The Australian Defence Department has banned staff and serving personnel ^[1] from downloading the Chinese social media and messaging app WeChat onto their work phones. ASPI’s International Cyber Policy Centre staff sat down today to discuss the development. Eds.

Are you surprised by this development?

Fergus Ryan: Frankly, I’m surprised the ban didn’t come sooner. While I can see why DFAT officials might want to use the app, I don’t see why Defence officials would need to. Given what we know about how closely WeChat works with the Chinese government, it seems prudent to ban it.

Danielle Cave: No, this isn’t surprising. Let’s keep in mind how limited this ban is: according to Australian media reports, they’ve banned staff from downloading and using WeChat on their work phones only. This ban goes nowhere near as far as India’s, for example, where the media has reported that the Indian government has requested that their defence personnel remove more than 42 Chinese apps ^[2] from both their work and personal phones ^[3]. It’ll be interesting to see if other departments, particularly DFAT, follow Defence’s lead.

Tom Uren: The default position is that work phones are provided with a limited range of apps. Essentially all apps are banned unless there’s a requirement to have them and they pass a security assessment.

What’s behind the ban? What’s Defence likely concerned about? Have they made the right call?

Tom: Both personnel and information security are the issues here. Many mobile messaging apps can access both the sensors and a large amount of information from a smartphone, including possibly the camera and microphone, contacts, photos, location and GPS info, Wifi networks accessed, etc. Some messaging apps are written so poorly that messages aren’t encrypted. This presents the risk that eavesdroppers may be able to snoop on Defence personnel. Poorly written apps could also provide another vector for hackers to attack and compromise a phone. In general, more apps mean more opportunities for hackers, so the default department position would be to restrict the number of apps installed.

Additionally, even entirely secure apps can collect large amounts of data. Defence may be concerned that data collected by WeChat may be made available to the Chinese government. Governments typically have mechanisms to access data from companies but we’re pretty comfortable with Western systems where warrants from independent judiciaries are required. I’ve written previously about the Chinese appetite for data ^[4] and we are probably less comfortable with the independence of Chinese lawful access mechanisms.

Danielle: Defence has made the right call and I suspect others will follow, both in Australia and around the world. The Chinese government is increasingly investing in surveillance and censorship, and we know that messages within WeChat are monitored and censored. China’s new cybersecurity law requires all companies to store relevant data and WeChat’s own privacy policy is very broad. Amnesty International ranked the privacy and encryption of WeChat’s parent company Tencent very poorly, and Tencent also scored very poorly (20/100) in the New America think tank’s 2017 ranking of digital rights and corporate accountability ^[5]. It’s not surprising that WeChat didn’t pass a security assessment.

Fergus: China’s new cybersecurity law ^[6] requires all internet companies to store internet logs and relevant data for at least six months to assist law enforcement. WeChat’s own privacy policy notes ^[7] that it may need to ‘retain, disclose and use’ user information in response to government requests. There’s also plenty of anecdotal evidence ^[8] to suggest that Chinese authorities are using access to WeChat data to persecute dissidents and activists.

Regulators have been ramping up pressure on companies ^[9] like Tencent and Sina Weibo to do more to control and suppress content it deems undesirable. Threats of significant fines are already prompting those companies to divert more resources towards that effort.

Does this ban show that Australia considers China a threat?

Tom: No. Other coverage in the media shows that Australia considers China a threat. :)

Fergus: Not necessarily. I think the recent Strava app case in which its heat map revealed details of military bases around the globe was probably a wake-up call for many officials working in sensitive areas, prompting them to take a fresh look at tightening up the use of all apps, regardless of where they’re from. Having said that, it’s important to note that this latest decision has been made in the context of growing concerns about Chinese espionage activities and worries that the use of Chinese technology—such as using Huawei to build a 5G network—may create security vulnerabilities for Australia in the future.

Danielle: No, I think it shows that the Australian Department of Defence is taking cybersecurity seriously. To flip the situation, the Chinese government is incredibly strict about what social messaging apps they allow their population use, let alone their defence personnel! Most are banned anyway, but I highly doubt that officers in the PLA would be allowed to download non-Chinese–made social apps on their official work phones.

How is the Chinese media reacting? How are people responding to the story on Chinese social media platforms?

Fergus: The Global Times published a pick-up of the story ^[10] less than 24 hours after the Australian Financial Review broke the story. The summary leaves out much of the context around the Defence Department’s decision. It does, however, make clear that the ban happened in the context of growing concerns over Chinese espionage activities and a growing national security backlash against Chinese foreign investment.

This story has been shared on the Global Times ^[11] official Weibo account ^[11]. Although comments are likely not representative–they must be approved by editors and at the time of writing only seven comments of 202 were visible–the most popular highlight the hypocrisy of Australia, which is part of the Five Eyes intelligence alliance. Other comments frame the decision as a gross overreaction to a non-issue.

Should this ban apply to all Australian officials posted to China?

Fergus: WeChat is so pervasive in China that not being on it isn’t really an option if you want to take part in society. For diplomats, it’s an extremely useful tool for making and maintaining connections and for organising events. Officials would need to take into account the benefit they could get out of the app when weighing up whether to use it or not.

Danielle: No, it would be difficult to do your job in China—whether you are a Defence attache, a diplomat or an Austrade official—without WeChat. China isn’t unusual in that sense: messaging app KakaoTalk is vital in South Korea, as is LINE in Japan and Taiwan. For a lot of Asia, messaging apps replaced email long ago. What will be important now is that there are very clear and enforceable guidelines about what apps are and aren’t appropriate to use on a work phone so that all officials, across both the policy and national security community, are well aware of the guidelines.

How should other government departments react to this and approach similar issues in the future?

Tom: It’s up to each organisation to understand the risks and benefits and make their own call about apps based on their needs and risk profile. ASD has information on the risks of using mobile devices and about how to protect data on smartphones (the IOS hardening guide and the Information Security Manual).

Danielle: I agree, but departments also can’t wait for media enquiries or a story to break before tackling an issue (like the Strava heatmap ^[12] debacle). It’s worrying that new threats always seem to catch government departments on the back foot. In part, I think this is because there’s a tendency in Canberra to view ‘cyber’ through a very traditional prism that focusses on the types of threats that we see week to week (for example, data theft). If we absorb one lesson from Russia’s cyber interference in the US election, it should be that continuing to view cyber threats through a narrow prism is a mistake ^[13]. It’s vital that the government break out of this reactionary cycle and take a more forward-looking and assertive stance on the less traditional suite of cyber threats ^[14] that might affect Australia and our near region.

Fergus: A top priority should be for government MPs to be given clarity on whether they should be using WeChat on their own phones—something which has yet to happen ^[15]. Information stored on the phones of our elected representatives would surely be highly prized by foreign governments, so we should be thinking about how we can plug any security holes on their devices as a priority.