Homeland security risk management is too often reactive. Technology evolves, critical infrastructure design is altered, societal and market priorities shift, and new vulnerabilities are created. Simultaneously, threat actors evolve, either in anticipation of or in response to these shifts, introducing new tactics. This fundamentally changes the risk equation, with new risks emerging and mitigation and management strategies frequently lagging.
Viewed through a homeland security lens, this scenario has unfolded with the widespread use of TikTok. The incredibly popular app, owned and operated by the Chinese company ByteDance, has become a significant risk to U.S. homeland security in terms of data protection, privacy, and foreign adversarial propaganda. Earlier this month, FBI Director Christopher Wray articulated the concern in his Senate testimony, stating, “The key point is that the parent company is, for all intents and purposes, beholden to the CCP [Chinese Communist Party].”
The U.S. government’s assessment aligns with those of other allied nations. For example, a recent report from the Estonian Foreign Intelligence Service (no stranger to information risk) indicates that “TikTok extensively gathers information about the device and its user, including contacts, calendars, other applications, Wi-Fi connections, and location. Such information can be valuable for intelligence gathering, extortion, and cyberattacks, as it can be used to craft convincing phishing emails tailored to a specific individual or their employer. This is especially concerning when the user’s employer is an institution or company of strategic interest to China.”
With these concerns in mind, the House of Representatives took action last week to manage the risk presented by TikTok. The House passed legislation—based on the work of the China Select Committee—that would prohibit app stores and internet hosting services from supporting TikTok unless ByteDance undergoes a qualified divestment that removes it from “foreign adversary” control. The Senate is now considering whether to debate the legislation and, ultimately, whether to pass a version of it and send it to the President’s desk.
Not surprisingly, given the popularity of TikTok and its near-ubiquitous use among parts of the U.S. population, Congress’ action has caught mainstream attention and generated much debate. Why now? Hasn’t the genie already left the bottle regarding addressing privacy concerns? Is TikTok really any different than other social media? Aren’t there other factors that outweigh the addressing of any perceived, but not fully defined, risks?
These questions are worth answering specifically, and they also present an interesting case study in the nature of risk management.
From my experience and perspective, it seems incontrovertible that TikTok presents a risk to America’s national interest and our citizenry. The risk that a ubiquitous app, with opaque algorithms and legal ties to the Chinese government, could be an arm for foreign-adversary directed propaganda seems fairly clear. So, too, does the risk that the same app, with ties to the CCP—which has been undoubtedly conducting mass espionage and cyber collection of sensitive information on Americans, our businesses, and our government—would be looking for ways to add to its information holdings and collect mass personal private data. Therefore, to argue against the legislation, opponents without explicit financial ties or foreign connections to China are essentially making one of three arguments:
- The risk is overstated.
- The proposal is not an effective (or legally appropriate) way to mitigate the risk.
- The tradeoffs in managing the risk are not worth making.
These arguments are not unique to the TikTok debate; they are common arguments against many changes in homeland security risk management approaches. This includes climate change adaptation, increased border security, cyber regulations, and combating Unmanned Aerial Systems, among others. This means that, in some sense, those who advocate for increased risk mitigation always face a high burden of proof, and there is an inherent bias against action.
This has certainly been true in addressing the risk of TikTok over the last five-plus years. However, the fact that hard questions are being asked about the steps Congress is taking does not mean that the legislation should not pass. Uncertainty cannot be an excuse for inaction.
On the question of whether the risk is overstated, the answer depends on one’s view of the future of U.S.-China relations and the CCP’s stated objective to compete with the U.S. and ultimately remain an adversary in a long-term fight for influence and power. We’ve already crossed that Rubicon, and allowing access to sensitive data about citizens’ preferences and mind-share to an entity operating under the legal regime of China is continually damaging. While I understand the argument at the individual user level about not having particular concerns about personal privacy given that much online is already shared, the aggregate consequence of data from tens of millions of users is a massive knowledge and wealth transfer. Thus, it is appropriate for government action to be taken in America’s national interest.
But is this the right mitigation action? We know that previous efforts to restrict TikTok have largely failed: whether it was the Trump Administration’s 2020 Executive Order, which faced legal challenges, the less than rapid review by the Committee on Foreign Investment in the United States (CFIUS) that hasn’t achieved an obvious effective mitigation, or counting on market forces to win out over user preferences. The advantage of the current legislation is that it unites political parties, adds additional legal protections, and relies on policy actions to close a gap while allowing for market-oriented solutions that achieve the aim. It doesn’t mandate the ultimate fate of TikTok but places restraints on the risk it represents.
Does that come at too high a cost in terms of other things that are important? Government restrictions and policy interventions should always be weighed with values, personal preferences, and economic competitiveness and innovation in mind. In this case, the question of whether restricting access to an application is an unfair check on First Amendment and free expression rights is paramount. Similar arguments seem to arise whenever social media risks are debated. Changing the terms of operations for TikTok does not limit the ability of people to do the things they are doing on TikTok; it merely limits access to the platform in its current ownership structure. This doesn’t limit First Amendment rights any more than other methods of media evolution have done before. Technology and market structure are always changing how we have access to express ourselves and get access to information; in this case, a government nudge in that direction to help protect citizens’ data from a foreign adversary seems like a fair tradeoff. Similarly, opportunities should emerge for alternatives to TikTok to enable small businesses and entrepreneurs to promote themselves and their products.
That leaves the question of whether Congress’ actions will be too late to effectively manage the risk. While I wish we weren’t playing catch up, we don’t have any other choice right now. Competition with China and ideological and economic conflict are not going anywhere anytime soon, and ignoring the risk is doubling down on a failed strategy. The House is right to try to close a gap in the information space, and the Senate would be right to follow suit.
