Srsly Risky Biz: Thursday June 23

TikTok's data sovereignty project is a mess, and cyber norms are in the eye of the beholder...

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Unscrambling the TikTok Tech Omelette Will be Hard

A new Buzzfeed report claims that the user data of TikTok's US customers is accessible from China, despite ongoing efforts to ringfence US data into Oracle data centres. The story illustrates how difficult it will be to satisfactorily isolate US data, but TikTok's influence as a publisher may be an even bigger problem.

Concerns about TikTok stem from fears that ByteDance, its parent company, is beholden to the Chinese Communist Party (CCP) and could be forced to act against the interest of its users by the Party. Spoiler alert: these fears are entirely justified. In 2018 Zhang Yiming, ByteDance's CEO, published an open letter in which he apologised for failing to respect "socialist core values" and for "deviation from public opinion guidance". These particular phrases are Party terms for censorship and information control as a means of maintaining CCP control.

Buzzfeed's report, based on leaked audio recordings from more than 80 internal TikTok meetings, includes some alarming statements from TikTok employees:

"Everything is seen in China," said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a "Master Admin" who "has access to everything."

TikTok's effort to protect US user data from its owners is known internally as Project Texas, and consists of storing data physically in an Oracle data centre combined with logical controls to minimise access from the PRC.

The physical location of user data doesn't have all that much to do with its security or who has access. The whole cyber security industry, after all, exists because preventing unauthorised remote access to data is not straightforward.

When it comes to logical controls, Buzzfeed reports TikTok's head of global cyber and data defense said that Oracle is providing only "bare metal" and TikTok still controls the software layer. So, physical controls won't help and TikTok writes the logical ones. Compounding the difficulty for US employees tasked with ensuring data security, TikTok's software stack seems like a complex mess with employees not able to figure out what some parts of internal tools did. Buzzfeed even reports one external consultant saying "I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting". Ensuring tight data security in that environment will be hard, although this isn't a problem that's unique to TikTok. Just last month this newsletter reported that Facebook privacy engineers were not confident about their ability to control its data flows so that specific information could only be used for defined purposes.

Hosting the data in the USA does give the government there one powerful tool — it can arrest US-based employees if they've been found to have broken US law. But it's not clear how helpful that lever will be when TikTok's software is so opaque.

Fergus Ryan, Senior Analyst at the Australian Strategic Policy Institute and author of a report on censorship on TikTok and WeChat, was totally unsurprised that user data was still accessible from China. TikTok's public pronouncements about their data sovereignty protection efforts had always given them some "wiggle room," he said.

At the same time, he thinks that access to data is a "red herring" and he is more concerned about political manipulation. TikTok has its hands on the levers and actively works to generate new trends, he says.

"It's not a situation where they let things organically happen, there are teams inside the company that are thinking of new trends… that can be promoted on the site and go viral. It's not just relying on what the algorithm decides."

Ryan thinks the opacity of TikTok's algorithm would also make it "trivially easy" to manipulate political discourse on the platform, simply by promoting or demoting content associated with a particular hashtag, for example. "If they did that, it would be very very difficult for anyone to know," he said. Other social media platforms "are all influential in their own way, but only TikTok is under the thumb of the Communist Party".

"If Mark Zuckerberg were at the beck and call of just one political party what would we do?" he asks.

In some ways TikTok presents the same problem as Huawei did when it came to involvement in 5G infrastructure — how do we mitigate risks when a powerful company is beholden to the CCP? In the case of Huawei, it's fairly easy to draw a straight line between potential CCP interference, critical infrastructure and the need for additional risk mitigations.

In the case of TikTok, however, people can't even agree on the problem and what is at stake. Is it really the data? Are mitigations that stop mass data transfer, but probably not targeted ones, enough? Or is it really the political manipulation that we should worry about? The CCP has form in both.

Ryan suggests that TikTok be held to the same standard as Western social media platforms. This should include labelling state-linked accounts, and TikTok should be required to search for influence operations on its platform. When it finds them (and there are influence operations on all social media platforms) it should be required to share data with independent researchers for further analysis.

