At a glance.
- USA’s future cyber strategy to focus on regulation and hacking back.
- TikTok banned from Canadian government devices.
USA's future cyber strategy to focus on regulation and hacking back.
The international cyber community is waiting with bated breath for the US to finalize its new National Cybersecurity Strategy, expected to be signed by President Joe Biden in “coming weeks.” As SecurityWeek reports, a recently released draft strategy document indicates the Biden administration will be making two impactful changes to the nation’s approach to cybersecurity. First, there will be a shift away from the historically voluntary cybersecurity guidelines for operators of critical infrastructure toward mandatory regulation. The document reads, “[While] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes.” Second, the new strategy will not only give law enforcement and intelligence agencies greater authorization to “hack back” into foreign networks suspected of conducting cyber operations against the US, but also to offensively infiltrate the systems of adversaries in order to prevent future attacks. The aim of this more aggressive approach is to “disrupt and dismantle” hostile networks before they can cause damage to US infrastructure. The document states, “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.”
TikTok banned from Canadian government devices.
The National Post reports that Canada has become the latest nation to impose a ban on Chinese-owned social media app TikTok. The Canadian federal government announced yesterday it is prohibiting the use of TikTok on all government mobile devices, stating that the Chief Information Officer of Canada determined the app presents an “unacceptable level of risk to privacy and security.” Treasury Board Secretariat President Mona Fortier issued a statement yesterday saying, “Effective February 28, 2023, the TikTok application will be removed from government-issued mobile devices. Users of these devices will also be blocked from downloading the application in the future.”
The decision follows a series of similar TikTok bans enacted by the European Commission and US government agencies amid concerns that the Chinese government could use the platform to spread disinformation or to collect data on foreign users. The US Congress is currently considering a bill that would ban the app from the country even for personal use, and Canadian Prime Minister Justin Trudeau’s statement about the new ban on Monday left the door open for a similar decision. “This may be a first step, it may be the only step we need to take. But every step of the way, we’re going to be making sure we’re keeping Canadians safe,” Prime Minister Trudeau stated. In response to Canada’s announcement, TikTok Canada spokesperson Danielle Morgan stated the company was “disappointed” the federal chief information officer made the decision “without citing any specific security concerns” or discussing it with the company.
(Added, 9:00 PM ET, February 28th, 2023. Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, thinks this was to be expected, and that Canada won't be the last government to take similar action:
"I’m not surprised. Canada isn’t the first government to make this decision, and it likely won’t be the last. I believe this is the first time the EU has banned a mobile app, indicating that there are valid reasons to enforce this policy. On top of the bans from the U.S. government in 31 states and the White House’s decision to ban it on government-issued devices, I only expect more to follow. For example, just a few days ago, one of the most popular Australian politicians on TikTok said he refuses to use the Chinese-owned video app on his government or personal phones due to concerns about the security of his data, and UK politicians have started to receive pressure to do the same.
"The potential of this ban is not limited to government devices, either. I know for a fact many CISOs are considering banning TikTok from their corporate devices. Many commercial organizations, especially those with bring your own device (BYOD) policies, may not follow this type of policy, but I anticipate others in highly-regulated environments, such as the financial sector, will conduct their own product security testing and legal review of the privacy policy terms to restrict its use, at least on corporate devices or by high-value users. It’s no secret nation state groups often target large corporations for intelligence gathering or even for financial gain, so it’s not difficult to see why corporations may make a similar decision on this policy. Organizations that regularly update their threat model based on contextual intelligence, and that have mature asset management practices and unified management endpoint solutions, are definitely in a better position to manage this risk enterprise-wide.
"This highlights the importance of managing risk through organizations and the need to assess the security impact that introducing a new product or technology, even apparently innocuous chat or social media apps, can have on the overall security of an organization. Supply chain attacks are a real concern, but privacy risks should also be top agenda items for CISOs of high-risk organizations. How many CISOs are aware of the statements in TikTok’s privacy policy? How valuable would this data collected by TikTok be in the hands of financially motivated attackers or nation states, when coming from high value individuals (i.e. executives)?)
(Added, 9:15 PM ET, February 28th, 2023. The US is moving toward banning TikTok from Federal devices. Chris Vaughan, AVP - Technical Account Management at Tanium, sees the US ban as evidence that organizations are increasingly interested in taking a more comprehensive approach to security.
"This latest step at the federal level to ban TikTok from government-owned devices reflects that institutions are recognizing that a comprehensive approach is important to protect our citizens from social media campaigns designed to further foreign political objectives and deepen divisions in western societies.
"Chinese intelligence tactics are fueled by the sustained collection of user data such as commerce and purchasing information which, combined with biometrics and activity tracking, feeds detailed intelligence to be used in operations with longer term objectives. Such data can deliver targeted, timely psychological operations against individuals or groups of citizens. We have seen this during election cycles and politically charged events in recent years. This move raises the question of the extent to which Chinese influence is acceptable when it comes to national infrastructure and everyday life. Concerns have increased in the West in recent months and the use of Chinese surveillance technology has been restricted. We have also seen reports of Chinese initiatives to influence politicians through lobbying and donations, as well as through the spread of disinformation through social media.
"We’ve previously seen Russia’s use of information operations during the 2016 US election and the UK’s Brexit referendum. China’s focus meanwhile has been on the theft of intellectual property, but there are indications that the CCP may look to information and influence operations to advance its strategic goals. Such instances must be met head on by the US and other western political leaders, and this ban begins to reflect that realization.")