Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,500 words, this briefing is about a -minute read.
At a Glance.
- US appeals court upholds TikTok ban law.
- US alleges Chinese hackers targeted senior officials.
US appeals court upholds controversial TikTok ban law.
The News.
On Friday, a US federal appeals court upheld the controversial “TikTok ban” law, which would force the social media site’s parent company, ByteDance, to divest from the application or face a nationwide ban. The trial was held at the US Court of Appeals for the D.C. Circuit and was ruled on by a three-judge panel, which found that the law did not violate the First Amendment as TikTok had argued. In its ruling, the court wrote that “the First Amendment exists to protect free speech in the [US, and] the government acted solely to protect that freedom from a foreign adversary nation and to limit that adversary’s ability to gather data on people in the [US].” With this decision, the law is likely to go into effect in January, unless the incoming administration or the Biden administration gives the company a ninety-day extension.
Following the ruling, TikTok condemned the decision in a statement suggesting that the company would appeal it to the Supreme Court. In the statement, TikTok emphasized that “the Supreme Court has an established historical record of protecting Americans’ right to free speech, and we expect that they will do just that on this important constitutional issue.”
The Knowledge.
For greater context, the “TikTok Ban bill,” also known as the Protecting Americans from Foreign Adversary Controlled Applications Act, was passed in April of this year with overwhelming support in the House and Senate and was later signed into law by President Biden. Once passed, the law gave ByteDance nine months to divest from TikTok or see it banned within the US. When the bill was originally passed, its supporters emphasized that TikTok posed national security concerns due to the risk of sensitive citizen data being exposed to the Chinese government. While TikTok has strongly denied these accusations, lawmakers remained unconvinced after several classified Congressional briefings were held that informed members of the app's various risks.
However, since the law was passed, it has been heavily debated, and some concerns have arisen regarding how the incoming Trump administration will handle it. While Trump attempted to ban the application in his first administration through an executive order, he may have changed his stance during his presidential campaign. During his race, Trump emphasized that banning TikTok would empower other social media companies, giving them too much power in the market; however, it remains unclear what Trump would be willing to do to impede the divestment.
The Impact.
While ByteDance still has several weeks to divest from TikTok and has announced its intentions to challenge the law in the Supreme Court, it is unclear if this effort will be successful. Given the overwhelming bipartisan support behind banning TikTok, it would be a surprising turn of events if the Supreme Court were to fully rule in the company’s favor.
Whether or not Trump would oppose the law also remains unclear. While Trump does not have the power to overturn the law, his support of TikTok could result in the company being given the ninety-day extension or could result in a different outcome from the Supreme Court. In the meantime, businesses and citizens should be prepared to operate if TikTok were to be sold or banned within the US, and should consider what potential disruptions that could cause.
US alleges that Chinese hacking group hacked calls of senior political figures.
The News.
Over the weekend, Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, commented on allegations that a Chinese cyber espionage campaign successfully targeted senior American political figures. Numerous recent incidents have been attributed to this campaign, better known as Salt Typhoon, but in this case US officials believe the operation was highly focused. In a statement, Neuberger said that “we believe…the actual number of calls that they took, recorded and took, was really more focused on very senior political individuals.” Neuberger did not reveal the identities of the officials who were targeted and stated that the US was still actively investigating the “scope and scale” of the hacking campaign.
Chinese officials have denied previous allegations related to Salt Typhoon, stating that Beijing “firmly opposes and combats cyber attacks and cyber theft in all forms.”
The Knowledge.
While the US is still actively investigating this latest incident, this is not the first time that Salt Typhoon’s name has appeared, as several major espionage incidents have been attributed to the campaign. One of the most infamous incidents involved a major breach that targeted several of the US’s largest telecommunications companies, which has been dubbed by some as the “worst telecom hack in [the] nation’s history.” In this attack, Salt Typhoon was allegedly able to listen in on audio calls in real time and move around various telecommunication networks. These efforts enabled the espionage campaign to target major political figures within the State Department, people within the Harris political campaign, President-elect Trump, and his running mate JD Vance. Senator Mark Warner commented on the attack, stating that “this is an ongoing effort by China to infiltrate telecom systems around the world, to exfiltrate huge amounts of data.”
These efforts have already drawn action from the current administration, with the Federal Communications Commission (FCC) proposing a new cybersecurity rule. Chairwoman Jessica Rosenworcel proposed a rule that would require communications service providers to submit an annual certification attesting that they have a plan that will help protect against cyberattacks. After proposing this rule, Chairwoman Rosenworcel stated that “while the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.” If adopted, the rule would take effect immediately.
The Impact.
While the investigations into this latest incident are still ongoing and no formal actions have been taken in response to these incidents, it is clear that officials both within Congress and within federal agencies are paying greater attention to these matters. However, despite the growing momentum behind efforts to address these incidents, it is unlikely that anything significant will be implemented until the next administration takes power in early 2025. It is also unclear what Trump’s second administration plans to do to address these cyber incidents.
In the meantime, people involved in the telecommunications industry should understand that hostile actors are actively looking to target this key infrastructure sector and be prepared accordingly. While the average person is unlikely to be able to stop attacks associated with advanced persistent threats, people should remain vigilant for phishing attacks or unusual activity.
Highlighting Key Conversations.
In this week’s Caveat Podcast, our team sat down with Petra Molnar, a Harvard faculty associate, lawyer, and author of the newly released book, “The Walls Have Eyes: Surviving Migration in the Age of Artificial Intelligence.” Throughout this conversation, we discussed with Petra Molnar how Big Tech and artificial intelligence (AI) will enable the incoming Trump administration to execute its immigration policies. Additionally, our team covered the recent court decision that upheld the constitutionality of the “TikTok Ban” law and how detectives are using video footage to investigate the killing of the UnitedHealth CEO.
Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other Noteworthy Stories.
Trump names David Sacks as AI and crypto czar.
What: President-elect Trump has named David Sacks, a venture capitalist, to serve in his administration’s newly created role as the AI and cryptocurrency czar.
Why: Last week, Trump announced that he would nominate Sacks to this new role and task him with developing a legal framework for the crypto industry among other duties. With this announcement, Trump wrote that “David will focus on making America the clear global leader in both areas” and that he would “safeguard Free Speech online, and steer us away from Big Tech bias and censorship.”
US sanctions Chinese firm over ransomware attack.
What: The Department of Treasury sanctioned a Chinese cybersecurity company over a ransomware attack that occurred in April 2020.
Why: On Tuesday, the Treasury Department announced that it is imposing new sanctions on the Chengdu-based Sichuan Silence Information Technology Company and one of its employees, Guan Tianfeng. These sanctions were imposed in response to the company deploying malicious software to more than 80,000 firewalls worldwide. Of the firewalls targeted, the Department stated that over three dozen were protecting the systems of critical infrastructure companies, where the compromise could have led to a loss of life if not fixed in time. Beijing has routinely denied being involved in these hacking attempts.