U.S. federal agencies have four weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing.
But thousands of the devices are still in place and chances are most won’t be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements makes it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules.
The National Defense Authorization Act, or NDAA, which outlines the budget and spending for the Defense Department each year, included an amendment for fiscal 2019 that would ensure federal agencies do not purchase Chinese-made surveillance cameras. The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry.
Hikvision is 42-percent controlled by the Chinese government. Dahua, in 2017, was found by cybersecurity company ReFirm Labs to have cameras with covert back doors that allowed unauthorized people to tap into them and send information to China. Dahua said at the time that it fixed the issue and published a public notice about the vulnerability. The U.S. government is considering imposing further restrictions by banning both companies from purchasing American technology, people familiar with the matter said in May.
“Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities,” said Representative Vicky Hartzler, a Republican from Missouri, who helped draft the amendment. Removing the cameras will “ensure that China cannot create a video surveillance network within federal agencies,” she said at the time.
Dahua declined to comment on the ban. In a company statement, Hikvision said it complies with all applicable laws and regulations and has made efforts to ensure its products are secure. A company spokesman added that the Chinese government is not involved in the day-to-day operations of Hikvision. “The company is independent in business, management, assets, organization and finance from its controlling shareholders,” the spokesman said.
Despite the looming deadline to satisfy the NDAA, at least 1,700 Hikvision and Dahua cameras are still operating in places where they’ve been banned, according to San Jose, California-based Forescout Technologies, which has been hired by some federal agencies to determine what systems are running on their networks. The actual number is likely much higher, said Katherine Gronberg, vice president of government affairs at Forescout, because only a small percentage of government offices actually know what cameras they’re operating. The agencies that use software to track devices connected to their networks should be able to comply with the law and remove the cameras in time, Gronberg said. “The real issue is for organizations that don’t have the tools in place to detect the banned devices,” she added.
Several years ago the Department of Homeland Security tried to force all federal agencies to secure their networks by tracking every connected device. As of December, only 35 percent of required agencies had fully complied with this mandate, according to a 2018 report by the Government Accountability Office. As a result, most U.S. federal agencies still don’t know how many or what type of devices are connected to their networks and are now left trying to identify the cameras manually, one by one.
Those charged with complying with the ban have discovered it’s much more complicated than just switching off all Hikvision or Dahua-labeled cameras. Not only can Chinese cameras come with U.S. labels, but many of the devices, including those made by Hikvision, are likely to contain parts from Huawei Technologies Co., which is the target of a broad government crackdown and whose chips power about 60 percent of surveillance cameras.
“There are all kinds of shadowy licensing agreements that prevent us from knowing the true scope of China’s foothold in this market,” said Peter Kusnic, a technology writer at business research firm The Freedonia Group. “I’m not sure it will even be possible to ever fully identify all of these cameras, let alone remove them. The sheer number is insurmountable.”
Video surveillance is big business in the U.S. Sales of video cameras to the government are projected to climb to $705m in 2021 from $570m in 2016, according to The Freedonia Group. Hikvision is the world’s largest video-surveillance provider, with cameras installed in U.S. businesses, banks, airports, schools, Army bases and government offices. Its cameras can produce sharp, full-color images in fog and near-total darkness and use artificial intelligence and 3D imaging to power facial recognition systems on a vast scale.
Once they arrive in the country, some of Dahua and Hikvision’s cameras are sent to their U.S.-based warehouses. Others go to equipment manufacturers like Panasonic Corp. or Honeywell International Inc., and are sold under those brands, said John Honovich, founder of video surveillance site IPVM. Then the cameras are bought by intermediaries, such as security firms, which go on to sell them to government agencies and private businesses. The NDAA also covers Dahua and Hikvision’s extensive agreements with original equipment manufacturers, sweeping up any vendor who re-sells the devices or uses the companies’ equipment.
Effectively, two cameras running identical Hikvision firmware could carry completely different labels and packaging. This means it would be nearly impossible to tell if the thousands of video cameras installed across the country are actually re-labelled Chinese devices. A Honeywell spokeswoman said the company couldn’t track these re-labelled products, even if asked. Panasonic didn’t respond to emailed requests for comment.
This convoluted supply chain has left government agencies confused over how to actually obey the law. “We’ve been trying to get our arms around how big the problem is,” says a government worker at the Department of Energy, who asked to remain anonymous because he’s not authorized to speak publicly. “I don’t think we have the full picture on how many of these cameras are really out there,” he said.
The law itself is vague on whether it means agencies must remove the cameras or simply stop renewing existing contracts. A group of government officials and experts are meeting this week in Washington to try to parse the legislation. Hikvision has about 50,000 installation companies and integrated partners that are all wondering how broadly the law is likely to be interpreted.
Many have contacted the company, asking how they could be affected, according to a person familiar with the discussions. Some security vendors are already refusing to purchase equipment from Hikvision and Dahua. Shares of both companies have tumbled since March amid speculation of U.S. sanctions. Last month U.S. President Donald Trump said he would allow U.S. companies to resume supplying some of their products to Huawei, if they apply for a license and if there is no threat to national security.
If someone is routinely tapping into cameras to spy on federal agencies, they could easily determine the identities of those who work in government departments and even CIA operatives, said Stephen Bryen, former deputy under-secretary of defense for trade security policy. “This is extremely dangerous,” he said. “It can’t be tolerated and quite frankly every agency should be writing its own directives to make sure the job gets done.”