Sep 15, 2020

Analysis | The Cybersecurity 202: Trump administration examining whether TikTok's Oracle deal satisfies security concerns

Tonya Riley

Treasury confirmed on Monday that TikTok submitted a proposal to bring on Oracle as a “technology partner” in the hopes of staving off the Trump administration’s threatened ban on U.S. operations. But rather than an outright sale demanded by the White House, the deal would allow Chinese parent company ByteDance to retain majority ownership of the company while outsourcing data management to the U.S.-based software giant.

Regulators are going to be looking for assurance that the arrangement satisfies national security concerns. 

“I will just say from our standpoint, we’ll need to make sure that the code is, one, secure, Americans’ data is secure, that the phones are secure and we’ll be looking to have discussions with Oracle over the next few days with our technical teams,” Treasury Secretary Steven Mnuchin told CNBC yesterday.

Trump's son-in-law and senior adviser Jared Kushner said on CNBC this morning: “I don’t believe a final decision’s been made yet as to whether it qualifies.” 

The White House has fixated on how TikTok stores and uses Americans’ user data — and how its algorithms could be used for political manipulation. TikTok has repeatedly insisted that it is not a national security threat and that it does not share any U.S. customer information with the Chinese government.

The Committee on Foreign Investment in the United States (CFIUS), a Treasury-led interagency group that first launched an investigation into national security concerns about the app last fall, “has to be happy with however Oracle structures it to put a firewall between TikTok and ByteDance,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies and a former official at the State and Commerce departments.  

“That will be the main challenge: Assure me ByteDance isn’t still pulling the levers. And I think if Oracle can do that, [the committee] will sign off on it,” Lewis told me.

Some tech experts were not convinced that this arrangement would secure TikTok’s future in the United States. 

“I think what we’re going to need to look for is whether there are significant changes in TikTok’s data practices and algorithm and whether there’s an increase in transparency,” said Lindsay Gorman, emerging technologies fellow at the German Marshall Fund’s Alliance for Securing Democracy. “I think without those changes, it's harder to see how this kind of half measure will resolve these two big national security concerns.”

From Alex Stamos, director of the Stanford Internet Observatory and former chief security officer of Facebook: 

The deal is already facing congressional scrutiny.

Sen. Josh Hawley (R-Mo.) called on the Treasury Department to outright reject the proposal. “An ongoing ‘partnership’ that allows for anything other than the full emancipation of the TikTok software from potential Chinese Communist Party control is completely unacceptable, and flatly inconsistent with the President’s Executive Order of August 6,” he wrote in a letter to Mnuchin. 

If that’s not possible, the U.S. government should consider moving forward with a full ban of the app, he said.

Neither Oracle nor TikTok would provide details about how the proposal might resolve security or transparency concerns.   

“We can confirm that we’ve submitted a proposal to the Treasury Department which we believe would resolve the Administration’s security concerns,” TikTok spokesman Josh Gartner said in a statement.

Microsoft, whose bid ByteDance rejected, publicly committed to auditing TikTok for privacy, security and digital safety. That’s now the standard Oracle needs to meet for CFIUS approval, Lewis said. “It doesn’t matter who ends up being the owner,” says Lewis. “If you want to meet the concerns the administration had, you’ll have to do everything Microsoft laid out.”

One potential thing going for Oracle is that it’s one of the few technology companies that has publicly cozied up to Trump, Cat Zakrzewski reports. Oracle Chairman Larry Ellison hosted a fundraiser for Trump earlier this year, and Oracle chief executive Safra Catz served on Trump’s transition team.

Experts say CFIUS will need to do a deeper dive into other elements of the deal. 

For instance, it’s unclear whether Chinese company ByteDance would get data from Oracle as part of the deal or whether it could establish a bigger foothold in the country by partnering with one of the United States’ biggest data brokers, which has faced its own criticism for failing to protect user data.

It’s also unclear how Oracle’s role would mitigate concerns of Chinese government influence over TikTok’s algorithm and potential censorship.

“I think giving TikTok U.S. a trusted tech partner that makes no demands on how [the Chinese Communist Party] can request U.S. data just lends an imprimatur of legitimacy,” said Gorman. “Without a meaningful change in control of these critical assets, it’s possible this partnership could create more concerns than it addresses.”

It’s possible some of these solutions are included in the proposal, which is not public. ByteDance could move its headquarters outside China to alleviate concerns that it would be subject to Chinese laws that require firms, if directed, to share data in their systems with the government, Rachel Lerman, Ellen Nakashima and Jay Greene report.

U.S. officials could also decide to require TikTok to remove ByteDance’s algorithm completely, Lewis suggested.

“The deal, if it happens, is going to have to address our underlying national security concerns,” an official told my colleagues.

Regardless of the outcome, the White House assault against TikTok has raised the stakes in the tech clash. 

China’s decision to update its export controls for the first time since 2008 to protect technologies like TikTok’s algorithm shows that the United States caught it by surprise, Lewis said.

