If China were to spy on the US military on TikTok: three different defense scenarios
TikTok's ownership remains a pressing issue for the US. What if China were to use this popular short-video app to spy on the military? Safe House Global decided to host a warfighter exercise to find the best possible defense against this scenario.
On TikTok, the hashtag "#militarytiktok" has over 1 billion views. Military personnel from America and around the world use the platform like they might any other social network. If China were to order Bytedance to provide information on the US military service members and their families, it would theoretically be capable of launching a program to identify them, their location, travel habits, and potential for compromise, espionage, and disinformation campaigns.
Therefore, Safe House Global hosted its first virtual wargame - the Social Media Information Warfighter Exercise - to find the best way to mitigate this fictional scenario.
Three Blue Teams comprised of military, cybersecurity, and private sector experts responded to a hypothetical scenario in which The Chinese Ministry of State Security (MSS) has ordered ByteDance to provide access to TikTok's codebase.
Blue Team Alpha, Blue Team Bravo, and Blue Team Charlie had to present a plan to address a threat scenario and defend it in a Q&A session. Exercise Control then introduced a disruption variable, different for each team, and randomly chose from a prepared list.
Teams retired to plan their response to the disruption and then presented that plan to a panel of judges, which included Brian Murphy (former DHS Under Secretary of Intelligence and Analysis and whistleblower on the Trump administration), Rand Waltzman (Adjunct Senior Information Scientist at the RAND Corporation and former Defense Advanced Research Projects Agency (DARPA) program manager), and Kathleen Moore, Ph.D., Professor of Data Science, US Army War College.
Response No. 1: Blue Team Alpha
The team, composed of four members with experience in conducting military cyber operations, presented a plan that explicitly linked the app to a national security/force protection threat and told the force that using the app gives adversaries the advantage. The team’s strategy included infiltrating TikTok to verify that targeting of military personnel has been occurring and then initiating Computer Network Operations to disrupt and deny Bytedance’s collection efforts.
Blue Team Alpha’s disruption variable was: “They are unable to convince military senior leaders that this is more important than sexual harassment, suicide prevention and getting the new PT test right. No priority given.”
Response No. 2: Blue Team Bravo
The team, composed of four members with experience in using AI to identify disinformation and misinformation efforts, presented a plan that asked US military members and their families to use an app that would vet their content before uploading it onto the TikTok platform to minimize the value of MSS’s collection effort.
“Our product would scan, analyze, detect, and predict the possible impact and danger of publishing a specific piece of content or a video,” a team member said when presenting their solution. Their app would also predict how other TikTok users might react to a specific video.
The team recognized that military service and their families might not rush to use the app. This sort of analysis might be treated as an invasion of privacy. If analytics data were to be compromised, the risk of exposure would be high.
Blue Team Bravo’s disruption variable was: “Their app was only 45% effective in identifying content that contained sensitive information valuable to the MSS.”
Response No. 3: Blue Team Charlie
Blue Team Charlie, composed of four employees from a cloud security company, presented a multi-pronged plan that would disrupt TikTok’s operations, access, and alter its collection on US military members. They would create thousands of fake accounts that would serve up fake information and attempt to lure MSS probes onto platforms where the US Government has easier access.
The team recognized that the effects applied may have unintended consequences or cause collateral damage, risking exposure or loss of political support to continue operations.
Blue Team Charlie’s disruption variable was: “TikTok discovers Blue Team Charlie’s intrusion. It is identified as a US government attack on the network. Bytedance asks the Chinese Government for assistance to defend against the intrusion and gets it. Escalation of hostilities occurs.”
The winning team was Blue Team Charlie, with a total score of 185.8 votes from the judges (out of a possible perfect score of 270). Attendees who observed the event also cast their votes, and Blue Team Charlie received 60% of the popular vote.
TikTok is not the only problem
"This was a complex scenario because while the actions of the threat could be deemed harmful to US national security interests, such an action would have been perfectly legal to do. Espionage is not a crime, and the US has no national privacy law that prevents targeting", Jeffrey Carr, Founder of Safe House Global and author of Inside Cyber Warfare, said.
While this exercise was about TikTok, he added that it could easily have been swapped out for Facebook, YouTube, and Twitter.
"The algorithms that drive engagement on all of these social media platforms, combined with ad tracking and access to hundreds of third-party databases, make it possible to target one person out of a billion. Social Media and the Ad Tech industry that drives it has thrived because there are no national privacy laws in place to control it," Carr explained.
In August, Reuters reported that the Chinese government bought a 1% stake in TikTok owner ByteDance's key Chinese entity, Beijing ByteDance Technology. The deal also allowed the Chinese government to appoint a board director at Beijing ByteDance.
In October, TikTok's head of public policy for the Americas, Michael Beckerman, became the company's first executive to appear before Congress. Reuters reported that he was pressed mostly by Republicans on worries regarding TikTok's stewardship of data of the app's users.
He was questioned whether TikTok could resist giving data to the Chinese government if the materials were to be demanded and insisted that the company does not share information with the Chinese authorities. Beckerman said that TikTok has "no affiliation" with Beijing ByteDance Technology.
More from CyberNews:
Subscribe to our newsletter