Posts Tagged ‘cybersecurity’

Singapore: Defence Minister to invite hackers to break into its Internet-connected systems to detect weaknesses

December 12, 2017


SINGAPORE – In a first for the Singapore Government, the Ministry of Defence (Mindef) will be inviting about 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems next year, in a bid to guard against ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of Mindef’s Internet-facing systems, such as the Mindef website, the NS Portal and LearNet 2 Portal, a learning resource portal for trainees.

These registered hackers can earn cash rewards – or bounties – between $150 and $20,000, based on how critical the flaws discovered are. Called the Mindef Bug Bounty Programme, it will be the Government’s first crowdsourced hacking programme.

This follows an incident earlier this year when Mindef discovered that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel through a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-Net system for Mindef and SAF personnel to connect to the Internet.

On Tuesday (Dec 12), defence cyber chief David Koh announced the new programme after a visit to the Cyber Defence Test and Evaluation Centre (CyTEC) – a cyber “live-firing range” where servicemen train against simulated cyber attacks – at Stagmont Camp in Choa Chu Kang.

On the significance of the “Hack Mindef” initiative, he told reporters: “The SAF is a highly networked force. How we conduct our military operations depends on networking across the army, navy, air force and the joint staff.

“Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems… Clearly, this is a fast-evolving environment and increasingly, you see that it is one that is of relevance to the defence and security domain.”

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr Koh, who is also deputy secretary for special projects at Mindef.

“Some countries have begun to recognise cyber as a domain similar to air, land and sea. Some have even gone so far as to say that the next major conflict will see cyber activity as the first activity of a major conflict,” he added.

Servicemen at the Cyber Defence Test and Evaluation Centre at Stagmont Camp on Dec 12, 2017. ST PHOTO: ALPHONSUS CHERN


While there will be some risks in inviting hackers to test the systems, such as an increase in website traffic and the chance that these “white hat” hackers will turn over discovered vulnerabilities to the dark Web, measures will be put in place.

“(If) we can’t even manage the increase in traffic, that in itself would be a vulnerability that we would need to address,” said Mr Koh.

White-hat hackers are those who break into protected systems to improve security, while black-hat hackers are malicious ones who aim to exploit flaws.

The programme conducted by US-based bug bounty company HackerOne is expected to cost about $100,000, depending on the bugs found. But Mr Koh noted that this would be less than hiring a dedicated vulnerability assessment team, which might cost up to a million dollars.

Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security Agency (CSA), said: “By embarking on a bug bounty programme, companies have the advantage of uncovering security vulnerabilities on their own by harnessing the collective intelligence and capabilities of these experts and addressing these vulnerabilities before the black hats do.”

In a statement, he added that the CSA is currently in discussions with some of Singapore’s 11 designated critical information infrastructure sectors which have expressed interest in exploring a similar programme for their public-facing systems.

Major Yiew Pie Ling (centre) taking Mr David Koh, deputy secretary (Special Projects), Mindef, and chief executive of the newly created Cyber Security Agency (CSA) of Singapore, through a demonstration of a mock cyber attack at the Cyber Defence Test and Evaluation Centre at Stagmont Camp on Dec 12, 2017. ST PHOTO: ALPHONSUS CHERN

Large organisations, such as Facebook and the United States Department of Defence, have embarked on similar initiatives with some success.

For instance, a similar Hack the Pentagon programme, also conducted by HackerOne, was launched by the US defence department in 2016. A total of 138 bugs were found by more than a thousand individuals within three weeks.

The initiative caps a year in which Singapore has been gearing up for the battlefront in cyberspace.

In March, it was announced that the Defence Cyber Organisation will be set up to bolster Singapore’s cyber defence, with a force of cyber defenders trained to help in this fight.


North Korea allows smartphones in ‘Orwellian’ move to monitor citizens and bolster power

December 7, 2017
NORTH Korea has allowed more access to smartphones in an “innovative Orwellian move” to “keep tabs” on the population and bolster the regime’s powers, it has been revealed.


Mobile phones are becoming commonplace in North Korea and are seen as status symbols.

But, access to the internet is limited and people are being employed by the regime to monitor people round the clock.

Director of strategic threat development at Recorded Future, Priscilla Moriuchi, said: “In an Orwellian sense, North Korea is innovating on surveillance.”

Nearly all North Korean phones, tablets, laptops and computers run on locally developed operating systems stocked with censorship and surveillance tools.


Mobile phones are becoming commonplace in North Korea and are seen as status symbolsInternet from the outside world is cut off, according to researchers and groups that work with defectors.

Computers either run a system called Red Star or a localised version of Microsoft Windows whereas smartphones and tablets run on localised versions of Android.

The operating systems direct users to curated intranet loaded with Kim Jong-un speeches and recipes to North Korean dishes.

Ms Moriuchi added that by mandating that certain technologies be installed on mobile devices, North Korea could be “establishing a playbook for other authoritarian regimes”.

The Red Star system and the preloaded surveillance software allow Pyongyang to monitor behaviour, according to German researcher Florian Grunow.

Authorities can use the software to remotely delete files from a computer and can block users sharing files, according to Ms Grunow.

A tool called TraceViewer records app usage and intranet browsing history.

