On Monday night, the Italian investigative journalism programme Report – produced by the national network, Rai – aired a new episode, titled “The Return of the Dragon”. The producers focused once more on Hikvision products, Chinese-made cameras widely installed across Italy, and their security implications.
Thomas Smitham, business attaché at the US embassy in Rome, called China a “danger to our economies” when interviewed by the Italian daily Il Messaggero. But there are security-related issues, too, starting with technologies such as 5G and, indeed, surveillance cameras.
A previous Report episode aired in May, titled “The Eye of the Dragon,” centred on an odd software glitch in Hikvision security cameras installed in Rai’s own video surveillance system. After the episode was aired, Report received numerous reports. Among them, a more disturbing one: a similar anomaly had also affected Rome’s Fiumicino airport, Italy’s largest.
Who controls the electronic eyes that watch over Italian every day? And what will happen to the €65 million State tender awarded in October by Consip (the central purchasing body of the public administration), which could open the doors of Italian government buildings to tens of thousands of devices that are banned in other countries? These are the questions underlying Report’s investigations.
The Dragon’s eyes
The new episode’s contents stem from an email dated April 1, 2015, and addressed to Sigma, the company contracted to install the cameras that controlled all the escalators in the Fiumicino terminal. Each of the 140 Hikvision cameras in the Roman airport had been sending four types of requests to open a connection to the outside world; 11,000 per camera each hour, amounting to over a million and a half in total.
Report presenter Sigfrido Ranucci speculated that the event could have been either an attempt to “[give] away sensitive information of a strategic place of our country,” given that 45 million people pass through the terminal every year, or “a tentative cyberattack, aiming to use the cameras as a Trojan horse to access the airport and crash the whole system, putting at risk the safety of flights.”
Following data flows
In Italy, Hikvision is the market leader. The Chinese maker’s cameras are placed in strategic locations to national security such as airports, political institutions, courts and police forces.
Hikvision Italia is owned by a European holding company, which is in turn owned by the Chinese parent company. The directors of the Italian company are Chinese nationals. CETC, a Chinese state company with ties to the People’s Liberation Army, controls the camera-making company. The director is Chen Zong Nian, a Chinese Communist Party MP.
“Thus, our sensitive data arrives in a server registered in the US and ends up in China, in the region where Hikvision is based. [The event] happened about a year ago. We alerted Rai’s in-house security, who immediately remedied the situation. But that wasn’t an isolated case,” explained Mr Ranucci when summarising the first incident detailed in the May episode.
Understanding the danger
“This type of activity is planned, organised and deployed as part of a specific organisation of the company” in China, explained Enrico Borghi, head of security for the Democratic Party and a member of Copasir (Parliament’s intelligence oversight committee), to Report.
Recently the MP filed a parliamentary question to find out whether the government deems the activities of the Chinese company “fully compatible with the necessary national security standards.” He also added that he had “verified that these cameras had a data transfer mechanism that did not correspond to the standards and requirements that must be guaranteed in our country.”
Relying on these Chinese technologies poses three main risks, namely: strengthening companies accused of human rights violations by giving them money and legitimacy; endangering data security (in light of the warnings coming from several Western intelligence agencies); favouring the rise of Beijing, which is determined to dictate global standards in the tech arena.
Tackling the issue
Following Report’s findings, Consip – which is on the verge of awarding a mega-tender for 65 million cameras to be placed in municipalities – asked the DIS, Italy’s security services, how to deal with such cameras. The problem is clear-cut: Beijing can force Chinese companies to share data under Chinese laws.
Roberto Baldoni, former vice-director of the DIS and currently head of the newborn National Cybersecurity Agency, explained to Report that while the United States can create equipment blacklists in sensitive sectors, such practice “does not exist in Europe.” Instead, he said, Italy now operates by “certifying” the technologies that fall within the remit of the NCA.
Report’s findings confirm what Maurizio Mensi, Professor of Law and Economics at the National School of Administration, wrote months ago. For suppliers included in the NCA’s field of operation, the law does indeed “outline a system of precise and articulated protection, to guarantee the security of contracts.”
However, problems arise with regards to “tendering procedures relating to supplies, services or ICT goods initiated by entities that do not fall within the perimeter.” Hence, the expert argued the need to “establish a system of pre-qualification that would allow the creation of a whitelist of operators with adequate security and reliability requirements, who can subsequently participate in tenders.”