
The Remediation Gap in Civilian Camera Security

Branko Ruzic
Wednesday, June 3, 2026, 9:49 AM

Civilian cameras are being hijacked in active conflicts. U.S. law freezes future imports but cannot touch the millions already deployed at home.

Two surveillance cameras. (Source: https://www.wallpaperflare.com/two-white-surveillance-cameras-monitoring-safety-the-police-wallpaper-zynat)

In March 2026, the Financial Times reported that Israeli intelligence had spent years exploiting nearly all of Tehran’s traffic cameras, transmitting encrypted footage to servers in Israel and using it to build pattern-of-life profiles of Ayatollah Ali Khamenei’s security detail—intelligence that helped the U.S. and Israel locate him on the morning of his assassination. The Associated Press independently confirmed the camera exploitation, and CNN reported on the broader intelligence architecture that enabled the strike. The cameras were civilian infrastructure, owned and operated by the Iranian state for traffic management.

The pattern—states exploiting civilian camera infrastructure for military and intelligence ends—extends well beyond that operation. Both sides of the Russia-Ukraine conflict have systematically hijacked civilian cameras for battlefield surveillance since at least January 2024, when Ukrainian authorities reported Russian-compromised cameras in Kyiv being used to observe air-defense positions. In March 2026, the Israeli cybersecurity firm Check Point documented a surge of exploitation attempts against consumer-grade Internet Protocol (IP) cameras across the Middle East in the opening hours of U.S.-Israel-Iran hostilities. The campaign, which Check Point attributed to Iranian-linked threat actors, targeted devices from Hikvision and Dahua. Both are Chinese surveillance camera manufacturers that hold significant U.S. consumer market share.

Hacking civilian cameras is now a recurring feature of war. The question for the United States is whether its legal framework can compel remediation of the millions of exploitable devices already deployed across U.S. cities. A walk through the existing statutory landscape suggests the answer is no, and that the authority architecture capable of changing that answer would introduce risks of its own.

Consider an equivalent compromise on U.S. soil. A foreign service penetrates IP cameras across an American city, transmits the data home, and builds pattern-of-life intelligence on the residences and movements of officials, military personnel, and infrastructure operators. Which federal authority compels remediation of the installed base? The statutory landscape has expanded considerably since 2018, but each instrument turns out to address a different problem.

CIRCIA: Reporting Without Remediation

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, requires covered entities to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom demands within 24 hours. CIRCIA is a reporting regime, not a remediation power. Its definition of “covered entity” is limited to organizations within critical infrastructure sectors that meet either a size-based threshold or sector-specific criteria. A homeowner with a compromised Ring doorbell does not qualify. Neither does a corner store running an unpatched Hikvision camera. The millions of consumer devices that collectively constitute a city-scale surveillance layer fall entirely outside CIRCIA’s scope—not by oversight, but by design. CIRCIA’s purpose was to give CISA visibility into threats affecting power grids, pipelines, and hospitals. The act was not designed to address the aggregate national security risk created by millions of individually insignificant consumer devices.

CISA’s Mandate: Coordination Without Compulsion

CISA, established under the Cybersecurity and Infrastructure Security Agency Act of 2018, serves as the operational lead for federal cybersecurity coordination and the national coordinator for critical infrastructure resilience. The agency’s authority over federal civilian agencies is real and includes the Binding Operational Directive power. Over the private consumer market, that authority is advisory. CISA publishes guidance, issues alerts, and provides technical assistance. It cannot compel a private citizen or a small business to patch a camera, change default credentials, or remove vulnerable hardware from a home network. CISA is therefore not the mechanism for closing the remediation gap on consumer devices, even in principle.

The FCC Covered List: Future Risk Frozen, Present Exposure Tolerated

The Federal Communications Commission (FCC) has taken the most visible action against the specific hardware at issue. The FCC’s Covered List, maintained under the Secure and Trusted Communications Networks Act of 2019, identifies equipment posing an unacceptable risk to national security. Hikvision and Dahua are both on it for concerns rooted in their Chinese state ownership ties and the obligations China’s 2017 National Intelligence Law places on Chinese organizations to support state intelligence work. The Secure Equipment Act of 2021 went further, prohibiting the FCC from authorizing any new equipment for covered-list companies.

What the Secure Equipment Act explicitly does not do is revoke prior authorizations. The FCC’s own guidance confirms that previously authorized device models are not prohibited from import, sale, or use. Congress knowingly froze future risk while tolerating present exposure. The implicit policy is that the installed base will diminish through natural hardware replacement cycles—a deliberate choice to wait out a threat that Check Point’s research shows state actors are exploiting now.