The software takes random screenshots which users can see but cannot delete.

Phone usage is monitored and smartphone users face random stops by police, who check their phones’ contents, according to defectors.

North Korea’s intranet first became widely available in the early 2000s.

But, in 2004 a suspected assassination attempt on then-leader Kim Jong Il, allegedly triggered by a wireless handset, led to a five-year ban on mobile phones.

The regime began allowing the devices again in 2009.

Some experts attribute the concession to Pyongyang’s desire to endear the government to local citizens.

A researcher at Amnesty International, Arnold Fang said: “North Koreans aren’t completely oblivious to the outside world.


A tool called TraceViewer records app usage and intranet browsing history“In order to keep people happy, the North Korean government needs to show they are living a life of quality that is comparable to neighbouring countries.”

Early devices allowed some defectors to smuggle TV dramas from South Korea or elsewhere, but newer devices with tighter monitoring have made it more difficult to get access to foreign media, according to defectors.

An extremely small number of the North Korean elite have access to the external internet, according to Ms Moriuchi.

They are mainly researchers, government officials and party members whose jobs require information from the outside world.


An extremely small number of North Korean elite have access to external internetThe elites gain access via a connection ultimately run by China Unicom, operational since 2010.

But, according to North Korea-focused blog 38 North, there is a second internet connection provided by a Russian state-owned company, TransTeleCom.

Pyongyang’s traditional tools of power, such as propaganda and ruling by terror, are beginning to diminish in effectiveness, former North Korean diplomat Thae Yong Ho said.

But some experts said they doubt smartphones and online activity will do anything but strengthen the regime.

Head of intelligence research at Cybereason, a cybersecurity firm, and a former U.S. Department of Defence analyst, Ross Rustici, said: “As long as North Koreans primarily consume the propaganda from the state, I don’t see it having a short-term destabilising effect.”

Philippines, US agree to boost bilateral ties in human rights, other areas

December 2, 2017
On Sunday, President Rodrigo Duterte said US President Donald Trump . The STAR/Krizjohn Rosales 

MANILA, Philippines — The Philippines and the United States have reaffirmed their commitment in various areas, including human rights, which had been a sore point in the two countries’ ties.

“The U.S. and Philippine delegations emphasized the importance of the rule of law, human rights, and fundamental freedoms,” read a joint press statement issued following the two nations’ seventh Bilateral Strategic Dialogue from Nov. 30 to Dec. 1, 2017 held in Washington.

“The United States and the Philippines reaffirmed the importance of regular high-level consultations,” the statement also said.

Philippine President Rodrigo Duterte is facing strong criticisms for his brutal drug war, which has taken the lives of thousands of suspected small-time drug dealers, most of whom are from the urban poor.

The maverick Duterte earlier sparked diplomatic alarm for announcing Manila’s “separation” from its century-old alliance with Washington after former US President Barack Obama denounced the deadly crackdown.

He also sought to realign his country’s diplomatic and military alliance toward China and Russia, Washington’s strategic rivals.

Headlines ( Article MRec ), pagematch: 1, sectionmatch: 1

Ties between the two countries’ later improved upon US President Donald Trump’s election victory. In a telephone conversation last April, Trump had told his Philippine counterpart he was doing an “unbelievable job on the drug problem.”

RELATED: Resuming rebuke of Obama, Duterte calls him ‘black, arrogant’ | Duterte: No feud with US, only with some of its officials

Ahead of the two firebrand leader’s meeting in November, several US lawmakers had urged Trump to confront Duterte about the mounting fatalities in Manila’s drug war.

But according to Malacañang, Trump—in a dramatic turnaround from past practice by American presidents to press foreign leaders about allegations of human rights violations—avoided the sensitive topic.

Meanwhile, the White House said human rights “briefly came up in the context of the Philippines’ flight against illegal drugs,” a stark contrast to the Palace’s statement.

Other areas

Aside from human rights, senior officials from Manila and Washington also discussed a wide variety of issues of mutual interest, with both sides reaffirming their partnership in maritime security, humanitarian assistance and disaster response.

They also tackled how the two countries can deepen ties in cybersecurity, countering transnational drug trafficking and terrorism, improving drug prevention and treatment services, as well as combating wildlife trafficking and illegal, unreported, and unregulated fishing.

In terms of boosting extensive economic relationship between the two countries, representatives from the US and the Philippines noted the “substantive discussions” on cooperating in areas such as science and technology, agriculture and fisheries, and health and environment.

They likewise welcomed the bilateral Trade and Investment Framework Agreement discussions held on November 29, and “look forward to more robust discussions on ways to expand free, fair and reciprocal bilateral trade, including through exploring a potential Free Trade Agreement.”

Both countries also highlighted regional security challenges, particularly North Korea’s “unlawful ballistic missile and nuclear programs” and the South China Sea dispute.

At length, the US welcomed the Philippines’ offer to host the next Bilateral Strategic Dialogue in Manila in 2018.

Vietnam Wants to Control Social Media? Too Late.

November 30, 2017

No automatic alt text available.



HO CHI MINH CITY, Vietnam — When access to Facebook’s Messenger app went intermittent throughout Vietnam on Nov. 4 — an unusual occurrence, even in this repressive state — netizens were thrown for a loop. “Has it happened already?” some of my Facebook friends asked.