He thinks that would amount to a quasi-ban of TikTok. "I just don't see ByteDance being able to do that," he says.

Indict More State Cyber Operators, Please

Last week, the German government charged Nikolaj Kozachek (English-language coverage), a Russian GRU cyber operator, for hacking the Joint Air Power Competence Centre, a NATO think tank based in Germany.

Charging a state-sponsored cyber operator for espionage targeting a "legitimate" government or military target is not common, but there are good reasons countries should do it more often.

The US's first use of a criminal indictment against state-sponsored hackers occurred in 2014 when it charged five Chinese People's Liberation Army (PLA) officers with theft from US organisations for "commercial advantage". This was an attempt to construct a baseline understanding of what cyber norms should be by trying to deter "unacceptable" state activities. The Department of Justice press release made it crystal clear that the main thrust of the indictment was economic espionage; a quote from Director James B. Comey sums up the US government's beef: "the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries".

At that time the Chinese government was unhappy about its activities being outed in the landmark indictment. A foreign ministry spokesperson said the charges were "purely ungrounded and absurd," and China suspended its participation in the Sino-US Cyber Working Group and summoned the US ambassador in Beijing.

The 2014 PLA indictment was one element of a broader US government push including public attribution statements, the threat of sanctions and Presidential-level engagement that ultimately resulted in the 2015 Obama-Xi cyber agreement. This committed the two countries to not "conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors".

The recent German indictment, however, does not stick to the same hymn sheet. It's focussed on the breach of a NATO think tank, an entirely "legitimate" government or military espionage target. This isn't the first time that German officials have indicted Russians for government-focussed espionage, either. In May 2020 the German government indicted another GRU hacker for the 2015 hack of the German Bundestag (parliament).

Does this difference in the use of criminal charges undercut US efforts to use indictments to shape adversary behaviour?

One view, based on the (in)effectiveness of the 2015 Obama-Xi agreement, is that it won't make much difference as indictments don't work anyway. Although there was a lull in Chinese activity in the immediate aftermath of the agreement, PRC theft of commercial intellectual property nowadays continues apace. Therefore, indictments are useless.

Jon Bateman, senior fellow at the Carnegie Endowment for International Peace and author of The Purposes of US Government Public Cyber Attribution, told Seriously Risky Business he disagrees with that view, and says indictments can have multiple goals.

"A nation’s enforcement of its domestic criminal law and a nation’s effort to shape and enforce what it sees as international law or norms… [are] two different things. Number one doesn’t necessarily undercut number two, provided that the nation (whether the United States or Germany) is very clear on the difference."

"It's fine for a state to aim to disrupt or deter activity that is harmful to it. The problem is when states aren't clear about the message they are sending with such indictments."

Although initial indictments were very focussed, subsequent US signalling has sometimes been less than crystal clear. Bateman points out that some indictments contain a mix of activities and "sometimes even a single incident can have multiple interpretations based on your assessment of the intent". Some US indictments have even focussed on what are arguably intelligence activities.

When announcing the 2020 indictment of PLA hackers for breaching credit reporting firm Equifax, for example, Attorney General William Barr focussed on the theft of personal information and noted that this information had "economic value". It seems likely, however, these hacks weren't for commercial advantage but were intended to gather data to supercharge PRC espionage and counterintelligence efforts by combining it with other data sets including information stolen from the Office of Personnel Management, the US government agency that manages security clearances.

But even if mixed messages mean that indictments on their own aren't that effective at deterring a state from particular activities, they may still be useful for deterring individuals. And they can still serve as useful reminders to other states that their activities aren't invisible.

Ultimately, Bateman says, "states only have a few tools to shape behaviour in cyber space, none of which are mind-blowingly effective when used in isolation, but which might have some effect when used in concert over a long period of time".

Regardless of their effect on other states, indictments also have tremendous value for educating the broader public. Without information from indictments, Bateman said, "the public would be in this wilderness of shadows where only elites and policymakers know what is going on". They are an important way for reliable information to be made available to enable the public dialogue that can build political momentum for change.

