On August 13, 2018, the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 was signed into law. Broadly speaking, the NDAA is an annual bill that specifies the budget and expenditures for the Department of Defense and tends to pass without garnering much public attention. However, this particular version contained an interesting wrinkle: Section 889 of the 2019 NDAA prohibited federal agencies, their contractors, and grant or loan recipients from procuring or using “telecommunications and video surveillance services or equipment” from several specific Chinese companies.
Section 889 came as a surprise to many — especially those in the security industry. The companies named in Section 889 were Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company and their subsidiaries and affiliates, all of which have significant partnerships and relationships in the U.S. The companies also have close ties to the Chinese government. Accordingly, U.S. federal agencies have found that these companies and their affiliates are beholden to, and therefore subject to exploitation, influence, and control by, the Chinese government, making those relationships extremely risky. The sudden need to divest from these companies has posed an interesting challenge for American organizations. Remaining compliant with the NDAA is essential for any enterprise planning to do business with the U.S. government, and failure to do so can have serious consequences.
Understanding the NDAA
It goes without saying that the U.S. and China are rivals on the global stage, but there has always been significant trade between the two countries. Why, then, does Section 889 impose such harsh sanctions against specific Chinese companies? It is worth noting that the measure does not forbid American companies from doing business with the Chinese companies named in Section 889. It simply states that any American telecom or security company that does choose to continue doing business with those companies will no longer be able to do business with the U.S. government. Of course, given how lucrative government contracts tend to be, few companies will want to risk their business relationships with the U.S. government and its grant recipients — meaning that Section 889 has effectively drawn a line in the sand.
Those are the broad strokes, but it’s worth breaking down Section 889 in more specific terms. Telecom and security companies that wish to work with the U.S. government are not only prohibited from working with the companies named in Section 889, they’re also not permitted to use any components manufactured by those companies, nor can they partner with contractors or vendors that use those components. This means that any company that wants to receive a grant or a loan from the government must be similarly insulated from those Chinese companies. Finally, any organization that serves as a vendor, supplier, integrator, or other partner to the government and knowingly uses telecommunications or video surveillance components from any of the companies named in Section 889 will be banned from working with the government in the future.
What Are the Risks?
Why target these companies specifically? Companies like Huawei and Hikvision produce — among other things — computer chips and video surveillance products. Huawei is particularly noteworthy in this area, as the company is also one of the largest global manufacturers of 5G equipment — including HiSilicon chips, or “system on chip” (SOC). Because Huawei is one of just two companies involved in the development of 5G infrastructure, it has played an essential role in the global 5G rollout, which means that Huawei products are present in a wide range of devices. This poses several issues from a national security standpoint.
The first issue is that there are known backdoors in many of the products produced by Huawei and other Chinese companies, which could allow cybercriminals or other abusers of access devices and, by extension, any network they are connected to. The idea of the Chinese government having the ability to use a backdoor to access any device connected to a physical network is obviously not appealing to American agencies. Recent incidents have also highlighted the danger of compromised surveillance tools. Network cameras are used to increase security, but if an attacker can access the network through a backdoor, they might be able to listen in on classified conversations, track high values assets or even take the entire network down. Federal agencies like the Department of Defense, the CIA, and others have cameras placed throughout their facilities, and China is hardly the only state actor that would love the opportunity to gain access to those cameras. For the U.S. government, these are major, top-level concerns.
There is also the fact that the U.S. government wants to head off a potential danger at the pass. The world is more connected than ever, and — for better or worse — there are U.S. industries that have become heavily reliant on Chinese technology. The government would like to prevent the telecommunications and video surveillance industries from becoming similarly dependent, particularly when that dependence comes with such serious security concerns. Refusing to do business with companies that put themselves — and the public — at risk by using potentially compromised vendors is viewed as an effective way for the government to mitigate the potential danger.
Why Section 889 Is So Broad
Way back in 2013, a major retailer suffered a high-profile cyberattack that resulted in a large amount of customer data and financial information being stolen. Attacks like this are not uncommon today, but what made this incident particularly noteworthy was how the attackers got into the system. Instead of targeting the company’s network directly, they broke in via the HVAC system. This wasn’t the first time a company was compromised via a third party, but it did serve as a wake-up call for many organizations who may not have realized that a poorly secured vendor can put their own networks at risk as well.
