Hikvision cyber chief rubbishes spying claims, sets record straight

New Zealand Security Magazine, December 2018 - January 2019

Chuck Davis: Misinformation is dangerous because people focus on the wrong issues.

Amid sensationalist media allegations of back-door vulnerabilities and Chinese government snooping, Hikvision director of cybersecurity Chuck Davis talks to editor Nicholas Dynon about the company’s less widely reported cyber efforts.

With more than 20 years’ experience building world-class cybersecurity programs for large enterprises, Chuck Davis joined Hikvision as director of cybersecurity in North America in 2017. Chuck came to Hikvision from IBM, where he was executive security architect.

Holding seven US patents and numerous certifications, including the CISSP-ISSAP, he is on the SIA Cybersecurity Advisory Board and is an ISSA senior member, having also held the position of ISSA Chapter President. Chuck is also an adjunct professor of computer science and ethical hacking at the University of Denver.

NZSM: A number of influential media outlets appear to promote the proposition that Chinese-made security tech products are less cyber-secure than US or European-made. What are your thoughts on this?

CD: We adhere to all cybersecurity laws and regulations of the markets in which we operate, and we strive to offer the most secure products.

In fact, Hikvision was one of the first companies in the industry to eliminate the “plug and play” model by requiring passwords to be reset at the time of first use, replacing all factory-set defaults and establishing an additional layer of security.

In March 2017, for example, a security researcher found a vulnerability and reported it to Hikvision the next day. Six days later, Hikvision released a firmware patch, notifying integrator partners via a special bulletin and the public via notices on our website.

The Department of Homeland Security then released an ICS-CERT notification in May 2017 confirming that a vulnerability was found and that the updated firmware previously released had resolved the issue. Hikvision was pleased to work with DHS throughout the whole process.


This event was confirmed by Richard Driggers, Deputy Assistant Secretary for DHS’ Office of Cybersecurity and Communications during the US House of Representatives Small Business Committee hearing in January 2018.

Below are other select examples of our cybersecurity certifications, initiatives and our commitment to transparency:

  • Hikvision’s encryption module for IPCs and NVRs has been granted certification for Federal Information Processing Standard (FIPS) 140-2, a US government standard established by the National Institute of Standards and Technology (NIST).
  • Some Hikvision products have achieved the certificate of Common Criteria for Information Technology Security Evaluation, one of the most widely recognised international standards in information technology security.
  • Hikvision is also a CVE Numbering Authority and part of the family of global companies who maintain the CVE vulnerability library.
  • In March 2018, Hikvision opened a Source Code Transparency Center at its US headquarters in California that allows US and Canadian government and law enforcement agencies to review the computer code used in our products.
  • Hikvision worked with the US-based cybersecurity company Rapid7 in 2015 and in September 2017 when it conducted a penetration test on two Hikvision cameras and two NVRs, finding no critical vulnerabilities.
  • Furthermore, in March 2018, Hikvision announced a partnership with the security lab Brightsight to serve as its lab of choice for Hikvision’s range of security products.

NZSM: New Zealand is a member of the ‘five eyes’ grouping along with the US, UK, Canada and Australia. Moves are afoot among many of these countries to ban Chinese tech from government contracts deemed to be of national security significance (such as Australia’s recent Huawei 5G ban). Is it possible that manufacturers like Hikvision might spy on behalf of the Chinese government?

CD: Hikvision is a publicly traded company on the Shenzhen stock exchange, which means we are subject to public scrutiny of our operations and finances.

Hikvision products in the US and EU are all sold via a distribution network to integrators who then install them at end-user facilities. In most cases, Hikvision does not know where the products are eventually installed and Hikvision cannot access any end user’s data.

The only time Hikvision may access a system is when called upon for technical support.

In New Zealand, there have never been any real allegations or evidence of spying brought against Hikvision, so it is unfair to group us with other Chinese tech companies in that context.

NZSM: You’ve been director of cybersecurity for Hikvision North America since around April 2017, having come from IBM. What has been your biggest challenge in the role?

CD: I joined Hikvision USA and Hikvision Canada as the Director of Cybersecurity in September 2017. My team has accomplished a lot in the past year, but I would say that the biggest challenge has been raising awareness across the industry.

We have seen so much misinformation being reported regarding cybersecurity and vulnerabilities, and that is dangerous because people focus on the wrong issues.

IP video cameras and recorders are actually computers. All computers have vulnerabilities, so all IP cameras and recorders have, and will continue to have, vulnerabilities. In the same way that our Windows, macOS, Android and iOS devices get security patches every month, IoT devices also need to be patched and updated regularly.

This requires thinking differently about IoT devices. The IP camera on the wall is a video camera in the physical world, but when you plug it into an IP network, it is a Linux web server, and we have to manage these devices as Linux web servers.

Getting people to understand this concept is not necessarily difficult. However, getting an entire industry to shift its perspective is a challenge, especially when there is so much misinformation being spread.

NZSM: What is your vision for Hikvision’s cybersecurity, and how close is Hikvision to achieving this?

CD: I see Hikvision continuing to lead the industry in adopting the cybersecurity best practices that IT companies like Microsoft, Apple, Google, Intel and others use. In the past year Hikvision has really invested in cybersecurity, and it shows. Over this period, Hikvision has:

  • Worked with third party ethical hackers to test our products.
  • Released a Cybersecurity whitepaper, a camera security guide and recorder security guide.
  • Toured North America and Australia and New Zealand with a cybersecurity road show.
  • Announced that Hikvision has been accepted as a CVE Numbering Authority (CNA).
  • Hikvision’s HSRC became a member of FIRST, which is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.
  • Opened the Source Code Transparency Center in the US.
  • HikSSL, which is Hikvision’s implementation of the encryption behind https connections, was certified by the United States National Institute of Standards and Technology (NIST) with the FIPS 140-2 Level 1 certification.
  • Welcomed my being named to the SIA Cybersecurity Advisory Board.

We have been very busy, and there is still a lot of work to accomplish. The video surveillance industry needs to change; manufacturers need to become IT companies, resellers and integrators need to become IT and networking savvy, and end users need to realise that these devices are computers and require protection from the dangers of the Internet. This includes patching and applying network security best practices.

In terms of achieving our vision, it is important to remember that cybersecurity is a journey, not a destination. From a cybersecurity standpoint our work is never done. We continually strive to provide the same world class cybersecurity service that you get from major software companies like Microsoft, Apple and Google.