Press play to listen to this article
Chinese companies aim to hoover up massive troves of data on other countries to train AI applications and gain a technological edge over Western rivals, warned Ciaran Martin, the U.K.’s departing chief of cybersecurity.
While apps like TikTok may not represent an imminent security threat, Martin said their ability to gather huge amounts of user data could help China develop a “competitive advantage” in artificial intelligence and “large-scale surveillance” capacities that do represent a risk for Western democracies.
“It’s about more than just TikTok … Western countries need to think hard about their future models for data protection, which Europe has done,” Martin said in an interview with POLITICO, as he moves into a new role in the private sector after 6.5 years at the head of Britain’s National Cyber Security Centre, one of the world’s best-resourced cybersecurity operations.
“We need to be mindful of risks of access to population data that the likes of China will seek to acquire and what they’ll do with it,” Martin said, referring to demographic information on the habits and identities of entire populations.
TikTok, a hyper-popular video-sharing app, has been branded a security threat by the U.S. government and forced to sell its U.S. operations to Oracle, an American tech company. But that move, pushed by President Donald Trump, has prompted a backlash, with China hawks in the Republican party saying the deal falls short of protecting U.S. security because it would leave TikTok’s parent company, ByteDance, in control of the app’s algorithm.
“If people think that by banning Huawei, networks have been made safe — that’s not true. Much more is needed to secure 5G networks” — Ciaran Martin, U.K.’s departing chief of cybersecurity
On Friday, the U.S. Department of Commerce said it would ban people in the United States from downloading the app from Sunday.
Martin stopped short of calling TikTok a security threat. But he said that “anything to do with social media and data poses a set of challenges where people should exercise great care” and that the risk “goes beyond just TikTok.”
“There is a risk that companies with a legal basis in China are required to give data to the government,” added Martin, who announced Friday he would be joining the advisory board of Paladin Capital Group, a venture capital company specialized in cyber companies.
TikTok has so far had a much easier ride in Europe, where it recently passed the 100 million user mark, than in the United States.
The firm has sought to allay concerns about data transfers to China by announcing the construction of a data center in Ireland. And while a task force of European data regulators is examining the company’s practices for privacy risks, it faces no imminent clampdown on security grounds.
Europe’s real problem
At the helm of the U.K.’s cybersecurity operations since 2013, Martin helped Prime Minister Boris Johnson navigate a searing U.S. pressure campaign to ban Chinese 5G equipment vendor Huawei from European networks — which resulted in the U.K. deciding to phase out the firm’s kit completely over the next seven years.
But Martin was quick to underscore that a ban on Huawei did not solve the West’s technological rivalry with China, or even ensure security for future 5G networks.
“Chinese strategic competition is about much more than Huawei,” he said. “If people think that by banning Huawei, networks have been made safe — that’s not true. Much more is needed to secure 5G networks.”
In the face of growing concerns about Huawei, politicians and telecom companies have touted the promise of Open Radio Access Network (O-RAN) — a system that would allow multiple vendors to build different parts of the 5G network, rather than just one building the whole thing.
But Martin said O-RAN was no quick fix for the dominance of a few players in 5G or reliance on foreign tech companies in general.
Instead, Western powers including the U.K. needed to make a concerted push to develop their own telecom and cybersecurity suppliers and ensure secure supply chains. “Full decoupling [from China] is not really possible,” he said. “We need to look into resilient supply chains so that we’ll be able to buy high-quality equipment from a greater number of suppliers than in the past.”
Looking back over tenure as the U.K.’s chief cyber guardian, Martin said that, on the whole, the risk posed by cyberattacks, crime and espionage are better understood now than when he started.
“We have been dramatizing catastrophic risk,” he said. “What we know now is that it’s [cyber activity] a chronic problem” that comes with “huge economic costs,” rather than wholesale risk to life and limb.
“That’s not to say it’s not a serious risk — it’s a risk to well-being and wealth,” he said.
Overall, he said a greater danger for European countries was one of technological irrelevance.
“There is remarkably little indigenous tech in Europe. Europe does need more tech self-sufficiency. We don’t get that by writing strategies. We get that by companies growing up and solving problems,” he said, adding that he was joining Paladin due to its interest in investing in European tech firms.
As a parting shot, he had this to say about Europeans who remain focused on digital surveillance by the U.S. and other Western countries: “Seven years on from Snowden, the idea that Western intelligence services are a primary malevolent force on the internet is in my view objectively ridiculous.”
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection. From the emerging threats of a volatile digital world to the legislation being shaped to protect business and citizens, across sectors. For a complimentary trial email email@example.com and mention Cyber.