When Sanctions and Cybersecurity Collide
Compliance professionals talk constantly these days about cybersecurity, third-party risk, and sanctions compliance. Now we have an example from the news that is one headache-inducing brew of all three — and also, I fear, a harbinger of compliance and risk challenges to come.
The company in question is Hikvision, a Chinese maker of security cameras. Last year Congress passed the National Defense Authorization Act, which bans the use of Hikvision cameras by U.S. government agencies, for fear that the Chinese government might hack into the cameras to spy on American interests.
The deadline to comply with that ban is Aug. 1. Spoiler alert: government agencies aren’t going to meet that deadline, because nobody is sure how many Hikvision cameras are connected to government networks or where those cameras are.
An article in the Financial Times has the full tale of compliance failure here. An IT forensics firm identified nearly 2,400 security cameras manufactured by Hikvision and other banned Chinese companies that were still operating on U.S. networks as of July 23.
The total number of cameras is probably even larger, the FT says, because not all government agencies use that forensic firm’s detection services. The FT found Chinese security cameras operating on U.S. military bases and police forces, some of which had purchased the cameras even after federal law banned the equipment last year.
The cameras are cheap, easy to buy, and easy to use. I located a U.S. distributor of Hikvision equipment in less than a minute, ready to ship me a Wi-Fi-enabled camera today for $210. Hikvision, along with fellow Chinese companies Dahua, Huawei, and Hytera, all sell hundreds of models online. Anyone can buy them with a computer terminal and a few keystrokes.
The fear, of course, is that the Chinese government has planted security bypasses into the cameras’ software, so Beijing could hack into the cameras without the owners knowing. (Fun fact: the Chinese government owns 42 percent of Hikvision.) It’s the same fear that supposedly led the Trump Administration to ban Huawei telecom gear on U.S. networks, although President Trump has also said he’ll lift that ban if China gives him a favorable deal on trade.
Snapshot: The Compliance Angle
So we have a third party, Hikvision, that has become exposed to sanctions risk, because of the cybersecurity risk that its products pose. There’s a bundle of compliance challenges for us to unpack here. (Yes, this Hikvision example applies to government agencies, but we can still use it to derive broad compliance lessons for all of us.)
First, does your company have any procurement policy about where its technology components come from? Do you even have a centralized procurement function? Because if you don’t have that centralized function, but employees do buy equipment that might fall under a sanctions ban, then you need internal controls around their purchasing activity.
That gets sticky quite quickly, because Hikvision cameras (and many other sanctioned components) are so easy to buy. An employee really just needs an internet connection and a payment card to cause all sorts of trouble. So do you have training to warn them against certain vendors? Do your payment cards block transactions with certain vendors?
And there’s more: If an errant employee buys equipment with his own credit card and submits it for reimbursement, can your expense policies and systems catch that? Do those controls ask for the right details, such as names of product manufacturers rather than just distributors, and for copies of receipts?
Even if you do have a centralized procurement function, that team needs to know which vendors sell what goods from prohibited manufacturers, so procurement’s ability to cross-reference suppliers to watch lists is critical. Policing against “Hikvision” in the payment system is easy; monitoring distributors such as B&H Photo, Graybar Electric, or Vegas Electric Supply (they’re all Hikvision suppliers) gets much more difficult.
The good news is that at least some of the steps necessary to intercept troublesome vendors and distributors are similar to what companies already do for anti-corruption compliance.
That is, when you receive an invoice from a high-risk third party, your payments function should be able to flag that invoice and block payment until some risk assurance function (compliance, procurement, legal) determines that, yes, this payment is permissible. That same capability needs to exist regarding vendors under sanctions or cybersecurity risk.
I’m not saying it’s easy. On the contrary, I suspect it will be harder than due diligence for FCPA risks, because it’s much easier for an employee to buy a piece of banned equipment than it is for an employee to hire a corrupt distributor in an emerging market. Vendors with sanctions or cybersecurity risk are more likely to get into your procurement process somehow — but the capability to stop payment before money goes out the door is the same, whether we’re talking about those risks or corruption.
The Bigger Risk Picture
I also love this Hikvision issue because it’s such a good example of the cross-disciplinary capabilities an organization needs to address cybersecurity risk effectively.
Go back to all those Hikvision cameras still connected to government networks. Yes, procurement policies failed to prevent the cameras from getting onto your network somehow — but that’s not surprising. As we said, the cameras are cheap, easy to order, and easy to install.
Well, if your procurement controls fail to prevent Hikvision cameras from getting onto your network, the compensating control is a method to find those cameras so you can remove them. But that’s the IT security department’s job. So now more questions come along: Does IT security know that Hikvision cameras are a risk? Does the security function have an ability to identify all devices connected to its network? Does it have procedures to remove banned devices, or at least block their access to data?
These questions are more for internal audit or risk management departments, but anyone can appreciate the complexity here.
A new regulatory policy (the ban on Chinese equipment) is forcing changes to procurement procedures, but any compliance failure there (an inability to prevent the use of Chinese equipment) will result in more operational risk (spying on your operations and data). So a risk assurance function that usually devotes its time to operations (IT security) will need to improve its capabilities to backstop potential compliance failure.
How do you assess the risk of all that, at an enterprise level? How do you decide the balance between stricter compliance up front and stronger IT security capability later? It’s a mess of risk that straddles compliance, audit, cybersecurity, procurement, and accounting functions, at least.
Moreover, as a big enterprise risk, this issue is only going to get larger. Wi-Fi-enabled devices will continue to get cheaper, manufactured by more firms, around the world. Other parties will be able to weaponize this technology against U.S. interests. U.S. regulators will use sanctions and regulatory enforcement as tools to strike back.
So if those Hikvision cameras are capturing anything, it’s the shape of things to come.