Governor Murphy Announces Cybersecurity Directive to Prohibit Use of High-Risk Software on State Devices
TRENTON – Governor Phil Murphy today announced that the State of New Jersey has issued a cybersecurity directive to prohibit the use of high-risk software and services, including TikTok, on State provided or managed devices. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), in collaboration with the Office of Information Technology (OIT), will maintain a list of technology vendors and software products and services that present an unacceptable level of cybersecurity risk to the State. The Directive will apply to all departments, agencies, commissions, boards, bodies, or other instrumentalities of the Executive Branch of New Jersey State Government.
“Bolstering cybersecurity is critical to protecting the overall safety and welfare of our State,” said Governor Murphy. “The proactive and preventative measures that we are implementing today will ensure the confidentiality, integrity, and safety of information assets managed by New Jersey State government. This decisive action will ensure the cybersecurity of the State is unified against actors who may seek to divide us.”
Under the directive, as applicable, agencies must:
- A. Remove any referenced software products from State-owned, provided, or managed systems and devices;
- B. Implement network-based restrictions to prevent the use of, or access to, prohibited software or services;
- C. Implement measures to prevent the installation of referenced high-risk software products on State-owned or managed technology assets; and,
- D. Develop and implement plans to include risks associated with referenced high-risk software products and supply chain security into cybersecurity awareness and training programs.
Agencies may have public health, safety, welfare, or other compelling State business and public interest reasons for using the prohibited software technologies or services. In such cases, the Agencies are required to submit an exception request with the NJCCIC. If agencies provide a compelling justification for their communications or outreach work, they may receive approval to use these software technologies or services on a device not connected to a secure State network. Approved exceptions and use cases will include risk mitigation instructions.
“New Jersey’s policy to remove certain software from State owned or managed devices, inclusive of TikTok, deemed as high risk of potential data loss or privacy issues is part of our statewide cyber risk management program,” said New Jersey Chief Technology Officer Christopher Rein. “This follows in line with a number of actions taken by government and private sector enterprises, and is consistent with some of the risk reduction steps taken at the Federal and State levels. The New Jersey Office of Information Technology will work diligently alongside NJCCIC to maintain cybersecurity across state government.”
“As the threat landscape continues to evolve, so does NJOHSP – we develop new strategies and improve our capabilities to mitigate threats at all levels,” said New Jersey Office of Homeland Security and Preparedness Director Laurie Doran. “As New Jersey’s lead agency for homeland security matters, we’re in the business of keeping the State’s residents and visitors safe. With the growing popularity of TikTok, which is known to have privacy and security vulnerabilities and presents national security concerns, it’s critical that we implement measures to prohibit and shield against the unwanted access of our data.”
“This action reaffirms the State’s commitment to be a trusted steward of the public’s information and a dependable provider of critical government services,” said New Jersey Cybersecurity and Communications Integration Cell Director Michael Geraghty. “Through our ongoing efforts, NJCCIC will continue to monitor for cybersecurity threats and implement best practices and controls to mitigate risks of any emerging threats.”
Prohibited Software Vendors, Products, and Services as of January 9, 2023:
- Huawei Technologies
- Zhejiang Dahua Technology Co., Ltd., also doing business as Dahua
- Hangzhou Hikvision Digital Technology Co., Ltd., also doing business as Hikvision
- Tencent Holdings LTD, including but not limited to:
  - QQ Wallet
- Alibaba products, including but not limited to:
  - AliPay
  - Alibaba.com Mobile Apps
- Hytera
- ZTE Corporation
- ByteDance Ltd., including but not limited to TikTok
- Kaspersky Lab
TikTok is a popular short-form video sharing and social networking app that is owned by the Chinese technology company ByteDance. There have been national security concerns about user data the Chinese government might require ByteDance to provide. Analysis has found that various versions of TikTok collect the keystrokes of users, make screen captures every few seconds, access data from the phone’s clipboard, and collect the unique Media Access Control (MAC) address of the device, among other user information. That data may include passwords and other sensitive information entered not only into the TikTok app but also into the other apps used on a device, e.g., email, text messages, eHealth apps, etc. Due to these issues, the US Department of Defense, various federal agencies, state governments, corporations, and governments around the world have banned TikTok from being installed on their devices.
NJOHSP and NJCCIC manage policies outlined in the statewide information security manual and have previously instituted similar bans. Additionally, NJOHSP and NJCCIC set policy on the security of mobile devices for executive branch agencies and departments and, in the past, have banned hardware and software products that introduce security risks, typically by working through the Department of Treasury to prohibit the procurement of such products.
The NJCCIC and OIT will continually monitor and update the Prohibited Software and Services Vendors and Products list. The updated list will be posted to the NJCCIC website, cyber.nj.gov.
For the joint circular, click here.