By CHHS Extern Peter Scheffel

National security and privacy concerns have grown with the advent of the internet and the subsequent shift to online-embedded life. Today, a functioning member of society enjoys arguably all of life’s necessary societal connections in a format digitally connected through hundreds of miles of fiber-optic cable and continent-spanning servers. To the average U.S. citizen, finances, education, entertainment, consumer habits, and much more have a close linkage with the digital world.

Recently, the social media app TikTok has been under discussion in Congress due to both privacy and national security concerns directed at TikTok’s connections to China, and the ongoing geopolitical tensions currently escalating between the U.S. and China. TikTok is owned by ByteDance, a Chinese company based in Beijing, though allegations assert TikTok and ByteDance as being functionally the same company, sharing chat applications, data analysis mechanisms, and managerial contact. Given the growth in geopolitical tension between the U.S. and China, questions have been raised as to the amount of data TikTok collects and to what extent Chinese authorities have channels with which to access TikTok’s U.S. data. While such privacy and national security concerns have merit, especially considering the lack of transparency in what TikTok data China has access to and the risk of algorithm manipulation China could be utilizing for U.S. users, an outright ban of TikTok in the U.S. would be a mistake.

Given the speed with which legislation has been drawn up to potentially ban TikTok, what concerns are being discussed? Privacy and national security concerns grew further in early March of 2023, after Senator Josh Hawley sent a letter to Treasury Secretary Janet Yellen seeking review of whistleblower allegations which had been brought to Senator Hawley. These allegations included Chinese Communist Party (CCP) members being able to toggle between U.S. and Chinese TikTok data with ease despite the supposed separation between U.S. and Chinese TikTok. This includes alleged access to U.S. citizen user data and most concerning: personal location. Other allegations detailed China-based employees being able to access U.S. data with simple managerial approval and that TikTok continues to maintain near constant contact with ByteDance, the China-based parent company. Other possible abuses the CCP could engage in using U.S. TikTok user data include increasing cyberespionage and hacking efforts based on the accessed data, especially with the data’s potential to benefit social engineering attacks (a cyber-attack chiefly built around how people think and behave, manipulating human error to gain access), which are often incredibly successful if prior intelligence has been gathered on the target. Also, psychological manipulation via algorithm bias, as TikTok has not shared how its algorithm functions leading to allegations the algorithm is biased in reinforcing/influencing negative content on America’s population.

Government cybersecurity officials share in the growing concern surrounding TikTok, with a focus on national security. Rob Joyce, who leads the U.S. National Security Agency’s cybersecurity division, has likened TikTok to a “Trojan Horse” which carries long term security concerns years into the future given the questions surrounding CCP access to and manipulation of data on the 150 million U.S. TikTok users. In 2022 four ByteDance employees were discovered to have accessed U.S. reporters’ data which has led to Department of Justice investigations into journalist surveillance by ByteDance. Though the employees were later fired, the fact that such surveillance took place has increased the pressure for Congress to act by banning or forcing the sale of TikTok in the United States. TikTok’s CEO Zi Chew did recently testify before Congress, but his testimony only further escalated the concern and the feeling around Congress that something ought to be done. On one occasion, Chew replied to a question on if ByteDance, TikTok’s parent company had spied on Americans at the behest of the CCP by stating that “I don’t think ‘spying’ is the right way to describe it.” Chew was also unable to definitively make a commitment TikTok would not sell data or if any data is currently being sold, responding “I can get back to you on the details.” On if TikTok would commit to not focus on targeting people under the age of 17, Chew replied that “It’s something we can look into and get back to you.”

Counter arguments include that TikTok is no different than other large social media apps in terms of “risk” of data being used or sold. While some truth may exist in this argument, such an argument does not differentiate between the U.S. based companies and TikTok. Of particular concern are the Chinese laws which enable the CCP to compel companies based in Beijing like TikTok, to share data. And even without the legal ability, given the rising competitive technological atmosphere between China and the U.S., it would not be surprising for the CCP to utilize coercion against ByteDance to access TikTok user data. This highlights the main difference in the comparison argument: China is a rival in many respects due to ongoing economic and national security tensions. Thus, unlike Instagram or Facebook, TikTok’s data, whether or not purposefully, carries a higher risk of problematic use simply due to its potential connection to the CCP. China is more adversary than ally in terms of national security currently. Now, such national security concerns have led to action, with the U.S. banning TikTok on government devices. But while this covers national security to an extent, further calls for banning of the app overall is a mistake for reasons beyond the argument that it collects data like U.S. social media companies.