Messenger was on the fritz in other countries as well, and earlier that day Typhoon Damrey had hit Vietnam’s central coast, hard. Yet some of my friends were attributing the service disruption to something else: a cybersecurity bill that had made headlines the day before.

The bill was released for public consultation in June but only garnered wide attention recently, when as the National Assembly was reconvening, the Chamber of Commerce stated its objections. The proposed law requires foreign tech giants like Google, Facebook and Skype to set up offices and data servers in Vietnam. Although the National Assembly isn’t expected to vote on the bill until mid-2018, the prospect of it has already sparked fear among internet users, the business community and even some lawmakers.

The government cites growing concerns over cybersecurity and fake news as reasons to exert more control over social-media platforms. But internet access has also served as an outlet for political activism and exposés denouncing corruption and government misconduct.

Vietnam has one of the highest rates of social-media usage among countries with comparable per capita incomes. There are about 52 million Facebook active accounts here, for a population of about 96 million. Google and YouTube also are very popular.

Like China, Vietnam hoped to rein in the internet from the outset. It, too, tried to block Facebook, in 2009, by ordering major local service providers not to carry it. But the government didn’t dare set up a firewall outright, for fear of driving away internet business and e-commerce; it permitted certain sites instead of blocking them outright as China had, banking that it could coax them into collaborating as needed. On occasion, the Vietnamese government has asked local service providers to remove certain sites from their list of known hosts, but that is easy enough to skirt by changing domain names.

China built its online infrastructure with control foremost in mind; the system it developed is now more countrywide intranet than internet. Vietnam’s more mild approach has bred a hybrid infrastructure that keeps developing and adapting faster than the government’s ability to regulate and control it.

One difference is that China is a much larger country, and the domestic market’s economy of scale allowed alternative indigenous platforms, like Weibo or WeChat, to develop. Not so in Vietnam: This country simply doesn’t have the financial or political wherewithal to match big-time Silicon Valley. YouTube and Facebook now account for two-thirds of the domestic digital media market.

The government has at best been able to block Facebook at sensitive moments, such as when President Barack Obama visited Vietnam in May 2016 or during local protests over an environmental disaster. But only for a time, because tech-savvy Vietnamese internet users have always been able to find workarounds.

In 2015, Nguyen Tan Dung, then the prime minister of Vietnam, said that it was impossible to ban social media and that the government should instead use such platforms to spread its own message. After Mr. Dung fell out of political favor in 2016, the Vietnamese government continued to tolerate Facebook while trying to police information published online.

In an effort to seem responsive to the public’s concerns, in 2015 the government set up official Facebook pages to stream news conferences after cabinet meetings and announce new policies and regulations. At the same time, it has deployed groups known as “public opinion shapers” to spread its own views and defend the state against detractors, or what it calls “hostile forces.”

Earlier this year, the information ministry issued a circular asking websites, social media and mobile applications with more than one million users in Vietnam to “collaborate” with the authorities and remove “ill-intended and toxic” content, ranging from ads for contraband merchandise or protected wildlife to state secrets. The ministry also asked Google to take down 2,300 YouTube clips it said defamed Vietnamese leaders; Google complied in part, removing nearly 1,500.

Perhaps emboldened by this measure of success, and by increasing repression of the internet in other Southeast Asian states, the authorities want to go further still. But it’s too late for that. The bill currently being discussed, which appears to be modeled after legislation China adopted earlier this year, will only backfire.

In August, President Tran Dai Quang — who once headed the Ministry of Public Security, the bill’s main proponent — stated the need “to prevent news sites and blogs with bad and dangerous content” partly because online campaigns “undermined the prestige of the leaders of the party and the state.” Yet the proposed law itself may hurt the prestige of the state even more.

As some legal experts have pointed out, the bill is too broad, notably because it goes beyond cybersecurity to lapse into actual control over content. Facebook and Google have also argued that there are ample mechanisms already in place to flag and remove content that violates local laws; and so there is no need to store data locally, which their systems were not designed for anyway.

Vietnam routinely draws international criticism for its poor record on human rights, especially free speech — for strictly controlling print, radio and television news, and for muzzling blogglers. Passing this internet bill would hardly help its reputation. The law would also fly in the face of Vietnam’s commitments to various trade agreements, including under the World Trade Organization, and would likely unnerve foreign investors.

In November, Vietnam celebrated the 20th anniversary of the internet’s arrival in the country. Blocking ever-popular social media platforms now would seem like a retrograde move — and to a time of fuller controls that never even was. It would also most certainly trigger a popular backlash.

The government sees the internet as a source of instability, but regulating it more strictly may be a source of instability as well — and even in an authoritarian state like Vietnam, some measure of popular support is crucial to a regime’s longevity.

Hackers could get even nastier in 2018: researchers

November 29, 2017


© AFP/File | Report by the security firm McAfee said hackers will develop new strategies in 2018 and target connected devices which offer less security than computers and smartphones

WASHINGTON (AFP) – After a year marked by devastating cyber attacks and breaches, online attackers are expected to become even more destructive in 2018, security researchers said Wednesday.A report by the security firm McAfee said the ransomware outbreaks of 2017 offer just a taste of what’s to come as hackers develop new strategies and “business models.”

