By Anna Lehman-Ludwig
As concerns have grown in recent years about the economic, national security, and human rights risks posed by Chinese technology firms, the United States has responded by banning or restricting the way many Chinese firms can operate in the country. Around the world, other governments are taking similar measures, citing security risks due to these companies’ alleged ties to the Chinese Communist Party (CCP). Many Chinese firms, like Hikvision, Huawei, and TikTok, have pushed back on these measures, asserting their independence from the Chinese government. However, questions remain about how susceptible these companies are to Chinese influence, and how countries can evaluate these risks to calibrate their policy measures according to the actual dangers posed to citizens and their data. In making this risk calculation, one of the most important questions regards the corporate governance structure of Chinese firms.
An illustrative example of a Chinese firm whose corporate governance raises significant concerns about Chinese influence is Hikvision. The Hangzhou-based Hikvision is the world’s leading video surveillance equipment supplier, with revenue of over $7 billion in 2018. The United States has raised a number of concerns about the security risks posed by Hikvision, however, and has leveraged a number of restrictions against the company in recent years.
One of the most powerful policy tools the United States has to act against Chinese firms it deems risky is to add them to the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) Entity List – making these companies subject to specific licensing requirements for exports. Companies on BIS’ Entity List “have been determined by the U.S. Government to be acting contrary to the foreign policy interests of the United States.” In October 2019, Hikvision was added to the entity list amidst growing concerns that the Chinese government would be able to use Hikvision technology to spy on or collect data from individuals outside of China. Western leaders have expressed concern over Article 7 of the Chinese National Intelligence Law which reads, “Any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law.” In calling for limits on Chinese tech companies’ presence in the U.S. and other Western countries, policymakers often cite Article 7 and raise concerns over companies’ limited ability to resist requests for information from the CCP.
Hikvision has not been allowed to sell its products to U.S. government agencies since August 2019, and the White House is in the process of finalizing a federal contractor ban for Hikvision and four other companies. Given Hikvision’s deep-seated integration with the CCP, the recent scrutiny is not unwarranted: Hikvision’s founding, controlling stakeholders, and leadership structure are all inextricably connected to the Chinese government.
The People’s Republic of China (PRC) is the controlling stakeholder of Hikvision, with 41.88% ownership. The state-owned China Electronics Technology Group (CETC) controls these shares through its subsidiaries, the China Electronics Technology HIK Group Co., LTD (CETHIK) and CETC No. 52 Research Institute. Hikvision disclosed that these CETC-owned enterprises are shareholders, but still brands itself as an “independent” corporation. However, as IPVM reported in 2017, the labelling of these CETC subsidiaries as simply shareholders minimizes and obscures the control the Chinese government actually has over Hikvision. CETHIK includes Hikvision’s revenue and employees in its own reported metrics, and the two supposedly independent corporations have the same leadership and governance structure. Chen Zongnian is not only the CEO of Hikvision, head of the 52nd Institute, and Communist Party Secretary of CETHIK, in 2018 he also joined the National People’s Congress. Hikvision’s own 2015 annual report makes clear the nature of CETC and the State’s involvement: the controlling stakeholder is labeled “Central State-owned,” while the corporation, called “the actual controller,” is described as a “Central State-owned assets management agency.” It is difficult to discern where Hikvision begins and the CETC ends.
The close ties between the CCP and Hikvision suggest that Hikvision will be able to exert influence in Beijing, and may be quick to cooperate with government requests for information. Government contracts helped launch Hikvision: in 2008, the surveillance company helped with security at the Beijing Olympics, and in 2011 Hikvision signed a $1.2 billion deal to create a safe city in Chongqing. Between 2016 and 2017, Hikvision signed deals worth $272 million with the police in the Xinjiang Uighur Autonomous Region, where Uighur Muslims are subject to invasive security measures.
While the United States is now taking action to limit the presence of Hikvision technology in government agencies, that hasn’t always been the case. In August 2016, the U.S. Embassy in Afghanistan put out a federal bid for security cameras, with the stipulation that only Hikvision products would be accepted. Stephen Bryen, an international affairs and cybersecurity expert, expressed concerns about the purchase of Hikvision cameras by the U.S. Embassy in Kabul. Bryen warned of security risks, lamenting that Hikvision products are not secure, and that “installing [Hikvision’s] commercial cameras in one of the [United States’] most sensitive locations…is a big mistake.” IPVM also reported on the bid, calling it “a risk for the US government to be deploying Chinese government controlled surveillance cameras into high security federal facilities.”
In November 2016, Hikvision cameras were removed from the Kabul embassy.
Security experts have long alleged that Hikvision technology is insecure, and that poorly-written code could allow unauthorized users to access cameras’ metadata and video footage. The main risks concerning Hikvision’s questionable cybersecurity track record are well founded. Hikvision cameras were hacked in the Chinese province of Jiangsu in March 2015 and DVR technology in Hikvision cameras was co-opted in 2014 to mine for bitcoin. Some fear that backdoors in the technology could grant the Chinese government access to all Hikvision footage, whether captured domestically or abroad. In May 2017, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory revealing the presence of a backdoor into Hikvision cameras that was classified as “remotely exploitable/low skill level to exploit.” The researcher who discovered the loophole, Monte Crypto, confirmed that the backdoor “allows unauthenticated impersonation of any configured user account.”
Though Chinese intelligence operations are not always visible, there seem to be real risks involved in installing Hikvision and other Chinese technology in our most sensitive institutions. The discovery of easily exploitable backdoors, as well as Hikvision’s inextricable links to the CCP, suggest that it is highly possible that the Chinese government has access to footage captured by Hikvision cameras, which could be used to build dossiers on Chinese nationals abroad and punish them at home, or to collect information on other countries’ national security infrastructure.
While the addition of Hikvision to the entity list and the federal contractors ban are positive steps, they may be too little too late. In October 2019, more than 2,700 Hikvision cameras were reportedly still in use across the federal government, despite the numerous DHS warnings about Hikvision’s security vulnerabilities. The technology is found in police departments and on army bases throughout the country, potentially exposing our most sensitive information to the Chinese government.
The increased scrutiny of Chinese owned companies in recent months raises questions about how the U.S. might respond to these companies’ operations and mitigate the risks posed to American users. As the U.S. government considers weighs potential bans and export controls, it must closely consider the unique governance structures of these corporations in order to effectively evaluate the risks they pose and to implement proportionate controls and countermeasures.
Anna Lehman-Ludwig is a research intern with the Technology Policy Program at the Center for Strategic and International Studies in Washington, DC.
No comments:
Post a Comment