The free exchange of information across national borders is perceived as an unqualified good. But there are also cyberattacks, election manipulation campaigns and disinformation that pose threats, discusses Chris Olson, CEO of The Media Trust, taking a closer look at the national security threat of digital open borders.
We are in the early days of reckoning with the open nature of the Web. We tend to believe that the free exchange of information across national borders is an unqualified good. But as it turns out, news and information are not the only things that cross between nations: there are also cyberattacks, election manipulation campaigns and even life-threatening disinformation during a public health crisis.
These are all obvious challenges to national security. We hear about them on the news and discuss them at length. But less obvious threats arise from our digital open borders that aren’t being addressed in the public conversation. Because we have no restrictions on who can collect data from American citizens or execute it on their devices, we are being targeted in ways that we aren’t even aware of – and that puts all of us at risk.
Data Control and Porous Censorship
Last month, the Chinese government took an ownership stake in a subsidiary of ByteDance, the parent company of the popular Chinese social media app TikTok. This year, the video-sharing app narrowly avoided sanctions in the U.S based on a widely believed allegation that it collects sensitive information on its users who are minors. It has been sued in the U.K and banned in other countries for the same reason.
According to onlookers, the government’s new ownership stake has nothing to do with the TikTok app but Douyin, a similar app that operates in China. But that has not convinced everyone. China is said to engage in “porous†censorshipOpens a new window , which allows some Chinese users to escape the “Great Firewall†but successfully barricades most users through fear and intimidation.
This technique requires one thing above all else: access to data. By gaining more control over ByteDance, the government will have more access to its citizens’ data – and many are concerned it will also have more access to American data.
Unrestricted Data Collection
This recent development is not concerning simply because it threatens an individual’s right to privacy: there is a national security dimension. When a user’s data crosses national borders into the hands of a foreign power, it can be used to support future cyberattacks, election interference campaigns and even human rights abuses.
And we are mistaken if we think this issue is confined to foreign-owned websites and applications. In fact, 90% of the dataOpens a new window that moves across the Internet is collected by digital third parties that are ubiquitous across the devices we use daily. “Made in America†is no guarantee because most apps depend on foreign-owned code that sneaks past the radar of regulators, content moderators and Internet filters.
Third-Party Code: More Dangerous Than Email
Most people know that email can be used to launch “spear-phishing†attacks that lead to devastating data breaches on the scale of SolarWinds or Colonial Pipeline. But fewer people realize that our entire digital ecosystem works like email does: every smartphone – every web page, app and social media site – can deliver targeted content to users with the help of third, fourth and fifth parties whose activity is rarely monitored.
But unlike email, third-party code does not require any interaction from a user to be dangerous. It can sit quietly in the background of a trusted application without the developer’s knowledge, slowly siphoning information about the user’s habits and activities to further partners. Today, a moderately skilled attacker can use third-party code in many ways:
- Discretely organize devices into a botnet for executing DDoS attacks
- Create a dossier of sensitive information about Americans in positions of power
- Target specific organizations (including public utilities) as an entry point for further data collection and attacks
- Send users to malicious links for the purposes of phishing, data collection or a malware payload
While all of these capabilities have actually been observed in the wild, they barely scratch the surface of what’s possible. It does not take a vivid imagination to think of ways organized criminal groups or oppressive governments could further leverage our unprotected digital infrastructure.
See More: NFTs: Functional Innovation or Cyber Weapons of Mass Destruction?Opens a new window
The Need for Control
Today there are few proponents of a web without any laws, rules or restrictions. Most people see the value in emerging legislation like GDPR or CCPA. Many would gladly support actions to further limit the way external entities can use their access to consumers.
But there is a certain absurdity in pretending to care about national security, data privacy or consumer rights while ignoring the risk of third-party code. If the TSA allowed 90% of suitcases through the airport without checking them, we would recognize that there is no real threat from suitcases. Likewise, if we aren’t going to regulate third-party code, then we might as well not regulate anything.
But as we have seen, there is a threat. To put things in perspective, it is objectively more risky for the president of the United States to use an American-owned social media site with third parties than to use a Chinese-based social media site without them. This state of affairs cannot continue forever.
Fixing Our Open Borders
Right now, no digital legislation has addressed the problem of third parties in a meaningful way. Legislation that even bothers to mention them – like the CCPA – does not impose any method of enforcement on their activities, nor does it address fourth, fifth or Nth parties that pose the same risks. In the meantime, private organizations are largely unaware of the problem and unequipped to handle it.Â
In short, we are long overdue for a conversation between legislators, law enforcement officers and business leaders about the problem of nth parties in the digital ecosystem. Until we do, our digital borders are broken because we have none – and we shouldn’t wait for a SolarWinds level attack before deciding to change that.
Are you worried about the openness of our digital borders? Let’s discuss on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . It’s always good to share!