McAfee researchers said that as ransomware profitability fades in the face of new defenses, hackers will turn to new kinds of attacks that could involve damage or disruption of computers and networks.

Attackers will also look to target wealthy individuals and aim at connected devices which offer less security than computers and smartphones.

“The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders,” said Steve Grobman, McAfee’s chief technology officer.

McAfee also predicted wider use of cyber attacks “as a service,” allowing more hackers for hire to have an impact.

Raj Samani, chief scientist at McAfee, said the events of 2017 showed how easy it is to commercialize hacking services.

“Such attacks could be sold to parties seeking to paralyze national, political and business rivals,” Samani said.

McAfee’s 2018 Threats Predictions Report also said privacy is likely to be eroded further as consumer data — including data involving children — is gathered and marketed by device makers.

“Connected home device manufacturers and service providers will seek to overcome thin profit margins by gathering more of our personal data — with or without our agreement — turning the home into a corporate store front,” the McAfee report said.

The report said parents “will become aware of notable corporate abuses of digital content generated by children,” as part of this effort to boost profitability.

McAfee said it expects some impact for the May 2018 implementation of the European Union’s General Data Protection Regulation, which limits how data is used and sold and which would affect companies with operations in the EU.

The GDPR regulation “makes 2018 a critical year for establishing how responsible businesses can pre-empt these issues, respecting users’ privacy, responsibly using consumer data and content to enhance services, and setting limits on how long they can hold the data,” said McAfee vice president Vincent Weafer.

Europol and EU call for greater cooperation to fight drugs trade on dark net

November 28, 2017

By Peter Wise

Image may contain: one or more people and people sitting

European officials have warned that increased cooperation with technology and social media companies is vital to tackle the growing threat of drug trafficking on the dark net – websites that provide a largely anonymous platform for trading illegal goods and services.

“Engaging with key industries”, including payment and distribution services as well as IT and social media groups, “will be increasingly important for identifying and responding to new threats,” Rob Wainwright, executive director of Europol, the EU’s law enforcement agency, said in Lisbon on Tuesday.

He was speaking at the launch of a joint report by Europol and the Lisbon-based EU drugs agency (EMCDDA) on how dark net markets function and the threats they pose to health and security.

Around two-thirds of sales offers on the dark net are drug-related, according to the report, with EU-based suppliers accounting for almost half of all drug sales in 16 global dark net markets analysed between 2011 and 2016. The total monthly revenue from illicit drug sales on the top eight dark net markets is estimated at €10.6m-€18.7m.

The report said that “evidence is beginning to emerge for the use of instant messaging and social media apps, together with global positioning systems (GPS) technologies, for drug distribution in some European cities.”

It warned that if these apps were combined with existing darknet markets to create “a darkcloud-based drug distribution platform” linked to numerous low-volume suppliers, it could disrupt the drug-trafficking models traditionally used by organised crime. This would pose “even greater challenges to existing regulatory and law enforcement approaches,” the report said.

“Over the last decade, illegal online markets have changed how drugs are bought and sold,” said Dimitris Avramopoulos, European commissioner for migration, home affairs and citizenship. “Criminal activity on the darknet has become more innovative and more difficult to predict.”

The report recommends placing darknet investigation teams at the heart of a broader EU strategy to tackle the security and health threats, together with the pooling of national resources and increased investment.



Drug sales on darknet a ‘growing threat’: EU report

© AFP/File | Drug sales account for two-thirds of exchanges made on encrypted darknet markets, according to a new EU report

Drug trafficking on the so-called darknet of hidden networks and web sites represents a growing threat that Europe must fight together, according to a report published Tuesday by the EU’s police and drugs agencies.

“Drug sales on these markets, although modest when compared to the overall retail drug market, are signifiant and appear to be expanding,” the report said.

Presented in Lisbon, the report by the European Union’s law enforcement agency Europol and it drugs agency, the European Monitoring Center for Drugs and Drug Addiction (EMCDDA), said illicit substance trafficking accounted for two-thirds of exchanges made on the encrypted darknet.

Europol director Rob Wainright said strengthened intelligence sharing in Europe would be critical in fighting the suppliers.

European suppliers, particularly in Germany, the Netherlands and the United Kingdom, account for about 46 percent (about 80 million euros, or $95 million) of sales on the 16 major darknet markets analysed from 2011 to 2015.

The dynamic nature of the online markets and the ability of traffickers to evolve against efforts to shut them down mean it is crucial for authorities to keep pace, the report said.

“In just a few clicks, buyers can purchase almost any type of drug on the darknet, be it cannabis, cocaine, heroin or a series of new substances,” EMCDDA chief Alexis Goosdeel said.

“This poses a growing threat to the health and security of citizens.”

Dimitris Avramopoulos, European Commissioner for Home Affairs, said the EU was “boosting our efforts to fight illegal drugs and step up cybersecurity”.

Includes video:

FBI didn’t tell US targets as Russian hackers hunted emails

November 26, 2017

U.S. Flagged Russian Firm Kaspersky as Potential Threat as Early as 2004

November 18, 2017

Intelligence agencies have expressed concern about the cybersecurity company’s software

WASHINGTON—A Russian cybersecurity firm whose products current and former U.S. officials suspect Moscow has used as a tool for spying was flagged by U.S. military intelligence as a potential security threat as early as 2004, according to new information the Defense Department provided to Congress.

