Gov. Evers signs executive order banning TikTok, other technologies from state-issued devices

Gov. Evers Signs Executive Order Banning TikTok, Other Technologies from State-Issued Devices
Order directs technology division to prohibit use of certain technologies that could pose potential cybersecurity risks, threats to state

MADISON — Gov. Tony Evers today signed Executive Order #184 banning TikTok from state-issued devices, as well as directing the division charged with managing enterprise technology to prohibit the use of certain other technologies, software, and vendors that could pose potential cybersecurity threats.

At the end of last year, the governor indicated members of his administration and the Department of Administration’s Division of Enterprise Technology (DOA-DET) continued to be in regular conversations with the U.S. Department of Homeland Security, the Federal Bureau of Investigation (FBI), Wisconsin Emergency Management, and counterintelligence specialists, among others, in making decisions about cybersecurity for state government devices, including potentially banning TikTok. Last week, Gov. Evers, in an interview with WISN 12 News, announced that, as a result of continued conversations with state and federal partners, he had made the decision to ban TikTok from state devices.

“In the digital age, defending our state’s technology and cybersecurity infrastructure and protecting digital privacy have to be a top priority for us as a state,” said Gov. Evers. “I trust the professionals who work in this field, and it was important for me to consult with and get advice from experts in law enforcement, cybersecurity, and counterintelligence, including the information technology experts working within DOA-DET, to make the best decision to protect state technologies, and ultimately, the people of Wisconsin.

“New and evolving technologies will continue to present risks to privacy, safety, and security, and this order ensures we will continue to be vigilant in monitoring these technologies while trusting the advice of these experts on evolving cybersecurity issues facing our state.”

DOA-DET is responsible for managing the state’s information technology assets and the use of technology to improve government efficiency and service delivery, and helps develop strategies, policies, processes, procedures, guidance, and standards for enterprise and multi-jurisdictional use of information technology resources. In the course of providing information technology and cybersecurity support, DOA-DET also regularly consults with the U.S. Department of Homeland Security, the FBI, and counterintelligence specialists in making decisions about cybersecurity for state government devices and services. DOA-DET also utilizes federal guidelines, industry trends, collaboration with other states, and other intelligence sources and experts on potential cybersecurity threats in providing support to executive branch agencies. DOA-DET services a variety of entities under Ch. 16 of Wisconsin State Statutes, including and primarily executive branch agencies.

The governor’s order, among other things:

• directs DOA-DET to bar certain foreign technologies, including TikTok, as well as other certain vendors and software, from being utilized, connected to, or installed on state-issued devices, which includes but is not limited to desktop computers, laptops, tablets, cellular phones, and other mobile devices;

• reiterates that DOA-DET should continually reevaluate and identify applications and vendors that could present a potential risk to state information or state information systems, as they currently do, as well as monitor and update the directives of the order based on new and emerging information;

• directs DOA-DET to use its authority under Ch. 16 to identify foreign vendors that might pose security risks to the state and to implement safeguards to protect state interests; and

• directs DOA-DET, where statutorily authorized, to monitor adherence to issued guidance, policies, standards, procedures, and processes, to assist impacted executive branch agencies to ensure they are able to abide by all technical standards and directives of DOA-DET and the State Chief Information Officer and the State Chief Information Security Officer.

DOA-DET has legal authority to impose and mandate cybersecurity standards on executive branch agencies, as prescribed under Ch. 16 of Wisconsin State Statutes, including Gov. Evers and the Office of the Governor, although Gov. Evers has never used or maintained an official TikTok account, nor has a TikTok account on Gov. Evers’ behalf ever been managed or maintained on any state-issued device. Under Ch. 16, DOA-DET does not have the legal authority to mandate that the University of Wisconsin System (UWS) abide by these requirements. Additionally, the Departments of Justice (DOJ) and Public Instruction (DPI) are headed by duly elected constitutional officers, and management and control of information technology systems have been delegated to those agencies. DOA-DET will continue to work closely with agencies across the state enterprise, including agencies such as DOJ and DPI, as well as UWS, to ensure that all relevant cybersecurity standards, associated risks, and requirements are shared, discussed, and met where appropriate. This order does not apply to the judicial or legislative branches of government.

Narrow exceptions to this order will only be granted for limited use, subject and pursuant to DOA-DET implemented policies and standards, for example, to entities with responsibilities paramount to ensuring public safety and the well-being of kids and families, such as situations in which the Department of Corrections must review content of an individual on supervision or when the Department of Children and Families needs to gather evidence from TikTok in a child abuse and welfare proceeding. DOA-DET will continue to work closely with agencies across the state enterprise to ensure that all relevant cybersecurity standards, associated risks, and requirements are shared, discussed, and met, where appropriate.

A copy of the governor’s order is available here.

