The Department of Justice (DOJ) recently announced that Aventura Technologies, Inc. and its senior management are charged with fraud, money laundering and illegal importation of equipment. The criminal complaint charges the company and seven current and former employees with selling Chinese-made equipment with known cybersecurity vulnerability to the U.S. government while falsely representing that the equipment was “Made in U.S.A.” and purposefully concealing that the products were manufactured in the People’s Republic of China. Aventura has generated more than $88 million in sales revenue since November 2010, and the charged scheme has been ongoing since 2006.
“As alleged, the defendants falsely claimed for years that their surveillance and security equipment was manufactured on Long Island, padding their pockets with money from lucrative contracts without regard for the risk to our country’s national security posed by secretly peddling made-in-China electronics with known cyber vulnerabilities,” stated United States Attorney Richard P. Donoghue. “…the defendants’ brazen deceptions and fraud schemes have been exposed, and they will face serious consequences for slapping phony ‘Made in the U.S.A.’ labels on products that our armed forces and other sensitive government facilities depended upon.”
Local cyber-security thought leader, Sterling S. Rooke, Ph.D., CEO of Hanover, MD-based X8 LLC discussed the ramifications of such cameras and software being installed at U.S. Government federal agencies’ and military locations. “Without proper cyber infrastructure controls within government sites, backdoors in cameras might enable nation-state actors to ingest footage. Think Artificial Intelligence (AI); these cameras could serve as a portal for facial recognition. Most notably, countries in Asia and the Middle East are deploying expansive facial recognition systems within cities and buildings, and the ability to include U.S. government and military employees in this dragnet might be of interest to such countries. “
The original issue of finding products to meet certain specifications and also satisfy Trade Agreement Act and the Buy American Act requirements creates logistical and supply chain risks. Rooke further states “Worldwide component sourcing presents a grand challenge to the moniker “Made in America”. It just takes one vulnerability in a supply chain to give advantage the cyber actor, thus domestic sourcing alone does not provide assurance. The government should immediately institute a random audit program for video surveillance devices starting with the most sensitive government sites; and audits should include firmware checks and updates at a minimum.”
While the Aventura Technologies case is blatant fraud according to the DOJ, other companies may inadvertently put our nation’s security at risk by selling products including cameras, detection equipment, software and hardware with untraceable origins. Rooke, who is also an Army-reservist and a researcher at the University of Tennessee Knoxville recommends “As the Department of Defense finalizes the Cybersecurity Maturity Model Certification (CMMC) for the Defense Industrial Base (DIB), that same rigor should be applied to all federal contractors. Supply chain risk management must be a key tenant of product, hardware and software deliveries to the government, and enforcement should include random audits. These audits can even include “sandbox” testing of surveillance devices for unexpected features.
The DOJ announcement of the Aventura Technologies case states “The defendants are presumed innocent unless and until proven guilty. If convicted, the defendants each face up to 20 years’ imprisonment on each charge in the complaint.” For the entire announcement and case details go to: https://www.justice.gov/usao-edny/pr/aventura-technologies-inc-and-its-senior-management-charged-fraud-money-laundering-and