At a Glance.
- The House passed a bill that would ban TikTok.
- EU passes the new Cyber Solidarity Act.
House passes bill that would ban TikTok.
The News.
The US House of Representatives yesterday passed a bill that would ban TikTok or force its sale to a new owner. The bill passed with a 352-65 vote and now heads to the Senate. Senate Majority Leader, Chuck Schumer, commented that the Senate will review the bill and consult with the relevant committee chairs to determine the bill’s path. The bill, also known as the Protecting Americans From Foreign Adversary Controlled Applications Act, would force ByteDance, TikTok’s parent company, to sell the social media application five months after the bill goes into effect. The bill passed less than a week after it was first introduced by Representatives Mike Gallagher and Raja Krishnamoorthi and was quickly passed out of committee with a unanimous 50-0 vote to make its way to the House floor.
To expedite the process, House Republicans implemented a special rule that required a two-thirds majority, rather than a simple majority, to pass the bill. Of the Representatives that voted against the bill, fifty were Democrats and fifteen were Republicans.
The Knowledge.
This most recent effort to force ByteDance to sell TikTok comes after several efforts last year to address the many concerns surrounding feared Chinese involvement in the company. Last year, concerns about the Chinese government’s ability to access American user data from the social media application were routinely raised. To address these concerns initially, President Biden signed a bipartisan bill in early 2023 that prohibited the app from being installed on federal government phones, which was followed by several state governments across the US implementing similar policies. Later in 2023, another controversial piece of legislation, known as the RESTRICT Act, was debated intensively and would have allowed for the enforcement of orders and other mitigation measures, including the ability to force mandatory divestment or prohibit companies from doing business in the US. However, the bill was never passed.
This most recent effort to force the sale of TikTok has already garnered significant attention, both for how fast the bill passed the House of Representatives and for President Biden’s announcement, last Friday, that he would sign the bill if it was passed by Congress. However, the bill does have its critics from both sides of the political spectrum. On the conservative side, lawmaker Rand Paul and former President Donald Trump have expressed their concerns about targeting the application. Additionally, notable Democrat Alexandria Ocasio-Cortez has expressed her concerns surrounding the “incredibly rushed” legislation.
Wang Wenbin, a spokesperson for the Chinese foreign ministry, stated that “although the United States has never found evidence that TikTok threatens US national security, it has not stopped suppressing TikTok.” The spokesperson continued by stating that “this [action] will inevitably come back to bite the United States.”
The Impact.
While this bill has yet to be signed into law, it represents a renewed and continued interest surrounding concerns over potential Chinese governmental access to American user data. If this bill were to pass, ByteDance would be forced to find an American buyer for the application or face being banned entirely within the US. If this were to happen, TikTok users should expect significant disruptions in the application, as efforts to transfer data, servers, and other assets would most likely bring downtime among other technical issues.
Additionally, this renewed interest marks the continuation of tensions between the US and China over invasive data practices. In previous actions, the Biden administration has taken several steps to rein in US data brokers and their transfers to specific countries, including China. With this most recent effort, the US government is continuing to signal its interest in reining in data brokers and in how data is handled and transferred within the US.
The EU’s Cyber Solidarity Act aims to boost the region’s cyber readiness and collective response capabilities.
The News.
The European Union (EU) is introducing the Cyber Solidarity Act, whose regulations are intended to improve how organizations in the EU respond to the increasing number of sophisticated cyber attacks in the threat landscape. Originally proposed in April 2023, the European Parliament and Council reached an agreement for the regulation set to come into effect on March 5th, 2024. The act is comprised of three primary actions that all aim at improving the EU’s cybersecurity resilience. These three actions are:
- To create an EU-wide cybersecurity alert system to help spread information on the latest threats.
- To create the Cybersecurity Emergency Mechanism that includes provisions for coordinating preparedness testing across critical sectors, such as healthcare or energy.
- To provide financial support for mutual assistance on cyber incidents within the EU.
The Knowledge.