The natural-attrition argument is not without logic. Consumer electronics do age out, and replacement cycles for IP cameras typically run five to 10 years. Market pressure from the authorization ban will gradually reduce covered-list hardware’s share of the installed base. But “gradually” carries significant weight in that sentence. The exploitation value of these cameras is not a future risk awaiting a future solution.

Commerce’s ICTS Authority: Category-Level Power, Structural Resistance

Executive Order 13873, signed in 2019, gives the Commerce Department broad authority to prohibit or mitigate transactions involving information and communications technology and services (ICTS) that pose an undue national security risk. On paper, this authority is substantial. In practice, the scope of what it covers and the structural orientation of the department assigned to administer it have limited the order’s exercise.

Start with the scope. The implementing office, the Office of Information and Communications Technology and Services (OICTS), sits within the Bureau of Industry and Security. Its mandate covers future transactions—acquisitions, imports, transfers, and installations. The office was not tasked with looking backward at products already in private hands. The Kaspersky prohibition in June 2024 and the connected-vehicles rule finalized in January 2025 both involved clear national security rationales applied to defined product categories and targeted future transactions and supply chains. Neither touched devices already deployed in homes and small businesses. That makes two category-level determinations—the Kaspersky prohibition and the connected-vehicles rule—in the program’s short history, each contingent on years of public threat reporting, CISA Binding Operational Directives, advance notice of proposed rulemaking, and sustained interagency pressure. Whether that pace reflects the tempo inherent to a novel regulatory authority or something structural is the relevant question.

The structural explanation deserves more attention than it typically receives. OICTS is a small office inside a department whose institutional center of gravity runs in the opposite direction. The International Trade Administration’s explicit mandate is the promotion of U.S. exports and foreign transactions. The National Institute of Standards and Technology, the National Oceanic and Atmospheric Administration, the Census Bureau, the National Telecommunications and Information Administration, and the Patent and Trademark Office share an orientation toward facilitating commerce rather than restricting it. The Bureau of Industry and Security is the exception inside the Commerce Department, not the rule. This matters because exercising ICTS authority at the scale the consumer camera problem would require—a category-level determination affecting tens of millions of devices and the domestic commercial relationships that sold and service them—would require the political will to push through an institution whose default is to facilitate trade. So far, the department’s record does not give much confidence that this will materialize without substantial external pressure.

In any case, the government has already determined that Hikvision and Dahua hardware is too dangerous for federal procurement under Section 889 of the National Defense Authorization Act, and too risky for future authorization under the Secure Equipment Act. The government has not applied the ICTS authority to the consumer market for these cameras. A foreign intelligence service is not going to compromise the camera inside a Sensitive Compartmented Information Facility. It is going to compromise the camera on the street corner outside of one.

The Aggregate Problem

The common thread across every instrument in the current framework is a mismatch between the unit of analysis and the nature of the threat. CIRCIA covers entities. The FCC authorizes equipment models. Commerce regulates transactions. Each authority addresses individual devices, individual sales, and individual organizations.

The threat is aggregate. One vulnerable camera on a residential street is a cybersecurity nuisance. A million vulnerable cameras covering a city’s transport routes, government buildings, military facilities, and the homes of officials and intelligence personnel constitute a de facto intelligence, surveillance, and reconnaissance architecture: one that a foreign power can exploit without deploying a single human asset or tasking a satellite of its own. No existing authority treats the aggregation of consumer devices as a collective national security exposure requiring systematic remediation.

What Existing Authorities Can Do

This does not mean existing authorities are without relevance, or that they should be applied only as they have been so far.

The Federal Trade Commission (FTC) has used Section 5 of the FTC Act against manufacturers of network-connected devices that misrepresented their security posture. The enforcement record against D-Link, TRENDnet, and ASUS establishes that material misrepresentations about device security expose manufacturers to liability. Hikvision and Dahua’s consumer-market marketing in the United States has not, on the public record, been the subject of comparable action. It should be.

State attorneys general have parallel authority under state consumer-protection statutes. The federalist pattern in which state attorneys general lead and federal enforcement follows is well-established in consumer product litigation (most directly in the 2017 Vizio settlement, where the FTC and the New Jersey Attorney General jointly resolved a case over smart-TV viewing-data collection misrepresentations). A coordinated multi-state action against covered-list manufacturers’ U.S. marketing claims would not require new federal authority and would build on, rather than displace, the existing enforcement architecture.

ICTS authority applied prospectively—targeting future imports and authorizations of consumer camera equipment from covered-list manufacturers—could support requirements for default-credential resets, mandatory firmware update channels, and end-of-life disclosure obligations as conditions for continued market access. The Kaspersky and connected-vehicle precedents demonstrate that the framework accommodates category-level restrictions. Applying comparable logic to consumer cameras would be a defensible extension of existing authority, and one more suited to the Department of Commerce’s forward-looking statutory remit than any attempt to reach the installed base.

