Since its establishment in 2001, video surveillance manufacturer Hikvision has grown rapidly to have the largest global market share for its segment. However, the company’s space in the industry spotlight has not come without challenges, including being vulnerable to the Mirai malware attack in March 2017 and skepticism from end users and other vendors about the Chinese video surveillance company.
Security magazine recently set some of these questions to Hikvision USA’s President, Jeffrey He (pictured above), who responded to some recent allegations and end users’ concerns.
SECURITY: Enterprise security leaders are justifiably concerned about the cybersecurity of their physical security systems. There have been challenges about cybersecurity on Hikvision and other surveillance products in the past. What has Hikvision done to mitigate this risk, and what should end users be aware of?
JEFFREY HE: Obviously, Hikvision faces cybersecurity-related challenges. We believe it is important to understand that cybersecurity incidents or vulnerabilities could affect our products. Most important, however, is how we resolve these matters, and how we inform and work with our partners on cybersecurity best practices. As a company, we work diligently to address cybersecurity issues, and we are investing significant resources to reduce risks. Our challenge here at Hikvision is the same as other video surveillance providers. But, as the No. 1 video surveillance provider in the world, we believe it is incumbent on us to be vigilant in terms of cybersecurity defense. It’s a formidable challenge, but everyone here at Hikvision is on board.
We all need to remember that no Internet-connected product is 100-percent secure from vulnerabilities or a cybersecurity breach. The manufacturer's role is to find and patch vulnerabilities, and alert customers. Today, we are working with several third-party cybersecurity experts including Cisco, Microsoft, EY, ISO, Rapid 7 and ICSA. In addition, we have actively encouraged unbiased independent cybersecurity professionals to work with us to identify and resolve potential vulnerabilities And, we all need to remember the basics, like updating firmware regularly, and ensuring that our business processes support cybersecurity best practices.
There is some misperception that exists about Hikvision. Of course, as the global video surveillance leader, we expect scrutiny and occasional criticism. Unfortunately, there is a single source of bashing and bullying in the security industry that spreads mendacious allegations about one major company at a time. Many companies and individuals have been attacked in the past; in recent years, it just seems to be Hikvision's turn to be on the receiving end. The source's goal is sensationalism. The tactic is to present an isolated fact or accusation in a reasonable manner, and then to tack on anonymous comments that extrapolate wild, far-fetched conclusions and conspiracy theories. It is unfortunate that some people choose to mislead our community on the real risks we are all facing, such as terrorist and criminal activities. Hikvision is committed to fighting the real threats and protecting the communities and people.
I will give you an example of what Hikvision really does to address cybersecurity concerns. Last March a security researcher found a vulnerability and reported it to us. I’m happy to tell you that within a week, we released updated firmware, and notified all of our customers via special bulletin and the public via notices on our website. We follow the responsible disclosure process and are committed to transparent communication with our partners.
SECURITY: From a broader perspective, what should CSOs and security end users be doing or requesting from their integrator and vendor partners to strengthen their security system’s cybersecurity?
JEFFREY HE: Partner is the key word in your question. At Hikvision, we're committed to working as a team with all of our partners. And, effective cybersecurity defense necessitates a team approach. I think it's a good idea for end users to ask vendor partners directly about their philosophy and approach to cybersecurity. We are always happy to answer questions and to discuss our cybersecurity program.
Among the many cybersecurity resources we offer is the Hikvision Security Center. At the Security Center end users can find detailed information about the Hikvision Network and Information Security Lab, third-party and internal testing, and third-party certifications.
To step up our cybersecurity efforts, we recently hired Chuck Davis for the newly created position of director of cybersecurity for North America. Chuck has 20 years’ experience building world-class cybersecurity programs for large enterprise organizations. He came to us from IBM, where he was an executive security architect. He holds seven U.S. Patents and numerous certifications, including the CISSP-ISSAP. Chuck will be another important direct resource for our end user customers. Chuck Davis’s task is to establish a strong cybersecurity team in North America. One of his team’s goals will be to work closer with security researchers to improve our cybersecurity defense and to ultimately deliver an even more secure set of products to our partners.
We also just announced a cybersecurity road show in key Canadian cities in December of 2017; a U.S. road show is planned for 2018. We expect many end users to participate in the road show, and all security professionals are cordially invited to attend.
Another resource is Hikvision's Learning and Development department, which offers a variety of learning tools and certifications, and we will offer more cybersecurity-focused education in the future. We also participate in industry events such as your Security 500 event, and we are actively engaged in industry-wide cybersecurity groups.
SECURITY: Some end users may be especially alarmed about Hikvision’s removal from the GSA listing. Could you explain what this means to Hikvision, and what is being done to address this?
JEFFREY HE: Thank you for the opportunity to clear up any misunderstandings about this incident. Hikvision is proud to be a Chinese company and our products are clearly marked “Made in China.” Currently, our products are not authorized for GSA listings. Any allegation about Hikvision’s unethical behavior here is ridiculously false, as we never authorized any resellers to put the products on the GSA Schedule website nor claimed that Hikvision products are made in the U.S. We do not condone any of this activity.
Here's the background: As you may know, in general, in order to be listed on the GSA Schedule, products must be made in the U.S. In December 2016, two unaffiliated distributors erroneously listed our product SKUs on a GSA website. Hikvision was not involved in any way. As we previously stated, Hikvision does not support any of these activities, and we immediately requested that the resellers remove the Hikvision product SKUs from the GSA website.
SECURITY: One vendor is refusing to work with Hikvision. Could you explain the situation from your perspective, and what are your recommendations to end users regarding this?
JEFFREY HE: The vendor you mention is a VMS provider based in Canada. For several years Hikvision and that provider have been engaged in strong partnership activities in the field on numerous projects in North America and other regions around the world, based on specific customer requirements. It's important to understand that the aforementioned VMS provider is also a competitor to Hikvision in some global markets. In late 2016, that company decided to require a special license/waiver and extra fees to support Hikvision cameras. This has proved to be an unfortunate decision for them and their integration partners. In the past year, it appears that many integrators, dealers and end users became aware that this decision was financially and politically motivated and designed to negatively influence perceptions about Hikvision and its approach to cybersecurity.
Fortunately for end users and integrators, Hikvision is involved with many of the leading VMS providers. End users have many choices in terms of VMS solutions that work with Hikvision products, depending on their requirements. One of the things I've heard from our integrator partners is how much they value Hikvision's extensive technical support team. We have knowledgeable, experienced sales, engineering and technical support experts based in markets across Canada and the U.S. These folks are dedicated to working together with integrators and their end user customers to help assess options and find the ideal total solution for each customer's unique needs.