At a glance.
- US moves toward banning federal employee use of TikTok.
- US blacklists more Chinese-owned companies, Saudi Arabia welcomes them.
- Security implications of Chinese ownership of TikTok.
- NSA’s year in review.
US moves toward banning federal employee use of TikTok.
On Wednesday, the US Senate passed a bill to bar federal employees from using TikTok on government-owned devices. US fears surrounding the potential national security threat presented by Chinese-owned social media platform TikTok continue to grow, and in recent weeks a growing number of states have taken the matter into their own hands by banning the video-sharing app from government-issued devices. It appears federal action is not far behind. In August 2020 the Senate unanimously approved legislation to bar TikTok from government devices, and Republican Senator Josh Hawley reintroduced it in legislation last year. Hawley said previously, "TikTok is a major security risk to the United States, and it has no place on government devices."
As Reuters explains, the bill must next be approved by the US House of Representatives before the current congressional session ends, and the vote is expected next week. Then it will go to the White House for President Joe Biden’s signature. In addition, Republican Senator Marco Rubio of Florida on Tuesday announced bipartisan legislation to ban TikTok from operating in the US, E-Commerce Times reports. In May Rubio urged the White House to address concerns over the app’s ties to China-based parent company ByteDance. The measure would block all transactions from any social media company in or under the influence of China and Russia, and Republican Mike Gallagher and Democrat Raja Krishnamoorthi have sponsored a companion bill in the US House of Representatives.
TikTok continues to assert that the US’s security concerns are unfounded. On Wednesday, in response to announcements of new states banning government employee use of the platform, a spokesperson stated, "We're disappointed that so many states are jumping on the political bandwagon to enact policies based on unfounded falsehoods about TikTok that will do nothing to advance the national security of the United States."
Added, 9:15 PM, December 17th, 2022.
Adam Marrè, CISO at Arctic Wolf, commented on the additional risk a company that collects as much data as TikTok poses.
"Although we should be cautious when using all social media platforms, no matter who owns them, TikTok is collecting massive amounts of information from American consumers, and we don’t know what that data is being used for or if a foreign government has access to the data. While this idea isn’t new, TikTok collects information like user location, voiceprints, calendar information and other sensitive data. As the number of users in America continues to grow, this needs to be addressed at a federal level.
"With the rise of data brokers who make a living out of selling user information, this platform can serve as a vessel where malicious actors can leverage that. In turn, they can sell this information, which can be used to target people via phishing emails, influence via propaganda or even controlling/accessing devices. Let this be a reminder that nothing is truly “free” and that we should all exercise caution.”
US blacklists more Chinese-owned companies, Saudi Arabia welcomes them.
Yangtze Memory Technologies Co. (YMTC), China’s leading memory chip producer, was added to the US Commerce Department's Entity List yesterday, along with thirty-six other Chinese companies and research organizations. YMTC, which as of last year held around 5% of the global market share in NAND flash memory chips, was seen as China’s best chance to compete with foreign dominance in the semiconductor industry. The Commerce Department said the use of YMTC products in the US could expose the country to national security threats or damage foreign policy interests, especially through YMTC’s engagement with companies like Huawei and Hikvision, which are already on the trade blacklist. As Nikkei Asia notes, other new additions to the Entity List include Shanghai Micro Electronics Equipment and Cambricon Technologies. The expansion of the blacklist comes as Beijing initiated a dispute against the US with the World Trade Organization regarding the White House’s restrictions on semiconductor exports to Beijing.
Despite the US’s security concerns about Huawei, Saudi Arabia signed a deal this month with Chinese President Xi Jinping partnering with the tech giant on activities concerning cloud computing, data centers, and the construction of high-tech complexes in Saudi cities. Business Standard reports that President Xi Jinping's recent three-day visit to Saudi Arabia signals Beijing’s efforts to increase its influence in the region. In total, Saudi and Chinese officials signed thirty-four agreements (at an estimated value of approximately $30 billion) related to information technology, green hydrogen, photovoltaics, transportation, information technology and cloud services, construction of houses, logistics and medical services.
Security implications of Chinese ownership of TikTok.
Lou Steinberg, who leads the cybersecurity research lab and incubator, CTM Insights, described the implications of Chinese ownership of a platform, product, or service:
“There's a degree of influence that the Chinese government can exert over application developers in China. By Chinese law, they can do things like demand data. Remember that your data might include things like your family health interests, your political biases, etc. Knowing your political leanings today might be of interest if they want to amplify or suppress messages you post and promote.
"We know China is retrieving data on their citizens and storing it in massive databases and suspect the Chinese government is trying to accumulate data about U.S. citizens. The Chinese are using these apps as a way to get data and we believe that they're building huge profiles on American citizens and not just adults but kids. Some younger users will grow up to be senior political figures, reporters, scientists, and other important figures. Collecting data now lets them play a long game.
"Just remember the data you legitimately shared either through your profile or your TikTok posts is being used for an unintended purpose and stored on databases which may or may not be used at some point."
He also points out the risks of further exploitation after installation of software under potentially hostile control:
"If you install TikTok, do we know you aren't installing a backdoor to other things on your phone (like the ability to read email and texts)? The app stores try to make sure they don't include security vulnerabilities, but unfortunately things get past the checks. By installing something on your phone, you're potentially giving them (in an indirect form the Chinese government) a toehold and this is largely why state governments and now the federal government are saying they don't want that app on a state or a federally-owned device. This is an even larger concern when the companies making the apps have ties to the government.
"We would never let China install a potential Trojan horse on a state or federally-owned device. A government-issued phone has government data, increasing the impact of a backdoor with no upside to having TikTok on those devices."
And, of course, TikTok is a channel for influence:
“TikTok is a source of news for a lot of younger people and that's an issue--especially if the Chinese Communist Party is deciding what news you read. We know the Chinese are very, very sensitive to how they are perceived outside of China. There's a huge concern if an opaque algorithm they control is making decisions re the news we consume, but more importantly what kids consume. There is always editorial bias, but since it’s not free market driven there can be government messaging bias in the kinds of stories you see and don’t see. Just as they control the narrative in the news within China, the Chinese government could influence the narrative and the news in the US to impact elections and how China is perceived.”
NSA’s year in review.
With the new year just around the corner, the US National Security Agency (NSA) today released its 2022 Cybersecurity Year in Review, highlighting the agency’s major accomplishments. NSA Cybersecurity Director Rob Joyce stated, “By protecting the U.S. Government’s most sensitive networks, we cascade solutions that help secure critical infrastructure, U.S. allies, and businesses and consumers around the world. Our efforts to protect those networks help protect yours.” The report spotlights NSA’s efforts to scale cybersecurity solutions by strengthening partnerships through its Cybersecurity Collaboration Center, which doubled its industry partnerships in the past year to over three hundred collaborative relationships. Other highlights include the disclosure of dozens of zero-day vulnerabilities, supporting the National Defense Strategy by contributing to whole-of-government campaigns to counter malicious cyber activity, and the publication of the Commercial National Security Algorithm Suite 2.0.