U.S. Government Still Uses Suspect Chinese Cameras
WSJ · by Asa Fitch
Surveillance cameras made by China’s Hikvision are posted on a street corner in San Francisco. Photo: JOHN G. MABANGLO/EPA/Shutterstock
Oct. 19, 2019 8:00 am ET
Thousands of Chinese-made surveillance cameras remain in use at U.S. military installations and other government sites after purchases of such devices were banned, highlighting the hurdles in replacing costly equipment to address national-security concerns.
More than 2,700 of the banned cameras are in operation across the federal government today, according to data from Forescout, a security-technology company that detects equipment on networks under contract with the federal government. The total is likely higher because Forescout doesn’t have contracts to monitor all government networks and not all of its customers share their data with the company.
Congress last year passed legislation that prohibits federal agencies from buying equipment made by several Chinese firms, including Hangzhou Hikvision Digital Technology Co., 42%-owned by the Chinese government, and Dahua Technology Co., a privately owned Chinese surveillance-equipment maker.
Visitors at a Beijing event in 2018 were tracked with facial-recognition technology from Hikvision. Photo: Ng Han Guan/Associated Press
The legislation was driven by concerns that using the equipment on U.S. military installations, police departments and embassies posed security vulnerabilities the Chinese government might exploit. China has relied heavily on Hikvision to monitor its 1.4 billion citizens, including ethnic minority Uighur Muslims.
The legislation directed agencies not only to stop buying the equipment but also not to renew contracts involving use of the cameras. The provisions don’t require removal of already installed cameras, but experts suggest that was the spirit of the legislation.
“That is a clear expression of intent in my mind,” said Katherine Gronberg, the vice president for government affairs at Forescout. It is also common sense, she said, that if technology is found to pose a risk it should be removed.
Attempts to reach Vicky Hartzler (R., Mo.), who led the inclusion of the camera ban in the National Defense Authorization Act that passed last year and which took effect Aug. 13, were unsuccessful.
A Defense Department spokeswoman said the agency wouldn’t comment on security risks of specific products, but said measures were being taken to ensure the security of the supply chain and inspect equipment for vulnerabilities.
Agencies have been slow to remove such items from their networks, in part because of the cost and complexity of replacing them, former government IT officials said.
Jeanette Manfra, the Department of Homeland Security’s assistant director for cybersecurity, said the government was juggling the potential need to replace the suspect cameras with security demands that could require them to remain in place—while also considering the cost of replacing the items.
“It’s not that agencies aren’t concerned about the risk, or that they’re unwilling to take actions,” Ms. Manfra said. “It often just comes down to, they’ve got to balance all these different needs.”
Efforts to curb the use of Chinese equipment have run into roadblocks. After the sales ban on cameras took effect, Hikvision and Dahua cameras were still available for purchase on a U.S. government-operated marketplace where departments and agencies buy equipment, The Wall Street Journal found last month. The sales ban was included in the National Defense Authorization Act that took effect in August.
While the act said agencies could be granted waivers on the ban only if they submit phaseout plans to remove equipment from their networks, it didn’t discuss any allocation of funding for such efforts.
An effort across the government, led by the Office of Management and Budget, may draw up directives on what equipment agencies could buy and continue using, Ms. Manfra said.
One civilian department that Forescout declined to identify had 4,277 security cameras installed on its premises. Of that total, according to Forescout data, 659—or about 15%—were made by a pair of Chinese companies whose equipment has since been explicitly banned.
Hikvision, which has a headquarters in Hangzhou, China, works to ensure its products are secure and adhere to U.S. federal-government standards, a company spokesman said. Photo: str/Agence France-Presse/Getty Images
The Department of Commerce this month added Hikvision and Dahua to an export blacklist that requires their U.S. suppliers to gain licenses to ship components. The companies, along with others added to the list, “have been implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uighurs, Kazakhs, and other members of Muslim minority groups” in northwest China’s Xinjiang region, the department said.
A Hikvision spokesman said the company went to great lengths to ensure its products were secure and adhered to federal-government standards. A person close to Hikvision said the company was lobbying to have the provision repealed and would consider legal steps to fight it.
Dahua said its addition to the blacklist lacked any factual basis and called for a reconsideration.
“I think everyone is really concerned right now,” said a Senate staffer involved in legislative efforts to curtail the use of Chinese technology by the U.S. government. In addition to specific credible threats, he said lawmakers were anxious about broader, less well understood cyber threats linked to China.
Although there are known vulnerabilities with some of the Chinese equipment, getting some departments to take the threat seriously has been a challenge, according to a high-ranking IT official who recently left the government. “There are a significant number of people who are in denial,” he said. “They don’t believe the problem is that big a deal, and can be managed and mitigated in other ways.”
Security researchers for some time have raised concerns about vulnerabilities in Dahua and Hikvision cameras. ReFirm Labs, a Maryland-based cybersecurity company, found in 2017 that some Dahua cameras could allow intruders access to the video feeds. Dahua released updated firmware to address the issue, although ReFirm co-founder Terry Dunlap said a different backdoor appeared in the new firmware version.
A man walked in June near Dahua surveillance cameras in Kashgar, China. Photo: greg baker/Agence France-Presse/Getty Images
A Dahua spokesman said the company constantly posted cybersecurity updates to its website and was committed to release fixes to any vulnerabilities as they were discovered.
The Department of Defense has long been ahead of civilian agencies in addressing cybersecurity risks, said Greg Touhill, a retired U.S. Air Force general and the first Federal Chief Information Security Officer, until he stepped down in 2017. But, in some cases, the military keeps equipment when the cost to remove and replace it outweighs security concerns, said Mr. Touhill, now president of a firm that sells security and IT-management services to the government.
“If the camera’s doing surveillance outside the bowling alley on the base, it’s a different calculus than if the camera is doing surveillance at a nuclear missile silo,” he said.