In the past few years, the United States has made more moves against technology companies that are based in China or backed by the Chinese government. To name a few:
- Hikvision – IoT cameras
- Dahua – IoT cameras
- iFlytek – voice recognition software
- Megvii – image recognition and deep-learning software
- SenseTime – facial, text, and image recognition, object detection, medical image analysis, and more
- Yitu Technologies – facial and speech recognition, natural language processing, and more
- And attempts to ban Huawei – telecommunications equipment
In late 2019, in response to the discovery of backdoors that facilitated communication between cameras made in China and destinations inside China, the U.S. government amended the National Defense Authorization Act to prohibit the U.S. government from purchasing and installing Chinese-made surveillance cameras. Other governments around the world followed suit.
Along with the NDAA amendments, the government advised that all federal agencies would have to remove the devices by August 13, 2019. At last check, there were still thousands of the devices in service. Once deployed, it seems, the cameras have been difficult to account for—despite a Department of Homeland Security mandate that federal agencies be able to track every device attached to their networks.
“There are all kinds of shadowy licensing agreements that prevent us from knowing the true scope of China’s foothold in this market,” The Freedonia Group’s Peter Kusnic told Bloomberg News. “I’m not sure it will even be possible to ever fully identify all of these cameras, let alone remove them. The sheer number is insurmountable.”
Depending on who you ask, by 2025 there will be between 41.6 billion and 83 billion IoT devices deployed to networks worldwide. The vast majority of these devices were designed for consumer ease of use rather than with security in mind. Both can coexist in an ideal world, but for IoT devices that is very uncommon. These devices often have obsolete or unsupported operating systems, unpatched vulnerabilities, and a lack of proper communication protocols.
As we know from the experience of the federal government, once these devices are deployed they can be difficult to find, making it nearly impossible to remove them if needed. Organizations continue to struggle to ensure that all connected devices are accounted for, and the U.S. government is now attempting to do that through a number of directives from the National Institute of Standards and Technology (NIST) designed to ensure secure deployment, management, and operation of all network-connected devices. These include standards like the NIST Cybersecurity Framework (CSF) and the Federal Information Processing Standard (FIPS) 140-2, requiring validated cryptography for device communications.
But the U.S. federal government’s experience with Chinese surveillance cameras illustrates the issue of unmanaged devices – one that every organization must grapple with. How do you find and secure the devices that are putting your organization at risk (Mirai, dark_nexus, malware, C2 takeovers, etc.)?
To find out more about how Ordr can help your organization discover and classify all network devices, identify high-risk devices (CVEs, FDA recalls, etc.), and give your team the ability to assign policies that protect your enterprise, or how we are the only IoT security company to support both NIST CSF and FIPS 140-2, click here.