To pursue an outright ban would be ill-advised. Even assuming such a ban would overcome already established legal concerns addressed during the Trump Administration’s failed attempts; it would set a new concerning precedent on government control over technology and what information, speech, and communication means Americans have access to in the name of “privacy” as defined and controlled by Congress. Banning TikTok is a drastic response to concerns that while real, lack sufficient corroboration to warrant such an extreme remedy. Principles matter in times of tension and peace, and the United States ought not mimic China’s policies to ban foreign apps (YouTube, WhatsApp) in order to punish and compete against China. While some have argued that this is precisely what needs to happen; sacrificing the idea of an open internet (as China has), in order to control and punish countries as well as control what and how a populace communicates; this is not a strong enough answer to overcome the dangers in broadening the ability of the U.S. government to control what technology its citizens can communicate with. This response of banning TikTok, even if never carried out, is a clear reminder of how a hastened legislative response to combat foreign powers can quicken the pace to adopt the very ideals such legislation would be drawn up to defeat. As James Madison penned in a 1798 letter: “Perhaps it is a universal truth that the loss of liberty at home is to be charged to provisions agst. [against] danger real or pretended from abroad.”

By CHHS Extern Kimberly Gainey

The oft discussed and much anticipated National Cybersecurity Strategy addresses cybersecurity regulatory harmonization with two paragraphs entitled “Harmonize and Streamline New and Existing Regulation.” The Strategy instructs regulators, when feasible, “to harmonize not only regulations and rules, but also assessments and audits of regulated entities.” However, it diverges from a Presidential advisory committee recommendation by designating the Office of National Cyber Director (ONCD), coordinating with the Office of Management and Budget, to lead these efforts, rather than a newly created office within the Cybersecurity and Infrastructure Security Agency (CISA). It is perhaps unsurprising that ONCD received the nod, given their involvement drafting the National Cybersecurity Strategy and the role of the National Cyber Director “as a principal advisor” on cybersecurity policy and strategy to the President.

However, one wonders about the wisdom of this decision on the heels of the retirement of the National Cyber Director Chris Inglis last month, leaving big shoes to fill for the former deputy, now Acting National Cyber Director Kemba Eneas Walden. Serving as the first National Cyber Director, Inglis brought decades of experience in the federal government in a variety of positions at the National Security Agency and the Department of Defense. Praised as a “tremendous leader” and “the best person for the job,” CISA Chief of Staff Kiersten Todt remarked on Inglis’ establishment of ONCD and unifying influence; in “a short period of time, he established an office and a reputation and this ability to unify in many ways, this interagency process and he has been such a tremendous partner to CISA.”

In contrast to two paragraphs in the National Cybersecurity Strategy, another option is presented within a 27 page report after years of study by the committee charged with providing “the best possible industry advice” to the President to assure “the availability and reliability of telecommunications services,” along with other national security and emergency preparedness challenges, which issued several recommendations to ensure internet resilience. The clear theme, per Politico, is “to coax, cajole and needle agencies toward consistent, or ‘harmonized,’ cybersecurity regulations.” The President’s National Security Telecommunications Advisory Committee (NSTAC) released the draft report in anticipation of a meeting where they approved the Strategy for Increasing Trust in the Information and Communications Technology (ICT) and Services Ecosystem, voting to send it to the President for consideration per the Washington Post. The report represents the culmination of a multi-phase study on “Enhancing Internet Resilience in 2021 and Beyond.” After a series of significant cybersecurity incidents, the White House tasked the NSTAC with three crucial cybersecurity topics “foundational” to national security and emergency preparedness. Prior phases developed recommendations regarding those three topics: 1) Software Assurance in the Information and Communications Technology and Services Supply Chain (November 2021); 2) Zero Trust and Trusted Identity Management (February 2022); and 3) Information Technology and Operational Technology Convergence (August 2022). Building from earlier recommendations, the draft report contains a veritable treasure trove of information. For those unable to delve into the 27 page report and appendices, here are the main nuggets.

