There was never much chance of my opening an account on Tik Tok (so you’ll have to look for my twerking videos elsewhere), so I don’t have strong personal feelings about it. That doesn’t mean I don’t have concerns about its data-gathering practices and its hotly-denied links with the Chinese government, of course. Are those concerns more profound than my concerns about Western social media? Not necessarily, but I’m not engaged enough with these matters nowadays to make comparisons between those concerns. In fact, if it were up to me, I’d advise anyone holding office in the government, security services, armed forces etc. to consider carefully the wisdom of engaging with any social media platform, though for most of us that genie escaped the bottle long ago. Clearly, there are risks in terms of personal data leakage, misinformation, social engineering and manipulation everywhere you look on the Internet, and many of those issues relate directly to groups in Russia and China, some with state sponsorship.
However, there have been other security concerns that date back to long before the launch of Douyin and Tik Tok. In 2011, I wrote on the ESET blog about issues relating to the buying-in of components ultimately sourced from China. Specifically, BT’s intention to buy network components from Huawei, and the US Navy’s purchase of 59,000 fake microchips ‘for use in systems “from missiles to transponders” ultimately sourced from China.’ Even further back, in 2009, I wrote:
I don’t have enough data to assess the seriousness of … an attack [on national systems via foreign-sourced components] in practical terms, but it seems unfortunate that “government departments, the intelligence services and the military” are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.
I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled “made in China”. Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?
I still don’t know the answer to the question in that second paragraph, and none of my former contacts (such as they were – my paygrade wasn’t particularly high) along the Corridors of Power are likely to have that exact information, let alone share it with me. The CNI is a wider network than you might think, incorporating not only obviously relevant sectors such as government and defence, but less obvious sectors such as health (hence my interest as a former NHS security professional), finance, food and even space. More information on the CNI Hub here.
Even worse, the Long March of technology (see what I did there?) means that components of components of components may fall under suspicion: tracking the provenance of every component on every potentially vulnerable site makes the sort of scanning for vulnerabilities some us enjoyed at the turn of the millennium look about as daunting as going to the front door to check that it’s locked.
In October 2022, the UK government sent a designated vendor direction to 35 telecom providers requiring them, effectively, to remove Huawei technology from UK 5G public networks by the end of 2027. The requirement to ‘remove Huawei equipment from sites significant to national security by 28 January 2023’, given that communications are also a CNI sector, tells us that Huawei did indeed have a presence in CNI technology until less than two months ago. Call me cynical (many people have…) but I don’t think that delivery of that direction means that we’re all now safe from whatever the National Cyber Security Centre has been predicting. Nearer to home, the NCSC has published a basic explanation of the thinking behind their predictions and what it means for home and business users not directly engaged with the CNI.
Information in this post is made available by the UK government under version three of the Open Government Licence for public sector information.
And if you’re wondering what happened to the normal Dataholics dollop of cheap sarcasm, all that I can say is that sometimes political reality outdoes satire. Hopefully, normal service will be resumed shortly. On the blog, that is: I’m making no promises about political reality.
*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/07/25/antisocial-media-and-critical-national-infrastructure/