Author: Dale Fowler - Company Director INDECT USA
January 2, 2018
The John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) was signed into law on August 13, 2018. Apart from authorizing $716 billion for the National Defense Budget, it also contains wide-ranging cybersecurity provisions that may have an unexpected effect on many federally funded organizations, airports in particular.
Section 889 of the NDAA prohibits the use of federal funds to acquire:
From August 2020, government funded agencies will also be barred from entering into, extending or renewing a contract with any company that uses the above-mentioned telecommunications or video surveillance equipment.
The NDAA ban also covers essential components and/or critical technology as part of any system manufactured or produced by the named entities. It is believed that this extends to the ‘system on a chip’ (SoC), which includes embedded processor circuitry capable of executing software commands frequently used in video surveillance systems.
It is important to note that this ban affects other manufacturers or vendors if the video surveillance equipment or systems are offered under another brand name typical of OEM, ODM and JDM relationships. This is commonly known in the industry as re-badging.
What does the 2019 NDAA mean for airports and the parking industry?
At first glance it may seem that the NDAA ban only applies to federal agencies, however, there are a number of public entities that rely on federal funds in the form of grants. Airports are one of these entities.
While most airports are state or city owned, many receive federal funding for capital improvements through the Federal Aviation Administration (FAA), which operates under the Federal Airport Act. In July 2018, the FAA awarded $659.9 million in infrastructure grants to 390 airports nationwide as part of the $3.18 billion Airport Improvement Plan. This funding may be used for a variety of projects ranging from runways and aircraft rescue to terminal renovation and parking infrastructure.
A common requirement of many modern airport infrastructure projects is the inclusion of a parking guidance system. Parking guidance systems dramatically improve airport congestion by quickly and easily directing traffic to available spaces. Many parking guidance companies offer a camera system, which utilizes video surveillance equipment and technology to enable license plate recognition (LPR) software and security features. However, it’s not just parking guidance systems that may be affected, other security components such as CCTV may also be adversely impacted by the 2019 NDAA.
According to Jennifer Mapes-Christ, Senior Analyst and Manager of the Consumer and Commercial Goods Group of the Freedonia Group, nearly all video surveillance equipment currently sold in the USA is manufactured in China. Hangzhou Hikvision, the world’s largest manufacturer of video surveillance equipment is 42% controlled by a state-owned company. Hikvision’s cameras can be found in all industries and sectors across the USA with a large proportion sold by third-party vendors. To put the size of this company into perspective, its nearest competitor, Dahau, is only one fifth its size.
Although Dahua has stated that it is a privately-owned company, a vast majority of all Chinese telecommunication and technology companies are wholly or partially government owned . This may mean that airports are unknowingly breaching Section 889 (3, d) of the NDAA by installing parking guidance systems and CCTV sold by companies with an OEM, ODM or JDM manufacturing relationship with an entity linked to the Chinese Government.
Why all the concern?
In March 2017, a major cyber security flaw was discovered across many Dahau products that effectively created a backdoor into any system or network to which the product was connected. The backdoor allowed remote unauthorized administration access via the internet. Once inside, a hacker could easily access and change user names and passwords, download information and execute malicious commands . Dahua issued a statement claiming the flaw was unintentional, however, it appears the potential security risk was great enough for the US government to take action.
Further, in 2017 China passed a new law allowing national intelligence institutions to establish cooperative relationships with individuals or organizations and commission them to carry out related intelligence work. The law also requires all Chinese organizations and citizens to provide information, support and assistance to national intelligence agencies when requested. It seems to be these requirements that have prompted not only the US government to act but also other countries including Australia and the United Kingdom.
When thinking of potential security threats, a parking guidance system doesn’t readily spring to mind. However, it is better to be safe than sorry. If an airport is considering installing parking guidance equipment as part of their expansion or renewal projects, it is vital to know where the components have been manufactured. Ask the supplier where their equipment is manufactured, who made their SoC chip and whether their products have been re-badged for sale in the USA?
All INDECT components are manufactured in Europe, it does not have any OEM, ODM or JDM manufacturing relationships with other entities and the SoC chip is not manufactured in China.