Identifying Banned Chinese Electronics on DoD Networks
Last year, Congress directed the U.S. government to remove all Chinese-made surveillance cameras from its networks and security systems. Congress and many experts believed that these devices or their components had so-called back doors that allowed the companies that made them, and hence the Chinese government, to collect the imagery. The deadline for removing these cameras was August 13. Now that the deadline has passed, how can we be sure that federal agencies and departments actually removed these Chinese spy devices? Ensuring that government networks are not hosting malicious devices requires specialized security protocols such as Comply to Connect.
Surveillance cameras are everywhere. There are some 30 million cameras deployed in the United States producing some 4 billion hours of footage a week. Virtually all public spaces – government buildings, military installations, border crossings, airports, train stations, tunnels, roads, bridges, prisons and even parks – are now under 24/7 surveillance. Private businesses routinely employ surveillance cameras to provide security, enhance safety, and monitor the behavior of customers. Individuals are increasingly deploying cameras to protect their homes.
Chinese companies are major players in the global surveillance camera market, leveraging massive domestic sales to produce high-quality but relatively cheap systems. It is estimated that there are around 175 million cameras operating in China this year; in three years, that number could rise to more than 600 million. These companies have significant ties to the Chinese government. They also have developed facial recognition software employed by Chinese internal security for the suppression of internal dissent.
Chinese high-tech video surveillance companies such as Hangzhou Hikvision Digital Technology and Zhejiang Dahua Technology have made major inroads into the U.S. electronic security market. These companies’ cameras were found to have back doors that allowed the company, and hence the Chinese government, to collect both the video and the audio they record. Given the rapidly improving quality of these cameras and their supporting software (which can, for example, read lips), these devices pose a significant threat to national security.
The 2019 National Defense Authorization Act (NDAA) included an amendment that directed all federal departments and agencies to halt purchases of Chinese-made surveillance cameras from manufacturers including Hangzhou Hikvision and Zhejiang Dahua. The deadline for compliance was August 13, 2019.
So, now that the NDAA deadline has passed, how secure is the United States from Chinese high-tech surveillance? The answer is we don’t know. Many departments and agencies do not have adequate records to know how many cameras they have deployed or who made them. In addition, Chinese cameras or their components were often acquired by U.S. contractors and relabeled, so the actual provenance of the equipment is obscured. Nor does the government have a “trust but verify” capability to validate that banned cameras have actually been removed from networks. Congress and the Administration generally have to take the agency or department’s word that they have complied.
The challenge of removing banned Chinese cameras from U.S. security and surveillance systems is a subset of the larger problem of ensuring that only authorized and compliant devices are connected to the networks. The number of devices connected to government networks, particularly those operated by the Department of Defense (DoD), is exploding. A significant subset of these are unauthorized or are not compliant with the required security features. This creates an enormous security problem.
The U.S. government is pursuing several initiatives intended to control access to critical networks and ensure that insecure devices are identified and removed. Because government networks are constantly morphing and evolving with new devices being attached, it is important that any solution provides for continuous diagnostics and mitigation.
One such solution, initiated first by the U.S. Navy and Marine Corps, is Comply to Connect (C2C). C2C is part of a broader Information Security Continuous Monitoring strategy that provides a cybersecurity framework of tools and technologies. Because of the sheer scale of the problem, C2C must rely on automated processes to continuously scan networks and assess the compliance of endpoints. C2C employs proven commercial platforms to automate device discovery, compliance evaluation, continuous monitoring and access control. The C2C protocols ensure that only approved devices, those that are properly configured, updated and equipped with the right security controls, are allowed access to defense networks, and that those that are not compliant are either remediated or have their access blocked. C2C follows the same principles as a 5-year-old program within the federal civilian government called Continuous Diagnostics and Mitigation (CDM).
Where implemented, C2C and CDM are being used by federal agencies and departments to identify the Chinese-made video devices on their networks and ensure that they are removed. In essence, each camera is treated as an endpoint on the network to be identified, and its provenance assessed. In the case of Chinese-made cameras, once their presence on a network is detected, they can be replaced and that exposure removed from the network.
The problem presented by banned Chinese-made video surveillance devices demonstrates how important it is to provide continuous monitoring, diagnostics, and remediation of critical networks. This type of security challenge is a harbinger of things to come as more and more devices are added to government networks.
The agencies that have implemented information security continuous monitoring fundamentals have an automated, real-time way to detect the prohibited Chinese-made cameras. Tomorrow, a different kind of threat may lead to a ban on some other device. With C2C in place, agencies will be able to use the same toolset to detect and remove (or segment off) those devices as well.
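To make the C2C loop described above concrete (discover an endpoint, establish its provenance, evaluate compliance, then allow, remediate, quarantine or block it), here is an added example written for this page. It is not code from any DoD, Navy or vendor C2C programme. The inventory record fields, the vendor names, the NIC prefixes and the minimum-firmware values are all constructed placeholders, not real manufacturer assignments. Two points from the article are built in: a relabeled unit is checked on every maker field and on its NIC prefix, not just the name on the box, and an endpoint whose provenance cannot be established is segmented off rather than allowed by default. The ban list is plain data, so tomorrow's ban on a different device is a policy change, not a new tool.

```python
"""Added example: a Comply-to-Connect style endpoint evaluation loop (illustrative only)."""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # compliant: admit to the production network
    REMEDIATE = "remediate"    # trusted maker, but a patch or control is missing
    QUARANTINE = "quarantine"  # provenance cannot be established; segment off for review
    BLOCK = "block"            # banned provenance: deny access and schedule replacement


@dataclass(frozen=True)
class Policy:
    banned_vendors: frozenset     # lowercase substrings matched against every maker field
    banned_ouis: frozenset        # 24-bit NIC prefixes, "AA:BB:CC" form (placeholders here)
    known_ouis: dict              # prefix -> maker, used when the inventory record is silent
    min_firmware: dict            # maker (lowercase) -> minimum acceptable version tuple
    required_controls: frozenset  # boolean fields every endpoint must report as True

    def extend_ban(self, vendor: str, oui_prefix: str = "") -> "Policy":
        """Ban one more maker (and optionally its NIC prefix): the ban list is data, not code."""
        return replace(self, banned_vendors=self.banned_vendors | {vendor.lower()},
                       banned_ouis=self.banned_ouis | ({oui_prefix.upper()} if oui_prefix else set()))


def normalize_mac(mac: str) -> str:
    """Accept 02:00:d0.., 02-00-D0.. or 0200.d0.. forms; return AA:BB:CC:DD:EE:FF or raise."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def evaluate(ep: dict, policy: Policy) -> tuple:
    """Classify one inventory record. Returns (Decision, list of reasons)."""
    reasons, banned = [], False
    # Provenance: check every field that names a maker, because a relabeled unit
    # usually still carries the OEM name and firmware string of the original maker.
    makers = {ep.get(k, "").lower() for k in ("vendor", "oem", "firmware_vendor")} - {""}
    for maker in sorted(makers):
        for bad in sorted(policy.banned_vendors):
            if bad in maker:
                reasons.append(f"maker field '{maker}' matches banned vendor '{bad}'")
                banned = True
    try:
        prefix = normalize_mac(ep.get("mac", ""))[:8]
    except ValueError as err:
        prefix = None
        reasons.append(str(err))
    if prefix in policy.banned_ouis:
        reasons.append(f"NIC prefix {prefix} is assigned to a banned manufacturer")
        banned = True
    if banned:
        return Decision.BLOCK, reasons
    # Unknown provenance is not "allow by default": segment the endpoint off for review.
    if prefix is None or (not makers and prefix not in policy.known_ouis):
        reasons.append("provenance cannot be established from the inventory record")
        return Decision.QUARANTINE, reasons
    # Compliance for a trusted maker: firmware floor and required security controls.
    maker = ep.get("vendor", "").lower() or policy.known_ouis.get(prefix, "").lower()
    floor = policy.min_firmware.get(maker)
    if floor is not None:
        try:
            if parse_version(ep.get("firmware", "")) < floor:
                reasons.append(f"firmware {ep['firmware']} below minimum {'.'.join(map(str, floor))}")
        except ValueError:
            reasons.append(f"firmware version {ep.get('firmware')!r} is unparseable")
    for control in sorted(policy.required_controls):
        if not ep.get(control, False):
            reasons.append(f"required control '{control}' not in place")
    return (Decision.REMEDIATE if reasons else Decision.ALLOW), reasons


def run_scan(inventory: list, policy: Policy) -> dict:
    """Evaluate every record, keyed by host so the outcome is easy to report on or assert."""
    return {ep["host"]: evaluate(ep, policy) for ep in inventory}


# Constructed sample policy and inventory: placeholder values, not real OUI assignments.
POLICY = Policy(
    banned_vendors=frozenset({"bannedcam"}),
    banned_ouis=frozenset({"02:BA:D0"}),
    known_ouis={"02:00:D0": "GoodCam", "02:BA:D0": "BannedCam"},
    min_firmware={"goodcam": (2, 0, 0)},
    required_controls=frozenset({"auth_enabled", "default_creds_changed"}),
)
INVENTORY = [
    {"host": "cam-01", "vendor": "GoodCam", "mac": "02:00:d0:11:22:33", "firmware": "2.3.0",
     "auth_enabled": True, "default_creds_changed": True},
    # Relabeled unit: the integrator's name is on the box; the OEM field and NIC say otherwise.
    {"host": "cam-02", "vendor": "Acme Integrators", "oem": "BannedCam Ltd", "firmware": "5.1.0",
     "mac": "02-ba-d0-44-55-66", "auth_enabled": True, "default_creds_changed": True},
    {"host": "cam-03", "vendor": "", "mac": "n/a", "firmware": "?"},  # nothing usable on record
    {"host": "cam-04", "vendor": "GoodCam", "mac": "02:00:d0:77:88:99", "firmware": "1.9.2",
     "auth_enabled": True, "default_creds_changed": False},  # old firmware, factory credentials
    {"host": "cam-05", "mac": "0200.d0aa.bbcc", "firmware": "2.0.0",  # no vendor, but known NIC
     "auth_enabled": True, "default_creds_changed": True},
]

if __name__ == "__main__":
    for host, (decision, why) in run_scan(INVENTORY, POLICY).items():
        print(f"{host}: {decision.value:<10} {'; '.join(why) or 'compliant'}")
    # A new ban is a policy edit, evaluated by the same loop.
    print("cam-01 after banning GoodCam:", run_scan(INVENTORY, POLICY.extend_ban("GoodCam"))["cam-01"][0].value)
```

Running the block as written yields allow for cam-01 and cam-05, block for cam-02 (the relabeled unit is caught twice, on its OEM string and on its NIC prefix), quarantine for cam-03 and remediate for cam-04 with two reasons. Note that extending the ban by vendor name alone does not catch a record like cam-05 that carries no maker field; pass the NIC prefix to `extend_ban` as well, which is why a real deployment keeps a maintained OUI table next to the vendor list.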
Congress directed DoD to implement C2C in 2016. The Pentagon recently moved to begin funding a program. Some $100 million is in the Defense Information Systems Agency’s FY 2020 budget request. In addition, the Navy and Marine Corps have reprogrammed $62 million for C2C. This is a good beginning. But it is only that. DoD needs to make implementing C2C on its networks one of its highest priorities.
Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Gouré has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute at @LexNextDC.