The 2019 National Defense Authorization Act (NDAA) contains a provision barring U.S. government agencies from purchasing Dahua and Hikvision products, including their OEMs.

WASHINGTON, D.C. — With the stroke of a pen Monday, President Trump ratified a $716 billion defense policy bill and with it a provision to ban United States government agencies from purchasing video surveillance products made by Dahua and Hikvision, among other telecommunications gear from Chinese firms.

The ban points to rising suspicion in the U.S. against Chinese technology and potential cybersecurity threats posed by the Chinese government. It was included as part of an amendment to the defense bill proposed by Rep. Vicky Hartzler (R-Mo.).

“We must face the reality that the Chinese-government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors,” Hartzler said in statement. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies.”

Along with the Dahua- and Hikvision-branded equipment portfolios, each company’s extensive OEM or white label agreements also fall under the technology ban, along with any other vendors that use the company’s equipment.

The bill, known as the National Defense Authorization Act (NDAA), states the ban will take effect Aug. 13, 2019. Language in the ban on U.S. federal agency procurement includes:

“For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).”

Hytera is a provider of radio communication devices. Also included in the ban is ZTE Corp., the Chinese telecom giant, and Huawei Technologies Co., China’s largest telecom equipment maker. Products manufactured by ZTE Corp. and Huawei has been effectively blocked from the U.S. since a Congressional report in 2012 warned the equipment could pose a national security threat, which both companies have refuted.

In statement released to SSI, Hikvision said the ban “was quickly drafted without sufficient evidence, review, or investigation to warrant the video surveillance technology restrictions outlined in section 889.”

The statement continues:

“The process resulted in an ambiguous provision with potentially far-reaching implications for American business and represents a rejection of the U.S. government’s commitment to use a standards-based approach when evaluating security risks in federal procurement.”

Hikvision said it is committed to complying with all applicable laws and regulations and has made efforts to ensure the security of its products go beyond what is mandated by the U.S. government. These efforts include certification under the Federal Information Processing Standard (FIPS) 140-2, as well as opening its Source Code Transparency Center (SCTC), which makes the company’s source code available for review by law enforcement authorities and government agencies in the U.S. and Canada.

When contacted for comment Tuesday, Dahua referred SSI to a statement posted on its website Aug. 3 in reaction to the NDAA prior to it becoming law.

“We understand that in today’s security industry, cybersecurity is the biggest challenge. We have provided remedies to correct those issues with our customers. We take cybersecurity very seriously by implementing a 7-module cybersecurity baseline into our product design,” according to the statement. “Meanwhile, we continue to work with 3rd party partners like DBAPP Security and Synopsys Technology, to rigorously test our products to combat against current cybersecurity vulnerabilities.”

Lynn de Seve, president of GSA Schedules, tells SSI the ban is concerning to commercial security industry suppliers. GSA contracts for the security industry require compliance to the Trade Agreement Act (TAA). As such products from China are currently not allowed on the GSA contract. Such items must be quoted as “open market,” meaning not on the GSA contract, de Seve explained.

“The change with NDAA 2019 does pose some new serious restrictions on government procurement regarding Chinese products, but how far will that reach into the commercial marketplace? We don’t know enough of the implementation details to know the full impact of NDAA 2019 and so, of course, that is a concern,” she said.

It is understood there are lots of questions on what will be the resulting ripple to the commercial industry, de Seve continued. But since the ban is yet to be implemented, stakeholders simply do not know to what extent it will reach through to impact industry OEMs, existing end-user systems or government contractors’ building systems.

“I have heard and read some public comments on what could be premature assumptions as to possible far reaching implications. We hope to learn more from government procurement policy leadership in future meetings to have some clarity,” she said.

The Security Industry Association also continues to explore potential ramifications from the ban.

“At this point, SIA is researching the language of the NDAA and seeking guidance on how some specific provisions related to the security industry will be interpreted,” said SIA CEO Don Erickson.

Wholesale distributors, many of which carry Dahua- and Hikivsion-branded products and their OEM partners, stand to be impacted by the ban. The extent of which also remains to be seen, but ADI’s Trent Perrotto, senior director of corporate and digital communications, suggests the industry’s largest wholesale distributor of security and low-voltage electronics products will be fine.

“At this time, we do not anticipate a significant impact to our business resulting from the legislation,” Perrotto said. “We take cybersecurity seriously and will work with customers, as always, to ensure compliance with any laws and regulations.”