Former Twitter security chief Peiter “Mudge” Zatko filed a whistleblower complaint with the Securities and Exchange Commission in July 2022, accusing the microblogging platform company of serious security flaws. The charges amplified the ongoing drama of Twitter’s potential sale to Elon Musk.
Zatko has spent decades as an ethical hacker, private researcher, government adviser and executive at some of the most prominent internet companies and government offices. He is practically a legend in the cybersecurity industry. Because of his reputation, when he speaks, people and governments normally listen – underscoring the seriousness of his complaint against Twitter.
As a former cybersecurity industry practitioner and current cybersecurity researcher, I think Zatko’s most damning accusations relate to Twitter’s alleged failure to have a strong cybersecurity plan to protect user data, to deploy internal controls to guard against insider threats, and to ensure that company systems were kept up to date and properly patched.
Zatko also alleged that Twitter executives weren’t very forthcoming about cybersecurity incidents on the platform when briefing regulators and the company’s board. He claimed that Twitter prioritized user growth over reducing spam and other unwanted content that plagued the platform and harmed user experience. His complaint also expressed concerns about the company’s business practices.
Alleged security flaws
Zatko’s allegations paint a disturbing picture not only of the cybersecurity state of Twitter as a social media platform, but also of Twitter’s security awareness as a company. Both of these points are relevant given Twitter’s position in global communications and the ongoing fight against extremism and disinformation online.
Perhaps the most significant of Zatko’s allegations is his claim that nearly half of Twitter employees have direct access to Twitter user data and source code. Cybersecurity best practice does not allow this many people to hold “root” or “privileged” access to sensitive systems and data. If true, it means that Twitter could be exploited either from the inside or by outside adversaries aided by insiders who may not have been properly vetted.
Zatko also alleges that Twitter’s data centers may not be as secure, resilient or reliable as the company claims. He stated that almost half of Twitter’s 500,000 servers worldwide lack basic security controls such as running up-to-date, vendor-supported software or encrypting the user data stored there. He also noted that the company’s lack of a robust business continuity plan means that if several of its data centers failed due to a cyber incident or other disaster, it could lead to an “existential”, enterprise-ending event.
These are just some of the claims made in Zatko’s complaint. If these claims are true, Twitter has failed Cybersecurity 101.
Concerns about foreign government interference
Zatko’s allegations could also present a national security concern. Twitter has been used in recent years to spread misinformation and propaganda around global events such as the pandemic and national elections.
For example, Zatko’s report said that the Indian government forced Twitter to hire government agents, who would have access to large amounts of Twitter’s sensitive data. In response, India’s sometimes hostile neighbor Pakistan accused India of trying to infiltrate Twitter’s security system “with the aim of restricting fundamental freedoms”.
Given Twitter’s global footprint as a communications platform, other countries such as Russia and China may require the company to hire their own government officials as a condition of allowing the company to operate in their country. Zatko’s allegations regarding Twitter’s internal security raise the possibility that criminals, activists, hostile governments or their supporters seeking to exploit Twitter’s systems and user data by recruiting or blackmailing its employees could well present a national security issue.
Worse, Twitter’s own information about its users, their interests, and the people they follow and interact with on the platform could make it easier to target disinformation campaigns, blackmail, or other nefarious purposes. Such foreign targeting of major corporations and their employees has been a major counterintelligence concern in the national security community for decades.
Whatever the outcome of Zatko’s complaint to Congress, the SEC or other federal agencies, it already figures in the latest legal documents Musk has filed as he tries to back out of his Twitter purchase.
Ideally, in light of these disclosures, Twitter will take corrective action to improve the company’s cybersecurity systems and practices. A good first step the company could take is to review and limit root access to its systems, source code, and user data to the minimum necessary. The company must also ensure that its production systems are kept up to date and that it is effectively prepared to deal with any type of emergency without significantly disrupting its global operations.
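As an added example (not from the article, and not Twitter’s own tooling), the following Python script shows what the privileged-access review recommended above looks like in practice: it reads a constructed access export, checks every holder of a privileged role against an approved list, and reports what share of all accounts hold privileged access. The export format, the role names, the approved list and the 10% threshold are all assumptions made for this example.

```python
"""Least-privilege review over a constructed access export (added example)."""
from dataclasses import dataclass

# Roles treated as "root"/privileged for this review (assumed names).
PRIVILEGED_ROLES = {"root", "admin", "prod-ssh", "source-write", "userdata-read"}


@dataclass(frozen=True)
class Finding:
    user: str
    roles: tuple
    reason: str


def parse_export(lines):
    """Parse lines of the form 'user,role1;role2' into {user: set(roles)}.

    This is a constructed format for the example, not a real IAM export.
    Blank lines and '#' comments are skipped.
    """
    accounts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, roles = line.partition(",")
        accounts[user.strip()] = {r.strip() for r in roles.split(";") if r.strip()}
    return accounts


def review(accounts, approved, max_privileged_share=0.10):
    """Compare privileged role holders against the approved list.

    approved maps user -> set of privileged roles that user is allowed to hold.
    Returns counts, the share of privileged accounts and a list of findings.
    """
    privileged = {u: r & PRIVILEGED_ROLES for u, r in accounts.items()
                  if r & PRIVILEGED_ROLES}
    findings = []
    for user, roles in sorted(privileged.items()):
        if user not in approved:
            findings.append(Finding(user, tuple(sorted(roles)),
                                    "privileged role held by unapproved account"))
        else:
            extra = roles - approved[user]
            if extra:
                findings.append(Finding(user, tuple(sorted(extra)),
                                        "privileged role beyond approved scope"))
    share = len(privileged) / len(accounts) if accounts else 0.0
    return {
        "privileged_count": len(privileged),
        "total": len(accounts),
        "share": share,
        "over_threshold": share > max_privileged_share,
        "findings": findings,
    }


# Constructed sample export: ten accounts, four of them with privileged roles.
SAMPLE_EXPORT = """\
# user,roles
alice,root;prod-ssh
bob,source-write;userdata-read
carol,prod-ssh
dave,userdata-read;analytics
erin,analytics
frank,support
grace,support;analytics
heidi,docs
ivan,docs
judy,analytics
"""

# Constructed approved list: who may hold which privileged roles.
APPROVED = {
    "alice": {"root", "prod-ssh"},
    "bob": {"source-write"},
}


def run_sample():
    """Run the review over the constructed sample and return the result."""
    return review(parse_export(SAMPLE_EXPORT.splitlines()), APPROVED)


if __name__ == "__main__":
    result = run_sample()
    print(f"{result['privileged_count']} of {result['total']} accounts hold "
          f"privileged roles ({result['share']:.0%}); "
          f"over threshold: {result['over_threshold']}")
    for f in result["findings"]:
        print(f"  {f.user}: {', '.join(f.roles)} -> {f.reason}")
```

In the sample, four of ten accounts hold privileged roles, so the review flags the overall share as well as three individual accounts: one approved user holding a role beyond their approved scope and two users holding privileged roles with no approval at all. Running such a review on a schedule, and treating every finding as a ticket to either document the approval or revoke the role, is the routine work that keeps “root” access at the minimum necessary.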
From a broader perspective, Zatko’s complaint underscores the critical and sometimes uncomfortable role that cybersecurity plays in modern organizations. Cybersecurity professionals like Zatko understand that no company or government agency likes publicity for cybersecurity issues. They tend to think long and hard about whether and how to raise cybersecurity issues like these – and what the potential ramifications might be. In this case, Zatko says his disclosures reflect “the job he was hired to do” as the head of security for a social media platform that he says “is critical to democracy.”
For companies like Twitter, bad cybersecurity news often translates into a public relations nightmare that could affect stock prices and market standing, not to mention attract the interest of regulators and lawmakers. For governments, such revelations can lead to a lack of trust in the institutions created to serve society, in addition to potentially creating distracting political noise.
Unfortunately, how cybersecurity issues are discovered, disclosed and addressed remains a difficult and sometimes contentious process today, with no easy solution for cybersecurity professionals and organizations alike.