In his 2020 comments referred to above, Attorney General William Barr explained the rationale for not usually charging foreign intelligence operatives:

We do not normally bring criminal charges against the members of another country’s military or intelligence services outside the United States. In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject to domestic criminal law. There are exceptions to this rule, of course. For instance, we have brought charges against intelligence officers operating undercover in the United States. And more recently, we have charged state-sponsored actors for computer intrusions into the United States for the purpose of intellectual property theft for the use of their private sector, bank robbery, and interfering with our democratic elections.

Bateman would like to see more countries issue more indictments. Despite Barr's reasons, we agree.

Three Reasons to be Cheerful this Week:

  1. A bad week for some awful people: INTERPOL announced a "worldwide crackdown on social engineering fraud". The 76-country operation resulted in over 2,000 arrests and the interception of USD$50m of illicit funds.
  2. Dutch Intel Outs Russian Illegal: AIVD, the Dutch intelligence and security service, outed a Russian intelligence officer posing as a Brazilian in an attempt to intern at the International Criminal Court (ICC) in the Hague. AIVD outed Sergey Vladimirovich Cherkasov as an "illegal", an undeclared operative working under non-official cover, and published his "legend", the fictitious history of his cover identity. We like this kind of publicity, a real in-your-face to the GRU. As Reuters journalist Thomas Escritt noted on Twitter, "You spend a decade building up your legend as a deep-cover agent and then the other side just ... tweets it out?"
  3. Not Spinning on a Chair: President Biden signed two cyber security bills this week. We are a fan of the Federal Rotational Cyber Workforce Program Act which establishes a workforce development program to allow cyber security professionals to rotate through a variety of federal government civilian agencies.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.

You can subscribe to our product demo page on YouTube here.

Shorts

What Nakasone Probably Meant

Early this month the head of US Cyber Command, General Paul Nakasone, stated that the organisation had conducted offensive cyber operations against Russia in support of Ukraine. We called the statement an "information-free zone," but Kim Zetter has an excellent article examining what these offensive cyber operations could actually be. Zetter confirms they are not "hunt-forward operations" (looking for threats in foreign networks with the host country's consent) and presents the range of possible options.

Indian Police Linked to Framing of Activist

A wide-ranging hacking campaign that was used to plant incriminating evidence on Indian activist Rona Wilson's laptop (previously covered here in "Framing of Indian Activist") has now been linked to Indian police in the city of Pune.

This campaign, dubbed Modified Elephant by cyber security firm SentinelOne, stretches back to at least 2012 and has targeted hundreds of groups and individuals including "activists, human rights defenders, journalists, academics, and law professionals in India". Three victim email accounts, including Rona Wilson's, had an email address and phone number added as a recovery mechanism after being compromised. Multiple lines of open source evidence link both the email address and the phone number to the Pune City police. The email address, for example, contains the full name of an Indian police official who was closely involved in the case that resulted in Wilson's arrest.

Almost all of the activists arrested in this case remain in jail.

From Risky Biz News:

Ukraine accuses Russian hackers: Yurii Shchyhol, head of Ukraine's State Service of Special Communications and Information Protection, has accused Russia's state hackers of intentionally targeting non-military targets and critical infrastructure:

Just as the Russian army routinely disregards the rules of war, Russian hackers also appear to have no boundaries regarding legitimate targets for cyber-attacks. Popular targets have included vital non-military infrastructure such as energy and utilities providers. Hospitals and first responders have been subjected to cyber-attacks designed to disrupt the provision of emergency services in the immediate aftermath of airstrikes.

ICO funding: The UK government will allow the country's privacy watchdog, the Information Commissioner's Office, to keep a small portion of the fines they levy against companies that break data protection laws. The sum they can keep will be capped at £7.5 million/year, and the agency will be audited by the government to make sure the mechanism is not abused.

Hackers blamed for false air raid sirens in Israel: Air raid sirens went off in the Israeli cities of Jerusalem and Eilat on Sunday, June 19, for at least 50 minutes following what government officials have described as a "cyber incident."

On Monday, the Israel National Cyber Directorate (INCD) confirmed the incident but said the alarms came from public address systems managed by local authorities and not the ones managed by the Israeli Defense Forces Home Front Command. (continued)