easily conflate the term "telecommunications equipment" with surveillance equipment.
The US won't enact an embargo against these Chinese products even after declaring them a national security risk because of the political ramifications, yet they draft a bill to penalize all security professionals from doing business because it's easier to force your own people to comply in the hopes of achieving the objective.