In 2013, the Defense Intelligence Agency, the U.S. military spy service, also issued a Pentagon-wide threat assessment about products made by the company, Kaspersky Lab, according to an email this week from the Pentagon to the House Committee on Science, Space and Technology. The contents of the assessment weren’t disclosed.

The DIA “began producing threat reporting referencing Kaspersky Lab as a threat actor as early as 2004,” according to the email, reviewed by The Wall Street Journal, raising questions about why other federal agencies continued to use the firm’s products.

The Journal reported in October that hackers suspected of working for the Russian government targeted a National Security Agency contractor through the contractor’s use of Kaspersky Lab antivirus software and stole details of how the U.S. penetrates foreign computer networks.

Kaspersky has long said it doesn’t assist the Russian government with spying on other countries.

The revelation about Kaspersky comes as concern over Russian infiltration of American computer networks and social-media platforms is growing after the U.S. intelligence assessment that the Russian government worked to help President Donald Trump’s 2016 campaign. Russia has denied meddling in the election.

Kaspersky published a report on Thursday saying that the computer it believes may have belonged to the NSA contractor in question was infected with other malware that could have been responsible for ex-filtrating information.

The company said in a separate statement, in response to the revelation that U.S. military intelligence flagged the firm as a threat actor, that it remains “ready to work with the U.S. government to address any and all concerns and further collaborate to mitigate against cyber threats, regardless of their origin or purpose.” It added: “we maintain that there has yet to be any credible evidence of the risks presented by the company’s products.”

The DIA’s threat analysis center, established in 2009, circulated analysis regarding Kaspersky Lab to various acquisition programs within the Pentagon, according to the email. It also made its views about the potential threat posed by Kaspersky Lab known to other agencies as early as 2012, the email said.

The email the Pentagon official sent this week was a follow-up to questions posed by the committee chairman, Rep. Lamar Smith (R., Texas), about why the Pentagon had decided not to use Kaspersky products while other U.S. federal agencies felt safe to do so.

A top Pentagon cybersecurity official, Essye Miller, told the committee at a hearing this week that the Defense Department hadn’t used Kaspersky products because of intelligence information regarding the firm.

Still, other federal agencies didn’t follow the same precautions and used Kaspersky products. Jeanette Manfra, a top Department of Homeland Security official, said at the hearing that roughly 15% of the federal agencies that checked to see if Kaspersky was operating on their systems found the company’s products. DHS has set a Dec. 12 deadline for all U.S. government agencies to remove the firm’s software.

“We expect to continue to get more information and also get those basic questions answered—like why did they ever start using Kaspersky Lab products?” Rep. Smith said.

Write to Paul Sonne at

Surveillance Cameras Made by China Are Hanging All Over the U.S.

November 13, 2017

Company 42%-owned by the Chinese government sold devices that monitor U.S. Army base, Memphis streets, sparking concerns about cybersecurity

The Memphis police use the surveillance cameras to scan the streets for crime. The U.S. Army uses them to monitor a base in Missouri. Consumer models hang in homes and businesses across the country. At one point, the cameras kept watch on the U.S. embassy in Kabul.

All the devices were manufactured by a single company, Hangzhou Hikvision Digital Technology. It is 42%-owned by the Chinese government.

Hikvision (pronounced “hike-vision”) was nurtured by Beijing to help keep watch on its 1.4 billion citizens, part of a vast expansion of its domestic-surveillance apparatus. In the process, the little-known company has become the world’s largest maker of surveillance cameras. It has sold equipment used to track French airports, an Irish port and sites in Brazil and Iran.

Elsewhere in the WSJ

  • Polish Nationalist Youth March Draws Thousands in Capital
  • Three UCLA Players Remain in China Amid Theft Probe
  • This Sunday, Some Churchgoers May Choose to Pack Guns With Their Bibles
  • Spain Sees Signs That Tide Is Turning in Catalonia

Hikvision’s rapid rise, its ties to the Chinese government and a cybersecurity lapse flagged by the Department of Homeland Security have fanned concerns among officials in the U.S. and Italy about the security of Hikvision’s devices.

“The fact that it’s at a U.S. military installation and was in a very sensitive U.S. embassy is stunning,” says Carolyn Bartholomew, chairwoman of the U.S.-China Economic and Security Review Commission, which was created by Congress to monitor the national-security implications of trade with China. “We shouldn’t presume that there are benign intentions in the use of information-gathering technology that is funded directly or indirectly by the Chinese government.”

Some security vendors in the U.S. refuse to carry Hikvision cameras or place restrictions on their purchase, concerned they could be used by Beijing to spy on Americans. The General Services Administration, which oversees $66 billion of procurement for the U.S. government, has removed Hikvision from a list of automatically approved suppliers. In May, the Department of Homeland Security issued a cybersecurity warning saying some of Hikvision’s cameras contained a loophole making them easily exploitable by hackers. The department assigned its worst security rating to that vulnerability.