Attracting immediate attention, several recommendations encourage harmonizing cybersecurity regulations and requirements. First up, recommending that CISA establish the Office of Cybersecurity Regulatory Harmonization (OCRH) to “institutionalize and expand upon existing harmonization efforts” of existing government forums, which lack “the required combination of mission, expertise, and resources that can address the scale of the challenge.” To elucidate the need to establish the OCRH, the report highlights two government entities attempting to address this issue, at least in part. First, the intergovernmental Cyber Incident Reporting Council established to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulations.” Note that the Cyber Incident Reporting Council’s mission is limited to incident reporting. Second, the federal interagency Cybersecurity Forum for Independent and Executive Branch Regulators critiqued for lacking the dedicated staffing necessary to develop expertise across sectors as most participating officials juggle Forum participation on top of various responsibilities for their home agencies. This may explain why the Forum has only held one meeting since it was relaunched in February 2022 under Federal Communications Commission (FCC) leadership, after several years of inactivity.

Resolving the dearth of dedicated staff and resources by forming and funding OCRH “would create an institutionalized source of in-depth cybersecurity regulatory expertise across sectors that does not currently exist within the federal government,” which is one of OCRH’s responsibilities. Other OCRH responsibilities include creating resources for regulators to use to develop cybersecurity requirements that leverage consensus standards where possible and providing regulators with technical assistance during rulemaking. These responsibilities respond to “[a] recurring challenge that . . . even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements. Developing regulatory resources that provide common language that could be used across sectors could address the challenge.” OCRH’s first task would involve coordinating with the National Institute of Standards and Technology “to publish a public report that catalogs existing cybersecurity requirements across sectors, analyzes how they align or diverge from consensus standards down to the control level, and identifies opportunities to drive harmonization.”

Unlike the National Cybersecurity Strategy, the NSTAC report explains why CISA was selected to house the OCRH:  “primarily because the responsibilities are well aligned with CISA’s role as National Coordinator for critical infrastructure security and resilience, which includes ensuring a unified approach to cyber risk management . . . .” The OCRH also aligns with CISA’s preference to remain non-regulatory as it “would act only in an advisory capacity in support of other federal government regulators.” CISA Director Jen Easterly describes regulation as “one tool” for federal officials, “not a panacea,” which she has previously disavowed in favor of partnerships: “I am certainly not a proponent of regulation, because we’re a voluntary agency.”

Two other recommendations in the NSTAC report involve regulatory harmonization, specifically creating policies and processes to encourage:  1) regulation harmonization and 2) federal government cybersecurity requirement harmonization and drive consensus standards development, listing suggested Presidential actions for federal agencies. The NSTAC Report’s remaining recommendations are to advance the adoption of Post Quantum Cryptography and further work done in earlier phases by: creating and improving transparent procurement language to encourage vendor security best practices; enhancing CISA’s Continuous Diagnostics and Mitigation Program; and maximizing automation and reuse of evidence in federal compliance with the Federal Information Security Management Act.

Response to the NSTAC report, prior to being overrun by a deluge of coverage around the National Cybersecurity Strategy, was positive. United States House of Representatives Committee on Homeland Security Chairman Mark Green welcomed the emphasis on regulatory harmonization, citing “duplicative and burdensome regulatory obligations, most of which stem from the White House push for cross-sector mandates.” Chairman Green expressed enthusiasm for “pursuing strong oversight over this Administration’s scattershot cybersecurity regulations this Congress and . . . working with CISA to ensure the red tape doesn’t strangle industry,” referring to “Cyber Incident Reporting for Critical Infrastructure Act rulemaking.” However, American Banker reported that while many share the goal of regulatory harmonization, many barriers may hinder achievement including the lack of authority to harmonize a variety of state-level requirements. Further, expanding CISA’s role to include advising on regulations may change political dynamics, negatively affecting the support CISA currently receives in conjunction with its “primarily operational role in improving cybersecurity across all levels of government and providing resources that private enterprises can use to improve their own cybersecurity.”

Pursuant to the National Cybersecurity Strategy, the Acting National Cyber Director will likely encounter similar difficulties and faces the daunting prospect of leading regulatory harmonization on a national and international scale. The Strategy calls for the pursuit, when necessary, of “cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows.” Despite consensus around the value of regulatory harmonization, the path toward realization remains murky.

