Cybersecurity Expert: Banning a Chinese App Like TikTok Is a Red Herring That Ignores a Greater Danger

For nearly 30 years, I have been warning about the growing danger posed to national security by general American indifference to Chinese technological advancement in the realm of cybersecurity.

Yet, at the same time, not only do I regularly use TikTok, but, I am also among its first professional users in the USA, having joined its Musical.ly predecessor nearly 7 years ago.

There is no contradiction: While few people may choose to do so, it is possible to use TikTok safely. And, with relatively little effort, phone manufacturers can apply better security by default when people use TikTok.

Unfortunately, the current focus on TikTok as the symbolic representative of the risks to U.S. national security emanating from Chinese technology may be more dangerous than TikTok itself.

In my experience in cybersecurity, Chinese hardware — not software — poses, by far, the greatest risk to American national security. While software is certainly a concern, the reality is that, for multiple reasons, rogue hardware threatens to undermine security and inflict related damage in a far more dramatic fashion than does software. All the while, problematic hardware is simultaneously far harder to detect, identify, and remove once deployed than is software.

Proposed bans of particular apps, as well as on the use of VPNs to circumvent government controls, are not only ineffective at addressing such risks but are clearly reminiscent of the reprehensible censorship and controls implemented by oppressive regimes. It was not that long ago, that we, the taxpayers of the United States, paid to create and distribute the anonymizing system known as Tor precisely to help people worldwide overcome such government oppression. And, because preserving freedom of communication is so important, we left that system in place even as it was abused to distribute drugs, guns, and stolen data. In the name of preserving our freedoms, we must not now open a Pandora's box that not only fails to protect rights that we cherish, but threatens to do the opposite.

Yet, the talk of the day in Washington is about bans on apps and VPNs — ignoring the blatantly obvious problem that despite federal bans on acquiring and/or utilizing various Chinese hardware, we still have state and local governments, as well as private companies, purchasing and deploying such hardware en masse. Likewise, our governments have done absolutely nothing to discourage (never mind prevent) individuals from buying inexpensive, off-brand Chinese hardware through online retailers and marketplaces, nor has any American government institution even attempted to stop such marketplaces from facilitating such transactions. And, it is no secret that counterfeit hardware components, impersonating "Made in USA" devices, are readily available online at discounted prices.

Chinese hardware of dubious origins can pose a danger not only to whomever purchases and deploys it, but to our entire country. If a private citizen cannot blast music at 4 a.m. in his backyard because the sound carries and adversely impacts his neighbors, or dump oil on her own property because doing so impacts others as the pollutant spreads underground, why should a person be allowed to connect dangerous hardware to the internet, thereby enabling (if not actively facilitating) attacks on his digital neighbors, and, potentially, on our nation's critical infrastructure?

There are two additional factors compounding the risk to national security. The first is the fact that American manufacturers are sourcing hardware components from factories all over China over which the former have little true control. The second factor is that as a result of decades of mergers and acquisitions, partnerships, white-labeling deals, other forms of alliances, and even government policies that incentivized American companies to outsource manufacturing to facilities in China, Chinese technology — including from vendors appearing on the federal government's No-Buy list — is embedded within products bearing American brand-name logos and "Made in the USA" labels. Sometimes, the involved vendors are unaware of this being the case.

Consider, for example, that engineers at Sepio Systems, who I had asked to look into such matters after I joined the firm's advisory board, found what appears to be Huawei firmware running within HP 5500 commercial-grade network switches, with one internal default password even containing a reference to a Huawei-3com partnership formed nearly 20 years ago. Younger engineers may not remember that the 5500 series did not begin its life as an American-made product, or that when HP acquired 3Com 13 years ago, the American technology giant absorbed significant Huawei technology. Per a press release from 2005: "For its third quarter that ended September 30, 2005, revenue for the Huawei-3Com joint venture was $111 million, an increase of 16 percent over the previous quarter and a 69 percent increase year-on-year. Sales of the jointly developed 5500 line of Layer 3 switches with Gigabit Ethernet and Power Over Ethernet were particularly brisk."

While U.S. Intelligence does perform thorough studies of supply chains for certain DoD projects, there is no equivalent in most other areas of government nor in the private sector. Few, if any, CIOs or CISOs truly understand what hardware is running within their respective organizations. Even those who believe that they, in fact, possess "complete inventories" rarely (if ever) actually do — they may have a list of laptops and servers, for example, but rarely will they know the details as to what motherboards and storage devices are within those devices.

Considering that no amount of security software can secure a system if the hardware on which it runs is subject to compromise, our collective lack of knowledge about what is actually inside our computing devices puts us at tremendous risk; billions of dollars of investments in cybersecurity technology are currently being spent on the technological equivalent of building forts on quicksand.

While banning apps from creators outside the U.S. and VPNs is part of the current conversation, the risk from hardware is ongoing. If we want to address the particular risk from China, we cannot simply ban TikTok and the equivalent; we must take action that produces far greater results. We must immediately start paying attention to what hardware we allow to connect to our nation's information infrastructure; we are already at risk, and cannot afford to delay our move away from Chinese hardware. In my next piece, I'll outline what these moves could look like, and how stakeholders like business leaders and elected officials might put them into motion.