Hikvision’s heat-mapping technology can be used for crowd counting and data collection.Photo: Hikvision

The artificial-intelligence camera uses facial and behavior-recognition technology.Photo: Hikvision

The concerns about Hikvision are reminiscent of the controversy surrounding Chinese technology giant Huawei Technologies Corp., whose telecom gear was effectively banned in the U.S. after a 2012 congressional report raised fears that its networking equipment could be used to spy on Americans. The company, founded by a former Chinese army engineer, has repeatedly dismissed such concerns.

Hikvision says its equipment is safe and secure, that it follows the law wherever it does business and that it worked with Homeland Security to patch the flaws the agency cited. It says it “cannot in any way access and control the content of the video cameras.” It says the vast majority of its products are sold through third-party vendors, meaning it often doesn’t even know where they wind up. It declined to comment on Ms. Bartholomew’s remarks.

“Hikvision is a business,” said Chief Executive Officer Hu Yangzhong, one of several Hikvision executives interviewed for this article. “It would be impossible for us to add a backdoor to our cameras, as that would damage our business.”

Once the stuff of science fiction, facial-scanning cameras are becoming a part of daily life in China, where they’re used for marketing, surveillance and social control. Video: Paolo Bosonin. Photo: Qilai Shen/Bloomberg

Vulnerabilities in surveillance cameras have become more of a concern as internet-connected devices become more prevalent. Cameras can be a weak link in an organization’s information-technology network, potentially opening “backdoors”—ways to gain access by bypassing security mechanisms—for hackers, including state-backed ones.

Last year, hackers took control of hundreds of thousands of cameras, including many made by a Chinese rival of Hikvision, to launch a huge “denial of service” attack that security experts said made sites run by Inc., PayPal Inc. and Twitter Inc. unavailable for hours.

Hikvision grew out of a government laboratory started a half-century ago to develop military and industrial technologies. Its largest shareholder is China Electronics Technology Group Corp., or CETC, a state-owned defense and military electronics manufacturer. Its biggest individual shareholder is Gong Hongjia, a Hong Kong billionaire and university classmate of top Hikvision executives. Some executives are Communist Party members also employed by subsidiaries of CETC, according to securities filings in China.

Mr. Gong said in an interview that he provided capital to help found Hikvision in 2001, in an arrangement that gave the government-backed lab a 51% stake. Although the size of that stake has since declined, the government only began to more actively aid the company in the past few years. “The government can’t help you sell in overseas markets,” Mr. Gong said. “That was all thanks to the years the company spent investing in expanding our presence.”

CETC didn’t respond to a request for comment.

Contracts from Chinese government agencies propelled the company’s rise. It helped with security at the 2008 Beijing Olympics. In 2011, the company said the value of contracts for its “safe city” camera project in Chongqing, a large city in China’s southwest, reached $1.2 billion. Its cameras are now ubiquitous on the city’s streets.

Hikvision helped with security at the 2008 Olympic Games in Beijing. Contracts from Chinese government agencies propelled the company’s rise.Photo: Paula Bronstein/Getty Images

China’s President Xi Jinping, who has made high-tech security a priority, visited the firm’s headquarters in 2015. Since that year, Hikvision has received major loans from two of China’s three policy banks, which finance state development goals.

Zheng Yibo, a Hikvision vice president, says CETC has no role in Hikvision’s day-to-day operations. He declines to say how much revenue comes from the Chinese government, but says its “government-sales portion isn’t high.”

Hikvision’s head of research, Pu Shiliang, holds a leadership position at a Hangzhou laboratory run by the Ministry of Public Security, China’s police force. The lab explores ways authorities can leverage data gathered by the company’s cameras and other sources to improve policing, according to the lab’s website.

Chinese authorities are encouraging new surveillance projects in China to feature artificial-intelligence capabilities, Mr. Pu told an audience in Beijing in September. Scores of high-tech companies have emerged to address the government’s call for more innovative surveillance techniques.

China has been rolling out new technologies to monitor its people in ways that would unsettle many in the U.S. and the West. Unfettered by privacy concerns or public debate, Beijing’s authoritarian leaders have introduced facial-recognition technology and other surveillance measures in a vast experiment in social engineering. Their goal is to influence behavior and identify lawbreakers.

At Hikvision’s Hangzhou showroom, walls are lined with monitors and video cameras that employ artificial intelligence to recognize objects and sounds from afar and to produce visible images despite pollution or darkness. Hikvision’s “Darkfighter” thermal camera enables it to record under ultralow light conditions, the company says. Its “Blazer Pro” server, it says, allows license-plate recognition. It says its dome-shaped “bullet” cameras are explosion-proof, and it offers camera-equipped drones and cameras programmed to alert authorities to large gatherings.

The Darkfighter camera can turn dark into light. This split screen shows the illuminating effect.Photo: Hikvision

‘Defog’ cameras use algorithms to sift through atmospheric interference such as fog or pollution.Photo: HIKVISION

The company’s consumer camera line, called “EZVIZ,” can sync with a smartphone app. One softball-sized device can detect noises—a dog barking loudly or the sound of a door opening—and automatically direct its lens at the source of the disturbance, sending an alert to the phone.

