ISMG Editors: Is TikTok a Ticking Time Bomb?

Anna Delaney: Hello and welcome back to the ISMG Editors’ Panel. I’m Anna Delaney. And this is our weekly editorial get together where we chew over some of the top InfoSec stories. On this episode, I’m delighted to be joined by Marianne Kolbasuk McGee, executive editor of HealthCareInfo security, Mathew Schwartz, executive editor of DataBreachToday and Europe and Tony Morbin, executive news editor for the EU. Wonderful to see you all. Where do I begin today? Marianne, with all that color, you’ve got to explain.

Marianne McGee: Well, I usually have landscapes, but there’s a college campus not far from where we live where we take the dog almost every night and we pass this mural like every evening. It’s in a tunnel that connects one part of the campus to the other. And I just thought it was pretty and it’s called humanity. Every year at the beginning of the school year, or before the school year starts, they paint over the wall of this tunnel and there’s a new mural every year so I wanted to catch this one before they whitewash it in May.

Delaney: Love it. Love the message as well. It’s great. Tony, that’s a bit ominous, the eye watching.

Tony Morbin: Well, surveillance. I thought what better than an eye to have for surveillance story.

Delaney: Right. More on that later. Mathew, Spring has sprung indeed in Dundee.

Mathew Schwartz: That’s right. Yeah, it’s spring here in Scotland, bring all the daffodils, just a little bit of color after – it’s been a long winter, so bring it on.

Delaney: Very long winter. I am in springtime as well, springtime in Germany. Check that out. Not too far from Frankfurt airport. So I was there last week and with friends for a little bit of a jolly wine tasting festival. Not a bad way to spend the weekend. Anyway, moving on, Mathew, starting with you this week with sort of an unusual story, I guess, for us, about a social media app. TikTok which is, of course owned by a Chinese company and is extremely popular in the U.S. with more than 150 million users in the country. Now lawmakers are calling for the app to be banned, citing a threat to U.S. national security. And I think this is a really interesting story because it’s triggered a bit of a debate in the InfoSec world. Is this about data collection or more about information dissemination, maybe potential political influence with ties to the Chinese Communist party. But anyway, I’ll leave it there because I know you covered last week’s hearing when TikTok CEO appeared before Congress to allay lawmakers’ concerns assuring them that TikTok is no threat to national security. What’s your perspective? What’s your take on this?

Schwartz:

