U.S. Government Sets Deadline to Delete TikTok from Agency Devices
The deadline has been set: U.S. government agencies have 30 days to ensure they do not have Chinese-owned app TikTok on any federal devices or systems and prohibit Internet traffic from reaching the company, Reuters reported. Within 90 days, agencies must address any TikTok use by IT vendors through contracts, and within 120 days, all agencies’ new solicitations must include a prohibition on TikTok.
TikTok is owned by ByteDance Ltd., a Chinese company that has been targeted by bipartisan critics who say the Chinese government could use it to access users’ data, including browsing history and locations. The FBI and the U.S. Federal Communications Commission (FCC) have warned that TikTok user data could be shared with the Chinese government, and other U.S. officials have worried that the People’s Republic of China could use TikTok to push pro-China narratives or misinformation, according to the Associated Press.
Some cybersecurity professionals in the United States praised the move, viewing the ban as a step toward a more comprehensive data security and disinformation mitigation approach.
“Chinese intelligence tactics are fueled by the sustained collection of user data such as commerce and purchasing information, combined with biometrics and activity tracking, [which] feeds detailed intelligence to be used in operations with longer term objectives,” said Chris Vaughan, AVP of technical account management for Tanium, in a statement. “Such data can deliver targeted, timely psychological operations against individuals or groups of citizens. We have seen this during election cycles and politically charged events in recent years. This move raises the question of the extent to which Chinese influence is acceptable when it comes to national infrastructure and everyday life.”
The U.S. Congress ordered the ban in late 2022, driven by concerns around data security and spying fears. A U.S. House of Representatives Committee also advanced legislation Wednesday that would allow U.S. President Joe Biden to ban TikTok and other apps considered security risks.
These moves follow similar bans from specific government agencies, such as the White House, U.S. Department of Defense (DOD), U.S. Department of Homeland Security (DHS), and the U.S. State Department. The ban does not apply to research activities related to national security, law enforcement, or security research, but agency leaders must approve those exceptions.
Individual U.S. states have also taken action to ban the app from government devices. More than half of states have banned the use of the app on devices, the AP reported.
In response, Chinese spokespeople have said that the bans reveal the United States’ insecurities and are an abuse of state power, Reuters reported.
But the United States is far from the only country taking action against TikTok. Canada and Denmark both announced efforts to ban TikTok on government-issued phones. Demark’s Center for Cyber Security presented an assessment demonstrating that TikTok posed an espionage risk, the AP reported, and the Danish parliament subsequently sent a “strong recommendation” to lawmakers and employees to delete the app from their devices.
The executive branch of the European Union temporarily banned TikTok from employee phones to “protect data and increase cybersecurity.” This ban also means European Commission staff cannot use TikTok on personal devices that also have official apps installed.
“I believe this is the first time the EU has banned a mobile app, indicating that there are valid reasons to enforce this policy,” said Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, in comments emailed to Security Management. “On top of the bans from the U.S. government in 31 states and the White House’s decision to ban it on government-issued devices, I only expect more to follow. For example, just a few days ago, one of the most popular Australian politicians on TikTok said he refuses to use the Chinese-owned video app on his government or personal phones due to concerns about the security of his data, and UK politicians have started to receive pressure to do the same.”
UK Prime Minister Rishi Sunak has faced calls to ban the app in the past week, but so far he has resisted barring parliamentary staff and MPs from using TikTok, The Guardian reported. The app has been popular among UK politicians, but Alicia Kearns, chair of the Commons foreign affairs committee, told The Guardian that “We run the risk of becoming a tech security laggard amongst free and open nations” by not taking decisive action about TikTok and security concerns.
“The potential of this ban is not limited to government devices, either,” Valenzuela added. Some U.S. university systems—including the University of Texas-Austin, Texas A&M, the University of Wisconsin, and the University System of Georgia—have already banned the use of TikTok on school-owned devices and prohibited the use of school Wi-Fi or networks to access TikTok, NBC News reported.
“I know for a fact many CISOs are considering banning TikTok from their corporate devices,” Valenzuela said. “Many commercial organizations, especially those with bring your own device (BYOD) policies, may not follow this type of policy, but I anticipate others in highly regulated environments, such as the financial sector, will conduct their own product security testing and legal review of the privacy policy terms to restrict its use, at least on corporate devices or by high-value users. It’s no secret nation-state groups often target large corporations for intelligence gathering or even for financial gain, so it’s not difficult to see why corporations may make a similar decision on this policy. Organizations that regularly update their threat model based on contextual intelligence, and that have mature asset management practices and unified management endpoint solutions, are definitely in a better position to manage this risk enterprise-wide.
“This highlights the importance of managing risk through organizations and the need to assess the security impact that introducing a new product, technology, even an apparently innocuous chat or social media apps, can have on the overall security of an organization,” he continued. “Supply chain attacks are a real concern, but privacy risks should also be top agenda items for CISOs of high-risk organizations. How many CISOs are aware of the statements in TikTok’s privacy policy? How valuable would this data collected by TikTok be in the hands of financially motivated attackers or nation states, when coming from high-value individuals (i.e. executives)?”
