China’s cyber operations against the United States center on the People’s Liberation Army Strategic Support Force and the Ministry of State Security. The People’s Liberation Army, in particular, uses China’s autocratic structure to fund, influence and shape otherwise civilian corporations such as Huawei in order to conduct covert cyber operations.
As it has done with Huawei, the PLA introduces malicious software code disguised as innocent coding flaws. When detected, Huawei can simply respond, “Oh, sorry, we’ll correct that.” When not detected, however, such code can be used for highly effective espionage that is targeted either at individuals or at larger data sets.
China’s global intelligence effort is vast in scale and ambition.
This matters in light of TikTok CEO Shou Zi Chew’s testimony to Congress on Tuesday. His testimony was a disaster from beginning to end.
The fundamental problem facing Chew is that unless and until TikTok is sold to an American owner that can conduct a wholesale review and redesign of its software code, Congress will view the social media app as an unacceptable threat. The central issue here is not, as some members of Congress seem to believe, that of TikTok content related to mental health issues, child pornography, violence, or drug use. Those concerns are significant but also apply to American social media services such as Facebook, Instagram, and Twitter. As Chew noted, they can be addressed by TikTok’s hiring of more content reviewers.
Instead, the central issue here is the dragon inside the machine: the Chinese Communist Party’s access to TikTok’s data and code, which it can utilize via the company’s Beijing-based owner, ByteDance.
Rep. Jay Obernolte (R-CA) underlined this point with his questioning of Chew. A video game developer with knowledge of software coding, Obernolte asked how Chew could be confident that TikTok’s tens of millions of lines of evolving code could be reviewable by independent entities. This review structure is part of TikTok’s “Project Texas” pledge to increase Congressional confidence by storing U.S. user data on U.S. soil and allowing the American data firm Oracle to supervise data flows.
TikTok cannot, however, totally eliminate U.S. data flows outside of the U.S. Doing so would prevent international user engagement. But Obernolte asked Chew how TikTok could prevent a Project Texas coder from then introducing seemingly harmless, unrelated lines of code which only when acting together serve a malevolent interest. Chew had no good answer. Nor do we know what code TikTok includes that is malevolent but as yet undetected.
This is a big problem. Access to TikTok user data and code writing offers China a vast opportunity for a range of intelligence collection purposes. The nature of Xi Jinping’s ambition against the U.S. and the risk-reward calculation his officers have previously applied in cyber operations all lead to one conclusion.
TikTok cannot be trusted.