In a 200-page disclosure sent to lawmakers and regulators last month, Twitter’s former security chief warned that the micro-blogging service apparently had neither the incentive nor the resources to properly measure the full scope of bots on its platform. Peiter “Mudge” Zatko, who has been described as a veteran cybersecurity expert widely respected in the industry, filed the complaint with the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), and the Department of Justice (DoJ) in July.
Whistleblower Aid, a nonprofit that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.
Zatko alleged that Twitter suffers from a range of other security vulnerabilities and has done little to fix them, reported CNN – which, along with The Washington Post, had first seen the disclosure.
In a statement in response to the whistleblower complaint, a Twitter spokesperson told NBC News that Zatko’s account was “a false narrative,” and added that Zatko was fired because he displayed “ineffective leadership and poor performance.”
Whistle Has Been Blown
A number of experts have weighed in on exactly what this might mean for not only users of the platform, but also how lawmakers should respond.
“These concerns – user security and Twitter compliance with a 2011 FTC consent order – are miles away more appropriate areas for government action than the politically motivated speech and antitrust rumblings against ‘Big Tech’ that we hear coming out of Washington,” explained Jessica Melugin, director of the Center for Technology and Innovation at the Competitive Enterprise Institute.
Melugin suggested that these are the types of issues that lawmakers should be more focused on when it comes to social media rather than antitrust and politically motivated speech.
“While we don’t yet know the validity of the claims of the report, these are the issues regulators and lawmakers should focus on instead of breaking up or handicapping some of America’s most successful companies,” Melugin continued.
One of the biggest concerns is how Twitter essentially misled investors and the FTC, and even downplayed the issues of spam and security on the platform.
“This is one of those situations where the reputation of the whistleblower itself immediately lends legitimacy to the allegations,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel.
“On those grounds alone I believe this report deserves serious attention. It’s easy to think of social media networks like Twitter as trivial, but the reality is that the size of the platform and its near-instantaneous communication speed make them a major influence on society.”
Any vulnerabilities that could allow malicious actors to abuse those platforms not only introduce the risk of sowing discord and conflict, but could also be great sources of intelligence for espionage operations by hostile foreign agencies, added Clements.
“Still, it’s vital to independently validate the scale and impact of the claims to fully understand the situation and it’s also important to understand that in any large organization there are almost assuredly areas of cybersecurity gaps and risks that are monumentally challenging to completely eliminate,” he added. “Effective defenses in today’s world require adopting a true culture of cybersecurity that begins at the very highest levels of organizations. Statements reportedly made by former Twitter CEO Jack Dorsey in the past around cybersecurity are concerning and could explain the cause of some of the allegations that have come to light.”
Even as the social media platform attempted to paint a rosy picture, and often encouraged users to adopt better security practices, including multi-factor authentication, its in-house security had serious issues. According to the complaint, there were some 20 breaches in 2020 alone, and Twitter had failed to prioritize the removal of spam or bot accounts.
In addition, Zatko alleged that Twitter has never actually been in compliance with an agreement it made with the FTC in 2011 to protect users’ personal information, and that it fails to monitor “insider threats,” including employees or contractors who may use their positions to steal information.
“It underscores the extent to which security that is treated as merely a technical issue is doomed to fail. Cybersecurity policies and practices need to have the full support of the organization, including its board and leadership. If the whistleblower’s allegations are true, security was—at best—an afterthought for Twitter’s leadership,” said Patrick Dennis, CEO at cybersecurity firm ExtraHop.
“It (also) sheds new light on what many hinted at during the Elon Musk takeover bid: the Twitter platform itself has serious vulnerabilities that the company isn’t taking seriously at all,” added Dennis. “In the Musk deal, Twitter’s refusal to provide relevant data regarding the prevalence of bots on the platform ultimately resulted in Musk pulling out, and for good reason. Bots are not only used by nation states for cyberespionage and digital Kompromat, they are also used for social engineering that conditions users to click on malicious links and engage in other unsafe online behavior. Given their refusal to acknowledge or deal with the bot problem in any material way, it should come as no surprise that Twitter also lacks the willingness to address other major security concerns regarding the privacy and safety of its users.”
Whistle Blow Over?
It is unlikely that these allegations will simply blow over, and they could affect all of social media.
“The allegations will definitely have a long-term effect on Twitter and possibly how other social media platforms manage the security of their platforms,” suggested Javvad Malik, security awareness advocate at KnowBe4.
“‘Mudge’ is a long-standing and well-respected member of the security community, and while it appears as if there could be an underlying clash of personalities with Twitter CEO Parag Agrawal, these should not detract from the quite serious security issues that have been highlighted,” said Malik. “The fact of the matter is that at the time of their inception, there was no way that social media organizations could have predicted the massive influence they would have on individuals, organizations, governments, and the world at large. Therefore, organizations like Twitter need to focus and invest more in cybersecurity and privacy controls to ensure the power it has cannot be misused. And for that, the organization needs to foster and build a culture of security from within, one where weaknesses can be openly discussed, and not hidden under the rug.”
This will certainly have lasting repercussions, but it is unclear how it will affect Twitter in the short term.
“In terms of what consequences Twitter will face, I expect that regulators in the EU will be very keen to understand how consumer data has been mismanaged for purposes of GDPR (General Data Protection Regulation). I expect similar investigations in California under CPA (Consumer Privacy Act of 2018),” said Dennis. “But I think the one to watch is how federal authorities will treat the allegations that Twitter employees are working for a foreign intelligence service. There has long been speculation about tech company employees being planted by nation-state governments. If this is true, it could bring substantially more scrutiny around hiring practices.”