You’d have thought the U.S. government would be moving fast to kick Chinese surveillance tech out of the country. But despite a legally mandated ban signed off on a year ago, the Trump administration hasn’t been able to clean networks of prohibited Chinese cameras keeping watch over U.S. government facilities.
As of this month, all federal government bodies should have started on plans to remove tech from four manufacturers that are considered too closely linked to the Chinese government. They include telecoms giants Huawei and ZTE, as well as surveillance camera makers Dahua and Hikvision.
But at least 2,000 devices from those latter two companies remain on U.S. government systems, according to data from government contractor Forescout. An additional 1,300 Huawei and 200 ZTE systems were also uncovered.Today In: Innovation
Forescout carried out two separate scans for the Dahua and Hikvision tools for Forbes, one a month ahead of the enactment of the ban, the other just a matter of days after the deadline of August 13. Little had changed over that period, indicating that, just as the U.S. can’t kick outlawed Russian software from Kaspersky Lab, the Trump administration is finding it tricky to root out and remove Chinese surveillance tech.
According to data from Forescout, which has been able to find banned devices via its government customers, there are at least 2,061 Dahua and Hikvision systems on U.S. federal government networks. That data was accurate as of August 19, and the figure is actually higher than the total from a July 11 scan, which stood at 1,797. But Forescout noted that the figure was higher only because it had gained more customers across government, not because agencies were buying more banned technology.
Looking across industry verticals, government appears to be the biggest user of such spy tech too. Manufacturing was the second-biggest user of the Chinese tech, with just under 1,200 Dahua and Hikvision tools, according to the Forescout data.
Dahua didn’t respond to a request for comment, but a Hikvision spokesperson said the ban had “potentially far-reaching implications for small and medium-sized American businesses.”
“We believe a standards-based cybersecurity process, as recently required by the Federal Acquisition Supply Chain Security Act, would better protect the federal supply chain and U.S. businesses. Hikvision is committed to complying with laws and regulations in all countries and regions where we operate and has made efforts to ensure the security of its products adhere to what is mandated by the U.S. government.”
Chinese surveillance “important for American national security”
One significant reason for the persistent presence of banned surveillance tools on U.S. government soil is confusion. It hasn’t been made “crystal clear” whether the law requires government agencies to remove the equipment rather than simply stop buying, said Katherine Gronberg, Forescout vice president for government affairs. As per the National Defense Authorization Act (NDAA), agencies are currently required to either have a plan for removing the relevant technologies or prove they’ve removed them already.
There’s also an irony when it comes to Dahua and Hikvision, noted Gronberg. Surveillance cameras perform an important function for many agencies. They are, after all, supposed to protect government sites from intruders. However, even while performing a national security function, they might at the same time be posing one because of their association with China. In such cases, the agency has to decide whether to accept the risk and keep the camera live, or swiftly remove it with the potential for disruption, Gronberg noted.
The Chinese manufacturers have known the ban was coming since Congress agreed to provisions under the NDAA last year. Huawei filed a motion in U.S. court this March, claiming that the NDAA ban was unconstitutional and should be abolished.
Banned Chinese tech everywhere across America
Forbes also had John Matherly, founder of the internet device scanning service Shodan, carry out a search for Hikvision and Dahua devices across the entirety of America. He claimed to have uncovered a vast number: as many as 200,000 for Dahua and 15,000 for Hikvision.
He believes that for the U.S. government the problem in rooting out Dahua and Hikvision will come in the form of “whitelabelling,” through which tech made by those firms is repackaged and sold under another brand name.
“These are inexpensive products, which is why they’re usually purchased, and the underlying software and hardware between Chinese vendors is very similar or sometimes even identical,” Matherly says.
“Organizations might not realize who originally wrote the software and designed the hardware for the device they purchased.”