EXECUTIVE ORDER #184
Relating to Cybersecurity and Prohibiting the Use of Certain Foreign Technologies

WHEREAS, preserving the safety, security, privacy, and way of life of the people of Wisconsin is of paramount importance, and the State has gained information and recommendations regarding growing threats imposed by certain foreign vendors, products, and technologies that could pose cybersecurity threats, as well as digital privacy and other state and national security risks, which are contrary to the interests of the State and the people of Wisconsin;

WHEREAS, one of those products, TikTok, is a video-sharing mobile application with more than 94 million users in the United States as of 2022, and is owned by a ByteDance Ltd., which has a subsidiary that is partially owned by the Chinese Communist Party;

WHEREAS, TikTok can purportedly harvest large amounts of data from devices it is installed on, including when, where, and how the user conducts Internet activity;

WHEREAS, under China’s 2017 National Intelligence Law, all businesses registered or that have operations in China are required to assist the government of China in intelligence work, including data sharing and data collecting, which, according to the Federal Bureau of Investigation, poses national security concerns that could compromise personal and government data and security;

WHEREAS, there are foreign actors alike that produce telecommunications and video/audio equipment, as well as other technologies and platforms, and we reasonably believe that use of these products may enable the manufacturer or vendor to:

• Collect sensitive personal, financial, proprietary, intellectual property, or other business data;

• Enable certain digital technologies, including email, to be compromised and act as a vector for ransomware deployment;

• Conduct cyber-espionage against government and other entities; Conduct surveillance and tracking of individual users; and Use algorithmic modifications to conduct disinformation or misinformation campaigns;

WHEREAS, the Wisconsin Department of Administration (DOA) Division of Enterprise Technology (DET) (hereinafter referred to jointly, where applicable, as “DOA- DET”), pursuant to Sections 16.971 through 16.975 of the Wisconsin Statutes is responsible for establishing, and has already established, security requirements and safeguards for State information and information systems, and is led by the State Chief Information Officer (State CIO) and State Chief Information Security Officer (State CISO) who continually monitor cybersecurity and implement all feasible technical means to ensure the security of all State information and information systems; and

WHEREAS, recognizing that, in the digital age, maintaining cybersecurity is critical to state and national security and that new and emerging technologies and applications could pose future potential safety, security, and privacy risks, the State of Wisconsin reaffirms its commitment to regular, ongoing review of such technologies to protect the interests of the State and of the people of Wisconsin.

NOW, THEREFORE, I, TONY EVERS, Governor of the State of Wisconsin, pursuant to the authority vested in me by the Constitution and the Laws of this State hereby order, effective immediately, that:

1) To best preserve the safety, security, and privacy of the people of Wisconsin, DOA-DET, consistent with its statutory mandates and in accordance with its existing policies, procedures, and processes, which include but are not limited to cybersecurity plans, will continue to use information gathered through state, federal, and industry-led intelligence to investigate vulnerabilities presented by products from foreign vendors, including when foreign companies may use Americans’ user information for sensitive intelligence gathering, intellectual property theft, and other illicit purposes, and where there may be a reasonable belief that the manufacturer or vendor may participate in activities such as but not limited to:

a. Collecting sensitive citizen, financial, proprietary, intellectual property, or other business data;

b. Enabling email compromise and acting as a vector for ransomware deployment;

c. Conducting cyber-espionage against government entities;

d. Conducting surveillance and tracking of individual users; and e. Using algorithmic modifications to conduct disinformation misinformation campaigns.

2) DOA-DET, in collaboration with the Governor, the Office of the Governor, and state, federal, and industry-led intelligence, will continue to use such information to evaluate and identify applications and vendors that, due to the risk presented to state information or state information systems, may not be used in or connected to any State network or installed on any State-issued device, including but not limited to desktop computers, laptops, tablets, cellular phones, and other mobile devices. The State CISO shall communicate any identified prohibited foreign products to the Wisconsin Information Sharing and Analysis Committee (WI ISAC) and Agency IT Directors, per DET’s normal communications processes. As of the date of this Order, the following vendors and/or software are prohibited from being utilized:

• TikTok

• Huawei Technologies

• ZTE Corp

• Hangzhou Hikvision Digital Technology Company

• Hytera Communications Corporation

• Dashua Technology Company

• Tencent Holdings, including but not limited to:
• Tencent QQ
• QQ Wallet
• WeChat

• Alibaba products, including but not limited to:
• AliPay

• Kaspersky Lab

3) DOA-DET will, as soon as practicable, establish guidance, as well as utilize existing policies, standards, procedures, and processes, including the evaluation of necessary exceptions, related to applications or vendors, and will also provide updates related to the implementation of these directives, through the normal channels, including but not limited to DOA-DET’s websites and updates to agency IT professionals.

4) DOA-DET, at the direction of the State CIO and State CISO, and in collaboration with the Governor, the Office of the Governor, and state, federal, and industry-led intelligence, will continually monitor and update the directives prescribed in this Order.

5) DOA-DET shall monitor adherence to issued guidance, policies, standards, procedures, and processes, where statutorily authorized, and shall assist impacted executive branch agencies to ensure they are able to abide by all technical standards and directives of DOA-DET and the State CIO and State CISO including but not limited to support with the following:

a. Developing and implementing a plan to remove any prohibited hardware products from State networks;

b. Removing any prohibited software products from State networks;

c. Implementing measures to prevent the installation of prohibited hardware and software products on State-owned, State-leased, or State-managed technology assets;

d. Implementing network-based restrictions to prevent the use of, or access to, prohibited services; and

e. Incorporating the risks associated with these technologies into statewide cybersecurity and awareness training programs.

6) In addition to the above provisions related to DOA-DET, executive branch agencies headed by individuals appointed by the Governor shall interpret any DOA-DET issued policy, procedure, or process prohibiting use of an application or vendor to extend to use of that application or vendor for marketing or advertising strategies, including those implemented by a third party.

IN TESTIMONY WHEREOF, I have hereunto set my hand and caused the Great seal of the State of Wisconsin to be affixed. Done at the Capitol in the City of Madison this eleventh day of January in the year of two thousand twenty- three.

Tony Evers

Exclusive articles, podcasts, and more. Support Milwaukee Record on Patreon.