Features 09.05.2024

Cybersecurity’s Top Three Concerns According to TikTok and Deutsche Telekom

Top security leaders share their three biggest cybersecurity concerns

As the cybersecurity landscape continues to evolve, the TikTok head of security and Deutsche Telekom CSO share the three things keeping them awake at night. Eugene Yiga reports.

According to data from Statista, the FBI, and the IMF, the global cost of online criminal activity is expected to reach £18.88 trillion ($23.84 trillion) by 2027, up from £6.68 trillion ($8.44 trillion) in 2022. With this much money on the table, it’s no wonder cybersecurity leaders have more to worry about than ever before.

“Analysing incidents globally, 95% of their root causes can be traced back to missing software updates for known vulnerabilities,” says Thomas Tschersich, chief security officer at Deutsche Telekom AG. “Additionally, software is becoming more complex than ever, often cobbled together without reliable code development, making maintenance difficult.”

Kim Albarella is the head of security at TikTok. For her, the global scale of TikTok makes cyber risk an even more significant challenge. “With over one billion users, we face all the traditional security risks,” Albarella says. “Additionally, we’re protecting a platform that operates in nearly every country. What keeps me up at night is figuring out the next challenge we’ll face. Every day brings something new, with constant updates in technologies and innovations. I constantly think about how these advancements can help us, our users, and ensure TikTok remains a happy place.”

A(I) double-edged sword

The rise of generative artificial intelligence presents both a problem and an opportunity in the world of cybersecurity. While most of the world buys into the hype for a technology that isn’t truly intelligent (yet), Tschersich is more focused on a major concern: for the first time, we can no longer trust our ears and eyes.

“This raises questions about how we address the integrity of communication end-to-end,” he says. “It also poses significant questions for us as a society and challenges us as security professionals. The need for digital identities and content assurance is more critical than ever, and it’s something that will keep us busy.”

Despite these challenges, Tschersich also recognises the immense benefits AI can bring. “In Germany, and I believe it’s similar in France, we’re confronting a significant demographic challenge,” he says. “Over the next few years, we’ll lose approximately 20% of our labour force to retirement. Without technologies like AI, we won’t be able to maintain our businesses at their current levels. We’re relying on these technologies and the automation they bring. There are many benefits, but as always, there’s also a darker side.”

TikTok’s algorithmic manipulation

Albarella also recognises the dual nature of AI tools at TikTok. While the platform’s algorithms and promoted content can foster creativity and provide entertainment, they also present significant security challenges. Indeed, the same technologies that empower creators to produce engaging and often addictive content also offer avenues for malicious actors to enhance their tactics in a more sophisticated and threatening way. So, while the app is committed to supporting its creative community, it must also grapple with the security implications of these tools, especially as they enable adversaries to become “better, faster, smarter, and stronger”.

“The threats remain the same, but now there’s a much lower barrier to entry, allowing these actors to adopt more advanced tactics more easily,” she says. “Regarding security, budgets, and resources, there’s currently a talent shortage in our field. By leveraging AI for threat detection and other areas, we can automate more processes and allocate our skilled professionals to tasks AI cannot handle today. I see this as a forward-looking opportunity for business management.”

“While TikTok is committed to supporting its creative community, it must also grapple with the security implications of these tools” Kim Albarella

While TikTok’s quarterly transparency report details efforts to ensure platform safety, these measures might not fully address deeper concerns. One argument comes from algorithm audit expert Marc Faddoul, who highlights TikTok’s challenges with transparency by pointing out instances of the platform allegedly spying on US journalists and the existence of hidden state media accounts aimed at influencing US elections. Concerns also extend to TikTok’s algorithmic manipulation, which, according to Faddoul’s research, has tailored content to maximise partisan engagement in specific national contexts and censored international news in certain countries. These actions raise questions about TikTok’s role in global geopolitical interests and its influence on public perception, particularly in times of conflict.

“I believe transparency is crucial when dealing with incidents,” Tschersich says. “Attempting to hide something that happened within the organisation only makes matters worse. It leads to journalists and others seeking to uncover the truth. In my experience, the best way to handle these [cyber incidents] is through transparency. This holds true for the use of technologies as well. If people fear these technologies, being transparent is the only way to alleviate their concerns. That’s why we have a policy to tell our customers whether they’re interacting with a chatbot or a human being. We need to explain what’s happening and what will happen, and give them a choice.”

Convergence

The blurring of lines between cyber and physical security risk has intensified in recent times.

“This practice was evident in Ukraine when Russia initiated its invasion with extensive cyber campaigns, employing what could be termed as outsourcing to organised crime groups for targeted attacks in Western countries,” Tschersich says. “This strategy has extended to manipulating elections globally, presenting a growing challenge.”

At the recent Munich Security Conference, a significant topic of discussion was the potential exacerbation of these attacks with the integration of AI, contrasting sharply with the mission of making the world a safer place. For Tschersich, the current trajectory suggests a concerning future, compounded by issues like supply chain disruption.

“Telecommunications is a global industry,” he says. “However, these conflicts lead to more localisation, fragmenting the international community we’ve built over the last decades during times of peace. Building resilient infrastructures and maintaining a resilient supply chain has become much more complex, requiring consideration of numerous political factors. This, alongside other challenges we’ve discussed, will continue to demand our attention.”

The people problem

Indeed, despite the transparency efforts, the debate over TikTok’s impact on national security and democratic societies highlights the need for a more nuanced understanding of the platform’s global influence and the effectiveness of its safety measures. For Albarella, working in a rapidly evolving space involves blending partnerships with leading technology providers to safeguard the platform, infrastructure, and users. This approach underscores the belief that security is a collective effort that no single entity can manage alone.

“We’ve faced hiring and skills challenges in specific regions, more so than in the United States than in other areas,” she says. “However, I’ve witnessed a positive shift over the last decade. It used to be difficult to find engineers or individuals with degrees in cybersecurity, but that has changed significantly. Thanks to numerous programmes and not-for-profit organisations, we’ve seen improvements in skills and diversity. The inclusion of women, people of colour, and individuals from various backgrounds has noticeably increased. While we still have a long way to go, the progress in both skills and diversity is commendable.”

Tschersich also believes there’s a significant need to invest in training and educating young people. He points out that traditional education systems, including universities, are insufficient. This is particularly true in his home market of Germany, where 80% of the country’s GDP comes from small and medium-sized enterprises (SMEs) that typically hire directly from schools and provide on-the-job training rather than recruiting university graduates. This means a clear gap in cybersecurity skills development at the foundational level.

“We need to boost security skills,” he says. “We need to help kids in school be educated on cyber skills to benefit SMEs. I agree that diversity is still a challenge, especially in attracting women to work in cybersecurity and increasing their interest in the field. It’s an issue we need to solve.”

Ultimately, Tschersich views the evolution of the cybersecurity field positively, noting that what once seemed like an end-of-career move has transformed into an attractive pathway for young talent. This shift has seen cybersecurity go from an excuse for operational failures to a critical business factor and differentiator, enhancing company trustworthiness. He emphasises the importance of this progress, preferring to focus on the positives rather than the challenges.

“I think it boils down to understanding what impacts your organisation the most,” Albarella says. “Amidst all the noise and threats, many of which are real and significant, it’s important to discern how they will affect your organisation, region, and the products or services you offer. It’s impossible to mitigate every risk daily. Identifying and focusing on the most critical risks is essential, allowing you to remain focused rather than constantly reacting to new threats.”
