In recent years, certain Chinese video surveillance and telecommunications equipment manufacturers have come under scrutiny because of the potential security risks they pose to U.S. security. These manufacturers include familiar industry names, and their subsidiaries and affiliates. The U.S. Government has taken actions restricting the purchase of this equipment by Federal agencies and grant recipients, as well as prohibiting the marketing and sale of these products to certain markets. These actions include section 889 of the National Defense Authorization Act (NDAA) and the Secure Equipment Act of 2021 (SEA), the requirements of which were recently implemented by the Federal Communications Commission (FCC).
What are the NDAA and the SEA?
The NDAA is legislation that Congress passes annually to set out priorities for national defense policy and funding. Section 889 of the NDAA generally prohibits the use of federal funds (including grant funds) to buy certain telecommunications equipment or services from Huawei, ZTE, or Hytera Communications Corporation, or video surveillance equipment or services from Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
The SEA directed the FCC to adopt rules that clarify that it would no longer review or approve any application for equipment authorization for equipment that is on the FCC’s list of telecommunications and video surveillance equipment deemed a threat to national security. The FCC implemented this mandate by adopting rules that prohibit the marketing and sale of broadband capable telecommunications and video surveillance equipment manufactured by these companies and their affiliates and subsidiaries to certain markets, e.g., government facilities, critical infrastructure. These rules became effective on February 6th, 2023.
Why were these laws passed?
Both Section 889 and the SEA reflect growing concerns by the federal government about the security threat posed by equipment provided by certain Chinese manufacturers. As video cameras and telecommunications hardware have become increasingly smarter and better connected, related cybersecurity risks have grown in likelihood and threat level.
A camera or broadband-enabled radio might not seem like the most likely candidate for a cybersecurity breach. But networked devices or any devices in the Internet of Things (IoT) can be used as a “back door” by hackers to enter larger networks or obtain user data. These risks are heightened by the fact that Chinese manufacturers tend to make these devices available at low price points and most tend not to be as rigorously secured as laptops or servers.
What’s more, many newer models contain System on a Chip (SoC) technology. This gives a great deal of computing power to devices like cameras but also makes them a much more likely risk vector for hackers.
These threats could be catastrophic for any business, but the stakes are even higher when these devices are used by the federal government or in the public safety environment. If devices were hacked, the possibility of eavesdropping on classified conversations, accessing confidential information, or disrupting essential services could have enormous repercussions, both nationally and globally.
This legislation will push many security companies and service providers who work with the U.S. government to carry out thorough due diligence of all their equipment, services and relationships to ensure they are compliant.
What do Section 889 and SEA mean for businesses?
Section 889 requires that security companies and service providers working with federal agencies or receiving federal grants carry out sufficient due diligence of their equipment, services and supply chain relationships to ensure they are compliant. The SEA and the FCC’s implementing rules have broader impacts. By restricting the marketing and sale of certain Chinese manufactured equipment to certain markets, security manufacturers using such equipment may find their products compromised or investments stranded.
While it seems as though these rulings apply solely to physical security systems, these decisions will have further-reaching implications for any business with government contracts. Since government contracts are often large opportunities for many businesses, they cannot be too careful in their choice of security equipment or their security service provider.
If you are concerned your business will be affected by the NDAA or the SEA, the first, and most important step to take is to check who manufactures your equipment. If you outsource your physical security to a third party, ask them about the steps they are taking to ensure compliance. Finally, research NDAA-compliant manufacturers and products — such as those produced by Pelco — for a viable and secure alternative.