Numerous federal agencies, including several branches of the military, buy video surveillance equipment that can’t legally be used in U.S. government systems and that is made by Chinese companies sanctioned on national security grounds, records and products reviewed by The Intercept indicate.
The agencies purchased blacklisted hardware through a network of American resellers that claimed the camera systems were in compliance with the sanctions. Those claims in numerous cases had little apparent basis, according a joint investigation with IPVM, a video surveillance industry research publication.
The security sanctions originated in the 2019 iteration of Congress’s annual defense policy and funding bill, known as the National Defense Authorization Act. They barred Dahua and Hikvision, two of China’s leading manufacturers of security cameras, from selling their products to the federal government, citing concerns that such sales could let the Chinese government remotely spy on federal facilities.
But public purchase records show that since the sanctions were put in place, the Air Force, Army, Navy, Veterans Affairs, and the Office of the Secretary of Defense all purchased camera systems containing or consisting of hardware that IPVM determined was in fact originally manufactured by Dahua or Hikvision and sold under another brand. IPVM visually compared both hardware and software of the camera systems and, in some cases, physical disassembled cameras. Listings posted to GSA Advantage, a marketplace for federal vendors to sell their wares to the government online, show that rebranded Dahua and Hikvision cameras are still freely available for purchase under different brand names.
The sales raise questions of due diligence, transparency, and the seriousness of even the toughest-appearing sanctions, as the U.S. government has not provided the public with any evidence that Dahua and Hikvision are spying on customers. At the same time, it’s not clear how effectively the government is able to police the sale of allegedly dangerous technology: The sheer quantity of products available through the GSA e-commerce portal “just grew into a beast that at some point became unmanageable,” according to Denise Buczek, who runs a consultancy for businesses who list their products on GSA Advantage. Burczek noted that while the General Services Administration is in her experience very diligent about removing prohibited items that are brought to its attention, “a lot of things start to fall through the cracks that GSA, at this point cannot physically have the resources to monitor, or to follow up with.” There is simply too much available for sale to be sure of what it all truly is.
GSA spokesperson Kim Armeni told The Intercept in an email that GSA contractors are required to comply with the provisions of the Federal Acquisition Regulation, or FAR, which provides rules for government purchases and contracting practices and was updated in 2019 to implement the NDAA’s Hikvision and Dahua ban. Armeni noted that “GSA has multiple means to vet vendors and products sold on GSA Advantage” but did not elaborate on these methods.
Of all the federal customers, only two responded to requests for comment. The Army, which records show purchased a Dahua DVR resold by Global Data Center Inc. under the Amcrest brand name in September 2020, said it relies on attestations by its vendors. “Companies that propose on federal contracts are required to assert their compliance with various Federal Acquisition Regulation and Defense supplement provisions and clauses,” Army Lt. Col. Brandon Kelley wrote in an email. “This piece of equipment, which was purchased through the GSA website, is a DVR used to store video footage of fish at the Mill Creek Project near Walla Walla, Washington. The team that purchased it observed that neither AMCREST nor GDC Inc. were listed as prohibited companies, and saw no indication that they may have been associated with any prohibited companies.”
An Amcrest representative told The Intercept in an email that “Amcrest cameras and security products are conceptualized and designed by Amcrest in Houston, TX,” and that “Amcrest works with various contract manufacturers from around the world (Mexico and China) to complete the design, assembly, and physical manufacturing processes.” The representative confirmed that its wares are not NDAA compliant, meaning they can’t legally be sold to the federal government.
An analysis by IPVM determined that the Amcrest AMDV10814-1TB-C DVR resold to the Army by Global Data Center is in fact a Dahua XVR4104 in slightly different clothing: While the unit’s front panel appears to have been modified in the Amcrest version, both models have identical side ventilation panels, and, crucially, their array of rear ports is identical, indicating that they’re using the same inner circuitry. Both devices also appear to come with nearly the exact same software, though Amcrest has given its version some new coloring. Reached via email, Global Data Center vice president Chris Davis told The Intercept “We had and have no wrongdoing to do with this matter [sic]. We had no knowledge that Amcrest or Bosch were selling and shipping anything other than the exact Amcrest or Bosch products they advertised and sold,” adding that “If they then, on their own, shipped banned 3rd party products, this was not done with our knowledge, consent or approval. This was unbeknownst to us and anyone else that may have bought these products.” Davis also noted that he had recently been informed of the situation by the GSA itself, “and have fully cooperated with them and provided all information requested that clearly proves without any doubt that Global Data Center, Inc. had nothing to do or any involvement whatsoever with this matter.”
Bosch spokesperson Anne Insero told The Intercept that “Global Data Center purchased the video recording products through distributors, as Bosch does not have a direct purchase relationship with the company,” and added “We have been transparent with any customer inquiries related to NDAA compliance.” Amcrest did not reply to a request for comment on Global Data Center’s claim.
