Lawmakers target Chinese security companies over spy fears
Congress is weighing a ban on federal agencies using video surveillance equipment from two large Chinese companies, the latest sign of concerns about foreign espionage among lawmakers.
It’s part of a broader trend. Across the government, the U.S. is moving away from foreign state-owned tech companies to prevent cyber spying.
But one of the companies named in the proposed ban is pushing back. Hikvision argues that the legislation — written into the House version of the annual defense authorization bill — is a knee-jerk response to an anti-Chinese “Red Scare.”
“To my knowledge, and to my understanding, I’ve got a gut feeling that if we are not a Chinese company, this wouldn’t be an issue at all,” said Jeffrey He, president of Hikvision’s independent U.S. subsidiary, in an interview with The Hill.
“It’s very difficult to prove ourselves not guilty of providing back doors to Chinese government or any source.”
Indeed, unlike firms like ZTE or the Russian-owned Kaspersky, it’s a much more open question whether Hikvision products are pinging home to China.
Hikvision’s U.S.-based business touts its compliance with American laws. It worked with the Department of Homeland Security to patch a security vulnerability it uncovered in May 2017. It also recently opened a transparency center in California to allow law enforcement to view the source code for its products.
Its cameras have been purchased through middlemen for use on a U.S. military base, the American Embassy in Afghanistan and in a police department in Memphis, Tenn. Chris Nickelson, a Missouri-based contractor, touted Hikvision’s products as top-quality cameras with “world-class” support.
Nickelson argues that a ban on Hikvision products would actually harm small American businesses like his.
But Hikvision’s parent company’s close ties to the Chinese government — a state-run enterprise owns a controlling 42 percent share — and its participation in an extensive state surveillance program in China have raised questions about whether its U.S. arm can be trusted.
Supporters of the amendment to the 2019 National Defense Authorization Act (NDAA) banning government use of Hikvision products note that Chinese laws are written to give Beijing broad authority to intervene in business operations.
“The problem is that in China it’s really hard for a company to say no to the government when they come and ask for a request,” said James Lewis, a former U.S. official and expert in cyber and national security at the Center for Strategic and International Studies.
According to He, the U.S. company hasn’t gotten any requests from Beijing. Moreover, he notes, because the company doesn’t sell directly to end users, most of the time Hikvision doesn’t even know where its cameras end up.
“To my knowledge in 8 1/2 years in this job, I’ve not heard anything from anyone, either from the [state-owned enterprise] board members or managing team, that there’s any requirement from Chinese government to cooperate,” said He. “I have no knowledge, to be honest with you.”
The real victims, according to critics of the proposed ban, are the middlemen — often U.S.-owned small businesses. Nickelson, whose company used Hikvision products in a contract installation at Fort Leonard Wood, said the uproar has hurt his business.
Earlier this year, the U.S. Army disclosed that it had removed Hikvision-made cameras from Fort Leonard Wood — but said it did so only to “remove any negative perception” around the base following media reports about the company.
“We never believed [the cameras] were a security risk. They were always on a closed network,” said Col. Christopher Beck.
Since The Wall Street Journal named his company in a story about the installation, Nickelson says, he estimates he has lost orders worth “up in the hundreds of thousands.”
“I’m damaged,” he told The Hill.
Nickelson says if the ban goes through, he will also have to spend thousands on research and development to identify substitute products for government projects already using Hikvision cameras. He says he has already spent between $20,000 and $30,000 “looking at the what-ifs.”
“Somebody still needs to show me that there’s any real meat and potatoes behind any accusations that have been made towards Hikvision,” he said.
Most of the specific warnings about Hikvision revolve around a Homeland Security alert issued in May of last year, which revealed vulnerabilities allowing would-be hackers to remotely exploit some cameras easily.
Hikvision, like other companies dealing with vulnerabilities in their products, issued an update for affected users.
“With regards to this particular flaw, we did work with the research community. We discovered the vulnerability. We worked with the company. And they put out a software update that mitigated the impacts of this particular exploitation,” Richard Driggers, a top cybersecurity official at Homeland Security, said in a House Small Business Committee hearing in January. Driggers said the effort followed “standard practice.”
Hikvision also patched a second vulnerability, this one affecting its cloud platform, discovered by a security researcher this April.
“The question I’m sure people are asking is, are these accidental or are they purposeful back doors?” Eric Chien, a researcher at software firm Symantec, told The Hill. But Chien said the security vulnerabilities alone could “make users hesitant of using these products,” independent of espionage concerns.
The General Services Administration (GSA) removed Hikvision’s products from a list of those automatically approved for sale under certain federal contracts last November. While Hikvision never held a GSA contract, its products were sold to the federal government by third-party sellers. A spokesman said the decision was made because the products were not compliant with the Trade Agreements Act, under which China is not a “designated country” where approved products must be manufactured.
The amendment, from Rep. Vicky Hartzler (R-Mo.), whose district is home to Fort Leonard Wood, would go much further. It would prohibit federal agencies buying Hikvision cameras or contracting with “an entity that uses any equipment, system, or service that uses” Hikvision products or services as a “substantial or essential” component of its operations. Federal contractors would have five years to phase out their use of Hikvision-made cameras.
“I am deeply concerned that video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities due to potential … built-in back doors creating a video surveillance network for China, purchased by the taxpayer and installed courtesy of the U.S. government,” Hartzler said at a House Armed Services Committee hearing last month.
Nickelson notes that the cameras are often used as part of closed-circuit security systems, meaning that they aren’t connected to the internet.
“By the time someone would get to one of our camera systems, the customer has a far bigger problem, because they’ve already gotten past all of their firewalls,” he said.
Officials have stepped up warnings that Beijing is looking to steal sensitive U.S.-made technologies, including through hacking, to gain an edge over the United States.
Beijing appears to be particularly interested in sensitive military technologies. In June, The Washington Post reported that Chinese government hackers accessed a Navy contractor’s computer and stole details on a secret submarine missile program.
The escalating worries about China have been highlighted by ZTE, a Chinese phone manufacturer that experts have long considered a potential security threat.
Earlier this year, senior intelligence officials testified that they would not recommend American citizens use products made by ZTE or Huawei, another Chinese telecom company. The Pentagon in May ordered military bases to stop selling ZTE and Huawei devices over security concerns.
The House-passed version of the National Defense Authorization Act would also bar the federal government and federal contract recipients from using ZTE or Huawei devices; Hartzler’s amendment would expand the ban to include Hikvision and Dahua Technology, another Chinese video surveillance company, as well as Chinese radio manufacturer Hytera.
National security experts say that lawmakers are simply trying to eliminate the risk that devices could be used for spying, even if there is not yet hard evidence of espionage.
“I think the idea was, let’s catch them all and not worry about the fact that this is unfair to a Chinese company,” said Lewis. “Is every federal contractor doing sensitive work? No, but it’s easier just to say don’t use Hikvision.”
But it’s difficult for Hikvision to prove that it is not acting as a Trojan horse for the Chinese government.
In March, Hikvision opened a transparency center in California so U.S. agencies could review the source code for their products.
So far, Hikvision says, no one has made an appointment.