“The U.S. has been doing to China what China has been doing for the rest of the world,” he said, referring to China’s push to keep foreign Internet companies from operating in its borders. “China is going to have to think more seriously about what the game is like now.”

Trump’s decision to accept or reject the deal could have significant implications for cyber and foreign policy.

Unlike 5G telecommunication technology policy, where the White House has taken care to try to drum up allied support in banning Chinese vendors, the United States hasn’t taken much action to strategize with allies who have launched their own investigations into TikTok.

Security experts say the failure to do so was a lost opportunity for Western democracies to work together on pressing issues of Internet governance and data sharing.

“This may be a missed opportunity to join with like-minded democracies and draw clear lines in the sand between the way democracies and authoritarian states handle technology and data,” said Gorman.

China “blocking a sale that would set precedent for its national champions was completely predictable,” Stamos said, arguing that's why it's important to work with allies on complex areas of Internet governance.

The keys

The Biden campaign launched a new election protection program.

The protection program will counter foreign interference, misinformation and voter suppression efforts, Amy Gardner reports.

“We have an extraordinary national team in place to ensure that every eligible voter is able to exercise their right to vote and have their vote counted,” said Bob Bauer, a longtime Democratic election lawyer who has joined the campaign as a full-time adviser.

The initiative comes as President Trump continues to push unsubstantiated claims on Twitter and Facebook that mail-in voting leads to increased fraud.

In addition, a “national team for special litigation” will include two former solicitors general, Donald Verrilli and Walter Dellinger, as well as the law firm Perkins Coie, where Marc Elias has been leading litigation efforts on behalf of various Democratic committees all year. Former attorney general Eric Holder will also play a role in the effort, the campaign said.

A bug in Joe Biden's campaign app made it easy for anyone to access voter files, a researcher found.

While voter files are public information, the researcher was also able to intercept more private data including gender, home address and ethnicity, Zack Whittaker at TechCrunch reports. The app was fixed on Friday.

“We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” Matt Hill, a spokesperson for the Biden campaign, told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so.” Hill disputed that the app exposed information beyond public voter files.

The House passed a bipartisan bill that would strengthen security requirements for federally purchased Internet-connected devices.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require Internet-connected devices purchased by the U.S. government to meet certain minimum security requirements set by the National Institute of Standards and Technology to keep Americans’ personal data and government networks safe. Despite the rising threat of attacks against Internet-connected devices, there are currently no national standards for IoT security.

A companion bill in the Senate is awaiting a full vote.

Election security researchers want their say before the Supreme Court hears a case deciding the future of a major hacking law.

A group of computer scientists and election security researchers slammed an amicus brief filed by mobile-voting company Voatz earlier that month that argued anti-hacking law should only protect researchers with permission to probe a system, Sean Lyngaas at CyberScoop reports.

They say Voatz’s position “fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure.”

Voatz has clashed consistently with the researcher community, dismissing reports about flaws with its voting technology. The letter cites the fact that Voatz turned a student researcher over to the FBI despite purporting to offer safe harbor to researchers.

Earlier this year, HackerOne, a top platform for hackers to turn over bugs to companies, kicked Voatz off its platform, citing its hostility toward researchers. 

“We’re not advocating to limit anyone’s freedom — we’re saying it’s difficult to distinguish between good and bad faith attacks in the midst of a live election,” a Voatz spokesperson told CyberScoop. “For everyone’s sake, it’s better to work collaboratively with the organization as bad actors disguise themselves as good actors on a regular basis.” 

Chat room

More security experts sound off about the Voatz amicus brief and CFAA.

Privacy lawyer Whitney Merrill:

MIT's Mike Specter shares his personal experience:

Cyber insecurity

China-linked hackers have infiltrated the U.S. government in recent months using common software bugs.

Attackers have exploited the flaws in commercial technologies such as virtual private networks (VPNs) and open-source tools, the FBI and the Department of Homeland Security’s cybersecurity agency announced Monday, CyberScoop reports.

Hackers, who often launch attacks against the vulnerabilities within days of announcements, have already been successful in several cases, including a sensitive government operation working on a coronavirus vaccine.

DHS and the FBI warned U.S. government agencies and the private sector to patch known vulnerabilities.

Hackers accessed the personal information of 46,000 veterans. 

The information was revealed in a breach of the Department of Veterans Affairs’ Financial Services Center, the Hill reports. The hackers were able to access an application meant to distribute funds to veterans by tricking current employees. It is unclear how many Social Security numbers were potentially compromised or who was behind the attack.

A large breach of VA in 2006 revealed the Social Security numbers of over 26 million veterans.


  • The Senate Judiciary Committee will hold a hearing to examine threats to U.S. intellectual property, focusing on cyberattacks and counterfeits during the coronavirus pandemic on Sept. 23 at 2:30 p.m.

Secure log off

Stephen Colbert takes on the top headlines and Smash Mouth:
