June 9th, 2021
Essential to Worldwide Security’s approach is ensuring that no equipment or procedure that could compromise our clients’ security is ever introduced to their environments. The advent of IP-based CCTV, concurrent with the ever-growing IoT approach, means that a security camera with embedded malware – or System-on-a-Chip (SOC) – can theoretically gain access to databases, digital correspondence, and records. While not always understood, guarding against SOCs built into CCTV infrastructure is critical to the cyber-security of any enterprise. In conjunction with IPVM, we have prepared this memorandum to provide our customers with detailed information regarding compromised CCTV technology.
The National Defense Authorization Act (NDAA) is passed each year by the U.S. Government and lays out the budget allocations and purchasing limitations for the U.S. Department of Defense. The United States Congress made waves in the physical security industry through Section 889 of the John McCain NDAA (2019), which banned the procurement and use, within federal government operations, of telecommunications equipment manufactured by certain companies. This rule was passed to avoid potential hacks and cyber-attacks by foreign entities, especially China. The equipment and manufacturers named are:
- Video surveillance equipment manufactured by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company
- Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation
In 2020, the application of the NDAA was expanded to prevent federal agencies from doing business with companies that sell non-compliant devices to non-government entities in the United States, and to ban the use of federal funding to acquire banned equipment/services. The ban also includes OEMs (Original Equipment Manufacturers) and does not include geographical constraints preventing integrators from using such equipment outside the U.S. The rule does give agency heads the ability to grant a one-time waiver on a case-by-case basis that will expire no later than Aug. 13, 2022.
The Worldwide Difference
Worldwide Security Ltd will not support, sell, or integrate any non-compliant technology. Though this excludes many manufacturers from our consideration, it is essential for the protection of both our corporate ethic and several site and organization specific security clearances. As cyber-threats continue to grow in complexity, this approach is, to our minds, the only reasonable one which might be adopted.
List of Non-Compliant Manufacturers
Many cameras from leading manufacturers are privately labeled, and it is difficult to tell whether a given device is compliant without performing considerable research on the overall supply chain. Below is a list, provided by IPVM, of companies that OEM parts from Hikvision and Dahua. Please note that this list of manufacturers is subject to ongoing changes.