With the Cyber Solidarity Act, the EU is aiming to facilitate the improvement of their region’s security posture when handling threats. EU commissioner for internal markets, Thierry Breton, remarked how this new bill was vital for ensuring that the region is adequately protected through robust mechanisms for mutual support. Breton stated that “the Cyber Solidarity Act is a crucial step to establish a European cyber shield.”
Regarding the alert system, the EU is looking to create an international network of national and cross-border Cyber Hubs that will use both artificial intelligence and data analytics to detect cyber threats faster within the region. With the creation of the Cybersecurity Emergency Mechanism, the EU also created the “EU Cybersecurity Reserve,” which will be made up of incident response services from several trusted providers who can be used to provide support for handling EU cyber incidents. Lastly, when providing financial aid, this new bill will provide funding to member states to support them with technical assistance after severe or large-scale cyber incidents.
The Impact.
With these new regulations, organizations and member states should begin to prepare for the new requirements that are being readied for implementation. To comply with these regulations, organizations operating within the EU should prepare themselves to cooperate with the expanded information-sharing requirements through the new alert system. Additionally, critical infrastructure entities must be ready for mandatory preparedness testing.
Key EU governmental organizations, like the EU’s Cybersecurity Agency and the EU Commission, will aim to regularly identify the relevant sectors that are designated as “high criticality” and will be subjected to regular preparedness testing. EU organizations involved in these “critical sectors” should expect greater assistance and governmental oversight over the coming months and years when managing cybersecurity efforts.
Other Noteworthy Stories.
Watchdog states that the EU’s use of Microsoft software breaches privacy rules.
What: According to the European Data Protection Supervisor (EDPS), the European Commission breached the European Union’s (EU) privacy rules when using Microsoft software and failed to implement safeguards for data transfers to non-EU countries.
Why: The EDPS has announced that it has ordered the European Commission to comply with its privacy rules and stop data transfers to countries that do not have privacy deals with the EU. The EDPS has given the Commission until December 9th to comply with both of these orders. These orders come after a three-year investigation that was originally started following rising concerns related to the Snowden leaks and fears of US surveillance.
The EDPS stated in this announcement that “the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.” The European Economic Area (EEA) is an area of territory made up of the twenty-seven EU countries. Additionally, the watchdog group stated that “in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365.”
Shanghai Zhenhua denies being a cyber risk to US ports.
What: On Sunday, Shanghai Zhenhua Heavy Industries (ZPMC) made a statement saying its cranes are not a cyber threat.
Why: After coming under increasing pressure from US Congressional committees, the Chinese state-owned company stated that its cranes do not pose a threat to US ports. This statement came after the House of Representatives security panels raised concerns about the installation of these ZPMC-manufactured cranes by ABB, a Swiss engineering group. ZPMC stated that they “take the US concerns seriously and believe that these reports can easily mislead the public without sufficient factual review,” continuing to state that “the cranes provided by ZPMC do not pose a cybersecurity risk to any ports.”
These concerns were raised shortly after the Biden administration raised its concerns surrounding Chinese-manufactured cranes making up large portions of the cranes being used in ports around the US. The Biden administration directed the Coast Guard to investigate these cranes amid security concerns surrounding the use of these remotely operated cranes.
Italian watchdog looks into OpenAI tool for turning text into video.
What: Last Friday, the Italian data protection agency, Garante, announced that it has opened an investigation into a service operated by OpenAI that can create videos from text inputs.
Why: With this investigation, Garante has asked OpenAI to clarify whether the way it informs users and non-users about Sora, the video generation software, is in line with EU regulations. Garante has become one of the most proactive authorities when it comes to assessing AI and its compliance with the EU’s data policies. In 2023, Garante banned ChatGPT, citing its concerns that the AI software did not follow the EU’s privacy rules. In addition to requesting more data on Sora, Garante requested that OpenAI provide information on how the algorithm was trained, what data was collected, what data was used to train Sora, and if the service is already available for use in the EU and Italy.