“A lot of things start to fall through the cracks.”
The Air Force, which records show bought Dahua cameras and a Hikvision security camera system, said through spokesperson Capt. Joshua Benedetti that the camera purchases were made under the purview of the Army and that the camera system had been acquired before the Federal Acquisition Regulation rule banning such a purchase went into effect. But the records show a transaction date more than a month after the ban was implemented. Asked about this discrepancy, Benedetti said he would investigate but did not provide an update in time for publication.
The issue of NDAA violations appears to be ongoing: In the course of our reporting, a federal surveillance camera vendor contacted IPVM, apparently mistaking them for a camera reseller and not a publication that covers cameras, asking if they could help supply four Hikvision-manufactured cameras to install at the U.S. Embassy in Venezuela.
The State Department’s Diplomatic Security Service declined to comment.
Though none of the devices in question were sold under the names Dahua or Hikvision, IPVM was able to determine their actual provenance often just by looking at them and matching them with identical models offered by the sanctioned companies. For instance, the “Performance” line of surveillance cameras recently available through GSA Advantage and ostensibly manufactured by Honeywell, a major U.S. defense contractor, is a visual match with Dahua models, and both cameras use a nearly identical software interface. A partial disassembly of the Honeywell unit reveals even more: A silicon processor plainly labeled as manufactured by Huawei, a sanctioned Beijing firm at the center of the Trump administration’s China furor.
In the course of our reporting, a vendor asked IPVM to help supply four Hikvision-manufactured cameras for the U.S. Embassy in Venezuela.
Honeywell spokesperson Megan McGovern told The Intercept that “the products on GSA Advantage are shipped and sold by third-party security dealers that are responsible for meeting the purchasing and delivery requirements of various government agencies” and that “when we become aware that a third-party reseller is selling Honeywell products on GSA Advantage that do not work in NDAA-compliant systems, we notify that reseller that the listed products do not meet requirements for sale to federal government entities.”
The byzantine ecosystem of federal procurement, filled with small, generically named firms like SPS Industrial and Global Data Center, can make it difficult to tell at a glance what anyone is actually buying. These resellers are often simply middlemen for larger North American camera manufacturers like Honeywell and Speco, which are, in turn, often buying Chinese hardware in bulk and, as shown by IPVM’s research, doing little more than slapping on a new logo and sending it on its way. In order to represent themselves as the manufacturer, companies must attest that they have “substantially transformed” any items they list on GSA Advantage that were originally made elsewhere, but the listings and transactions reviewed by The Intercept offer little indication that the equipment was meaningfully altered or reconfigured beyond some aesthetic changes. Many surveillance systems arrive at the customer’s door looking and functioning identically as they would if they carried their original Hikvision or Dahua mark, and often come preloaded with these companies’ software interfaces, making their genuine identities knowable if one cares enough to look. Because the actual manufacturers of camera systems sold to the federal government are obfuscated through layers of resellers, the very companies the 2019 NDAA made out as dire Chinese threats are still selling products that end up delivered to the government agencies the defense bill was supposed to protect.
Recent surveillance camera purchases by the Department of Defense provide several clear examples of this supply chain obfuscation in action. Acquisition records show that in May 2020, the Air Force purchased surveillance cameras from Virginia-based Ekoam Systems, a federal IT vendor, for LNE8950ABW model cameras ostensibly made by Lorex, a video surveillance supply company with offices in Maryland and Ontario, Canada, that was in fact acquired outright by Dahua in 2018. In reality, the LNE8950ABW is made by parent company Dahua, as is immediately apparent by looking at both of them and noticing that they are identical down to the placement of screws. That companies are willing to sell blacklisted products to the Army or Navy is one thing, but that three branches of the military apparently aren’t checking whether they’re buying these products suggests that either the threat these cameras present is overblown or that the military isn’t doing enough to counter it. Ekoam did not respond to requests for comment. SPS Industrial, which sold the Air Force two Hikvision security camera systems in 2019, told The Intercept that it “goes above and beyond the minimum” sanctions compliance guidelines, and that “the equipment you have referred to is being destroyed and a full refund has been offered to the Government.”
A Lorex spokesperson told The Intercept that “It would be inaccurate to describe our company as ‘rebranding’ Dahua products,” but that rather, “Like many companies across many different industries, Lorex’s business model is and always has been based on bringing to market security solutions specified and designed by Lorex, that are manufactured by other manufacturers from around the world, making them conveniently available to consumers and businesses in North America.” Additionally, a Dahua spokesperson contacted The Intercept to add that “The decision to acquire Lorex was not based on any consideration of U.S. foreign or trade policy.”
