At a glance.
- US lawmakers’ continued focus on TikTok as national security threat.
- NTSB lacks CISA-mandated vulnerability disclosure policy.
- US Army works to improve cybersecurity training.
US lawmakers’ continued focus on TikTok as national security threat.
The fact that the US government views TikTok as a threat to national security is no secret, but what makes lawmakers view this particular app as so much more dangerous than the myriad other social media platforms out there? The video streaming app boasts an estimated 135 million US users, and Wired offers an in-depth look at why US lawmakers are so worried about TikTok’s reach. The fact that the app is owned by Chinese tech giant ByteDance has fueled fears that the Chinese government could use TikTok to collect data on Americans, launch influence campaigns, or spread disinformation, and a recent BuzzFeed investigation revealed that ByteDance employees are allowed access to US TikTok users' data, pushing US legislators to ramp up their warnings about the platform’s threat to privacy this summer. The US military, Transportation Security Administration, and several other federal agencies have already banned their members from using TikTok, and as we noted yesterday, sources say President Joe Biden is preparing a series of executive orders to address TikTok and the Chinese tech sector's access to US user data. The fact is that TikTok creates a power imbalance, as the US lacks a similar level of access to Chinese user data through any comparable platform. Jake Williams, director of cyber-threat intelligence at the security firm Scythe and a former National Security Agency hacker, explains, “Let's assume for a second that US intelligence has access to WeChat. They would have to fight hard for that access, and it would constantly be at risk of discovery and neutralization. China, on the other hand, doesn't have to fight for access to TikTok; they have it by statutory authority.”
NTSB lacks CISA-mandated vulnerability disclosure policy.
In 2020 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 20-01 mandating that all federal civilian executive branch agencies under the agency’s authority develop formal vulnerability disclosure policies. However, a review conducted by Nextgov revealed that the National Transportation Safety Board (NTSB) is the only federal civilian agency under CISA that has so far failed to do so. At first, an NTSB spokesperson stated that because the directive was “addressed to executive branch departments and agencies and other security related agencies,” the policy did not apply to NTSB, which is an independent federal agency focused on investigating transportation accidents. But after being contacted by CISA about their lack of compliance, the spokesperson seemingly reversed his stance, stating that new information showed that the directive “does involve NTSB” and that CISA had arranged their vulnerability disclosure policy (VDP) platform to help smaller agencies like NTSB to better support the program. Indeed, in July CISA launched a VDP platform that “automatically facilitates the majority of required compliance reporting metrics to CISA on behalf of the participating agencies, reducing agency reporting efforts.” “NTSB immediately expressed interest to CISA to be a participant in their program and are on their list for implementation,” the spokesperson added. “Their system became fully authorized to operate in March of 2022 and NTSB is on track to be operational on it by the end of this fiscal year. The policy is expected to be posted at that time.”
US Army works to improve cybersecurity training.
The US Army Cyber Center of Excellence, located in the US state of Georgia, is updating its curriculum to ensure that soldiers are better prepared for taking on cyber roles. “The vast majority of our students are ready day one that they hit the ground to their assigned units,” said Maj. Gen. Paul Stanton, the center's commanding general. However, Stanton noted, due to the ever-changing landscape of global cyber threats, some soldiers sent to Cyber Mission Force, National Mission Teams, National Support Teams, Combat Mission Teams, Combat Support Teams, and Cyber Protection Teams could be better prepared. In cooperation with US Cyber Command, the center is developing a new course integrating lessons from the Russia-Ukraine conflict. Still in its pilot stage, the course, Stanton says, “requires a little bit of a change in curriculum, a change in approach, a change in our assessment strategy,” and is expected to be fully operational within a year. Stanton told Defense One, “We're watching cyber, we're watching information, we're watching the electronic warfare unfold in front of our eyes. We absolutely have to pay attention and then incorporate those lessons learned right back into what we're teaching our soldiers inside of our schoolhouse that we're responsible for at the Cyber Center of Excellence.” As well, the center has developed a cyber pilot program with the Junior Reserve Officers’ Training Corps (JROTC) to ensure that they have a steady pipeline of cyber talent starting at the high school level. With ten locations participating in the JROTC cyber pilot programs so far, it’s designed to “increase the culture of cyber in the next generation” of Army leaders.