Banned Chinese Security Cameras Are Almost Impossible to Remove
An August deadline to remove them from federal agencies likely won’t be met as many departments don’t even know what cameras they’re using.
U.S. federal agencies have five weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing.
But thousands of the devices are still in place and chances are most won’t be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements make it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules.
The National Defense Authorization Act, or NDAA, which outlines the budget and spending for the Defense Department each year, included an amendment for fiscal 2019 that would ensure federal agencies do not purchase Chinese-made surveillance cameras. The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry.
Hikvision is 42% controlled by the Chinese government. Dahua, in 2017, was found by cybersecurity company ReFirm Labs to have cameras with covert back doors that allowed unauthorized people to tap into them and send information to China. Dahua said at the time that it fixed the issue and published a public notice about the vulnerability. The U.S. government is considering imposing further restrictions by banning both companies from purchasing American technology, people familiar with the matter said in May.
“Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities,” said Representative Vicky Hartzler, a Republican from Missouri, who helped draft the amendment. Removing the cameras will “ensure that China cannot create a video surveillance network within federal agencies,” she said at the time.
Dahua declined to comment on the ban. In a company statement, Hikvision said it complies with all applicable laws and regulations and has made efforts to ensure its products are secure. A company spokesman added that the Chinese government is not involved in the day-to-day operations of Hikvision. "The company is independent in business, management, assets, organization and finance from its controlling shareholders," the spokesman said.
Despite the looming deadline to satisfy the NDAA, at least 1,700 Hikvision and Dahua cameras are still operating in places where they’ve been banned, according to San Jose, California-based Forescout Technologies, which has been hired by some federal agencies to determine what systems are running on their networks. The actual number is likely much higher, said Katherine Gronberg, vice president of government affairs at Forescout, because only a small percentage of government offices actually know what cameras they’re operating. The agencies that use software to track devices connected to their networks should be able to comply with the law and remove the cameras in time, Gronberg said. “The real issue is for organizations that don’t have the tools in place to detect the banned devices,” she added.
Several years ago the Department of Homeland Security tried to force all federal agencies to secure their networks by tracking every connected device. As of December, only 35% of required agencies had fully complied with this mandate, according to a 2018 report by the Government Accountability Office. As a result, most U.S. federal agencies still don’t know how many or what type of devices are connected to their networks and are now left trying to identify the cameras manually, one by one.