Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

March 24, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • πŸ› ICYMI: Sen. Mark Kelly (D-Ariz.), Rep. Mike Gallagher (R-Wis.), and White House Office of Science and Technology Policy director Arati Prabhakar will join the mainstage speaker lineup for Axios’ second annual What’s Next Summit this Wednesday in Washington, D.C.! Watch LIVE here.
  • πŸ“¬ Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,418 words, a 5.5-minute read.

1 big thing: Missing the target on TikTok

Illustration of the Chinese flag with the stars rendered in TikTok's logo style.

Illustration: Aïda Amer/Axios

TikTok's biggest problem isn't its data security programs; it's the race between the U.S. and China to become the world's dominant cyber superpower.

Driving the news: TikTok CEO Shou Zi Chew's testimony before the House Energy and Commerce Committee Thursday did little to sway lawmakers who argue that the Chinese government could harness millions of Americans' TikTok data.

  • But lawmakers also struggled to articulate their main concern behind targeting TikTok: China’s espionage capabilities have become sophisticated and harder to detect in recent years.

The big picture: Chilling relations between the U.S. government and Beijing have only made lawmakers more wary of the capabilities China-backed hacking teams are brewing — and what classified U.S. data they're collecting.

  • The 2014 hacks of the Office of Personnel Management, which several firms linked to China, opened up the U.S. cyber community's eyes, Bryan Cunningham, former adviser to the White House National Security Council, told Axios.
  • Since then, Chinese state-sponsored hackers have launched hundreds of wide-scale espionage campaigns in the U.S. to collect corporate secrets, sensitive communications and much more.
  • The Chinese military under President Xi Jinping has also prioritized online influence campaigns that spread pro-China narratives, Kenton Thibaut, a resident China fellow at the Atlantic Council, told Axios.
  • "In the past few years, China saw this real need to respond to what it saw as Western attacks on it, so it wanted to gain control of the narrative," she said.

Between the lines: TikTok's quick rise in the U.S. and its murky connections to its China-based parent company, ByteDance, have made it the perfect symbol for the ongoing cyber detente between the two countries.

  • "Unfortunately for TikTok, they're the 'Chinese spy balloon' of March," Cunningham said.
  • A senior Defense Department official told reporters Thursday that TikTok's vast scale is what makes it a concern compared to other China-linked apps operating in the U.S.

The intrigue: All countries conduct espionage campaigns against one another.

  • However, the intelligence community's annual worldwide threats report named China "the broadest, most active and persistent cyber espionage threat" to the U.S. government and private sector.
  • China-sponsored espionage campaigns have also started attacking internet-facing security tools to evade most cyber monitoring programs, making them harder to detect, researchers at Google-owned Mandiant warned last week.
  • The senior defense official also said that the Chinese government already "dwarfs everybody" in the sheer number and quality of people they have dedicated to hacking and espionage efforts.

Zoom out: China has started to embrace its role as a global superpower by acting as a mediator in conflicts involving its own allies, the Wall Street Journal reported this week.

Yes, but: Hyperfocusing on a TikTok ban is an imperfect solution that's likely to get stuck in the courts and spur First Amendment concerns.

  • Many of the data collection and surveillance concerns lawmakers have with TikTok aren't unique to the China-linked social media platform: Meta, Twitter and YouTube have all come under fire for similar issues, and often share user data with U.S. law enforcement.

2. Hackers break into Tesla Model 3s

Illustration of a Tesla steering wheel covered in caution tape

Illustration: Aïda Amer/Axios

Researchers at French cybersecurity firm Synacktiv are walking away with $350,000 and a new Tesla after hacking into a Tesla Model 3's energy management and infotainment system during a hackathon this week.

Driving the news: During this week's Pwn2Own hacking competition in Vancouver, Canada, hosted by Trend Micro's Zero Day Initiative, security teams have broken into Teslas, Microsoft's Windows 11 and Apple's macOS.

The big picture: The Zero Day Initiative works with vendors like Tesla to create a series of hacking challenges for participants to try to overcome.

  • The challenges vary in difficulty: For the Tesla challenge, the easiest task involved exploiting the car's Bluetooth/Wi-Fi systems and the hardest would have resulted in a takeover of the Tesla's autopilot feature.

Details: Synacktiv's research team was able to exploit two vulnerabilities in the Tesla Model 3 — one in the Gateway energy management system and the other in the infotainment center — to gain just enough access to the car's controls that driving would be unsafe.

  • In the campaign targeting the Gateway, Synacktiv's team was able to open the front of the car, as well as the doors, while the vehicle was in motion.
  • To target the infotainment center, the team exploited a flaw in the Bluetooth chipset to gain what's known as "root access," which typically means intruders have the ability to download apps and other device-specific controls.
  • The competition wasn't conducted on the actual vehicle itself over fears that it could impact other nearby Teslas or result in hackers being able to move the vehicle through the conference center, Dustin Childs, head of threat awareness at the Zero Day Initiative, told Axios.

The intrigue: Tesla, which is a sponsor of the Pwn2Own competition, was on-site to learn about the security flaws hackers found so they could start working on patches.

What's next: Tesla is expected to issue a patch to fix the bug hackers found within the next three months, although Childs said the automaker has historically released patches from previous Pwn2Own competitions earlier than that.

3. Human error is threatening Okta passwords

Illustration of an opened briefcase revealing glowing asterisks inside

Illustration: Annelise Capossela/Axios

A simple error where Okta users are incorrectly typing their passwords into the username field during login could be leaving them exposed to future attacks.

Driving the news: Researchers at cloud security firm Mitiga found in a report Thursday that identity management company Okta records the information shared during failed login attempts in easily accessible plain text.

  • Okta provides password management and employee access tools across corporate networks for more than 14,000 global customers. Researchers found that the design of Okta's login screen is confusing, making it likely some users will type their password into the username field.
  • The information in those failed login attempts is then stored in audit logs that track user behavior on a network and could be shared with Okta customers' third-party security vendors.
  • "This knowledge can then allow adversaries to compromise Okta user accounts and access any resources or applications that they may have access to, effectively expanding the blast radius of the attack," the report said.

Why it matters: Passwords are already a huge target for malicious hackers looking to gain access to sensitive online data.

  • Identity management tools like Okta are often seen as a line of defense to make obtaining those passwords more difficult.

Yes, but: It would take someone gaining access to internal activity logs and combing through them to find passwords entered in the username field for this flaw to lead to an attack.

The other side: Okta told Mitiga that saving passwords in plain text is "expected behavior when users mistakenly enter their password in the username field," according to the report.

  • "These logs are only accessible to Okta administrators, who are the most privileged users in Okta and should be trusted not to engage in malicious activities," the company added.
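As an added defender-side illustration of the failure mode Mitiga describes (this is example code, not code from Okta, Mitiga or the article), the Python below scans constructed log records shaped like Okta System Log events, flags failed logins whose username field looks like a typed-in password, and redacts that value before the log is forwarded anywhere; the field names and the heuristic thresholds are assumptions of this example.

```python
import math
import re
from copy import deepcopy

# Constructed sample events shaped like Okta System Log records; the field
# names (eventType, outcome.result, actor.alternateId) are assumed here, not
# documented by the article. Event 2 is a user who typed a password into the
# username box; event 3 is an ordinary typo in the username.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "jane.doe@example.com"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "Tr0ub4dor&3!xyz"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "jane.doe@exmaple.com"}},
]

# Characters a legitimate username or e-mail login is allowed to contain.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*(@[a-z0-9.-]+\.[a-z]{2,})?$", re.I)

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def looks_like_secret(value):
    """Heuristic: flag a 'username' that carries password-style symbols, or that
    is not an e-mail yet mixes three character classes with high entropy."""
    if not value:
        return False
    if not USERNAME_RE.match(value):
        return True
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d"))
    return "@" not in value and classes >= 3 and shannon_entropy(value) >= 3.0

def scan_events(events):
    """Return (findings, sanitized): findings lists failed logins whose username
    field looks like a credential; sanitized is a redacted copy safe to forward."""
    findings, sanitized = [], deepcopy(events)
    for i, ev in enumerate(sanitized):
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        actor = ev.get("actor", {})
        if looks_like_secret(actor.get("alternateId", "")):
            findings.append({"index": i, "eventType": ev.get("eventType")})
            actor["alternateId"] = "[REDACTED]"
    return findings, sanitized

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS)[0])
```

The heuristic is deliberately conservative and should be tuned against an organization's own username conventions before it gates anything in a log pipeline.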

4. Catch up quick

@ D.C.

👀 TikTok's CEO is seen as a hero in China after Thursday's U.S. congressional hearing. (Washington Post)

πŸ› The House Intelligence Committee tapped six members to lead the debate on renewing Section 702 of the Foreign Intelligence Surveillance Act this year. (The Hill)

☁️ The Federal Trade Commission is seeking comments on how the cloud computing industry's practices impact data security. (FTC)

@ Industry

🤖 OpenAI launched new plugins for ChatGPT, allowing it to access new third-party sources and databases across the web. (TechCrunch)

🐦 Twitter says it will start unwinding the "legacy" blue checkmark verification program on April 1 — or April Fool's Day. (The Verge)

@ Hackers and hacks

🫠 More victims keep coming forward in a mass ransomware attack targeting a flaw in Fortra's GoAnywhere file transfer tool. (TechCrunch)

👾 The Oakland city government denies it was hit with a second ransomware attack, despite one gang's claims. (The Record)

5. 1 fun thing

Illustration of three cellphones, each with a "like" icon, in a shopping cart.

Illustration: Victoria Ellis/Axios

Ever since I learned this week that Paris Hilton has five phones — including one just for prank calls — I haven't been able to stop thinking about it.

  • "I have one phone for friends, one phone for Europe, one for business, one because I'm shy when people ask for my number and I don't want to give it, I'll give that one — and then one for prank calling," she told the Mirror.
  • Is Paris Hilton the organized security queen we've always needed? I'd say yes.

β˜€οΈ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.