Well, that’s a fantastic introduction. And this is such a complicated topic. I’ve been trying to think my way around, if you will, as have a bunch of people who are asking what is the real threat here. And so if I could get super dystopian – not to steal the rug out from under Tony’s feet there with his surveillance eye – but there is the surveillance question. And if I was to author, which I’ve never done before, let’s say a science fiction short story about a way to conduct surveillance on a large portion of the Earth’s population, possibly creating a widely used social media app beloved by adults, as well as many teenagers, getting them to spend all their time on it, possibly using it to shape public discourse around hot button issues, or maybe just your favorite presidential candidates: Sky’s the limit. This would be a really kind of a horrible dystopian story that we’ve been talking about. And I think it’s overly simplistic to say that a tool like TikTok is a tool of China’s immediate national security agenda. But – there’s always a huge but – this is one of the concerns that is being voiced by especially the Western intelligence establishment. You’ve had the director of the FBI come out and say, “I find this to be very concerning.” It screams out, he said, with national security concerns regarding China. This week, we had Rob Joyce, who runs the cybersecurity unit at the National Security Agency, saying in a conference that he saw this tool, we’ll call it a tool for the moment, not having a tactical impact necessarily. So he’s referring to TikTok. It’s not that having TikTok on your phone is going to give the Chinese government a way to hack into it, for example, or to steal all your data or to track you in real time using GPS. He sees it as more of a strategic weapon, collection of data and perhaps likes and psychological predilections on a massive scale, not just from the U.S., but from other countries. And it’s interesting that China runs a different version of the app for its own population. So these are some of the national security concerns. But when you start digging into this a bit, it raises some really big questions. For example, there is a great OpEd that just appeared in The Guardian, written by Emily Taylor. She’s the CEO of a threat intel firm in Oxford. And she says, and I think this is a great take on things, that although the security and privacy risks posed by TikTok are plausible, they’re largely without evidence. Again, there’s no smoking gun here. Rob Joyce of the NSA said it’s more like a loaded gun that could be used at any point in the future. And so what Taylor said was really at issue here is trust, trade and geopolitics. And we saw that in the appearance of the CEO of TikTok Shou Zi Chew before the House Committee, he testified before Congress last week. And he was promising lawmakers everything from greater transparency to safety controls for parents to independent reviews of TikTok’s code conducted by neutral third parties as well as he promised to firewall, he said, U.S. data, he’s promised to do the same for Europeans in a data center so that nobody else can touch it. Lawmakers didn’t seem very convinced. And there’s some technical disagreement here that a firewall would actually do much. And there are some questions about whether China might not just be able to access this data, anyway. But what it really seemed to come down to, the hearings, was the big problem that Tiktok has that it is owned by ByteDance, which is a Beijing-based company. So China has a national security lock and compel companies to help it quietly, silently. If they reveal it, everybody could go to jail. So this is a huge concern. But in speaking with experts, one of the bigger concerns is that what TikTok is doing is not unique. Also, there is a great report that came out from Georgia Tech in January, looking at what TikTok collects. And this report makes the case that the information collected by any social media app, TikTok or otherwise, could be used to monitor specific users without requiring a government order. The information they’re collecting can be accessed using open-source intelligence tools. So the Georgia Tech report says if TikTok is a threat and one that applies to all social media, forgive me, if it’s a threat, it should be a threat that does apply to all social media, regardless of the provider’s national origin. So it’s a deeply complicated topic. But as I say, when I’ve been speaking with experts reading up on the latest reports, the issue here, I think, needs to be much more than just TikTok, it needs to be the fact that what Facebook is doing, and maybe selling or using for marketing, what Twitter is doing for similar purposes, what Google does, what Apple probably does, what a whole bunch of companies are doing is collecting data on such a scale that it could be used for for lots of different purposes, including surveillance by nation states, and not just China. So this week, we saw France banning not just TikTok but any recreational app from government devices. And I spoke with Professor Alan Woodward at the University of Surrey. He said, maybe this is the model we should be talking about, at least where governments are concerned. We used to have hardened devices issued for any government use. How have we gotten to the point where TikTok is allowed to run on a device used by governments, we’ve seen other bands of TikTok: U.S., U.K., New Zealand, EU, government devices, it’s banned. But he’s saying why aren’t all recreational apps banned? And I think this is getting toward the discussion we’re not having much and we need to be having is this massive collection of data. Until we address that, China is far from the only concern that we should have.

Morbin: I really like that particular comment about it being a loaded gun because that really does kind of describe it quite well. I don’t think there is any actual evidence that they have been using the data gathered from TikTok. But having said that, the capability is there. And exactly as you say, Facebook, Twitter are also loaded guns. And you could argue that the owners of certain of those media, you may wonder about their suitability to have that gun in their hands. But I think the big difference you also noted was that with China, they are compelled to, for example, cooperate with the government, giving any zero-days, any flaws they find, vulnerabilities. It’s not disclosure, its disclosure to the government. And the Chinese spying and espionage has been described as the largest transfer of wealth in history as they have taken global IP. So on the one hand, there’s this underlying war going on. On the other hand, they are a huge market that we don’t want to alienate. So China is a particular case. But I think you’re also right in that there are different perspectives when it comes to social media apps. And it’s partly to do with the attitudes toward big corporations versus the attitude toward authoritarian governments.

Schwartz: Well, and one really, I thought, great point that Alan Woodward raised with me was all of this data that China is allowed to collect on U.S. users, U.S. and other social media firms are not allowed to collect on Chinese users. Why would that be?

Morbin: In data, as you say, they use different versions of the apps there. And so that, yeah, it’s not an equal playing field.

McGee: One of the questions I had is how would a ban actually work? How could you implement that and enforce it if that app has been installed on so many devices? Like who would cut the connection to China? How would that work?

