NJ announces TikTok ban on government-issued devices (updated)

By: Matthew Fazelpoor
January 9, 2023 5:32 pm

Gov. Phil Murphy announced a new directive Jan. 9 prohibiting the use of high-risk software and services, including TikTok, on state-issued or managed devices.

The move, being coordinated in collaboration between the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) and the Office of Information Technology (OIT), follows a trend of similar bans and concerns across governments, agencies and corporations about the safety of TikTok and other risky apps.

A provision banning TikTok from federal government phones was included in the recently signed spending bill. Concerns with the video hosting app center around user data and the ties between its owner, Chinese technology company ByteDance, and the Chinese Communist Party.

Under the directive, all executive branch departments, agencies, commissions, boards and bodies must:

Remove any referenced software products from state-owned, provided, or managed systems and devices
Implement network-based restrictions to prevent the use of, or access to, prohibited software or services
Implement measures to prevent the installation of referenced high-risk software products on state-owned or managed technology assets
Develop and implement plans to include risks associated with referenced high-risk software products and supply chain security into cybersecurity awareness and training programs

Any agency seeking an exception for public health, safety, welfare or state-business reasons can submit a request with the NJCCIC.

In a statement, Murphy said that bolstering cybersecurity is critical to protecting the overall safety and welfare of our state.

“The proactive and preventative measures that we are implementing today will ensure the confidentiality, integrity, and safety of information assets managed by New Jersey State government,” said Murphy. “This decisive action will ensure the cybersecurity of the state is unified against actors who may seek to divide us.”

“New Jersey’s policy to remove certain software form state-owned or managed devices, inclusive of TikTok, deemed as high risk of potential data loss or privacy issues is part of our statewide cyber risk management program,” said New Jersey Chief Technology Officer Christopher Rein. “This follows in line with a number of actions by government and private sector enterprises, and is consistent with some of the risk reduction steps taken at the federal and state levels. The New Jersey Office of Information Technology will work diligently alongside NJCCIC to maintain cybersecurity across state government.”

In December, the 10th District Republican team of Sen. Jim Holzapfel and Assemblymen Greg McGuckin and John Catalano announced plans for legislation, which they plan to introduce on Jan. 10, that would prohibit the installation and use of TikTok on all state-issued electronic devices, across all branches of state government.

“There’s growing concern that all of the data TikTok collects on its users is being funneled directly to the Chinese government to use against us in one way or another,” said Holzapfel in a December statement. “When it comes to state-issued devices, we must be careful to not expose sensitive information through TikTok that may be on the phones of policymakers or government workers.”

“People might not realize how much information is being shared through TikTok, including their contacts, calendars, location data, viewing habits and more,” said McGuckin. “That’s a lot of sensitive information to give a potential adversary, which is why federal officials are raising national security concerns that we would be wise to heed here in New Jersey.”

Catalano added, “Data collection is just one of the many threats posed by TikTok. Perhaps the biggest threat is the use of the app’s algorithm to control what people see and to influence what they think. It’s a dangerous tool the Chinese government can use to conduct information warfare and undermine democracy and American society. We need to take steps to limit the damage that can be done to New Jerseyans.”

According to a press release from Murphy’s office, NJCCIC and OIT will maintain a list of vendors, products and services that present an “unacceptable level of cybersecurity risk to the state.” That will list will be continually monitored and updated.

As of Monday’s announcement, that list includes: Bytedance, including TikTok; Huawei Technologies; Zhejiang Dahua Technology, also doing business as Dahua; Hangzhou Hikvision Digital Technology, also dba Hikvision; Tencent Holdings, including WeChat, QQ, QQ Wallet; Alibaba products, including Alipay, Alibaba.com Mobile App; Hytera; ZTE Corp.; and Kaspersky Lab.

Laurie Doran, New Jersey Office of Homeland Security and Preparedness director, said as the threat landscape continues to evolve, so does her office — stressing that as the state’s lead agency for homeland security matters, they are in the business of keeping people in this state safe.

“We develop new strategies and improve our capabilities to mitigate threats at all levels,” said Doran. “With growing popularity of TikTok, which is known to have privacy and security vulnerabilities and presents national security concerns, it’s critical that we implement measures to prohibit and shield against the unwanted access of our data.”

“This action reaffirms the state’s commitment to be a trusted steward of the public’s information and a dependable provider of critical government services,” said New Jersey Cybersecurity and Communications Integration Cell Director Michael Geraghty. “Through our ongoing efforts, NJCCIC will continue to monitor for cybersecurity threats and implement best practices and controls to mitigate risks of any emerging threats.”

Editor’s note: This story was updated at 7:40 a.m. ET Jan. 10 to include statements from Sen. Jim Holzapfel and Assemblymen Greg McGuckin and John Catalano.