By CHHS Extern Kimberly Gainey

State bans on TikTok are all the rage, with Kentucky poised to join North Carolina, Wisconsin and at least 25 other states prohibiting use on state devices. The federal government recently expanded its ban, making it illegal to have TikTok on federal government devices, and nearly the entire US military has prohibited use on government-issued devices since 2020. Even if people comply with these bans, which may be lacking in Department of Defense personnel according to a recent Inspector General report, they may be drawing attention away from more serious, systemic vulnerabilities from foreign technology.

A recent op-ed by the CEO of CyberSheath, Eric Noonan, highlights a “pervasive and omnipresent” threat posed by China, discussing TikTok and Huawei. While not household names like TikTok, Americans should be concerned about Huawei and ZTE, another Chinese telecommunications provider. Huawei provides “information and communications technology (ICT) infrastructure and smart devices.” ZTE offers “wireless, wireline, services, devices and professional telecommunications services.” CNN reporting revealed that in 2012 Congress released a report advising people to view Huawei and ZTE “with suspicion,” and in 2013 Congress passed legislation preventing NASA and the departments of Justice and Commerce from purchasing information technology systems without approval from federal law enforcement. Further, in 2018 top officials from the CIA, NSA, FBI, and the Defense Intelligence Agency testified before the Senate Intelligence Committee about global terror threats including Huawei and ZTE. The 2019 National Defense Authorization Act prohibited executive agencies from using or procuring telecommunications equipment or services from Huawei or ZTE, which Huawei unsuccessfully fought in court. Huawei and ZTE attracted the attention of the Federal Communications Commission (FCC), which designated them as national security threats in 2020. That was a particularly bad year for Huawei, which was indicted for conspiring to violate the Racketeer Influenced and Corrupt Organizations Act (RICO) and conspiring to steal trade secrets from its’ “alleged long-running practice of using fraud and deception to misappropriate sophisticated technology from U.S. counterparts.” The following year, Huawei’s Chief Financial Officer entered into a deferred prosecution agreement (DPA) to resolve bank and wire fraud charges.

Despite these actions, Huawei represents a potential threat to sensitive military sites; CNN reported various potential threats in 2019 including:  carrying out Intelligence, Surveillance and Reconnaissance; shutting down service; sending out malign text messages; or launching a denial of service attack. Huawei’s cell phone tower technology “is widely deployed by a number of small, federally-subsidized wireless carriers . . . [and] [i]n some cases those cellular networks provide exclusive coverage to rural areas close to US military bases.” These threat concerns persist and could disrupt nuclear arsenal communications. According to CNN sources, “there’s no question the Huawei equipment has the ability to intercept not only commercial cell traffic but also the highly restricted airwaves used by the military and disrupt critical US Strategic Command communications, giving the Chinese government a potential window into America’s nuclear arsenal.”

The United States’ response to this threat is the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to establish “a reimbursement program for the replacement of communications equipment or services posing [national security] risks.” The FCC received a $1.895 billion appropriation for this reimbursement program, under which small providers may apply for reimbursement for replacing covered equipment. Last July, the FCC reported a $3.08 billion funding shortfall and a plan to prorate reimbursement funding to eligible applicants in the first prioritization group, those with 2 million or fewer customers, resulting in a “pro-rata factor . . . [of] approximately 39.5% of demand.” Congress responded to the funding shortfall via the Spectrum Innovation Act of 2022 (H.R.7624), increasing funding for the Secure and Trusted Communications Networks Act from $1.9 billion to $4.98 million. The Spectrum Innovation Act passed in the House in July 2022, but stalled in the Senate Committee on Commerce, Science, and Transportation.

A few days after reporting the shortfall, the FCC announced the approved applications for the reimbursement program, citing the 2021 Supply Chain Order clarifying that the program covers communications equipment or services produced or provided by Huawei or ZTE. The FCC has drawn criticism from the Rural Wireless Association, a trade group representing many “rip and replace” program participants, for “slow progress” allocating funds. The FCC reports that, as of January 2023, just under $41 million have been approved in reimbursement claims, with participants “experiencing four main challenges in their efforts to permanently remove, replace, and dispose of covered communications equipment and services in their networks: (1) lack of funding; (2) supply chain delays; (3) labor shortages; and (4) weather-related challenges.” Perhaps if some of the political capital from the TikTok bans were applied toward Huawei and ZTE we would be able to resolve the first challenge: lack of funding.

by CHHS Extern Cat Sarudy

The Inspector General recently released a report that audited the Department of Defense’s (DoD) cybersecurity policies as they relate to the control of government-issued phones. The two biggest issues from the report were that the audit revealed “that DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies.” Further, the report revealed that personnel were downloading applications that “could pose operational and cybersecurity risks to DoD information and information systems.”