Schwartz: So Apple and Android both have kill switches, which I suppose they could be instructed to use to forcibly delete the app from American devices.

Morbin: The other thing is there are lots of apps which gather data as part of how they work. I mean, Kaspersky got slammed because it feeds back data in order to analyze what the threats are. And then a U.S. government user was using his personal laptop and the Kaspersky software was exploited or misused. But all the other antivirus programs also collects telemetry that could be used for nefarious purposes. So there are legitimate reasons why you want to collect this data. And are you going to switch those apps off as well?

Delaney: But also, what will be the ripple effect, if it is banned? Nearly all smartphones used by Americans have been made in Chinese factories at some point. So does the government believe they’ll be risky as well?

Morbin: And there’s also been suggestions that in the U.S., at the moment, because of elections and so on, but the backlash from the younger generation, who are the biggest users of TikTok might be such that they don’t want to actually enforce any ban just yet.

Delaney: Yeah, I think that’s actually a really good point, the U.S. elections coming up. And the influence here, the scale of where it’s going. So I think that’s on lawmakers’ minds for sure. So Mathew, what’s next? What’s likely to happen? Are lawmakers convinced? You said they weren’t convinced by the CEO’s reassurances. This is a juicy start and gliding very smoothly onto our next topic. Tony, President Joe Biden has signed an EO, executive order, restricting the government’s use of commercial spyware technology. I mean, the feedback that I’ve read has been largely positive. They think it’s a good move. What’s your take?

Schwartz: As is typical with these hearings, they’re extremely performative. And it was interesting to see TikTok CEO answer some of their questions, but also evade some of their questions, for example, about how free speech could potentially be suppressed on the platform or questions about if China was accessing the data? And he said, “Well, I’ve seen no signs they have.” So there is some maybe not-overly-transparent answers. So what happens next is really unclear. Congress can’t get this act together too fast to pass federal privacy legislation, which I think we need, I think is overdue. I think GDPR is a good starting point for that. A lot of members of Congress see that is too much, though, too much to impose on businesses. So until there is something meaningful done like that, I think this does seem like a largely academic question, unless they do decide to come down on TikTok. But then, if you’re the Chinese government, experts are warning you can go get this info on Twitter and Facebook.

