UK TikTok ban gives us all cause to consider social media security
The UK ban on installing and using the social media app TikTok on government devices brings the country’s policy into line with that of other jurisdictions, including the US and member states of the European Union.
Announced yesterday in the House of Commons by Oliver Dowden, chancellor of the Duchy of Lancaster, the ban covers devices in ministerial and non-ministerial departments, and is a precautionary move that has not been taken in response to any specific incident or threat.
It is the latest step in a long-running feud between the West and China over data privacy issues, which besides TikTok has drawn in the likes of Hikvision, a manufacturer of IP surveillance cameras, and most famously, networking and comms giant Huawei, which found itself banned from the UK’s core communications infrastructure in 2020.
All of these cases arise from concerns shared by Britain, the US and other Western states. Broadly speaking, these concerns centre on the possibility that the Chinese government may be able to extract sensitive data from these companies for espionage purposes.
China has a long history of industrial espionage, and its state-backed cyber operations are widely acknowledged as a particularly dangerous threat, so these concerns are not wholly unjustified, and it is not a stretch to imagine how Beijing might exploit the personal data of UK government officials should it fall into their hands. In light of this, Chris Vaughan, vice-president of technical account management at Tanium, said it is no surprise to see Westminster following in the footsteps of Brussels and Washington DC.
“Chinese intelligence tactics are usually focused on longer-term objectives and are fuelled by the sustained collection of data,” he said. “The immense collection of user data, to now include commerce and purchasing information, combined with biometrics and activity tracking, feeds detailed intelligence into Chinese state departments.
“This data can also be leveraged to deliver targeted, timely and often personalised psychological operations against individuals or groups of citizens. These tactics could potentially be used during election cycles and politically charged events in the coming years.”
Vaughan regards the UK’s TikTok ban as speaking to a wider concern around how much Chinese influence is deemed acceptable in national infrastructure and everyday life (similar issues dogged Huawei previously).
“We have seen concerns increase in the West in recent months, with the use of Chinese surveillance technology being restricted,” he said. “There have also been numerous reports of Chinese efforts to sway politicians by way of lobbying and donations, and the public via social media and the spread of disinformation.”
“Historically, Russia has been the most prominent user of information operations, as we saw from its actions related to the 2016 US election and the Brexit referendum. China has been more focused on stealing intellectual property, which it can then use to its own advantage. However, there are indications that the CCP [Chinese Communist Party] will begin to focus more on information and influence operations to achieve its strategic objectives, which adds to the concerns about the use of technology such as TikTok.
“Any instances of these activities need to be met head-on by Western political leaders who should take a strong stance against it at the government level, rather than leaving the responsibility to individual organisations.”
Double standards
In her response to Dowden’s statement yesterday, Labour deputy leader Angela Rayner was scathing in accusing the government of being behind the curve and making sudden U-turns, and for some in the cyber security community, there is something distinctly fishy about its decision.
Matthew Hodgson, co-founder and CEO of secure comms services provider Element, said that in one important way, the ban is downright hypocritical.
“The UK government banning officials having TikTok on their phones while pushing through legislation that will give the UK government access to all UK communications screams of double standards,” said Hodgson.
“Outwardly it looks like they’re taking the security of data seriously by stopping China having a backdoor into UK data, albeit only for government officials at present. However, the UK government is pushing through the Online Safety Bill, which creates a very similar backdoor into every communications platform used by UK citizens.
“So, it’s not OK for China to access government communications but it is OK to provide a route for them to access citizen communications via Online Safety Bill weaknesses? We need to protect the privacy of UK citizens today from bad actors and nation states of all shapes and sizes,” he said.
TikTok speaks out
Naturally, Westminster’s views are not shared by TikTok, which continues to stress that it has never been asked to hand over data by the Chinese government, and insists it would never do so if asked.
In a statement following Dowden’s announcement on 16 March, a TikTok spokesperson said: “We are disappointed with this decision. We believe these bans have been based on fundamental misconceptions and driven by wider geopolitics, in which TikTok, and our millions of users in the UK, play no part.
“We remain committed to working with the government to address any concerns, but should be judged on facts and treated equally to our competitors. We have begun implementing a comprehensive plan to further protect our European user data, which includes storing UK user data in our European datacentres and tightening data access controls, including third-party independent oversight of our approach.”
The organisation believes it is inaccurate to describe it as Chinese-owned, as its European presence is incorporated and controlled in the UK and Ireland, and its parent, Bytedance, is incorporated outside China, so would not be subject to laws that require it to hand over data to Beijing if asked.
