Why Everyone Has an Issue with Huawei and TikTok (An Information Security Primer)

There has been a ton of press over recent months about information security, in particular concerns around Huawei products in 5G networks. When it comes to 5G, Canada is the only “Five Eyes” member not to ban or restrict Huawei products in national 5G networks, and there is plenty of other rumblings in other states and large corporates around the world that are concerned about Huawei.

In similar news stories, some states have been warning about the use of TikTok, and some companies have been banning employees from installing it on their phones. It is rumoured that a US ban of TikTok is on the way, it’s already banned in India, and the Wells Fargo bank in the US recently told employees the application is verboten. One security researcher described the TikTok app as a “data collection service thinly-veiled as a social network”, and the Peterson Institute for International Economics describe TikTok as a “Huawei-sized problem”.

The issue appears to be that Huawei and TikTok are both Chinese-owned businesses, and the allegations is that these technology platforms are being used to support Chinese spying activities. Rather than digging into that particular point – what does this mean for information security and cybersecurity in general?

There is a maxim in the IT industry and “information wants to be free” – and whilst this phrase has a number of interpretations, one way to look at it is that information doesn’t like to just “sit” where it is put. Information has a tendency to leak, and spread – once you lose control of it, there is no saying where it will end up. Information storage is virtually free, and information transmission and duplication is virtually instant.

There is also a truism in that information always has an inherent value. That value can be expressed as a minimum as very small quantity – just what is the “dollar value” of my email address, or the fact that I went to Starbucks this morning? Or, that value can be expressed as a huge amount. For example, how much value can be attributed of a coronavirus vaccine hacked from a particular state’s researchers, or how much value can be attributed to information that leads to an insider trading deal?

Given that all information has some value – i.e. it’s always non-zero – it follows that if you can gather a lot of information, you are likely to get a some return on your investment. This is why we see “industrialisation” of information security vectors across all sectors of industry. There are hackers at state level, there are hackers at a “small business” level (small hacking groups trying to make a quick buck), and at every place in-between. You could even argue that some hacker activity is “third sector” in nature – e.g. hacks against the NHS that purport to be about highlighting information security issues for the “benefit” of the service, as opposed to looking to extract money.

One issue here is that, at the state level, it was ever thus. It has always been the case that so long as international telecommunication lines exist, where those lines cross a border the states at either side have had motive and capability to collect the information that flows over those lines. What’s happening now is that because the volume and nature of those communications has become so much more complex – go back 50 years “plain” phone calls were all you had going across those lines – that states are finding new ways to gather information. Why not build a massively popular app that half the population of your enemy install? Why not make networking products so compelling that your enemy ends up paying you to install in their network? If information wants to badly to be free, why not lean into that and make sure that as much data as possible happens to pass by close enough for you to grab a copy?

Keeping this focused on my area – helping SMEs with their IT – what does all this mean?

Firstly, with regards to Huawei, the issues are not just in accusations around spying, or industrial espionage. The company has been accused of assisting in the mass-detention of Uyghurs in re-education camps, and in using forced Uyghur labour in its supply chain. This is enough to persuade me not to recommend Huawei products to my customers.

Secondly, with regards to TikTok, having read the (admittedly informal) research about the construction of this application – as a software engineer it is a shocking read. The headlines are that the app will do whatever it possibly can to get data off of the phone, and transmit it over to its own servers. It contains software code that actively seeks to stop researchers working out exactly how the application works, and on Android it’s able to download and run software on your phone without recourse to you, the phone’s owner. It seems clear that TikTok does not approach the issues of privacy and security with “clean hands”. As a parent, I would not recommend allowing children to install this on their phones, and I would recommend not allowing staff to install it on their phones.

More broadly though, what all this highlights is just how difficult it is to keep information contained, and why it’s so important to have a robust information security policy and related policies in place within your business. It’s not going to be the case that your business is attracting the attention of state-level hacking groups, but this situation of hackers developing tools that look to industrialise installation of malware as an income-raising measure (e.g. the WannaCry outbreak in 2017 and its links to North Korea, or simply as a way of turning as many devices as possible into endpoints for collecting data.

Luckily though, in a small business, information security is a fairly straightforward thing – you can go a long way just by keeping your Windows version up-to-date, using anti-virus protection (Windows Security in Windows 10 is good enough for virtually everyone), using strong passwords along with a password manager like LastPass, and by making sure all devices (including Windows and Mac computers) encrypted.