Morbin: Well, it does, as you say, follow on from what Matt’s just said in that they were called for legislation in his area where they have put forward legislation. So earlier this week, our colleague David Pereira, he wrote an article for ISMG on how the new U.S. presidential executive order prohibits U.S. agencies from buying licenses for commercial spyware that poses risks to national security. Now, the move makes perfect sense if we think of spyware as a weapon, or at least a kind of an espionage tool. It’s obvious that we don’t want to fund the development of capabilities which are being used against us. And various commercial spyware tools that the U.S. government uses have been found to have been used against U.S. government employees. So this is more than the smoking gun, they’ve actually found Pegasus spyware on devices. Most notably, U.S. diplomats in Uganda found Pegasus spyware on their devices in 2021, which led to the Israeli spyware manufacturer NSO and fellow Israeli spyware provider Candiru being put on the U.S. Department of Commerce’ blacklist of companies subject to technology export licensing. And then this month, the phone of a U.S. and Greek national working on Facebook security entrusting was found to be infected with Predator spyware from Cytrox, while they were based in Greece. Now, while nominally a North Macedonia startup CitizenLab has reported that Cytrox also appears to have corporate presence in Israel and Hungary, the White House says that at least 50 U.S. personnel overseas had been targeted by advanced spyware in 10 countries on multiple continents. Now, Pegasus has been reported to have live operations of at least 45 countries. Cynics could well argue, but since clandestine surveillance using the latest technology is conducted by the U.S. government, so it shouldn’t be surprised if the same techniques and tools are used against it. And that’s true. But it’s no contradiction to want the strongest capabilities for yourself and not want your adversary to have them, especially if you part funded their development through your purchases. So the U.S. move really just formalizes on a global basis, the approach that the U.S. took when it found out the tools developed by highly capable Israeli surveillance industry were being used against it. On a broader humanitarian basis, the tool was also condemned as being used for internal repression by authoritarian regimes. So the justification for the move is twofold. It’s both protecting fundamental national security and foreign policy interests. But it’s also upholding and advancing democracy, promoting respect for human rights, defending activists, dissidents and journalists against threats to their freedom and dignity. Apparently, the Biden administration’s timely announcement as a cornerstone U.S. initiative to support the second summit for democracy, which began today. We’re talking about Wednesday, the 29th of March. The first question an observer might ask is, “So does that mean that the U.S. won’t have access to the best tools available?” Well, the order doesn’t actually prohibit the government from buying advanced commercial spyware. But it does require an agency official to certify before an actual operational use that it meets the government restrictions on its use. The move won’t prevent adversary governments developing their own surveillance technology, it won’t prevent private organizations with the capability to do so, from selling their innovations in surveillance to the highest bidder. It won’t even drive the sale underground along the lines of the sale of zero-days. What it will do is it will reduce the commercial incentive for free market surveillance tech developers to sell to countries and regimes deemed either adversaries of the U.S. or using the tools to repress their population. There are about 30 advanced surveillance tech vendors worldwide, which previously had no restrictions on their activities. For now, the U.S. government is likely to remain the most important commercial buyer. And while who knows that might change over time or even for specific circumstances, the potential loss of this lucrative customer will have an impact on the wider availability of such tools for nefarious purposes. The U.S. is providing leadership to both protect its own interests and those of like-minded countries to promote what it deems responsible use of commercial spyware. To do this, it’s establishing robust protections and procedures to ensure that any U.S. government use of commercial spyware helps protect its information systems and its intelligence and law enforcement. And the move ensures that the U.S. government doesn’t contribute directly or indirectly to the proliferation of commercial spyware that’s been used against it by foreign governments or facilitate such use. So if it does that, it will be deemed a success. Of course, Russia, China, North Korea, Iran and others, seeking to change the current world order will denounce the movers’ hypocrisy, even as they seek ways to circumvent the order and acquire the tools to conduct exactly the operations that it’s designed to prevent. So the extent to which the executive order frustrates those attempts will be the true measure of success.

Delaney: An interesting timing, as you say, you mentioned timing earlier, interesting that Israeli government is a bit busy at the moment with their own concerns.

Morbin: Well, again relating to democracy and the whole situation in Ukraine is very much a furthering of democracy.

Delaney: Well, that’s big news there. Thank you. Marianne, you’ve got a story this week, and you’ve written about a HIPAA enforcement action taken by New York State Attorney General against a law firm that represents healthcare entities. Do tell us more.

McGee: Yeah. Usually it’s the Department of Health and Human Services for Civil Rights that acts as the primary agency in the U.S. responsible for enforcing the HIPAA privacy, security and breach notification rules. But in the case you just mentioned, that’s an example of how the HITECH Act gave state attorneys general the authority to take action against so called HIPAA violators. And the case we saw this week in New York State was sort of an interesting example. The New York State Attorney General’s Office announced that Heidell, Pittoni, Murphy & Bach or HPMB, a New York-based law firm, was paying a $200,000 financial settlement to the state and agreed to take a long list of actions to improve its data security in the aftermath of a 2021 health data breach that affected nearly 115,000 people in the U.S., including more than 61,000 New Yorkers. Now this law firm, HPMB, represents many New York area hospitals and clinics in patient malpractice lawsuits and other similar legal disputes. The 2021 breach that the law firm experienced involved a ransomware and data exfiltration attack by LockBit, exfiltrated files in the attack included legal proceedings, patient lists, medical records and the patient information compromised included names, birth dates, social security numbers, health insurance information, medical history information, health treatment information and a lot more. So the New York State Attorney General’s office says that the investigation into the incident determined that in November 2021, an attacker exploited known vulnerabilities in a Microsoft Exchange email server to gain access to the law firm’s systems. Now Microsoft had previously issued patches for those vulnerabilities months earlier in April and May of 2021. But the law firm failed to apply them in a timely manner leaving the vulnerabilities exposed for potential exploitation according to the Attorney General. Upon discovery of the ransomware attack in 2021, the law firm hired an outside set of experts to negotiate with the hackers and the law firm ultimately paid $100,000 ransom in exchange for the return and promise deletion of the exfiltrated data. But the law firm, not surprisingly, was unable to obtain evidence that the deletion actually happened. So HPMB paid not only $100,000 to the attackers, now it’s paying $200,000 to New York State’s Attorney General for not taking actions that the regulators say could have helped prevent the law firm from falling victim to the incident in the first place. And as I mentioned earlier, the HITECH Act gave state attorney generals the authority to take enforcement action in breaches involving HIPAA violations. But over the last several years, there’s only been sort of a handful of states that have actually acted on this authority. Some of the more active states include New York, New Jersey, Massachusetts and Connecticut. A few years ago, there was a case involving health insurer Aetna, where the company was fined by both several state attorneys generals and the U.S. government for an alleged HIPAA case that pertained to two related privacy breaches in which the protected health information of about 12,000 HIV patients in the U.S. were exposed in a mailing incident that actually involved paper records. So this New York state enforcement action is just another reminder to the healthcare sector that it’s not just the federal regulators that could impose expensive penalties against their organizations in the aftermath of an egregious health data breach, but also the states. And it also was embarrassing that this involved a law firm. And that’s my opinion.

