Friday, 23 Oct 2020

TikTok Deal Exposes a Security Gap, and a Missing China Strategy

WASHINGTON — President Trump has declared victory in his latest confrontation with China, saying that he headed off a looming national security threat by forcing the sale of the social media app sensation TikTok to a consortium of American, European and — though he does not say so — Chinese owners.

But it is far from clear from the details released so far that Mr. Trump’s deal resolves the deeper TikTok security problem — which has less to do with who owns the company and more with who writes the code and the algorithms. The code and algorithms are the magic sauce that Beijing now says, citing its own national security concerns, may not be exported to a foreign adversary.

And the deal certainly doesn’t resolve the broader problem in the expanding technology wars between Washington and Beijing: how the United States government should deal with the foreign apps that are now, for the first time, becoming deeply embedded on the screens of Americans’ smartphones, and thus in the daily fabric of American digital life.

TikTok illuminated the scope of the new competition. The United States wants to have it all. It seeks to reap the benefits of a global internet yet limit its citizens to made-in-America products, ensuring that the data that flows through American networks is “clean.” In fact, the State Department has begun what it calls “the clean network initiative,” making sure that data is not tainted by adversaries, starting with China.

“This is a really hard problem and bashing TikTok is not a China strategy,” said Amy Zegart, a senior fellow at the Hoover Institution and Stanford’s Freeman-Spogli Institute. “China has a multi-prong strategy to win the tech race,” she said. “It invests in American technology, steals intellectual property and now develops its own technology that is coming into the U.S.,” as TikTok did with remarkable success in just two years.

“We don’t have to guess what their intentions are,” she said. “They have written what their intentions are, and it’s called ‘Made in China 2025,’” the country’s strategy of becoming a peer competitor of the United States in all major technological arenas in the next five years. “And yet we think we can counter this by banning an app. The forest is on fire, and we are spraying a garden hose on a bush.”

If American politicians seem to be behind on this one, perhaps it is because technological progress has once again outpaced the political debate. On Capitol Hill, the China problem many politicians still fume about is cheap Chinese goods, ignoring the fact that China’s labor is no longer inexpensive. Others call for crackdowns on intellectual property theft, a problem that George W. Bush tried to tackle with his Chinese counterpart in the Great Hall of the People 15 years ago, and that Barack Obama and President Xi Jinping, then new as China’s president, declared they had solved five years ago.

Of course, they didn’t. China shifted its hacking operations from units of the People’s Liberation Army — some indicted by the Justice Department — to the Ministry of State Security. In recent days, the F.B.I. has warned of broader surveillance and theft operations on American campuses, much of it aimed at coronavirus vaccines.

TikTok presented an entirely new problem, one that most policymakers in the United States had not contemplated before.

For the first time, a genuine Chinese app — not a knockoff of something invented in the United States or Europe — captured the hearts of American teenagers and millennials. On one level, it was harmless: TikTok is mostly jammed with one-minute dance videos. By many measures, it was a bigger parenting problem than a national security problem. Whatever it was, it clearly wasn’t on Washington’s radar the way that the expansion of China’s nuclear arsenal, or its actions in the South China Sea, dominate the China debate.

Yet as Brad Smith, the president of Microsoft, which competed with Oracle to buy TikTok’s operations in the United States, noted, “there is a potential threat.” To make TikTok tick, the company collects vast amounts of data on Americans’ viewing habits. And the same algorithm that picks your next dance video could, in the future, pick a political video. (There is already more than a whiff of political content on the app.)

Like Oracle, Microsoft would have taken over the storage of all data on Americans, keeping it in the United States. (TikTok currently has a major data server in Virginia, but backs up data in Singapore.) But Microsoft’s bid went further: It would have owned the source code and algorithms from the first day of the acquisition, and over the course of a year moved their development entirely to the United States, with engineers vetted for “insider threats.”

So far, at least, Oracle has not declared how it would handle that issue. Nor did President Trump in his announcement of the deal. Until they do, it will be impossible to know if Mr. Trump has achieved his objective: preventing Chinese engineers, perhaps under the influence of the state, from manipulating the code in ways that could censor, or manipulate, what American users see.

“If Oracle is providing hosting with the majority of engineering and operations staying with ByteDance, then the only effect of this deal was to swing billions of dollars of cloud revenue,” said Alex Stamos, who runs the Stanford Internet Observatory. “The details of the deal will really matter, and so far the public has not been provided with enough information to have an educated opinion.”

Without that issue resolved, it is unclear how Mr. Trump could declare that the security issues are solved, much less how he could say that the new entity “will have nothing to do with China.”

The longer-run issue, however, is that there will be more TikToks, companies around the world that develop apps that Americans love — or see as a hedge against their own government. Already, many Americans use encryption apps, like Telegram, that are based outside the United States, so that the United States would have a more difficult time issuing subpoenas for the content. Attorney General William P. Barr has already called for greater scrutiny — and perhaps abolition — of any such app that does not allow the United States a legal “back door.”

It seems unlikely that any administration — Democrat or Republican — could actually succeed at banning foreign apps whose code they found suspicious or difficult to access. It would be as problematic to enforce as Prohibition, which lasted 14 years in the United States before it was repealed, by constitutional amendment.

But the bigger issue is that the movement to ban Chinese apps — the next target is WeChat, which was going to be cut off by executive order on Sunday until a federal judge intervened, at least temporarily — defeats the original intent of the internet. And that was to create a global communications network, unrestrained by national borders.

“The vision for a single, interconnected network around the globe is long gone,” said Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs and an expert on cyber conflict. “All we can do now is try to steer toward optimal fragmentation.”
