At a glance.
- US Executive Orders would ban WeChat and TikTok by late September.
- Texts announcing Rewards for Justice reach Russia, Iran.
- Industry sources express reservations about the US Clean Network program.
US Executive Orders target TikTok and WeChat.
US President Trump yesterday issued two Executive Orders that impose new limitations on Chinese-owned social media apps TikTok and WeChat. WeChat is a subsidiary of Tencent, TikTok of ByteDance, and both parent companies are mentioned in the Orders.
The Wall Street Journal summarizes the effect of the orders as prohibiting anyone in the United States or subject to US jurisdiction from conducting “transactions” with the owners of the two services. The ban will become effective forty-five days from the date of the Executive Orders, which, unless we’ve miscounted, puts the deadline on September 20th. This could prevent US citizens from downloading the apps from such sources as Google Play or the Apple store. It also puts a deadline on Microsoft’s possible acquisition of TikTok.
Both Executive Orders stated, as an official finding, that “additional steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain).” Both of the apps represent a threat because they automatically capture “vast” amounts of information from their users, and the data they collect are in principle accessible to the Chinese Communist Party and Chinese government intelligence services.
The social platforms, the Orders say, actively censor domestic dissent in China, and the Order pertaining to TikTok finds that the platform has been active in spreading COVID-19 disinformation on behalf of the Chinese government. The Order affecting WeChat, in an aside, cites restrictions India and Australia have placed on the app as an indication that the US isn’t alone in seeing a problem with Chinese data collection practices.
The Secretary of Commerce will be in charge of implementation and enforcement.
TikTok, which has moved data formerly held in US servers to servers in Ireland, objected to the Executive Order in a strongly worded statement it issued this morning. The company finds what it views as a lack of due process most objectionable.
“We are shocked by the recent Executive Order, which was issued without any due process,” the company said. “For nearly a year, we have sought to engage with the US government in good faith to provide a constructive solution to the concerns that have been expressed. What we encountered instead was that the US Administration paid no attention to facts, dictated terms of an agreement without going through standard legal processes, and tried to insert itself into negotiations between private businesses.”
The statement also includes an explicit denial of the specific accusations in the Order: “We have made clear that TikTok has never shared user data with the Chinese government, nor censored content at its request.”
Rewards for Justice reaches Russians and Iranians by text message?
The US State Department reward being offered for information concerning attempts to hack US elections has been communicated in some surprising places. Reuters reports that text messages communicating the offer and a link to Rewards for Justice have been turning up on Iranian and Russian devices.
Who sent the texts isn’t clear, but there’s speculation that the messaging was done on behalf of the US Government. US Cyber Command referred Reuters to the State Department, and State had nothing to say, so the origin of the texts remains unclear. While there are certainly grounds for thinking that Russian and Iranian Internet users might well be in a position to have noticed people up to no good with respect to elections, texting them and offering a reward may, some observers told Reuters, expose the recipients of the texts to risk. Neither Moscow nor Tehran is known for a light hand or a tolerant view of interference with security and intelligence services.
Commenting on the reward program itself, and its application to the prevention of election interference, Ilia Kolochenko, ImmuniWeb founder and CEO, gives the program high marks, but notes that its likely outcomes are unclear:
“I think it’s a smart move but the outcomes are highly uncertain for the time being. Most of the cybercriminals implicated in grand hacking campaigns will likely keep silent fearing arrest and prosecution for their past sins when communicating their details for payment. Moreover, in light of uncertain and ambiguous conditions of the bounty payment by the government. From the current context, it’s also a bit unclear whether the $10 million is to be apportioned for all of the reports or if it’s a per payment cap.
“We will likely get a considerable volume of ‘false positives’ or even fraudulent reports aimed to extort money from the government or frame up a rival. In the future, however, bounty awards for information about cyber criminals may become a formidable weapon of law enforcement. Frequently, technical sophistication, the unpreparedness of victims and crypto-currencies make data breaches technically uninvestigable and provide virtual impunity to cybercriminals. The sole tenable way to identify them is to get a hint from an ex-accomplice or a rival cyber gang. Thus, we may see a gradual growth of such bounty payments by governments in the near future as the last resort to curb the uncontrolled proliferation of cybercrime.”
Reactions to the US Clean Network program.
This week's announcement of the US Clean Network program's five lines of effort has drawn adverse comment from the Internet Society, a not-for-profit organization that takes as its mission the promotion and "open development, evolution and use of the Internet for the benefit of all people throughout the world." Their statement deplores the measure as an unwelcome step toward autarky in cyberspace:
"We're very disappointed; The United States, the country that funded the early development of the Internet, is now considering policies that would fracture it into pieces. This is part of a larger disturbing trend where governments directly interfere with the Internet, attempting to score short-term political points without regard to the long-term damage that results.
"The Internet is a global network of networks, where networks interconnect on a voluntary basis with no central authority. It is this architecture that has made the Internet so successful. Today’s announcement of the Clean Networks program challenges this architecture at its very core. The 'Clean Carrier' and 'Clean Cable' programs alone would force vast amounts of Internet traffic to route into third countries, extending the distances data must traverse, increasing the potential for surveillance and manipulation of Internet traffic, increasing the risk of Internet outages, and in general increasing costs to everyone on the Internet.
"Having a government dictate how networks interconnect according to political considerations rather than technical considerations, runs contrary to the very idea of the Internet. Such interventions will significantly impact the agility, resiliency and flexibility of the Internet. If this approach were to spread further, the ability of the Internet to bring the broader benefits of collaboration, global reach, and economic growth will be significantly threatened. Interventions like these only increase the global momentum towards a 'Splinternet' -- a fractured network, rather than the Internet we have built over the last four decades and need now more than ever."
McAfee Senior VP and CTO Steve Grobman was less condemnatory, and acknowledged the legitimacy of the concerns behind Clean Network, but he also saw problems with moving decisions he regards as properly belonging to the private sector to the government:
“U.S. government agencies must identify and make public potential risks in software, especially software that may be utilized by nation states for purposes beyond an application’s seemingly benign handling of sensitive or personal data. However, rather than banning these software applications, the government should advise organizations and individuals on the security and privacy implications associated with the developer’s technology supply chain and data management policy. The U.S. government needs the ability to restrict the use of potentially dangerous applications on government devices; however, private organizations and individuals should be the final deciders on which applications should be used.”