Congress and the Trump administration’s crackdown on these firms came amid years of anti-China rhetoric and trade warfare. The 2019 NDAA described Dahua and Hikvision as a menace to “public safety, [the] security of government facilities, physical security surveillance of critical infrastructure, and other national security” goals. It reflected fears that China exports deliberately sabotaged (or “backdoored”) products that will grant invisible access to the country’s spies. “We must face the reality that the Chinese government is using every avenue at its disposal to target the United States, including expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors,” said Rep. Vicky Hartzler, a Republican from Missouri who helped write the NDAA amendment that banned Dahua and Hikvision. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities and my amendment will ensure that China cannot create a video surveillance network within federal agencies.”
“Surveillance equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities.”
In the case of Huawei, named U.S. officials have publicly stated that intelligence indicates the company has backdoors into mobile phone networks globally, but the evidence remains classified and unavailable to the public. The U.S. government has itself used sales of computer hardware internationally as a vector for surveillance, a type of spying known as a supply chain compromise.
As for Hikvision and Dahua, security researchers have discovered serious security vulnerabilities in their cameras, but the possibility that these software holes were placed there by or at the behest of the Chinese government remains a matter of speculation, and the U.S. government hasn’t made any public allegations of backdooring by either company. Though Federal Communications Commission Acting Chair Jessica Rosenworcel stated that both firms “pose a threat to U.S. national security or the security and safety of Americans” as recently as March, according to a report by Reuters, the comment came without any evidence. Moreover, the U.S. private sector has provided its own examples of how insecure internet-connected security cameras can be. In March, for example, Bloomberg reported that hackers had gained remote access to thousands of cameras sold by California-based surveillance firm Verkada.
In addition to the NDAA ban, the Commerce Department’s “Entity List,” managed by its internal Bureau of Industry and Security, bars American firms from selling directly to Dahua and Hikvision on human rights grounds; the companies have been involved in building ubiquitous surveillance networks used to track and repress China’s embattled Uyghur ethnic minority. Although the list does not bar U.S. agencies from doing business with the companies, the fact that the federal government is sourcing surveillance equipment that comes from the very businesses it has deemed complicit in human rights abuses would seem to undermine the spirit of the list and potentially embarrass the agencies.
Experts said the federal government ends up purchasing blacklisted hardware because its lacks sufficient mechanisms to enforce laws around purchasing. Sales to U.S. agencies are facilitated through a self-regulatory honor system; while vendors must certify that they aren’t peddling prohibited items — like Hikvision surveillance cameras — the GSA isn’t equipped to vet the millions of listings on its marketplace, leaving government shoppers to take self-certifications of sanctions compliance at face value. As Global Data Center VP Chris Davis put it, “We were reliant and trusting of the product info they provided and advertised to us, as is industry standard.”
This reliance on attestation is what lets Western companies get away with presenting themselves as “manufacturers” of Chinese tech when what they’re really doing is reselling it. According to Buczek, the federal contracting consultant, companies can only claim to have “manufactured” products originally created elsewhere if they assert that they’ve added a “substantial transformation” to the original, a standard that’s deeply vague but that in other contexts typically is meant to describe the process of, say, assembling disparate parts into a laptop, rather than just slapping a new logo on a Hikvision camera. Here again the GSA is trusting companies to honestly regulate themselves: “They’re declaring, ‘We’re the manufacturer,’” said Buczek, “and then they’re just sliding through to see if GSA is going to investigate it, and nine times out of 10, GSA will not.”
Christian Nagel, a government contracts attorney with Holland & Knight specializing in defense acquisitions, told The Intercept that while standards vary as to how much latitude a company has to claim it has “manufactured” a product built elsewhere, “it is pretty clear-cut that a company can’t make merely cosmetic or repackaging changes and consider itself to have manufactured the product.”
The ultimate legal blame for the federal government’s purchase of equipment it is banned from purchasing may well lie with the sellers. “In this scenario, the reseller certainly could face liability,” said Nagel, including through the False Claims Act, and so could the original manufacturer, “if the manufacturer reasonably should have known that the reseller was planning to sell relabeled equipment to the federal government.”
Nagel added that “my experience has been that most federal contractors are very conscientious of their obligations” but that “almost every day brings examples of contractors who face steep financial and/or criminal penalties as a result of not taking their compliance obligations seriously.”
Putting aside the question of whether the equipment in question actually poses a genuine threat to national security, the difficulty in finding someone involved in the procurement process willing to go beyond lip service, shrugging, and finger-pointing is deeply revealing: The buck always appears to stop somewhere else. It’s clear that the way the distended government procurement process overlaps with the sprawling global electronics supply chain and with congressional purchasing mandates has a tendency toward confusion and incentives for ignorance. When a product works well and doesn’t cost much, there’s a little incentive to actually figure out what it is you’re buying and selling. But at a certain point, the United States will have to determine whether its appetite for imposing sanctions will be matched with robust enforcement mechanisms to match its rhetoric. If so, it may warrant someone in the process taking out a screwdriver every now and again.
Correction: July 22, 2021
A previous version of this article misattributed a quote from the U.S. Army; it was provided by Lt. Col. Brandon Kelley.