Delaney: And as you say that the law firm failed to comply with many of the requirements of the HIPAA privacy and security rules. But what do you see as the main reason, what’s the root of these failures? Is it lack of resources or just poor management?

McGee: I don’t know what was going on behind the scenes at the law firm. But I think one of the things that was spotlighted pretty heavily by the state AG was the fact that they didn’t apply these patches. And when we see this all the time that companies just, they’re either negligent, or they have so much on their plate, they just go, “Yeah, we’ll get around to it,” or they just are not even aware that there are these updates for these vulnerabilities that need to be patched. So, the compromised or the hackers apparently got into the systems in November of 2021. And the patches were available a few months earlier. So it wasn’t even like these vulnerabilities were on patch for years, which we often see in a lot of health data breaches that I’ve covered. It was only a few months. And the New York State Attorney General made a point of spotlighting that. But it was made available to you a few months ago, you didn’t act on it, and look what happened.

Delaney: I hope this will serve as an example to others. Thank you, Marianne. And finally, I’d like you to share an InfoSec-related tweet or quote that you’ve heard this year that you feel is worth sharing.

McGee: I
t’s kind of tailing onto the stuff I was just talking about. This is not really earth shattering. But it’s something that you see in every data breach notification letter. We take your information, privacy and security seriously. But not seriously enough.

Schwartz: Okay, so seriously we lost control over it. Well, I was going to do something similar and say on the heels of my story, there was a tweet from the head of CitizenLab, which researches nation-state surveillance. The tweet was in response to the TikTok CEO in his written statement to the committee before he testified last week. He said that CitizenLab had found no overt data transmission by TikTok to the Chinese government, and that TikTok didn’t contact any servers in China. In a tweet, the head of CitizenLab said, “That’s not actually what he said. What he said was, we couldn’t see any, but that doesn’t mean there isn’t ample time for it still to happen after we lose sight of where the data goes.” So this interesting little exchange kind of tried to keep some people real.

Morbin: I can’t even remember who the person was that put the tweet up that most affected me but it was essentially one that explained how to join a Mastodon Infosec-based exchange, which I then subsequently did. So it actually drove action.

Delaney: He could. Yes. And I was going to share a phrase reading from a recent Roundtable. I think it’s a cracker. “Automating a rubbish process just makes it rubbish faster.” And in all honesty, the word rubbish wasn’t used. We’ll leave it to you to guess the word. But anyway, it’s true.

Schwartz: Thank you for sparing our delicate sensibilities.

Delaney: Well, Tony, Marianne, Mathew, it’s always a pleasure. And thank you, this has been a lot of fun. Thank you.

Morbin: Thank you, Anna.

Schwartz: Thanks, Anna.

Delaney: And thanks for watching. Until next time.