China-made surveillance camera fears extend beyond Canberra

By Julian Bajkowski

February 10, 2023

Defence minister Richard Marles. (AAP Image/Mick Tsikas)

Who controls which surveillance cameras can be used by federal government agencies — and critical infrastructure holders — remains a grey area that falls between multiple security agencies overseeing physical, electronic and cyber security, say people familiar with national security concerns.

As defence minister Richard Marles was pushed onto the back foot on Thursday after confessionals by government departments using Chinese surveillance hardware were aired by Victorian opposition senator James Paterson, explicit guidance for agencies on surveillance remains mixed at best.

For the government, this was an ambush hiding in plain sight, given that Paterson has been badgering any and every agency he can through the questions on notice process to compile his dossier of delinquent departments using Chinese kit rapidly being banned in the Five Eyes network.

They don’t call the senate a ‘house of review’ for nothing.

Paterson’s timing was adroit. On the morning of the day former robodebt minister Alan Tudge, a Victorian MP, announced he will leave the federal parliament, a full-pelt political defence and foreign policy curve ball came hurtling down the wicket, just in time for senate estimates. The issue is likely to burn for weeks.

The Huawei Show (repeat)

The problem government agencies are facing is a steadily shifting security posture on the use of Chinese manufacturers like Hikvision.

Hikvision, along with Dahua, has come to dominate so-called CCTV (closed circuit television), which these days actually runs on internet protocol (IP) and over wireless networks.

(In security circles there is an observation that CCTV also stands for China Central Television, a reference to the state-run national broadcaster with a reach in the billions.)

If this latest scandal feels like a repeat of the Huawei controversy, that’s because it is. The connection of security systems to the internet is half of the problem, and foreign ownership multiplies that.

The real reason Hikvision and friends are having their plugs pulled is assessments by western intelligence agencies that Chinese firms can, if directed, be legally required to serve the interests of the Chinese government.

When confronted by the Huawei dilemma, Malcolm Turnbull lamented that non-Chinese enterprise-grade switch manufacturers had simply vacated the field, leaving no competitive alternatives and a void that was quickly filled.

As cameras became commoditised, they proliferated. Today, price dilution to achieve a dominant market share is seen as a broader acquisition strategy by PRC economic interests guided by the state.

This is seen as part of an overall strategy to get China to level up with the west technologically, and on its own terms where it can make or break markets, as opposed to being captive to them.

To the victor go the spoils

What Huawei achieved in commoditised telco kit, Hikvision has achieved in surveillance, making a highly competitive product that now largely dominates the market. The Mandarin talked to four security practitioners who all said the Hikvision “issue” had been hanging around since 2017-18.

All stressed that the potential security holes that could be exploited were not just present in the two companies cited by Paterson, but also in other systems made in both Taiwan and China. Alternative ‘white-listed’ products that had been security evaluated and cleared for use were comparatively expensive and sometimes dated by the time they cleared evaluation.

And there isn’t a lot of non-Chinese kit left out there, with Hikvision’s systems being pretty much best in class.

“It’s cheap and it works,” said one security expert. Another pointed out that evaluations in the corporate space started noticing problems with firmware updates back in 2018.

Who makes the call

At a technical level, if camera systems are regarded as ‘physical security’, that’s the territory of the Australian Security Intelligence Agency, which regulates locks, containers (safes), doors, etc., that need to comply with national security standards. For a fee, ASIO will also sweep for bugs and listening devices.

The Australian Signals Directorate guards against hacking and regulates cryptographic standards.

But this is a little above the stock-standard video systems used in and around office complexes that are usually run by building security, or those in car parks, which practitioners said are often fairly easily detected and accessed using WiFi tools.

The video networks typically run multiple compressed streams down a single link, but these can be unpacked using easily available tools that decode common protocols.

The consensus seems to be that dealing with the Hikvision issue is not specific to one agency but the security apparatus as a whole.

One observation was that tightening up networks, at a corporate and government level, had both costs and benefits across law enforcement and intelligence agencies.

Another was that basic AI was now being fused with video for applications like facial recognition, object recognition (mobile phone detection cameras), movement signatures (fights, brawls, injuries) and vehicle recognition (otherwise known as automatic number plate recognition) used in tolling.

One practitioner questioned where number plate data harvested from shopping mall car parks went, and who had access.

See no evil, speak no evil

Aside from the awkward systemic dependency and inconvenient foreign government links, everything was ticking over fairly smoothly for government owners of Hikvision video systems until senator Paterson started publishing lists in answers to Questions on Notice.

Three primary national security questions arise: is there a remote access vulnerability, is it known, and is it being exploited? The first is never publicly answered, and the second and third trigger immediate alerts.

State governments contacted essentially said they would take their lead from Canberra on national security through well-established channels.

Again, private industry sources have told The Mandarin of concerns surrounding Hikvision, primarily around firmware and controllers, dating back five years.

Of course, the Chinese government and manufacturers and technology developers have been developing biometric and facial recognition for years for applications like state security and social credit.

There have also been questions raised in technical circles as to whether surveillance systems can be used to racially or ethnically profile people using either facial features and/or skin tone. This may not be permitted in democratic states, but such limits do not apply to authoritarian regimes.

With security a major business sector in its own right — Bunnings, JB HiFi and plenty of other retailers sell home surveillance — those selling security services need to be competitive to stay afloat.

Facing reality

One security expert prepared to go on the record is Daniel Lewkovitz, founder and head of private firm Calamity Monitoring, which specialises in commercial, home and health monitoring using a range of technologies.

Lewkovitz reckons the latest controversy over Hikvision has been brewing for a while.

“Government departments have now received a very long overdue wake-up call for potential threat surveillance equipment that is manufactured by companies owned by the Chinese Communist Party (CCP),” Lewkovitz said.

“The threats to information security of these organisations [public and private] comes from the fact that these cameras are almost universally connected, at some point, to internal networks, which potentially creates a backdoor into the network.”

Lewkovitz said the CCP always reserved the right to tell Chinese companies what to do.

“A secondary issue is that these companies and their products have been directly, actively and massively involved in the surveillance and oppression of persecuted minority groups in China.

“There is an ethical question as to whether the Australian government and indeed private sector, the security industry and anyone else in Australia should be doing business with companies that actively engage in acts of genocide,” Lewkovitz said.

