— As TikTok’s CEO gears up for his first Capitol Hill hearing this Thursday, the short-form video app is facing significant new headwinds on the Beltway — and fewer arguments than ever before to fall back on.
HAPPY MONDAY, and welcome to Morning Cybersecurity! Caterpillars grow a second head, then discard the first. Some shed their skin 16 times. They hatch from an egg, creep around for a bit on six legs, and then, after dissolving their own body inside a self-made shell, emerge a butterfly.
What the heck is that about, you ask? I forced an insanely fascinating article about caterpillars on my in-laws this weekend, and now I am doing the same to you!
Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.
Deputy national cyber director Camille Stewart Gloster, chief of the NSA’s cybersecurity directorate Morgan Adamski and CISA’s executive assistant director Eric Goldstein appear at an Aspen Institute event on the new National Cybersecurity Strategy. 3:30 p.m.
IN THE HOT SEAT — TikTok’s long-awaited first date with Capitol Hill was never going to be love at first sight.
But when CEO Shou Zi Chew appears before the House Energy and Commerce Committee later this week, it will become apparent that TikTok faces increasingly slim odds even to seal a loveless marriage with U.S. lawmakers.
Chew will be there to mount a last-ditch effort to convince the committee that the app isn’t the Communist Party Trojan horse that D.C. makes it out to be.
But between a flurry of counter-TikTok bills on Capitol Hill, a new Justice Department investigation and the news that the White House is threatening to ban the app unless it separates from ByteDance, its China-based parent company, it’s just as likely the hearing will expose the steady erosion of most major arguments the app has levied in its own defense.
Trust problem — For years, TikTok has met its skeptics with a simple refrain: Trust us for what we do, not for where our owners are.
That argument held a certain cachet during the Trump presidency, when there were fewer platform abuses to speak of and many dismissed the first effort to block it as an act of executive impulse.
But that defense has taken a hit amid a series of revelations showing that ByteDance employees harvested TikTok data to spy on U.S. journalists — a misfire that the Justice Department is now investigating, according to Forbes — and the continued souring of U.S.-China relations under President Joe Biden, a dynamic the infamous surveillance balloon sent into overdrive.
Show me the money — More recently, TikTok has tried to defuse the D.C. trust deficit by arguing the best way to prevent Chinese spying or propaganda isn’t a ban or a forced sale. It’s the company’s $1.5 billion plan to build a wall between the U.S. subsidiary and its Chinese owners.
Known as Project Texas, the initiative would see TikTok hire an army of 2,500 employees to review the firm’s content moderation policies. The firm would also tap Oracle to help establish “gateways” that safeguard Americans’ data from the prying eyes of Beijing.
But so long as there is “a direct or perceived connection to the Chinese Communist Party,” building a maze of corporate safeguards may never be enough to sway U.S. lawmakers, Brandon Pugh, policy director of the R Street Institute’s Cybersecurity and Emerging Threats, told MC over email.
“Look, I’ve listened to TikTok’s management. I’ve heard about the firewalls they’ve tried to build. They did not convince me,” Sen. Mark Warner (D-Va.) told Wired last week.
Playing whack-a-mole — Finally, the firm’s defenders have suggested that lawmakers are wasting their time on TikTok, since China can do all types of bad things via the other data-hungry companies that have sprung up in the vacuum of U.S. privacy law.
But that argument, too, recently saw its fortunes fall with the introduction of the bipartisan RESTRICT Act, which has won support from a growing list of influential Senate lawmakers, and the Biden administration.
By granting the U.S. Commerce Department new authorities to ban or limit communications tech owned by China and other countries of concern, the bill would establish a flexible, clear and repeatable process for U.S. officials to “propose a range of different things and mitigation agreements” against apps like TikTok, Justin Sherman, the founder and CEO of Global Cyber Strategies, a D.C.-based research and advisory firm, told MC.
That means future administrations could take a whack at TikTok — and then quickly move on to the next problem.
Last gasp for data privacy — Since the RESTRICT Act still won’t address the profligate data privacy practices of Western tech companies, its shadow could give new urgency to what may be TikTok’s last-best defense: that lawmakers’ attention is better directed at a national data privacy law.
If there’s anywhere where that argument would find a sympathetic ear, it’s the same congressional committee Chew will appear before later this week. Last Congress, the House Energy and Commerce panel advanced a national data privacy law to the House floor, and it’s dead set on going further this year.
But TikTok might be misreading the tea leaves if it thinks it can stall Congress by selling it on a false choice between restricting apps based on where they’re from or how well they protect their data.
Lawmakers want both. And thanks to TikTok, they may get it.
“Clearly TikTok is an immediate threat that needs to be quickly dealt with by the American government,” a Republican aide for the House Energy and Commerce Committee told MC. “However, the only way to ensure American data is protected more broadly and from future threats from the CCP is by passing a national data privacy and security law.”
WORDS INTO ACTION — The Office of the National Cyber Director may not have a permanent new chief just yet, but that’s not stopping it from getting to work mobilizing support for the new National Cybersecurity Strategy.
Today, deputy national cyber director Camille Stewart Gloster will appear at an Aspen Institute event focused on the fourth of five pillars in the just-released document: “Invest in a Resilient Future.” That includes some of the strategy’s most far-reaching, if distant, objectives, such as preparing for a post-quantum future, securing clean energy and rebuilding the country’s cyber workforce.
Then, on Thursday, acting national cyber director Kemba Walden will deliver remarks at a Center for Strategic and International Studies event on cyber resilience before heading over to the Hill to testify before the House Oversight and Accountability committee about the strategy.
REAL OR MISDIRECTION? — Either North Korean hackers are behind yet another major crypto hack — or someone is trying to pin it on them.
Over the weekend, researchers at cryptocurrency tracing firm Chainalysis reported that 100 ethereum stolen in last week’s $197 million theft from decentralized finance platform Euler had been transferred to wallet addresses associated with prior Hermit Kingdom hacks.
But Chainalysis warned that the transfer “could be misdirection by other hackers.” While fraudsters often launder illicit crypto proceeds in chunks, the 100 ethereum only translates to a small fraction of the total stolen from Euler. The hacker returned a far larger sum of 3,000 ethereum to Euler itself, raising further questions about the digital pickpocket’s motives.
BIG-TIME ARREST — U.S. authorities have arrested the alleged operator of a major hacking cybercrime forum and a high-profile hacker in his own right.
The arrest of Connor Brian Fitzpatrick, first reported over the weekend by Bleeping Computer, marks a significant win for U.S. law enforcement, given that many cybercrime perpetrators reside beyond the reach of Western law enforcement.
Fitzpatrick, who went by the alias Pompompurin, founded and operated the BreachForums cybercrime site, one of the most popular sites where hackers and ransomware actors — including those behind the recent breach at D.C. Health Link — would sell or leak stolen data.
And some side business — Fitzpatrick, who will appear in District Court in Virginia next Friday, also conducted some significant hacking of his own, according to Bleeping Computer.
That includes an effort to hack an FBI alert system to send fake cyberattack alerts to U.S. companies.
Some not-super-feel-good food for cyber thought, courtesy of security and privacy researcher Lukasz Olejnik:
— Pro-Russian accounts spread misinformation around the Ohio train derailment. (AP News)
— TikTok plans to send influencers to D.C. this week to stave off lawmakers’ mounting opposition. (POLITICO)
— The Venezuelan government is using AI-generated propaganda videos. (El Pais)
— A Russian hacktivist group is ramping up its distributed-denial-of-service attacks against health care organizations. (The Record)
Stay in touch with the whole team: Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
( Information from politico.com was used in this report. )