At a glance.
- France bans TikTok (and then some) from government phones.
- Could a Cyber Force become the seventh arm of the US military?
- Biden administration restricts use of commercial surveillance software.
France bans TikTok (and then some) from government phones.
As worries continue to mount that popular video-streaming platform TikTok could be leaking user data to the Chinese government, Western nations have been banning the app from government devices. The Register reports that France has taken it a step further, banning not only TikTok but all recreational apps from government-owned devices. Minister of Transformation and Public Service, Stanislas Guerini, explained the move by stating that recreational apps do not have sufficient security to be used on government employee phones and could compromise data stored by government agencies and staffers. Guerini did state that some exceptions could be made for apps that are needed for official government communication.
The move comes on the heels of TikTok CEO Shou Zi Chew testifying before US Congress’s House Committee on Energy and Commerce, where he apparently failed to convince lawmakers of the app’s data security. In a tweet posted on Sunday, House Speaker Kevin McCarthy signaled that a full ban of the app could be on the horizon in the US. “It's very concerning that the CEO of TikTok can't be honest and admit what we already know to be true—China has access to TikTok user data,” McCarthy stated. “The House will be moving forward with legislation to protect Americans from the technological tentacles of the Chinese Communist Party.”
Could a Cyber Force become the seventh arm of the US military?
The Military Cyber Professional Association has issued a memorandum calling on lawmakers to establish a US Cyber Force, a dedicated cyber service that would become the seventh branch of the military. The memo states, “For over a decade, each service has taken their own approach to providing United States Cyber Command forces to employ and the predictable results remain inconsistent readiness and effectiveness. Only a service, with all its trappings, can provide the level of focus needed to achieve optimal results in their given domain.” It goes on to say that cyberspace is the only domain without its own service, and that the lack of a dedicated military service poses an “unnecessary risk” to national security.
The Record notes that while policymakers have increasingly expressed the need to address the ever-growing digital threats posed by adversaries like China and Russia, there has not yet been a sustained effort to create a cyber-focused branch in the military. Still, the association said there’s no rush to create the new branch, and that any legislative approval should be accompanied by a “thorough study to determine what this military service should look like, how it be implemented, and the applicable timeline.”
Biden administration restricts use of commercial surveillance software.
US President Joe Biden yesterday issued an executive order restricting the use of commercial spyware by the federal government, the Wall Street Journal reports. The EO limits the purchase and deployment of surveillance software from vendors whose products have been connected to human-rights abuses (ahem, Pegasus?) or considered a risk to counterintelligence or national security. A senior administration official told the press, “The executive order…prohibits departments and agencies across the federal government, from operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses, and it encompasses spyware tools that are furnished by foreign or domestic commercial entities.” However, as Nextgov.com notes, the move stops short of banning surveillance tools completely, signaling that lawful intercept tools could still play an important part in government intelligence operations.
The announcement came as US officials revealed that surveillance software had been used to target the devices of at least fifty US personnel working overseas. As the Washington Post reports, the matter is still under investigation, and the number of victims is expected to rise as details surface. Authorities have not specified what type of spyware was involved. One senior official stated, “We had a hunch early on, when we started this process that [such spyware] could pose counterintelligence and security risks. … We realized increasingly that the counterintelligence and security risks were profound.”
Although the EO is a clear demonstration of the US’s commitment to preventing spyware abuse, the Register notes that it could be difficult to execute. For instance, determining whether specific software, as the order states, "is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities…directed against the United States" will be a difficult process. And is it even possible to create spyware that doesn’t, as the EO suggests, pose “significant counterintelligence or security risks to the United States Government”?
(Added, 7:00 PM, March 29th, 2023. Michael Covington, PhD, VP of Portfolio Strategy at Jamf, likes the effort and intent, but thinks the order by itself will not revolutionize the security of mobile devices. “Though it’s encouraging that President Biden is setting guidelines around spyware abuse, an executive order isn’t going to make mobile devices more secure. Individuals and organizations need to take a concerted effort to secure these devices, particularly when they are used to handle sensitive information," he wrote. "Data from Jamf, a cybersecurity company, shows that mobile security has historically not been a priority for many. In 2022, nearly a third (31%) of organizations had at least one user fall victim to a phishing attack on a mobile device. In addition, Jamf found that 1 in every 5 devices ran an operating system that was lacking critical security patches and updates. Businesses and governments alike need to realize that the attackers are shifting to mobile, and that the time has come to protect the devices used off campus as effectively as those used within an organization’s facilities.”)