US President Joe Biden has signed the Secure Equipment Act which will have a major impact on the security and telecommunications industries. Under it, the US Federal Communications Commission (FCC) will no longer consider applications for licenses submitted by companies marked as "security threats". This primarily applies to Chinese producers.
US President Joe Biden has signed the Secure Equipment Act which will have a major impact on the security and telecommunications industries. Under it, the US Federal Communications Commission (FCC) will no longer consider applications for licenses submitted by companies marked as "security threats". This primarily applies to Chinese producers.
The consequences will be certainly game-changing, both in the telecommunications and security industries, and the reason for it is rather simple. The blacklist of companies includes five Chinese technology giants, with at least two major security players: Hikvision Digital Technology and Dahua Technology, alongside Huawei, ZTE, and Hytera Communications. Yes, Hikvision and Dahua are no longer welcome in government-funded projects in the States. This, along with a ban on Huawei which gets more media spotlight is a first-rate technological turnaround that could have global implications.
How was the act passed?
The Secure Equipment Act was passed almost unanimously by the US Senate in October 2021. The House of Representatives supported it with 420 votes in favor and only four against as an indicator of unity in the views of the two largest American political groups (Democrats and Republicans) at least when it comes to the status of Chinese technology companies. In March 2021, the FCC announced that five Chinese companies that supposedly pose a threat to US national security had been singled out. It was explained that this was in line with the 2019 National Defense Authorization Act with an important segment involving the protection of the telecommunications network in the States. However, at that time there was no legal obligation to reject the applications of these companies for the inclusion of their technologies in the operation of telecommunications networks. The situation is somewhat different today, because by declaring the equipment of Chinese companies "suspicious" in terms of their security, it will no longer be possible for them to be used in the network systems in the United States.
“The Secure Equipment Act is now the law of the land and will ensure that insecure equipment from Huawei, ZTE, and other untrustworthy entities can no longer be inserted into our communications networks. This gear poses an unacceptable risk to our national security”, said Federal Communications Commission Commissioner Brendan Carr. And that's not all – the FCC is already looking for ways to revoke previously approved licenses for Chinese companies. As expected, official reactions from China came soon afterward, saying that the United States was accusing Chinese companies without evidence in order to prevent their expansion.
Will Hikvision and Dahua be able to do business in the US?
Despite global difficulties and disruptions in the supply chain caused by the pandemic crisis, Chinese manufacturers are, in fact, weathering the ongoing global economic storm. After a slow recovery during the first coronavirus wave in the first quarter of 2020, the banned Chinese companies have actually achieved good results and even growth in the last 18 months. Their margins were slightly lower in 2021 than the maximum reached in late 2020, but the only unknown in the future forecast of their growth is the potential impact of Biden’s Secure Equipment Act. What are its possible implications? To begin with, these regulations would not only have a huge impact on the operations of Chinese security companies in the U.S. but could also significantly impact suppliers who use the OEM products of these companies.
In October, US retail giants Home Depot and Best Buy withdrew video surveillance systems from Chinese manufacturers Lorex and Ezviz. Lorex is a subsidiary of Dahua Technology, while Ezviz is a brand of video surveillance cameras owned by Hikvision. Following this act, Lorex removed the logos of five U.S. retail partners from its website. Representatives of the Home Depot platform stated that they immediately stopped selling Lorex products as soon as this issue was brought to their attention. Although the new regulations do not lay down the dynamics according to which the disputed technology should be removed, organizations using banned technologies are likely to be granted a transition period to remove the equipment and start using only video surveillance devices and technology compliant with the National Defense Authorization Act (NDAA) and FCC’s decisions.
Numerous challenges for end-users
The enactment of the NDAA alone represented a major event in the U.S. security sector as the American vendors had to quickly reorient themselves and start looking for replacement components to ensure compliance with applicable regulations. System integrators, planners, and end-users have faced the challenge of having to find compatible cameras that do not use banned components. In addition to the existing factors of price, quality, deadlines, and industry standards, suppliers and system integrators in the US must now address an additional source of concern - compliance of their products with new regulations on the so-called secure equipment.
The situation in the US security market is further aggravated by the ubiquity of Chinese components in video surveillance equipment. This could force many organizations and schools to immediately start planning to replace their existing camera systems and related security equipment. This also means that manufacturers now have to procure new chipsets and other legally compliant components, while integrators and end-users will have to modify their existing camera systems and the entire supply chain they rely on.
According to the American media, many companies are already forced to look for new suppliers, which requires additional efforts to strike a balance between physical availability and regulatory compatibility of security systems. An additional problem is the need to organize the training of entire teams in order to ensure proper configuration of the systems and their installation. For system integrators who already have to balance the price and quality of the products they use, this will be a new and, for some, insurmountable challenge in maintaining their competitiveness in the U.S. market.
Early implementation marked by scandals
Shortly after the signing of the Secure Equipment Act, a curious security scandal erupted in the States, showing that its implementation on the ground will not go smoothly, at least initially. At least three American federal agencies, including the military, procured video surveillance equipment from Chinese manufacturers which the federal government had blacklisted earlier.
According to the TechCrunch portal, various agencies spent thousands of dollars on the purchase of video surveillance equipment manufactured by Lorex, a subsidiary of the Chinese company Dahua Technology. Dahua was previously added to the list of companies covered by economic sanctions against China. According to the US authorities, Dahua was supposedly linked with activities aimed at helping the Chinese government exert pressure on the Uighur ethnic minority in Xinjiang. However, after the ban took effect, evidence emerged that the federal agencies had procured Lorex equipment through their contractors. According to available information, the Drug Enforcement Administration (DEA) purchased nine Lorex hard drives for surveillance systems in May 2021. Drug Enforcement Agency (DEA) spokeswoman Katherine Pfaff said that the purchase was made through the state procurement portal operated by the General Services Administration – GSA Advantage. For now, there is no information on whether Lorex equipment has been withdrawn from use.
