Why the TikTok Ban Would Have Been a Cybersecurity NightmareSeptember 23, 2020
TikTok and WeChat are still available in mobile app stores, despite a threatened ban by executive order, and for that the President should be thankful. The fallout on the cybersecurity front would have been considerable.
While the Google and Apple app stores would have no longer offered the apps, users who already downloaded the app would have been able to still use it. Like a book injunction, which can force booksellers to return distributed copies of a banned book back to the publisher, Apple and Google can make these apps disappear. They were not ordered to do that–and as such serve as a great illustration of the unintended cyber risks that attend seemingly unrelated decisions.
With a ban in place, TikTok and WeChat users in the U.S. would no longer be supported. In the event of a newly discovered security vulnerability, there would be no patch. The potential ramifications for security were enormous. TikTok has an estimated 100 million users in the U.S. alone (WeChat has 19 million).
Security vulnerabilities are discovered every day. Technology companies play a constant game of catch-up with hackers seeking to exploit even relatively minor opportunities, and most software companies are willing to pay white hat hackers to ferret out these vulnerabilities before cybercriminals do. In June, the company that owns and maintains both TikTok and WeChat allocated $140,000 for so-called “bug bounties.” Bounty hunters find bugs all the time, and they are patched all the time.
100 million unpatched TikTok users would make a very compelling target for black hat hackers. The unpatched users that would have been created by the President’s ban might have derived a modicum of safety from the numbers game of being one in a hundred million, but they would have represented so many open doors that couldn’t be closed.
Typically, when a software company discovers a vulnerability, they simultaneously issue a software update to fix it. At the same time, hackers try to exploit their newfound opportunity before users install the patch that removes the vulnerability. This is why cybersecurity experts are always beating the drum of update, install, repeat.
The threat wouldn’t have been confined to TikTok and WeChat’s user bases. We’ve seen time and again that some of the largest and most egregious data breaches typically start with a single compromise, be it a careless click on an email attachment, a malware-ridden USB drive, or a personal device running outdated software. A single mobile device that has either app installed on it and a known vulnerability represents a massive liability.
While there are valid reasons to be concerned about the data accumulated and shared by TikTok and WeChat, banning them ultimately amounts to little more than security theater. As we’ve seen on the West coast, symbolism can start forest fires. It can spark civil unrest, too. Political theater has its place in an election year, but it should not be staged at the cost of our safety.