It’s Time to Talk About TikTok

3–20–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io. Today is Monday March 20th, and there’s been an undeniable theme to the security news of the past week. It’s time to talk about TikTok.

Let’s dig in.

TikTok: What’s The Risk? And Why Now?

It was hard to ignore the news about TikTok this week, whether it was the outright ban of the app on government devices in the United Kingdom, announcement of the bipartisan RESTRICT Act here in the United States, or the news that TikTok themselves are sending influencers from the app to DC in hopes of preventing additional restrictions or bans here in the US.

A solid piece this week by economist Noah Smith, entitled “Of Course We Should Ban TikTok” lays out a few of the reasons why TikTok is drawing scrutiny in the West - largely centered around two themes:

  1. Espionage Risk

  2. Influence Risk

To the espionage point, I think there’s demonstrated evidence that the app is collecting a tremendous amount of data in the United States, about US citizens (and, to a stunning extent, US children), and exporting that data to China in a way that is accessible to the Chinese Communist Party. The data includes physical location, but also faceprints, voiceprints, browsing history, text messages, and other data from these mobile devices.

Once repatriated, this data can be used for a variety of pro-China, anti-US purposes, today and in the future. The rise of AI and generative videos, combined with voice and faceprint data available here at scale, is scary enough. To think about the amount of data it has on our younger generation is downright frightening.

At the same time, the Wall Street Journal ran an exclusive article this week about a “Wave of Stealthy China Cyberattacks” that “exploit previously undiscovered flaws and represent a new level of ingenuity and sophistication from China.” Not only are these attacks novel, but “Defense contractors, government agencies, and technology and telecommunications firms appeared to be bearing the brunt of the newly discovered Beijing-linked attacks.”

Arguments that China isn’t conducting sophisticated espionage operations in the US are simply non-starters. They’re also conducting unsophisticated influence operations, out of “overseas police service centers” - including four in the US.

The second concern is more subtle, but just as pressing. The ability to control the flow of information at this type of scale is absolutely a concern.

Smith’s article suggests that this could be used in the event of an invasion of Taiwan, but I think there are other events that the CCP might find worth influencing, as well, long before an invasion. The fact that these influences, and the algorithms that drive them, are largely opaque isn’t helpful, either.

Larger Lessons

So, why are all of these different countries coming to the same conclusion that banning (or otherwise disrupting) TikTok makes sense? It’s because they’re acting in their own interests. Cutting off a channel that can not only siphon sensitive data out, but also inject data in - and that is controlled by a sophisticated adversary with vested interests counter to your own - only makes sense.

As we see heightened rhetoric, and physical actions like Xi’s visit to Moscow this week, it’s hard not to imagine the new Axis and Allies lines being drawn.

We’ve already done this with chips - recently getting buy-in from our friends in the Netherlands - and maneuvers like this have been a mainstay of China’s posture for the better part of two decades.

For our companies, not only do we need to think about the impact of TikTok on our corporate devices (I wouldn’t recommend it, for all the reasons discussed above), but we also need to think about our reliance on other third parties whose interests are not necessarily aligned with ours.

As businesses continue to focus on their core value propositions and outsource every other function, this can be a difficult task. And, to be clear, oftentimes incentives are aligned - i.e. your payroll provider is focused on making sure that payroll runs every two weeks, just like you are.

But there are plenty of cases where incentive alignment isn’t so strong, and we need to be at least aware of those, if not outright wary.

There are tremendous shifts taking place at the geopolitical level that are going to have impacts that are difficult to predict. Instead of trying to control or influence them, let’s focus on building resilient teams and organizations that are able to weather whatever storms may be just over the horizon, and do so with a level of intentionality that lets us move confidently in making decisions over things we actually can control.

Fundraising

I mentioned last week that funding announcements are likely to be light, given the turmoil surrounding Silicon Valley Bank, in particular, and the banking / technology investment sectors more specifically.

Boy, did we see that this week.

I was only able to find a few new fund announcements, all in relatively small amounts, totaling $385M - an order of magnitude smaller than the previous smallest week of about $4B.

Is it temporary? Will it last? I don’t really know. Markets seem to have a pretty short memory lately.

You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://noahpinion.substack.com/p/yes-of-course-we-should-ban-tiktok

https://archive.ph/wWts4

https://www.wired.com/story/mark-warner-us-tiktok-ban-restrict-act/

https://www.politico.com/news/2023/03/17/tiktok-dc-government-influencers-00087653