Each of these mechanisms addresses a distinct slice of the problem: manufacturer accountability, vendor incentive structure, and future market access. None reaches the installed base. FTC action and state enforcement create consequences that run forward through liability rather than backward through already-deployed devices. Forward-looking ICTS determinations shape the next purchase cycle, not the current exposure. Together, they constitute a more aggressive use of existing tools. They do not aggregate to close the gap.

The Rip-and-Replace Question

Let’s be direct about what this piece argues. It does not argue for the mandatory removal of consumer cameras already in private hands. A compelled rip-and-replace of the installed base does not follow from the analysis, and the reasons are not merely political.

The practical case against it is formidable even before reaching the legal one. The Huawei rip-and-replace program for rural U.S. telecoms required billions of dollars in congressional appropriations and years of logistical coordination, and it has left significant quantities of covered-list equipment running in networks years after the program began. Consumer cameras number in the tens of millions, are distributed across private homes rather than regulated commercial entities, and are owned by people with no existing compliance obligation and, in many cases, no technical capacity to remediate on their own.

What this piece does argue is that the current default, allowing the installed base to diminish through natural attrition as state actors exploit it in active conflicts today, should be named for what it is: a deliberate policy choice to tolerate a present-tense intelligence risk. The existing framework has formalized that choice by addressing future risk while leaving current exposure unaddressed. Congress and the relevant agencies should acknowledge the gap explicitly rather than allowing it to persist through institutional drift, and should accelerate use of tools that can affect manufacturer behavior and future market dynamics even if the installed base remains beyond their legal reach.

What Compulsion Would Require

Any proposal that aims to reach the installed base—required removal, mandatory reconfiguration, or network inspection to verify compliance—runs into legal objections that are not easily dismissed.

The Fifth Amendment problem is structural. Compelled physical removal of lawfully purchased property is exposed under the per se rule of Loretto v. Teleprompter Manhattan CATV Corp. Compelled reconfiguration short of removal invites a regulatory takings analysis under Penn Central Transportation Co. v. New York City. Either path produces federal compensation liability at a scale—tens of millions of devices at retail-replacement cost—that Congress is unlikely to authorize even under sustained national security pressure.

Additional constitutional constraints cluster. Any enforcement architecture that inspects home-network traffic to verify device configurations raises questions left genuinely unsettled by Carpenter v. United States and the home-interior doctrine of Kyllo v. United States. First Amendment interests complicate the picture further: surveillance systems operated by news organizations, religious institutions, and organizations providing security to political dissidents and domestic-violence survivors carry expressive-association interests that a compelled reconfiguration would implicate. Consumer-product regulation has historically been a state domain, and federal preemption to mandate camera remediation would face both structural commerce-clause questions and the operational reality that state enforcement infrastructure is better positioned to reach individual consumers. None of these objections is independently dispositive. Any serious proposal has to address all of them.

The structural concern, though, is the one that deserves the most sustained attention from policymakers who take the threat seriously. A federal authority capable of compelling private homes to modify surveillance devices would necessarily develop, as a byproduct, a domestic surveillance-regulation apparatus whose latent potential for abuse is harder to constrain than the foreign intelligence threat it was designed to address. That apparatus, an inspection regime with visibility into home-network configurations, a regulatory trigger that executive-branch officials could apply without additional congressional authorization, and a compliance infrastructure extendable to other categories of connected devices by administrative determination, does not disappear when the camera threat recedes. It would exist as a standing capability available to future administrations for purposes well beyond the one that created it. The historical record of national security powers surviving their original justifications is not encouraging on this point.

Conclusion

The statutory framework bars covered hardware from federal procurement and prohibits future equipment authorizations while leaving the consumer’s installed base intact. That posture substitutes formal recognition of the risk for operational response to it.

The gap will not close within existing authorities, because the authority architecture capable of closing it would carry structural risks of domestic surveillance and political abuse that are harder to constrain than the foreign intelligence threat itself. Until Congress is prepared to confront that tradeoff explicitly, rather than tolerating the present exposure through institutional drift, every unpatched consumer camera covering U.S. streets, government buildings, and the homes of officials and security personnel remains a potential intelligence asset for a foreign power that has already demonstrated it knows how to use them.


Branko Ruzic is a defense analyst with a background in counter-terrorism and cryptography. He writes on AI governance, military adaptation, and the policy frameworks of national-security technology, and advises defense ministries. He has published in the RUSI Journal, The Cyber Defense Review, Joint Special Operations University, Parameters, etc.