Published on May 12, 2019 by Matt Garnham in Helpful Article Blog Posts
Does the NDAA 2019 Affect Orange Security?
No – Orange Security is not affected by the National Defense and Authorization Act of 2019. We do not work with any of the companies either directly or otherwise.
[7/22/19: My team is asked this question on an increasingly frequent basis as the date of the ban approaches. I have moved this section to the top of the post.]
What is the National Defense and Authorization Act of 2019?
In short, the National Defense and Authorization Act of 2019 (NDAA 2019) tells government agencies what they can spend money on for many different cost centers. There are numerous sections that cover all manner of different things that these government agencies are allowed to purchase and use. This blog post is going to concentrate on “the covered telecommunications or video surveillance equipment or services” and specifically the “video surveillance equipment” part as is relevant to our industry here at Orange Security.
If you are interested in some light, bedtime reading (!!) you can view the full act on the Congress website here.
What Relevance Does it Have to Security Camera Systems?
In summary, along with many other things the NDAA 2019 restricts what “telecommunications or video surveillance equipment or services” can be used by government agencies in the United States of America.
Who Does it Apply To?
The NDAA 2019 effectively bans United States government agencies from purchasing or using video surveillance products from certain manufacturers (specifically Hikvision and Dahua).
What Manufacturers are Affected?
There are 5 main manufacturers (and their subsidiaries/affiliates) specifically excluded in the NDAA 2019 under the category of “telecommunications or video surveillance equipment”. The first 2 on the list are the most common suppliers of security cameras:
- Hangzhou Hikvision Digital Technology Company (Hikvision)
- Dahua Technology Company (Dahua)
- Huawei Technologies Company (Huawei)
- Hytera Communications Corporation (Hytera)
- ZTE Corporation (ZTE)
The act also specifically excludes any subsidiary, successor entity or affiliate.
This is a very good question! Over the last months, the U.S. has grown more and more suspicious of cybersecurity threats posed by the Chinese government.
“We must face the reality that the Chinese-government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors,” Hartzler said in a statement. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies.”
In the past years, there have been a number of high profile security breaches and the companies involved have been identified as the source. Not only that, but one of the companies promised they had fixed the issue with one version of their firmware – the fix just relocated the vulnerability to a different part of the code hoping it would go undetected.
The US government clearly feels these huge companies (some of which are known to be owned by the Chinese government) cannot be trusted and the risk of further security breaches is too great. This applies not only to rogue individuals or groups but also the entire Chinese government!
When Does it Come into Effect?
The bill ‘H.R.5515 – John S. McCain National Defense Authorization Act for the Fiscal Year 2019’ was approved and became law on August 13th, 2018.
The ban on these products being purchased or used by government agencies starts from August 13th, 2019 onwards.
I’m not a Government Agency. Should I be Concerned?
Clearly, if you are not a government agency, the NDAA 2019 doesn’t ban you from purchasing surveillance products from either of these two companies. That doesn’t mean you shouldn’t be concerned. In this connected age of information and technology, all businesses (and private individuals alike) should be concerned about the security of their data and cyber security in general.
Who are Hikvision and Dahua?
Hikvision is the largest Chinese manufacturer of video surveillance products based in Hangzhou, China. Ultimately, the Chinese government own approximately 42% of the business giving them extremely strong influence over the company and their actions.
Dahua is a large Chinese manufacturer of video surveillance products also based in Hangzhou, China. It is not believed that the Chinese government own any controlling portion of the business, however Dahua products have been involved in a number of high profile security breaches over the last few years. Dahua have been known to “fix” vulnerabilities in its code with firmware updates and patches… however these same firmware updates remove the vulnerability from one location and relocate it to an altogether different part of the code. Some researchers have classified this as deliberate deception.
Both of these companies have supplied (either directly or indirectly) not only government agencies, but also schools, places of worship and other public places.
What is an OEM?
OEM stands for ‘Original Equipment Manufacturer’. It’s a misleading term that is used in several ways. For the purposes of this discussion OEM is used to describe a company that has a relationship with a manufacturer and the OEM resells this other company’s product but using their own name and with their own marketing and branding. White labelling is another name for the same process.
Is being an OEM bad?
No! Re-branding a manufacturer’s product as your own is not necessarily a bad thing, as long as you are selecting the right product to put your brand name on. Many huge household names sell products manufactured by a third-party company. For example, Apple sells their iPhone that is manufactured by a company called Foxconn.
Is Orange Security an OEM?
Some products that we sell here are rebranded as Orange Security. Others are built specifically for us customized to our own design. We are especially careful about who we partner with and the product selection – we undergo many tests before selecting a product to stock including security and vulnerability testing.
Some OEMs Affected By NDAA 2019
Some (but not all!) Hikvision OEMs
| Dunlop | DVR Unlimited | Elisa Live | Epcom | Ezviz | Global Network Security | GovComm Intelligent Transportation Systems |
| Grundig | GVS Security | HES Supply | Hills | Hinovision | Hitosino | Honeywell |
| Hunt CCTV | Infinite Pixels | Inkovideo | Innekt | Interlogix (UTC) | Invidtech | JFL |
| Jlinks | KT&C | LaView | LTS | Matrix Security Solutions | MicroView | Negaco |
| Nelly’s Security | Norelco SafeCam | Northern (Tri-Ed) | Novicam | Oco | Oculur | Onix |
| Panasonic | People Fu | Pnet | Power Technology | Raster | Raster Blue Line | Safety Vision |
| Safire | Scati | Security Camera Warehouse | SecurityTronix | Sentry CCTV | Siqura | SnapAV |
| Vezco CCTV | W Box | Winic | Wirepath | Xyclop | Zicom |
The above list is not exhaustive and has been assembled as a result of our research into Hikvision OEMs.
Some (but not all!) Dahua OEMs
| Ascendent | BCS | Bosch | Bticino | Cantek | CCTV Security Pros | CCTV Star |
| CP Plus | DH Vision | Dotix | DVR Unlimited | eLine | ENS | Expose Security |
| Eyenor | FLIR | GSS | Honeywell | HQVision | IC Realtime | Impath Networks |
| Lorex (by FLIR) | Lumixen | Maxron | Montavue | Norden | OCO | Panasonic |
| Saxco | Security Camera King | SecurityTronix | Sentry360 | SpaceTechnology | Speco | Techpro |
The above list is not exhaustive and has been assembled as a result of our research into Dahua OEMs.
If you are a government agency or another organization that may be concerned about this vulnerability and whether it affects you, we offer security consulting services. Get in touch and find out how we can help you. We are also able to help private individuals if you have concerns.
about the author: Matt Garnham
Security Camera expert for many years. He is the founder and owner of Orange Security. Started life in the security industry in the UK. Relocated to Southern Florida and Orange Security was formed.