The GSA did not state why the banned security products were made available for purchase after the ban took effect. It has just been said that the process of improving the system has started, including the launching of a new portal with verified commercial products in line with the 2019 bans.
The Defense Finance and Accounting Service (DFAS), which operates as an agency within the U.S. Department of Defense, also purchased Lorex video surveillance cameras through its New York vendor in July 2021. The same thing was done by the U.S. military which procured video surveillance systems and recording equipment between 2019 and 2021.
What now?
What will be the consequence of the newly passed regulations? First, it is highly likely that the contractors that supply banned equipment to state institutions will lose their contracts. On the other hand, representatives of the security industry argue that contractors and subcontractors working with the state were given too little time to allow the full implementation of the current ban on the use of Chinese technology before the law actually came into force. The Information Technology Council published a statement in which they claim that due to the extended time required to introduce rules for such far-reaching requirements, contractors may not be able to consistently meet all the objectives of the enacted law. On the other hand, Lorex, which found itself in the media spotlight, states that its products are intended exclusively for consumer and business use, and neither for the federal government agencies nor for the projects funded by the state. The same applies to contractors who are covered by the regulations of the National Defense Authorization Act. They add that they guarantee that they do not and will not sell their equipment to any person or organization covered by the current bans.
The Future
Regardless of the scandals, the current events are an excellent illustration of the complexity of implementing these bans in the field, especially if we know that they represent a precedent of sorts in the security industry. An additional burden around the neck of American integrators, distributors, manufacturers, and, finally, end-users is the fact that companies whose products are covered by the new regulations are among the strongest security and technology players in the world. The time ahead will show if this will lead to major disruptions in the security market, although it can already be said that, regardless of the outcomes, the industry will remain permanently changed by these events.
Dahua operates in accordance with applicable regulations
In response to the recently passed Secure Equipment Act, Dahua Technology called on all parties to check its credibility when it comes to its commitment to cyber security. Its statement reads as follows:
“As we have stated publicly and consistently, Dahua Technology does not and never has represented any type of threat to the U.S. We respect the right of the U.S. government to regulate the market as it sees fit. However, we are a publicly traded corporation that exists to serve our fiduciary duty to our shareholders, and our corporate responsibility to our customers, employees, and other stakeholders. We are neither owned nor controlled by any government. Our company does not and has not acted in ways that are contrary to the foreign policy interests of any countries in which we operate. We keep practicing what we preach that enables a safer society and more intelligent life and conduct our business operations being compliant with all applicable laws and rules.
We understand that in today’s security industry, cybersecurity is the biggest challenge. We have provided remedies to correct those issues with our customers. Dahua takes cybersecurity very seriously by implementing a 7-module cybersecurity baseline into our product design. We have created Dahua Cybersecurity Center (DHCC) to solve cybersecurity issues and aims to provide more robust and secure products/solutions for customers. At the same time, we have established a Cyber Security Institute to ensure the security technology research, product security R&D and delivery, and the establishment of a security emergency response team and procedures.
Dahua Technology also attaches great importance to personal data and privacy protection. Complying with applicable laws and regulations, such as GDPR, EDPB’s guidelines, and ETSI EN 303645’s Cyber Security for Consumer Internet of Things, Dahua Technology has received Protected Privacy IoT Product Certification and ETSI Certification from TÜV Rheinland, as well as ISO 27018 and ISO 27701 Certification from the BSI, which help in demonstrating its capability in managing personal information and compliance with privacy regulations around the world”.
Hikvision opts for a legal fight
Hikvision has decided to fight the latest moves by the US government in a legal arena. The company has filed a complaint to the US Federal Communications Commission stating that the Commission does not have the legal authority to exclude Hikvision technology from the equipment approval process. The reason for this is the fact that Hikvision does not offer network equipment for broadband internet. At the same time, the Secure Equipment Act itself did not expand the list of types of equipment that are prohibited under the Secure and Trusted Communications Networks Act of 2019. As the focus of the new regulations is exclusively put on communication networks, and not on peripheral devices such as those offered by Hikvision, the Chinese company states that its video surveillance cameras and network video recorders are not connected with the function of providing broadband Internet access service. Since Hikvision's technology does not constitute "communication equipment or service," it was requested for it to be removed from the blacklist.
At the same time, the company hired American FTI Consulting to do a quality assessment of cyber security technology used for cameras and network video recorders of this manufacturer. The results of the assessment showed that these devices did not pose a risk to the end-user in any environment and application. FTI Consulting has established that the communication between the devices and Hikvision's servers takes place in accordance with the normal mode of operation. In addition, testing and analysis did not reveal any standard forms of the Common Vulnerabilities and Exposures (CVE) with any device, and the same goes for the possibility of an unauthorized party to get access to the video signal.
Final conclusions
- The situation in the US security market is further aggravated by the ubiquity of Chinese components in video surveillance equipment. This means that manufacturers now have to procure new chipsets and other legally compliant components, while integrators and end-users will have to modify their existing camera systems and the entire supply chain they rely on.
- Despite global difficulties and disruptions in the supply chain caused by the pandemic crisis, Chinese manufacturers are, in fact, weathering the ongoing global economic storm.
Originally published on the a&s Adria website