Global sales of surveillance equipment has increased 55% in the five years through 2016, according to consulting firm IHS-Markit. By pricing cameras below those made by Western competitors, Hikvision has become the top seller of surveillance equipment in Europe and No. 2 in the U.S., according to IHS-Markit and other industry analysts. Its cameras frequently are sold without the Hikvision name and are rebranded by U.S. distributors—a frequent practice in the industry.

This year, Hikvision opened research-and-development offices in Silicon Valley and Montreal. It plans to employ 350 people in North America by year’s end and 800 by 2022, the company says.

Its shares have risen sharply since its initial public offering on Shenzhen’s stock exchange in 2010, and they have more than doubled this year, giving the company a valuation of $56 billion, close to that of Sony Corp.

Fort Leonard Wood, an Army base in Missouri’s Ozarks, uses Hikvision cameras in its security system, according to the Chinese company and NexGen Integration, a U.S. company that handled the installations. The base offers basic combat training and includes a school for chemical, biological and nuclear-defense drills.

Fort Leonard Wood, a U.S. Army base in Missouri’s Ozarks, uses Hikvision cameras in its security system.Photo: Orlin Wagner/Associated Press

To win the contract with the Army, Hikvision says, it had to show its cameras could stream at 30 frames per second, providing sufficiently fast motion detection. It custom-built some of the technology to accommodate the base’s limited internet bandwidth.

Chris Nickelson, NexGen’s owner, says none of his customers have raised any issues about Hikvision gear. The army base referred questions to the U.S. Army’s installation management command public affairs office, which said it doesn’t discuss equipment or capabilities, but added that “any equipment or software that goes on a military network is thoroughly tested for security vulnerabilities.”

At the U.S. Embassy in Kabul, Afghanistan, Hikvision cameras were installed “to monitor nonsensitive electrical closets for theft prevention,” says a State Department spokesperson, referring to closets housing electronics equipment.

Last year, the security-industry trade publication IPVM published a procurement order for several dozen Hikvision cameras, revealing their presence in the Kabul embassy. The government canceled the order in September 2016 and removed the Hikvision cameras already in the embassy.

A State Department official says that was because security officials at the department, who are supposed to be notified of new security-related installations, weren’t given a heads up about the purchase. The department wouldn’t comment on whether security concerns were a factor in the removal of the existing cameras.

In a written statement, Hikvision said it had no knowledge of the Kabul project’s particulars “on the end-user level,” and that “accepting or removing particular products is always at the discretion of the end-user.”

Surveillance equipment and other gear is on display at Hikvision’s office in Hangzhou.Photo: Xinhua/ZUMA PRESS

Shortly thereafter, the General Services Administration removed Hikvision from a list of automatically approved suppliers, companies that make their products in countries that have certain trade agreements with the U.S. The agency says it nixed the firm after it was alerted the products were manufactured and assembled in China, which isn’t on the list. U.S. government agencies that want to buy Hikvision gear can’t go through the GSA system, but have to take extra steps such as showing the items are fairly priced.

Hikvision says its gear was listed on the GSA by two resellers, which it says it hadn’t authorized. Hikvision says it asked the resellers to remove the products from the GSA list.

In January, Italy’s government awarded a $49 million contract to a supplier in a deal that included the installation of Hikvision cameras at some state buildings. The deal was publicly questioned in June by Italian legislator Arianna Spessotto, who said the cameras “could pose a risk to national public security” and asked how the government planned to verify the cameras’ safety.

A spokesman for Italy’s government procurement agency said the supplier “guaranteed a level of security appropriate to the risk,” but that “no one can be absolutely sure that a participating firm has not surreptitiously inserted backdoor devices and security vulnerabilities for malicious purposes.”

Hikvision says the Italian legislator’s concerns about security risk are “totally unfounded and absurd.”

Hikvision cameras are ubiquitous on the streets of Chongqing, a large city in China’s southwest.Photo: Prisma Bildagentur/UIG/Getty Images

Nathan Brubaker, an analyst at U.S. cybersecurity firm FireEye Inc., says the software vulnerabilities identified by the Department of Homeland Security could make those Hikvision cameras prone to a hacking attack similar to the “Mirai” denial-of-service attack on the internet last year.

“Camera security is often poor’’ across the industry, says Marco Herbst, chief executive of Dublin-based Evercam, which develops camera software. “You’re dealing with a device that in many cases is sloppily installed with default passwords that are publicly available on the internet.”

Security experts say backdoors that allow outsiders to bypass security protections are often difficult to identify. Such vulnerabilities can be accidental—the result of flaws in the software’s original design or in updates.

The Hikvision flaws identified by the Department of Homeland Security affected more than 200 camera models and potentially tens of millions of shipped devices, estimates John Honovich, editor of IPVM. They made it possible for outsiders to hack into internet-connected Hikvision cameras in just a few steps, according to Mr. Honovich and FireEye, the cybersecurity firm. Hikvision acknowledged the flaws affected some cameras, but dismisses Mr. Honovich’s assertions as “unfounded insinuations and hearsay.”

Hikvision says it cooperated with the DHS to fix the problem and directed customers to a software fix. “This issue did not cause a noticeable impact on Hikvision’s overseas business,” a company spokeswoman says.