The company recently announced Project Clover, a dedicated secure European “enclave” to house its UK and European Economic Area (EEA) user data. The fulfilment of this project will also see UK user data – currently stored in datacentres in Singapore and the US – moved within European jurisdiction.
It has also named a third-party cyber security firm to audit its controls and protections, monitor data flows, and verify its compliance with relevant laws, which it believes goes beyond what any other tech platform is currently doing.
Venari Security chief technology officer Simon Mullis agrees that the TikTok ban is politically motivated, to some extent. “The concerns are really rooted in the ability to assure the chain of trust of data protection from beginning to end, and at all steps in between,” he said. “With TikTok, this has proven to be extremely difficult for a number of technical and political reasons.
“In fairness, the ban is as much political as it is a consequence of the technical design of the application,” said Mullis. “Is the TikTok design and architecture so wildly different from other social media applications in widespread use as to cause massive security fears? The answer is ‘probably not’.”
Long time coming
But Jamie Moles, senior technical manager at ExtraHop, said that given what we do know about how TikTok works, and most importantly, what we know about the data it requests and must have access to in order to run on a device, it is mystifying why the UK government has dallied for so long.
“I’m a security expert who downloaded and used TikTok when it came out like so many others, including those working in the UK government,” he said. “But here’s the difference: I removed it as soon as it became clear that the app could harvest anything from my phone, including contacts – GPS data, authentication data from other apps, and so on.
“Having this app on your phone is tantamount to giving the Chinese government the keys to our economy.”
Arctic Wolf chief information security officer (CISO) Adam Marrè said: “TikTok is collecting vast amounts of data from consumers, such as user location, voiceprints, calendar information and other sensitive data. The concern is we don’t know what this data is being used for, or if a foreign government has access to it.
“With the rise of data brokers who make a living out of selling user information, this platform can serve as a vessel for malicious actors to leverage. They can then sell this information, which can be used to target people via phishing emails, influence via propaganda, or even control or access devices. Let this be a reminder that nothing is truly ‘free’ and that we should all exercise caution.”
Faaki Saadi, UK and Ireland sales director at SOTI, said: “Any app that harvests the data you put into it should be treated with caution. Especially for people trusted with sensitive company information.
“TikTok being banned from UK government devices should act as a wake-up call to other organisations – do you have full visibility over the apps your employees have on their corporate devices? If not, perhaps now is the time to take stock. And it doesn’t need to be a heavy lift – there are solutions available that can do this for you, and wipe any unwanted apps in an instant.”
Social media security
Marrè and Saadi both speak to a wider concern with social media in general. Other social media platforms, such as Facebook and Instagram owner Meta, have shown themselves repeatedly to be highly blasé with regard to their user data and security policies. Twitter, under the leadership of the erratic Elon Musk, is heading in a similar direction.
And Robert Huber, chief security officer at Tenable, said that focusing solely on TikTok means we risk missing the forest for the trees. “There are hundreds of software applications used in government agencies every day that introduce risk, and unpatched known vulnerabilities are the most likely source of data breaches,” he said.
“The key is for security leaders to understand their organisation’s unique risk profile, discover where vulnerabilities exist and prioritise remediation efforts to root out those that could be the most harmful first.”
Should we all ban TikTok?
Ismael Valenzuela, vice-president of threat research and intelligence at BlackBerry, said he is already seeing CISOs considering banning the use of TikTok on company devices. This is particularly relevant to those working for organisations that operate in highly regulated environments, such as the financial services sector, where companies are rightly expected to conduct their own product security testing and legal review of privacy policy positions to, at the very least, limit use on corporate devices or by high-value users.
“There is no doubt that organisations with regularly updated threat models based on contextual intelligence, mature asset management practices and integrated management endpoint solutions are better positioned to manage this risk enterprise-wide,” said Valenzuela.
“It underscores the importance of managing risk throughout the organisation and the need to assess, and thereby control, the impact of the introduction of new products and technologies upon overall organisational security. This includes the use of seemingly innocuous chat and social media apps.
“I suspect that only a limited number of CISOs are aware of TikTok’s privacy policy statement,” he continued. “While attacks on the supply chain are a real concern today, privacy risk should also be a top priority for CISOs of high-risk organisations. This is because personal data on company executives and other important individuals can be of great value in the hands of financially motivated attackers or the state.”
Ultimately, the question of whether or not security leaders should ban or restrict the use of TikTok on company-owned devices is one that only they can answer. But given the growing number of government bans being proposed or enacted, at the very least, a thorough risk assessment is in order, coupled with a wider audit of corporate social media activity.