Stronger cybersecurity policies ban TikTok on government devices

The UK has banned government members from using TikTok in a shift to heavier cybersecurity policies, given the possibility of data being passed to the Chinese state

This issue, raised by MPs including Duncan Smith, as well as Tom Tugendhat and Nus Ghani and Iain Duncan Smith, aims to devise stronger cybersecurity policies and measures against the international app with over one billion monthly active users.

With no plans to prohibit individual MPs from using TikTok – which many MPs use as a form of social media, including cabinet minister Grant Shapps and backbench MP Ben Bradley – senior parliamentarians have requested calls for the installation or use of TikTok on government devices to be completely banned.

The EU and US have already made moves against TikTok

The Council of the EU and the European Commission have also recently banned their staff from using TikTok on work phones with a stronger emphasis on their cybersecurity policies.

This action was later followed by the US federal government, which cited concerns about the possibility of the Chinese government using TikTok to access US user data and destabilise US interests.

Now, in the UK, more MPs and parliamentarians are campaigning for stricter cybersecurity policies.

Some of these officials include Conservative party leader Iain Duncan Smith, who has been a vocal critic of the use of technology from Huawei and other China-based firms, as well as Alicia Kearns, the incumbent chair of the House of Commons Foreign Affairs Committee.

A Cabinet Office spokesperson said the UK government has “robust processes in place to ensure government IT devices are secure” but would not comment on specific cybersecurity policies.

Is TikTok owned by China? What is the significance of this?

TikTok is owned by parent company Bytedance, which is headquartered in China.

Due to a lack of international trust in data security in China, companies in China are now compelled to register themselves in order to give information to Chinese intelligence agencies, if asked to.

TikTok itself is registered in the Cayman Islands, so there are questions over whether TikTok would technically be under the jurisdiction of this law.

TikTok categorically denies that it has ever handed over data to the Chinese government, and it has no plans to.

TikTok categorically denies that it has ever handed over data to the Chinese government

A TikTok spokesperson said: “Our data is held in the US and Singapore, we are opening and expanding new data centres in Europe this year and we comply with robust data laws in these jurisdictions, such as GDPR.”

An FCDO spokesperson said that the department has introduced some of the “strongest data protection laws in the world to ensure personal data is handled responsibly and securely”, and that TikTok has to comply with these laws and face enforcement action if they fail to do so.

“The dream app for any hostile state”

Alicia Kearns has described TikTok as “the dream app for any hostile state”, and called for a “national conversation” about its cybersecurity risks. She said: “We need to recognise the fact that, while democratisation of information is a really good thing, there are also vulnerabilities that come with technologies as well.”

Duncan Smith, additionally, wants the government to involve the Government Communications Headquarters (GCHQ) in delivering workshops and writing advice to parliamentarians to encourage them off the app.

The National Cyber Security Centre, a part of GCHQ, has begun advising MPs and “high-profile individuals” that they are at a higher risk of cyberattack, guiding MPs to review the security settings on social media apps and “make sure you are happy with them”.

Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, said: “TikTok is the first ban on mobile apps for official devices and employees by the European Commission and others in the European Union. In the United States, 31 States have banned the app from government-issued phones, and the White House has also issued a ban on the use of the App on government-issued devices.

“This potential ban is not limited to the government. In fact, we are aware of many Chief Information Security Officers (CISOs) considering banning the use of TikTok on company devices.

Other organisations such as the financial sector will review their use of the app

“In particular, other organisations in highly regulated environments, such as the financial sector, are expected to conduct their own product security testing and legal review of privacy policy provisions to at least limit their use by corporate devices or high-value users.  Without the right product security management tools, it will be difficult for some corporations to enforce these.

“There is no doubt that organisations with regularly updated threat models based on contextual intelligence, mature asset management practices, and integrated management endpoint solutions are better positioned to manage this risk enterprise-wide.

“It underscores the importance of managing risk throughout the organisation and the need to assess, and thereby control, the impact of the introduction of new products and technologies upon overall organisational security. This includes the use of seemingly innocuous chat and social media apps.

“I suspect that only a limited number of CISOs are aware of TikTok’s privacy policy statement. While attacks on the supply chain are a real concern today, privacy risk should also be a top priority for CISOs of high-risk organisations. This is because personal data on company executives and other important individuals can be of great value in the hands of financially motivated attackers or the state.”