This helps to illustrate why Section 889 paints with such a broad brush. A narrow scope wouldn’t do much good — after all, what’s the point of banning Huawei chips in government phones or laptops when the very same chip might wind up in a 5G tower outside the Pentagon? Why ban chips in surveillance cameras when a backdoor in the Video Management System (VMS) could leave them just as vulnerable? Some industries affected by Section 889 are surprising — such as the retail industry. Many retailers use Hikvision cameras to secure their physical locations, but if they want to work with — or receive funding from — the U.S. government, they need to make a change. With suspect components present in such a wide range of industries, a blanket approach was necessary. Any components from those Chinese companies under suspicion are banned, and any organizations known to do business with them are also banned.
The Challenges of NDAA Compliance
While it is easy to understand why the government wanted to keep Section 889 broad, it makes it more difficult for manufacturers, resellers, integrators, and other government vendors to understand how best to maintain compliance with the new regulations. Of course, the core of the legislation is to simply not buy devices manufactured by the listed Chinese companies or their subsidiaries and affiliates. But it isn’t as easy as that. Companies like Huawei manufacture laptop computers and smartphones, but they also manufacture individual components that might be used in any number of non-Huawei devices. By the letter of Section 889, using a device with a chip made by any of the named companies would result in serious penalties.
This isn’t just a theoretical issue. In the runup to the NDAA’s passing, the government discovered that technology from the listed Chinese companies was present in a wide range of sensitive locations, including military bases, government buildings, embassies, and more. While those locations did not use devices sold by the companies in question, looking under the hood of certain cameras or sensors revealed components manufactured by them. In fact, something as easy as checking the MAC address of a piece of equipment would reveal that the device itself came from China, regardless of the brand label. This is to say that it isn’t always easy to tell whether a device is compliant with Section 889 at a glance — it can take some forensics. It might be a hassle, but it’s necessary. The government does not want to be put in a compromising position by a vendor that failed to conduct proper due diligence.
Taking Steps toward Compliance
There isn’t a one-size-fits-all approach to NDAA compliance. A wide range of companies, advisory bodies and educational resources have published NDAA compliance guides, many of which can provide helpful insights into the new requirements and how to adhere to them. Others can help users identify the equipment they have installed and whether it is potentially in violation of Section 889. But ultimately, network security professionals will need to take a deep dive into the equipment used by the respective organizations. It’s impossible to overstate the scale of the problem: any component in any telecommunications of video surveillance equipment that comes from one of the restricted companies can result in a permanent ban from doing business with the government. With that in mind, organizations should be as thorough as possible when it comes to vetting the equipment they use.
Businesses can start by making a list of the hardware and software they use for telecommunications and security purposes. Any device that comes from one of the companies named in Section 889 should be immediately tagged and marked for replacement. Further, it is strongly recommended that they contact everyone relevant in the solution supply chain, including manufacturers, integrators, and anyone else who has the knowledge needed to confirm that no components in the remaining devices were manufactured by the banned companies. Some organizations may even want to disassemble the devices themselves, run manual MAC address checks, or conduct other hands-on forensics. Those with the know-how to do so should do everything possible to ensure that their equipment adheres to the NDAA restrictions.
Of course, confirming that equipment in use is compliant with Section 889 is only half the battle. The provision has been part of the NDAA since 2019, which means most organizations should have already taken steps to ensure that they are in compliance. But it is also important for businesses to ensure that any new equipment they purchase does not contain components from any of the banned companies. Most manufacturers and integrators should be well acquainted with NDAA guidelines by now, which should make it relatively easy to determine whether devices are compliant. Still, due diligence is important. When the cost of failure is being blacklisted by the government, it is impossible to be too thorough.
Choose Your Partners Carefully
The NDAA’s sweeping ban on components from specific Chinese companies has changed the face of the telecommunications and video surveillance markets. And the NDAA is no longer alone in its targeting of these companies: the FCC recently declined to authorize Hikvision and Dahua products for import, effectively preventing them from being sold in the United States. Organizations looking to purchase communications and security equipment now need to be much more mindful of where they come from, or they risk potentially locking themselves out of lucrative government opportunities.
Careful vetting of vendors is more important than ever, and businesses should ensure that they are working with integrators and manufacturers capable of demonstrating strict adherence to NDAA regulations. The security concerns associated with the five Chinese companies listed in the legislation are real, and the NDAA and FCC measures underscore the fact that the government takes them very seriously. Today’s businesses must do the same.