
What the DIB (Defense Industrial Base) Needs to Know About TikTok

In the evolving landscape of digital security and national defense, the Defense Industrial Base (DIB) finds itself at a critical junction, particularly concerning the use of TikTok on personal and company devices. The U.S. government's stance against the popular social media app, led by the "No TikTok on Government Devices Act" within the Consolidated Appropriations Act of 2023, has set clear boundaries for federal employees and contractors. This blog post, "What the DIB Needs to Know About TikTok," dives deep into the implications of this legislation, examining the specific challenges and ambiguities faced by DIB contractors and subcontractors. This blog post not only clarifies the legal landscape but also scrutinizes the potential risks and cybersecurity vulnerabilities associated with TikTok, urging a reevaluation of device use policies within the defense sector.

  • Collin Overby

Overview of Recent Legislative Changes Affecting TikTok Use

In February 2023, the “[M-23-13] Memorandum for the Heads of Executive Departments and Agencies” referred to the Consolidated Appropriations Act of 2023, which enacted the “No TikTok on Government Devices Act.” This memorandum from the Director of the Office of Management and Budget was issued in consultation with the Administrator of General Services, the Director of the Cybersecurity and Infrastructure Security Agency, the Director of National Intelligence, and the Secretary of Defense. Its purpose was to develop the processes (standards and guidelines) applicable to those agencies that would require the removal of TikTok from Federal “information technology” (as defined in 40 U.S.C. § 11101(6)).

That directive, and the eventual rule codified in July of 2023, entitled “Federal Acquisition Regulation: Prohibition on a ByteDance [the parent company that, at the time of this writing, operates the TikTok application in the United States] Covered Application,” mandated that government employees and certain government contractor and subcontractor personnel delete the TikTok application from their cellphones, tablets, and/or other personally-owned electronic devices.

Scope of Legislation for the DIB

At that time, there was uncertainty about which devices used by employees of DIB contractors required the deletion of the TikTok application. Specifically, questions arose about how the legislation applied to contractors, subcontractors, and their personnel within the DIB, including their personal cell phones, tablets, and portable devices (e.g., Android, iOS, Windows OS). This led to confusion within the DIB regarding the legal requirements stemming from the law prohibiting TikTok on certain devices.

A cautious and well-considered policy was to evaluate whether personal devices had any contact with a contractor employer’s systems (such as internet or ethernet connectivity, business email, business calendars, business remote collaboration tools, etc.) or with anything related to current DoD projects. This evaluation would also likely require considering the employer’s past performance under a DoD contract or subcontract, with some exclusions (e.g., generic requests for proposals with prior protections removed by the involved government agency). According to the 2023 law, any devices that had contact with DoD contractor or subcontractor systems should have been checked for the TikTok application. If found, the application should have been removed from those devices.

Evaluating Personal Devices in the Context of DIB

Alternatively, before the April 2024 law, a device owner who was confident that their devices were effectively partitioned from the systems of a DoD contractor/subcontractor that had, or would likely have in the future, a contractual relationship with the DoD could treat those device(s) as not covered by the 2023 Act. Prior to the recent legislation (April 2024), a personnel member’s device(s) could have been considered as not covered by the then-controlling law, which applied almost exclusively to federal personnel and to a subset of contractors’/subcontractors’ device(s). Further, some could even consider devices exempt in a situation where the personnel member’s employer lawfully possessed Controlled Unclassified Information (CUI) or otherwise protected data under contract/subcontract with the DoD.

Cybersecurity Risks Associated with TikTok

From a cybersecurity standpoint, the difficult reality was that personal devices have vulnerabilities. For example, Advanced Persistent Threat (APT) groups, for which the People’s Republic of China (PRC) is notorious, develop Remote Access Trojans (RATs), some of which may be unwittingly downloaded onto a smartphone and/or tablet.

As those within the cybersecurity industry know, “The mobile app malware [RAT is] …able to steal GPS data and SMS messages, contact lists, call logs, harvest images and video files, covertly record microphone-based audio, hijack a mobile device’s camera to take photos, review browser bookmarks and histories, eavesdrop on phone calls…etc.” Such capabilities could also feed several types of potentially successful social engineering campaigns, because the APT’s surveillance activity supplies the personal details those campaigns rely on.

Recent Developments and Future Implications

On April 24, 2024, the President signed a law that will ban the popular ByteDance TikTok application in the United States unless TikTok separates from its China-based parent company within a year. While TikTok is expected to challenge this unprecedented law in court, officials defend their decision to restrict ByteDance and TikTok’s operations in the U.S. Senator Maria Cantwell, Chair of the Senate Commerce Committee, emphasized that the actions against ByteDance and TikTok are not punitive. She stated, “Congress is acting to prevent foreign adversaries from conducting espionage, surveillance, malign operations, and harming vulnerable Americans, our servicemen and women, and our U.S. government personnel.” Legislators were likely influenced by the 2017 Chinese National Intelligence Law, which mandates that any Chinese organization or citizen must support and cooperate with state intelligence efforts.

The requirement for TikTok to provide sensitive information to the Chinese government poses a significant risk, particularly because ByteDance’s servers are in China and TikTok relies on China-based infrastructure. Some experts warn TikTok users to assume their data is being aggregated and shared with the Chinese government.

Given the potential exposure to a foreign adversary and the law set to take effect within a year, personnel working within the DIB should reconsider their use of the TikTok application. There are alternative short-form video apps such as Instagram Reels, Snapchat, and Triller, which are owned by companies based in non-adversary nations. Members of the DIB, including contractors, subcontractors, and their personnel, are committed to supporting the U.S. military and its personnel. This commitment should outweigh the inconvenience of giving up an entertainment app, especially considering that TikTok could jeopardize national security interests and the safety of U.S. military personnel.