Part of the report focused on an investigation into the DoD’s own app store, the “Personal Use Mobile Application” from which personnel can download apps. Their findings were that their employees are able to download any apps that are available to them from a normal app store like Apple’s App Store to bypass any restrictions the Personal User Mobile Application may have. While these applications are against DoD guidelines, employees were still able to download the unmanaged apps. “Managed” applications are apps that are “approved by DoD Components for official DoD business.” The next level of apps is those that are “authorized unmanaged” which are apps that the DoD Components have authorized “for personal use on DoD devices” Lastly, there are “unauthorized unmanaged” which are apps that are “downloaded from public application stores and cannot be used to conduct official DoD business or for personal use on DoD mobile devices.”

The Inspector General report detailed a number of apps that were downloaded onto work devices that were not authorized, such as dating or cryptocurrency apps. As the Inspector General report points out, the potential danger these apps can do, especially when it revealed many of these apps required access to a user’s location data, contacts, and photos. While the report had information relating to the name of the apps and the number of apps it found redacted, it did not shy away from hinting at the applications it found such as “applications for the creation of short-form videos.” While not releasing the name of the application that creates “short form videos,” one cannot help but assume this could be a reference to TikTok, which is app that’s most prominent feature is its ability to create and view short videos by other users. TikTok has been under fire in the US since 2020 when Former President Donald Trump threatened to ban the app from US platforms. The Federal Communications Commission, the Federal Bureau of Investigation and the National Security Agency (to name a few) have all highlighted the cybersecurity risk that TikTok presents given the data it collects and China’s ability to request that data from the app’s owner, Byte Dance Ltd. Further, President Joe Biden banned the use of TikTok on federal government issued devices this past December.

Further, the Inspector General noted there were communications apps that were used by violent extremist groups and apps used to live stream crimes. The Inspector General noted that apps that are not managed by the DoD specifically “pose operational and cybersecurity risks and could result in users inadvertently revealing sensitive DoD information or introducing malware to DoD information systems.” Further, even if the cybersecurity implications of this were not blatant, the report said that the lack of policy dealing with strictly unmanaged applications pose a risk of cyber espionage given that applications could have malicious code and the DoD Chief Information Officer does not require regular cybersecurity assessments of unmanaged applications.

Further, the report showed that there were personnel who had been using unmanaged and unsecured messaging applications to conduct official DoD business, which is against DoD policy. The current DoD policy is that “government-owned communication systems and equipment (including mobile devices) should be for official use and authorized purposes only.” This is problematic because personnel can use the unauthorized applications, like messaging apps, and the DoD then loses its ability to track and retain that information. The Inspector General noted that the unmanaged apps “create(s) the opportunity for DoD personnel to conceal communications and circumvent the creation of official DoD records, sheltering them from scrutiny or oversight.” The lack of control over retaining messaging records does not come as a surprise after the still missing text messages relating to the January 6th insurrection. The report addressed the missing messages and further reported that after the text messages couldn’t be found, the Deputy Secretary of Defense issued a memo directing that “DoD information service providers are to capture and save the data resident on DoD-provisioned mobile devices when they are returned by their users.” However, this only protects the records of apps from managed messaging applications, meaning that any messages sent over unmanaged messaging applications cannot be retained, directly against DoD policy and federal retention laws. This is even scarier given that the Inspector General found that there had been unmanaged unauthorized messaging applications which had “end-to-end encryption and automatic message deletion capabilities.”

While the DoD does supply training on the proper use of apps on government devices, the report found glaring holes in this training, such as the fact that the trainings do not teach users “the difference between managed, authorized unmanaged, and unauthorized unmanaged applications” or “how to identify applications approved for official DoD business.” Further, the trainings did not teach the cybersecurity risks associated with authorized unmanaged and unauthorized unmanaged applications and did not provide training on how to protect “sensitive DoD information on mobile devices.” This is perhaps one of the most shocking parts of the report given that the most basic advice  for employers is to have cybersecurity trainings. While the report made specific recommendations to the DoD based on the audit, one can only hope that all other government agencies take a hard look at their internal cybersecurity practices and make necessary changes.