What You Need to Know about the Future of NDAA Compliance
Over the past several years, the United States and China have been engaged in a series of regulatory sanctions regarding the creation and control over data captured by hardware and software products. While the situation is still evolving, the Trump administration, Congress, and the Department of Commerce have made their stance clear.
“Bad actors are persistent in trying to infiltrate US networks – often exploiting technologies from the identified Chinese companies to do so.” Wilbur Ross, U.S. Department of Commerce Secretary
In 2018, the United States Congress made waves in the physical security industry with its decision to ban government use of telecommunications equipment made by specified Chinese manufacturers. This rule was motivated by concerns over politically motivated cyber attacks, specifically those exploiting a potential “backdoor” in Chinese-made components.
In 2020, the House of Representatives approved the IoT Cybersecurity Improvement Act, which regulates the purchase of connected devices based on their cybersecurity features and vulnerabilities. IoT devices have long been seen as a security risk due to their inconsistent security protections. For this reason, the National Institute of Standards and Technology (NIST) has been tasked with outlining standardized rules for the safety of connected devices, starting with those purchased by federal bodies.
Who is Impacted?
These hardware bans, while on the surface applying only to government agencies, have farther-reaching consequences than they appear. The NDAA bans the procurement, maintenance, and use of restricted technologies by "executive agencies," a category that ranges from the Office of the President across the various executive cabinet organizations, such as the Departments of Defense, Education, Commerce, and the Interior. Every organization is unique in its compliance needs and funding model. Even if your particular organization is not directly affiliated with one of these federal bodies, you may still need to comply with NDAA rules if you wish to continue receiving federal grants or to renew a government contract.
Earlier this year, Congress approved the yearly National Defense Authorization Act which expanded the federal banlist to include certain mobile apps developed and managed by Chinese companies. Notable among these is WeChat, a popular multipurpose messaging app developed by Tencent Holding Ltd. Tencent is one of several conglomerates that are under investigation for ties to the Chinese Government.
In his executive order describing the ban, President Trump had this to say:
“WeChat automatically captures vast swaths of information from its users. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”
The implication of these words is clear.
This is no longer simply an issue of governmental secrecy or of specific hardware security. These actions are the beginning of a global movement towards more stringent evaluation of who controls the source code and data of all hardware or software products.
Some 19 million Americans use WeChat on a daily basis, generating an immense amount of personal data.
This statistic raises the questions: who owns this data? Where is it being stored? Items such as username/password pairs could pose a massive and widespread security threat if captured by a malicious entity. Password reuse is “a ticking time bomb,” and nation-state actors with comprehensive access to millions of credential pairs could be the catalyst that sets it off.
A recent example of data misuse involves Tencent, which came under fire for misrepresenting its WeChat data policies, including the fact that it must retain private data for six months in order to assist in law enforcement action.
Case Study: GoldenHelper Spyware
In July of this year, the FBI issued a warning to US companies about a potential malware backdoor found in the Baiwang Tax Control and Intelligence Tax programs. These programs are the only government-authorized software to operate the Chinese value added tax (VAT) system. The use of either software is required by the China Tax Bureau in order for US companies to operate within China’s market. Both companies operate the VAT system under the management and oversight of the state-owned National Information Security Engineering Center (NISEC). The NISEC has foundational links to the 3PLA, China’s primary
The backdoor malware contains characteristic hashes that identify it as GoldenSpy, believed to be an improved version of 2019’s GoldenHelper virus. This particular strain of malware “was designed to provide cyberactors with unfettered access to victim networks and is believed to have been around since 2016.”
Based on the nation's historical interest in these sectors, the FBI specifically directed its warning at US companies in the healthcare, chemical, and finance sectors operating in China.
What should your takeaway be?
In this dynamic and unpredictable global climate, new security regulations may be on the horizon at any time. This means that responsible organizations must be knowledgeable and up-to-date about how their data is being collected and used. Simply because a vendor is located in an approved country does not mean that they have you and your data’s best interest at heart.
That’s why it’s more important than ever to evaluate vendors and their approach to data security if they manage, store or interface with private organizational data. A thorough audit, especially if you’re in the process of installing a new technology, will help you identify whether or not they’re held accountable to the protection of your information. It also builds the partnership on a foundation of trust, knowing that both parties share the responsibility of keeping data safe.
How do you know if you’re affected? If you receive federal funding or provide services to a federal organization, it is highly likely that you have already dealt with the increasingly strict regulations around device manufacturing. Additionally, if you hope to create or renew a government contract in the future, you may likely be held accountable to the same compliance requirements of government entities and associated subsidiaries.
Regardless of the industry you’re in, understanding these trends, as demonstrated through recent bans, should not be an oversight. Proactively understanding the implications of ever-changing laws around data security could offset urgent, time-sensitive and cost-intensive replacements of your hardware and software solutions.
What should you look for in choosing a vendor?
Purchasing connected devices and software in this day and age is a process with some inherent uncertainty. That’s why it is highly important that you put time into evaluating the available providers before making a major purchase. By finding a quality vendor who looks at data security and privacy the right way, much of the responsibility of protecting your organization will be abstracted away.
Compliance: Most telecommunications companies have published a public statement regarding their compliance with section 889 of the 2019 National Defense Authorization Act. This article about the act compiles most major camera manufacturers’ written materials on the subject and features links to their company policies regarding compliance.
Hardware/Software Sourcing: Ultimately, the relevant regulations of the 2019 and 2021 NDAAs come down to restricting where hardware and software components can be acquired. Hardware components as well as software services can become deprecated over time and turn into serious security risks for an organization. Look for vendors that are transparent in reporting where their hardware and software components were sourced from.
Attitude Towards Data Ownership: In addition to their oversight of hardware and software management, it is important to research how a vendor handles user data. Manufacturers may use only approved parts and software but still hold a dangerous or anti-consumer perspective on data rights. Users should seek to retain as much operational control over their data as possible, especially when dealing with high-security devices such as surveillance cameras.
Verkada’s Approach to Data Ownership and Security
In an era where control of personal data is increasingly being taken away from the user, Verkada aims to give as much of this control back as possible through transparent and easy-to-understand data policy.
Hardware and Software Policy
All Verkada hardware and software is designed by our teams in San Mateo, California. Our teams have complete control over the software development lifecycle, and no component or service is written or introduced without thoroughly vetting it for performance, reliability and security.
On the hardware side, all of our devices are made in Taiwan to our specifications by our trusted manufacturer partners, who themselves have in place strong compliance guidelines on privacy and cybersecurity. We have complete control over the firmware that is loaded onto each device and have incorporated 256-bit SHA2 HMAC cryptographic integrity checking to ensure that only authorized Verkada software is uploaded to our devices.
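As an added illustration of the kind of HMAC-SHA256 firmware integrity check described above (example code written for this page, not Verkada’s own implementation, which is not shown), assume a hypothetical image layout of a magic/version/length header, the payload, and a 32-byte tag appended at the end; the key below is a constructed test value:

```python
import hmac
import hashlib
import struct

HEADER_FMT = ">4sII"          # magic, version, payload length (assumed layout)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32                  # HMAC-SHA256 tag length in bytes
MAGIC = b"FWIM"               # hypothetical image magic


def seal_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Build header || payload || HMAC-SHA256(key, header || payload).
    The tag covers the header too, so version and length cannot be
    changed without invalidating it."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes, min_version: int = 0):
    """Return (accepted, reason, version). Structural checks run first,
    the tag is compared in constant time, and the anti-rollback check
    only trusts the version field after the tag has verified."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "truncated", None
    magic, version, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        return False, "bad magic", None
    if len(image) != HEADER_LEN + length + TAG_LEN:
        return False, "length mismatch", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag", None
    if version < min_version:
        return False, "rollback", version
    return True, "ok", version


# Constructed demo key and image; a real device would hold the key in
# protected storage rather than in source.
DEMO_KEY = b"constructed-test-key-not-a-real-secret"
DEMO_IMAGE = seal_image(DEMO_KEY, 3, b"constructed firmware payload")
```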
This means that Verkada customers can be confident in the creation and management of our devices. Our products comply with the NDAA, meaning that they can be used without fear by federal bodies, federal grant recipients, and organizations that maintain government contracts. The Verkada Dome, Mini, and Bullet Series of cameras utilize US-based Ambarella chipsets, which makes them compliant with even the most stringent industry regulations.
Verkada puts control back into the hands of the user by offering a variety of privacy options. These policies apply to all Verkada employees and partners.
We believe that the data your organization generates is your own, and that you should have complete control over who accesses it. Under no circumstance do we share personal information for any commercial or marketing purpose unrelated to the activation and delivery of your device.
To learn more about Verkada’s stance on data privacy and our relevant policies, read our trust page.