Genetec, a Canadian security company with a U.S. presence, requires customers who want to buy Hikvision cameras to sign a waiver disclaiming Genetec of liability in the event of a security breach. Pierre Racz, the Montreal-based company’s chief executive officer, says concern over cameras made by “companies owned or controlled by the Chinese government” and “Beijing’s reputation for aggressive cyberespionage” led him to require the waiver.

Hikvision says “linking Hikvision with espionage is simply outrageous and completely unfounded.”

Surveillance cameras hung near Tiananmen Gate in Beijing in 2013.Photo: Ng Han Guan/Associated Press

Hikvision has been selling cameras to the Memphis police department since 2007. Lieutenant Joseph Patty II, who manages the system, says cameras became more essential after the police department lost 500 officers—about one-quarter of the force—because of budget cuts three years ago. Officers can observe streets from a central command center. Some devices use advanced lighting technology to produce clear images even in the middle of the night.

“We probably make up to 100 arrests every year” because of the cameras, including for car theft, robbery and murder, says Lt. Patty. The cameras have been used to monitor Black Lives Matter protests and recent demonstrations surrounding Memphis’ Confederate monuments, he says.

He says the city started using the cameras long before concerns about hacking came into play. The department uses a decentralized network where cameras aren’t connected to the police mainframe computer, he says.

“At the end of the day, they are the No. 1 camera manufacturer in the world,” says Lt. Patty. “They make a lot of cameras and many people use them, even if they don’t say Hikvision on the product.”

—Liza Lin and Wenxin Fan contributed to this article.

Write to Dan Strumpf at

American Intelligence Horror Story

November 13, 2017

Are U.S. spies losing their technological edge?

The National Security Agency campus in Fort Meade, Maryland in 2013.
The National Security Agency campus in Fort Meade, Maryland in 2013. PHOTO: PATRICK SEMANSKY/ASSOCIATED PRESS

NSA, sometimes said to stand for Never Say Anything, does not want to talk about this. But it’s a momentous crisis for the largest US intelligence agency. 

The N.S.A.’s headquarters at Fort Meade in Maryland. Cybertools the agency developed have been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

For years technologists have been warning about the possibility of a sort of digital Pearl Harbor in which a hostile foreign power launches a devastating cyber-attack on the United States. Is it already happening?

A disturbing report in the New York Timesdescribes the damage that has been done—and is still being done—by a mysterious group called the Shawdow Brokers, which managed to steal the hacking tools the U.S. National Security Agency has used to spy on other countries. The Times describes an “earthquake that has shaken the N.S.A. to its core” and adds:

Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the N.S.A., calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

A reported breach of the NSA has been described as “catastrophic” and even worse than Edward Snowden’s massive data leak. CBS News Senior National Security Contributor @MichaelJMorelljoins @CBSThisMorning to discuss

Among the most disturbing aspects of the case is the fact that, long after the theft of critical data was detected, our government still doesn’t know how it happened. The Times writes:

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

15 mos intensive investigation & FBI still can’t solve catastrophic NSA hack … but surprised people question certainty of conclusions on DNC hack where it never examined server. 

The N.S.A.’s headquarters at Fort Meade in Maryland. Cybertools the agency developed have been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

This NSA disaster occurred on President Obama’s watch and the Times report suggests that Mr. Obama ignored advice from top officials in his national security team to address the management failure because he prioritized the effort to search for potential 2016 Trump campaign links to Russia:

One N.S.A. official who almost saw his career ended by the Shadow Brokers is at the very top of the organization: Adm. Michael S. Rogers, director of the N.S.A. and commander of its sister military organization, United States Cyber Command. President Barack Obama’s director of national intelligence, James R. Clapper Jr., and defense secretary, Ashton B. Carter, recommended removing Admiral Rogers from his post to create accountability for the breaches.

But Mr. Obama did not act on the advice, in part because Admiral Rogers’s agency was at the center of the investigation into Russia’s interference in the 2016 election.

As for President Trump, the question is why he has not initiated a house-cleaning at the top of the NSA.

For all Americans, the question is whether the technological edge that the United States has enjoyed in defense and intelligence for essentially all of our lifetimes is now in jeopardy.


Bottom Stories of the Day

Why would Kim Jong-un insult me by calling me “old,” when I would NEVER call him “short and fat?” Oh well, I try so hard to be his friend – and maybe someday that will happen!

Does This Tweet Make Me Look Apophatic?
“Trump mocks North Korea’s Kim, says he would never call him ‘short and fat’,” Fox News, Nov. 12

Annals of Single-Payer Health Care
“Canadian Patients And Doctors Are Sharing ‘Excruciating’ Wait Times On Twitter,” Huff Post, Nov. 3

So Much for the War on Drugs
“GOP Tax Plan Could Deal Blow to Seniors Paying for Long-Term Care,” ElderLawAnswers,” Nov. 10

Hypothesis and Proof

  • “Without Humans, Artificial Intelligence Is Still Pretty Stupid,” The Wall Street Journal, Nov. 12
  • “How to Survive a Robot Apocalypse: Just Close the Door,” The Wall Street Journal, Nov. 10


Follow James Freeman on Twitter.

Subscribe to the Best of the Web email with one click.

To suggest items, please email

(Carol Muller helps compile Best of the Web. Thanks to Irene DeBlasio, Myles Pollin, Jordan Bruneau, Rod Pennington and Paul Wood.)