As seen on Infosecurity Magazine
News about TikTok tends to fall into one of two categories. First, there are the dangerous viral “challenges” the “kids” are (supposedly) trying en masse. Then there are the stories about bans on TikTok, such as the recent White House announcement banning TikTok on all devices owned by the federal government and its vendors. And since I’m of the age where I’m more likely to yell at kids to get off my lawn than I am to learn a new dance to perform on a stranger’s lawn, it should be pretty clear which of these categories I get asked about.
This isn’t to say we shouldn’t be asking about TikTok’s data harvesting practices, what happens when this app is on a device connected to our enterprises’ networks, or how well this proposed technology to separate TikTok’s US data will work. (From a cybersecurity perspective, the answers to all those questions are a wormhole of bad news, despite all claims otherwise from TikTok or their parent company, ByteDance). Rather, organizations need to be willing to look at the longer-term picture.
Over the last decade, the Chinese government’s focus has turned toward the large-scale propagation of disinformation while successfully maneuvering through international court battles, effectively staking out their legal rights to do so indefinitely. TikTok is simply the latest and most effective piece of this long-term plan. Why? Because of who mostly comprises their audience and how objectively fun and addictive this app is.
We already know that TikTok users in China are fed different types of videos than their American counterparts. We know they’re harvesting much more data than they will admit to. We know TikTok’s algorithm suppressed videos about protests in Hong Kong as well as videos with news about the Uygur people in China’s Xinjiang region. Forbes recently reported about TikTok using the app’s harvested data to track and silence journalists. Finally, we also know that no matter what technological promises about keeping Americans’ data closed off from China or other foreign adversaries, with enough effort and money (which ByteDance and the Chinese government certainly have plenty of for this), those promises can be broken.
It is clear these past actions from TikTok warrant concern for any organization trying to secure their digital assets – not just government-affiliated ones. So what should we do?
There’s the nuclear option of trying to ban TikTok in the US for everyone and not just on devices owned by the federal government, but given China’s recent history in the international courts, the legality of that is murky at best. That’s even if it managed to pass through our polarized government leadership, which renders that option pretty much a non-starter. There’s also the current effort to wall off Americans’ TikTok data from passing to and from China, which is, of course, an excellent idea, but technologically speaking, there is simply no way to know if they are willing to spend the effort and money to get around this. And then there’s the piece we have been missing in all of this, and where organizations must also adapt their security efforts: education and end-user buy-in as we build strong security cultures among organizations.
Here is where security leaders need to see and start playing the long game. This includes large-scale education efforts, especially around helping employees understand in very basic terms what is happening to their data and what the dangers of this are. They must be empowered to make better decisions instead of being told what not to do. We can’t take an authoritarian short-term approach and hope it works forever, nor can we allow our opinions of this issue to be formed in simple retaliation to someone else.
The idea of ‘security culture’ is hotly debated in the cybersecurity world. Some of my more cynical peers see the education piece of cybersecurity as a compliance nuisance instead of an endeavor worth pursuing. I don’t. I believe deeply that cybersecurity is every employee’s job, but it is also the leader’s job to empower employees to be successful at it. Helping employees understand the ‘whys’ of the policies helps garner buy-in. Pulling back the curtain for them to see how these apps can manipulate what they see and what they might not see can help them make informed decisions.
TikTok is a phenomenon for a reason. But this is why we can’t sit back and hope that technology is enough to curb the risks of its use. Too often, we forget the people part of the ‘people, processes, and technologies that comprise cybersecurity. But people are where any cybersecurity plan around TikTok will succeed or fail. It’s up to us to decide which way we want that to go.