Alarmed by reports of cyberattacks and the growing threat China poses to national security, the United States Congress passed a law in 2018 that would ban any facility operated by the U.S. government or one of its contractors from using equipment made by five state-backed Chinese technology firms: Huawei, ZTE, Dahua, Hytera and a company called Hikvision, the world’s biggest maker of security and video surveillance cameras.

According to the National Defense Authorization Act, all U.S. government facilities — including military bases — are required to rid themselves of any device made by these five firms within a year, or by August 2019. And then, a year later, by August 2020, the government said that all contractors have to rid their premises of equipment made by the five Chinese firms, and attest to that in writing, if they want to conduct business with the government.

If that wasn’t enough, in 2019, the U.S. Commerce Department added three of the firms (Huawei, Dahua and Hikvision) to what is known as the U.S. Entity List, a blacklist that forbids any American registered company from exporting goods, such as raw materials or microchips, to firms on the list without federal approval.

This is how the U.S. is beginning to wage war on some of China’s major technology firms. But how effective is it? Has the world’s economic superpower been able to batter these Chinese firms and rid the U.S. of their goods?

Well, not exactly. 

Ripping Chinese telecom equipment out of America’s networks will take time, analysts say, and complying, monitoring and enforcing rules that compel all government facilities and contractors to pull out any equipment made by the five firms, at facilities they operate around the world, is going to be difficult, particularly for smaller businesses.

“Can they truly attest to whether their internet service provider doesn’t have a Huawei or a ZTE router somewhere in that system?” asks Wesley Hallman, a senior vice president at the National Defense Industrial Association in Arlington, Va., which represents about 1,700 defense companies. “I’d bet you they can’t. I can’t tell you what my internet service provider has in its backbone.”

Can they truly attest to whether their internet service provider doesn’t have a Huawei or a ZTE router somewhere in that system?

Wesley Hallman, National Defense Industrial Association

Also, while the Chinese firms face new barriers to selling their equipment to the U.S. government and government contractors, the new law does not bar them from selling goods in the U.S. market. Consumers can still purchase Huawei or ZTE phones at retail outlets, or buy Hikvision security cameras on Amazon through third-party sellers, or online through one of Hikvision’s dozens of authorized distributors.

To better understand the challenges and complications of banning Chinese technology equipment makers, The Wire interviewed nearly a dozen experts, consumers and technology analysts about just one of the Chinese firms on the designated list of five Chinese firms: Hikvision, the $8 billion state-backed Chinese camera maker that the Pentagon now says has ties to the People’s Liberation Army, or the Chinese military. 

It’s also a company that controls nearly a quarter of the global video surveillance market.

The U.S. government decided to bar federal facilities and contractors from using its cameras — and added it to the U.S. Entity List last October — over concerns that Hikvision’s cameras might give the Chinese government the ability to spy, and the company’s role in human rights abuses in Xinjiang, not to mention U.S. government reports that showed that its security cameras had vulnerabilities that may have allowed state actors to hack into the devices and spy on users.

It’s important to note that Hikvision, which declined to comment for this article, has never been publicly accused of spying on U.S. citizens. In July 2018, in an interview with The Hill, Jeffrey He, the then-president of Hikvision’s U.S. operations, said, “It’s very difficult to prove ourselves not guilty of providing back doors to Chinese government or any source.”

Forescout, a cybersecurity firm that specializes in securing the “enterprise of things,” says that 1,500 security cameras produced by Hikvision remain at various government locations, though the firm said it could not comment on the locations of the cameras. (The firm conducted a similar review last year, tracking Hikvision and Dahua equipment.)

Getting Hikvision cameras removed from government contractors, though, could be a major challenge. Under the law, government contractors are not only obligated to remove them from their U.S. facilities, but also any facilities they operate overseas, even in far off locations like India or China. 

“If you think about it, everyone does business with the U.S. government… whether it’s a catering company or Office Depot, selling paper,” says Nate Pollack, a spokesperson for Forescout, which is based in San Jose.

Members of Congress are aware of the challenges. In a May 2020 letter to the U.S. Office of Management and Budget, Sen. Marco Rubio, the Florida Republican, and Sen. Ben Cardin, a Democrat from Maryland, acknowledged that getting government contractors to comply is a potentially complex and costly challenge, and that some businesses “may need more assistance and time.”

Security experts say China has demonstrated an interest in accessing secrets in the U.S. and elsewhere, and that Chinese state-backed technology firms could pose a risk. “It looks like the Chinese are trying to push their surveillance state into the U.S., and that’s grounds for concern,” says James Lewis, the director of the technology policy program at the Center for Strategic and International Studies, the Washington, D.C. based think tank. 

After the multiple vulnerabilities were exposed by analysts in 2017 and 2018, and noted in the government’s National Vulnerability Database, Hikvision became a “poster child of vulnerable IP cameras,” says Allan Liska, a senior security architect at the intelligence firm Recorded Future, which is based in Somerville, Mass.

Experts say many video camera companies have similar flaws, including the Chinese security camera maker Dahua, which is also being targeted by the U.S. (Together, Hikvision and Dahua control nearly a third of the global video surveillance market, as of 2019.) 

Analysts say that businesses are beginning to reduce their reliance on Hikvision, though many of Hikvision’s competitors also have their equipment manufactured in China. 

Gregory J. Touhill, who served as the U.S. government’s first chief information security officer and now teaches at Carnegie Mellon University, says that once the U.S. government identifies a company as a security threat, allies and global businesses pay attention. “It really is a very complex problem, but at its core, it’s a risk-management decision,” Touhill says.

In other words, if the U.S. is really going to bar Chinese firms and remake its technology supply chain it’s going to take years, if not decades, and be costly to rethink and to monitor its facilities and contractors.

Still, some security experts say the U.S. approach is often flawed and not a comprehensive policy to dealing with China. “You see the government playing Chinese company whack-a-mole,” says Ainikki Riikonen, a researcher on technology and national security at the Center for a New American Security, in Washington, D.C. “They’re just on an ad hoc basis, adding this company here, that company there, and this patchwork of policy tools to do that.”

Lewis, at CSIS, says the U.S. is going to have to take a more holistic approach to dealing with China.

“We may have to do some rebuilding, whether it’s in drones, or in telecoms or in cameras,” Lewis says. “We thought we could depend on a Chinese supply chain, and that was a mistake.”

---