Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 prohibits the procurement or use of Huawei, ZTE, Hytera, Hikvision, or Dahua telecommunication and video surveillance products and services by federal agencies, government contractors, and the recipients of any federal grants or loans (this latter category includes many state and local governments).
SecurityScorecard’s scan data indicates that some government agencies at both the federal and local levels have continued to use products covered by Section 889 throughout 2022.
This equipment appeared most frequently on networks used by general local government rather than purpose-specific organizations (in these cases, hostnames suggested use by “the County of X” or “the Town of Y” rather than specific departments or agencies).
Hikvision products appeared the most frequently, while Dahua products appeared less frequently. No scans revealed Huawei, ZTE, or Hytera equipment.
Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 prohibits the procurement or use of Huawei, ZTE, Hytera, Hikvision, or Dahua telecommunication and video surveillance products and services by federal agencies, government contractors, and the recipients of any federal grants or loans (this latter category includes many state and local governments). It prohibits these companies’ products and services because of their ties to the government of the People’s Republic of China (PRC). Such ties suggest that these companies could, knowingly or unknowingly, facilitate espionage and other malicious, PRC-backed cyber activity. Section 889 is, however, one element of a much wider effort by the federal government to respond to the national security risks it has linked to Chinese technology.
As early as 2012, then-NSA Director General Keith Alexander characterized the intellectual property theft enabled by cyber-espionage (much of it Chinese) as the “greatest transfer of wealth in history,” and subsequent actions by the federal government have highlighted Chinese technology firms’ role in that transfer. In January 2019, the Department of Justice charged Huawei, its CFO, and three subsidiaries with fraud, money laundering, and sanctions violations. Although the charges were not espionage-specific, commentators have cited them alongside the later bans to frame measures targeting Huawei as a single aspect of a wider competition between the PRC and the US. Then-President Donald Trump’s May 2019 executive order barring US firms from doing business with technology providers deemed national security risks achieved considerable publicity due to its implicit focus on Huawei. Alongside that executive order, the Department of Commerce’s Bureau of Industry and Security added Huawei and its subsidiaries to the Export Administration Regulations (EAR) entity list on May 16, 2019, and added forty-six more related companies to the list in August of that year, banning unlicensed transactions between US firms and the named entities. The Department of Justice filed additional charges of racketeering and conspiracy to misappropriate intellectual property (precisely the variety of espionage identified by General Alexander in 2012) against Huawei in February 2020. Then, in May 2020, the Department of Commerce imposed new export restrictions barring semiconductor manufacturers from using US products to manufacture semiconductor chips for Huawei.
Concern over Chinese technology has also largely remained consistent across administrations. In June 2021, President Biden signed Executive Order 14032, prohibiting US persons from investing in firms linked to the Chinese military and technology industries. It initially identified fifty-nine prohibited firms, but pursuant to the order, in December 2021, the Department of the Treasury named eight Chinese technology companies as part of the “Chinese Military-Industrial Complex” and linked them to the production and deployment of surveillance technology that facilitates human rights abuses.
Despite the federal government’s more general concerns regarding Chinese technology and the specific requirements imposed by Section 889, SecurityScorecard’s scan data indicates that, as of July 14, some government agencies at both the federal and local levels have continued to use covered products throughout 2022, even though the later of Section 889’s two phases of prohibition went into effect on August 13, 2020.
Hikvision products appeared the most frequently. SecurityScorecard’s scans have observed Hikvision products in use on government networks 49 times since the beginning of 2022:
28 observations of Hikvision IP Cameras on networks belonging to public school districts, local (city, town, and county) governments, and federal law enforcement agencies.
21 observations of Network Video Recorders on networks belonging to public school districts, local (city, town, and county) governments, and local police departments.
Dahua products appeared less frequently.
SecurityScorecard’s scans have observed Dahua webcams in use on the networks of public school districts, public libraries, regional offices of education, municipal governments, and local police departments five times since January 1, 2022.
No scans revealed Huawei or ZTE equipment. This may reflect the extensive publicity Huawei and ZTE have received from other, better-publicized bans on their products and services.
This equipment appeared most frequently on networks used by general local government (i.e., the hostnames indicated their use by a county, city, or town government rather than an educational institution, law enforcement agency, or another service):
26 observations in local government (at either the county, city or town level)
23 observations in public education (either school districts/systems or specific schools)
5 observations in law enforcement (at either the federal or local level)
These findings may reflect a wider pattern, as reports that some federal agencies were still using banned Chinese technology surfaced in December 2021. However, they also suggest that state and local institutions face risks alongside federal agencies. Section 889 likely applies to many of these organizations. Speaking generally, local governments receive a variety of federal grants, but more specifically, schools and school systems may receive grants or loans from the Department of Education. Local law enforcement agencies are frequently the recipients of Department of Homeland Security grants, and the findings are almost certainly relevant to the FBI, which is itself a federal law enforcement agency with a national security function. Aside from the specific obligations imposed by Section 889, though, there are the wider national security concerns that informed Section 889 in the first place. Put bluntly, the federal government has warned US organizations against using Chinese technology because that technology could contain implants that the Chinese government could use for espionage.
SecurityScorecard’s data helps concerned organizations mitigate the risks posed by these products: the visibility SecurityScorecard offers can enable organizations to identify covered products within their networks and make better-informed decisions regarding their use. Due to the potential sensitivity of the information, we have removed identifying details from this report. If you are concerned that your organization may be affected, please contact SecurityScorecard for more information.