There are over 100 million TikTok users in the United States, and a good many of those no doubt are associated with the United States government – including service men and women. Since it became popular several years ago the federal government has been concerned if those users’ data is at risk because of the app, its terms of service, and it’s Chinese ownership. So, does the app pose a counterintelligence threat?
Review of applications positing a national security risk
In June 2021, the White House directed the Secretary of Commerce (with the Secretary of Defense, Secretary of Homeland Security, director of Office of Management and Budget and any other entity the Secretary deems appropriate) to provide a recommendation to the Assistant to the President and the National Security Advisor which addresses the “risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
According to a spokesperson within the Department of Commerce, “The department submitted an initial set of recommendations to the administration’s key national security advisers” in mid-October 2021. Meanwhile, a CIFIUS review on TikTok continues.
Information warfighter exercise
A recent Social Media Information Warfighter Exercise, hosted by Safe House Global, worked through a scenario where the Chinese Ministry of State Security ordered the Chinese firm, Bytedance (owner of TikTok), to provide access to the TikTok codebase to allow for a programmatic approach to identify U.S. military members and their families. The scenario continued that using both Open-Source Intelligence (OSINT) and this unique data set, that artificial intelligence (AI) could be implemented to achieve a number of objectives: (1) location of service member; (2) travel patterns; (3) potential for compromise; (4) susceptibility to disinformation; and (5) espionage. Jeffrey Carr, founder of Safe House Global, told the UK’s Express, “the ability to micro-target professions or people of interest is a critical component of any threat management programme. There’s already high-level concern about this technology on young military service members, who are all over TikTok,”
Carr explained to ClearanceJobs that while TikTok has ordered its data storage for U.S. users to be located in the U.S., with backups in Singapore, the source code and updates are crafted in China and pushed to users around the globe. This, he continued, formed the basis for the scenario. The exercise concluded with the realization that TikTok could not say no to the MSS; may attempt to ameliorate the situation with an adjustment to their terms of service; and espionage is here to stay.
OSINT and TikTok
Carr’s observation on the ubiquitous nature of TikTok within global military community was easily verified. A search of the hashtag #MilitaryTikTok reveals the hashtag has received 26 billion views. The hashtag #armyrecruiter has been viewed 30.1 million times. A peek at both hashtags provides exactly what the scenario projected – readily available information on individual users to add to the substantial targeting dossier which China has been building for a good number of years.
For the skeptics among us, we can start the collation of data by China with the infamous OPM data breach of 2015, add to that the Tricare and Equifax data breaches, and then top it off with the Ashley Madison breach for a bit of salacious content. The use of LinkedIn, Facebook and TikTok provides a stream of data to round out the image of the potential target. The leveraging of the Chinese owned app by China in its current state, even without the scenario’s “insertion of code,” is not a heavy lift. The urge to post “TMI” (too much information) is strong and available for exploit.
U.S. Army recruiters, sidestepping the ban
A recent piece in Defense One details how U.S. Army recruiters are leveraging TikTok by sidestepping the prohibition of having the app on government devices and placing the app on personal devices. In the piece, Maj. Gen. Kevin Vereen, who leads the Army Recruiting Command is quoted, “They’re on TikTok, and they’re doing other things with Twitter.” He continued, “We’ve got to learn them. We’ve got to understand. We do know that most of Generation Z lives in the virtual space, they live online, they live with social media. And so we have to be savvy with how we evolve in our recruiting operations.”
An Army recruiter has a personal TikTok with over 500,000 followers, and is leveraging TikTok with videos targeting recruits. The recruiter’s TikTok efforts were so successful he was asked to join the team building the “next generation of social-media-recruiting strategies.”
OSINT is here to stay
What’s not going to change is every potential adversary to the United States is scraping the OSINT off the internet. The September 2020 splaying of China’s OSINT efforts in the SSRN study “Chinese Open Source Data Collection, Big Data, And Private Enterprise Work For State Intelligence and Security: The Case of Shenzhen Zhenhua” identified the existence of the Overseas Key Information Database (OKIDB). That effort in support of the Chinese military and intelligence arms should be sufficient to convince any skeptic of China’s intentions in their data collection efforts.
Hopefully U.S. Army strategies infuse a healthy dosage of counterintelligence OSINT reality and acknowledge every TikTok engagement leaves breadcrumbs for adversaries to collect, collate and put away for potential future exploitation.