What a Security Products Blacklist Means for End Users & Integrators

A recent US Commerce Department blacklist of several Chinese entities leaves a looming question: What happens if your products are now prohibited?

Joan Goodchild, Contributing Writer

November 6, 2019

Steve Surfaro wants to make something clear: The recent blacklisting by the US Department of Commerce of several Chinese technology companies is what he calls "an absurd overreaction" — and one that will impact technology markets for years to come.

"The black eye that [artificial intelligence] has suffered is probably one of the worst," says Surfaro, reacting to a move last month in which 28 organizations – including eight technology providers – were placed on a US government entities list. "We won't realize until we start seeing the amount of money that investors are spending on AI overseas, in India, Israel, mainland China, Hong Kong, but not in the United States. Some of these are AI IPOs and are going to say, 'Thanks, but we will take our business elsewhere.'"

The entity list bars the companies included from buying parts and components from US firms without US government approval. Although the list is not an outright embargo, the companies have been placed on it because the Trump administration accuses them of involvement in human rights violations against Muslim minorities in China's far-western region of Xinjiang.

Among the companies named are two of the world's largest video surveillance manufacturers, Hikvision and Dahua Technology, and several startup firms that specialize in AI, voice recognition, and data. The US government accuses them all of playing a role "in the implementation of China's campaign of repression, mass arbitrary detention and high-technology surveillance," the Commerce Department filing states. In the case of Hikvision and Dahua, their addition to the entity list also takes place because of a 2017 ban that prohibits federal agencies from purchasing their products.

In recent years, the US has banned a variety of popular technology products on the basis that they might pose threats to national security. In September 2017, the administration ordered the removal of all Kaspersky (then known as Kaspersky Lab) products from federal systems, citing concerns that the Kremlin could influence the Russian cybersecurity company. This May, the US government prohibited the use of Huawei technologies, citing national security concerns over the tech giant's alleged ties to China's government and intelligence apparatus. Huawei currently offers a broader range of technology products than almost any other company.

These prohibitions are causing complications for IT and physical security professionals, especially those with government contracts. They need to weigh the security risks of using these tools versus the risk of not using them. A complex international supply chain also makes it hard to evade all these potential entrapments.

Surfaro, an Arizona-based independent security consultant and chairman of the Public Safety Working Group for the Security Industry Association (SIA), says regardless of where one's political standpoint on the issue lies, the move leaves many organizations who use equipment from the listed companies reeling and trying to understand what it may mean for their security strategies going forward.

"This is significant for a lot of K-12 schools that rely on government funding for their security," he says. "And this does make a difference for small industries doing cutting edge things with AI."

Questions About Supply Chain Security Now in Play
Danielle VanZandt, an analyst specializing in security, aerospace, and defense for Frost & Sullivan, says Dahua's and Hikvision's positions within the overall global digital surveillance market make their blacklisting somewhat of a shock, with the immediate effects touching off significant questions among US partners, end users, and supply chain partners about the state of the security products supply chain.

"I think much of the market would prefer tensions to settle in order for supply chains to figure out what the new normal is," she says. "There was never an opportunity to understand what the 2017 ban meant for security supply chains, and now with this 2019 blacklisting, supply chain participants need to work together to strategize with how best to proceed."

VanZandt notes both Dahua and Hikvision have never considered the US a primary market, despite the country being the largest market for security products. Both vendors not only had a solid customer presence in their domestic markets, but their growth in other regional markets, including the Middle East, Asia, and Europe, is enough to negate any economic effects they might feel from the blacklisting. However, for other vendors on the list, this could prove detrimental.

"Seeing how the blacklist hits the start-up vendors who were included could give us key insights into this over the next few months," she says.

The Path Forward if You're Impacted
What if you are using products from an impacted entity? The instructions for how to proceed are murky. VanZandt says she only recommends rip-and-replace to end users who were already considering updates to their systems. It is unnecessary to incur the huge expense that a total system replacement would require based solely on the blacklist. However, she does not recommend that end users or systems integrators just "hope for the best" either when it comes to the security products they are using. The list could present an opportunity for a fresh evaluation of systems in place.

"I think this is a great opportunity for end users to take stock of their data security policy when it comes to their surveillance systems and identify any potential security vulnerabilities," VanZandt says. "If that does involve potentially replacing equipment, then it will then be their prerogative to take next steps with their integrator partners."  

Adds Surfaro: "You will likely have to stay the course and keep using this equipment if you have. You don't have a choice. If you rip and replace, you screw yourself two ways: What you buy is going to cost you more, and, two, your budget to buy is probably going to be less. It's a lose-lose."

About the Author(s)

Joan Goodchild, Contributing Writer

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
