Twitter’s ex-security chief, Peiter “Mudge” Zatko, warned in a 200-page disclosure that Twitter apparently had neither the motivation nor the resources to accurately measure bot activity on the platform. Zatko is a well-respected cybersecurity veteran who filed the complaint with the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice (DoJ) in July.
Whistleblower Aid, a nonprofit that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.
Zatko alleged that Twitter suffered from a range of other security vulnerabilities and has done little to fix them, CNN reported; CNN and The Washington Post were the first to see the disclosure.
A Twitter spokeswoman told NBC News in a statement that Zatko’s account rested on things he had “falsely claimed.” She also said that Zatko was dismissed because he was an “ineffective leader and showed poor performance.”
Whistle Has Been Blown
There are a number of experts who have provided their opinions on the potential implications for both users of the platform and lawmakers.
“These concerns – user security and Twitter compliance with a 2011 FTC consent order – are miles away more appropriate areas for government action than the politically motivated speech and antitrust rumblings against ‘Big Tech’ that we hear coming out of Washington,” explained Jessica Melugin, director of the Center for Technology and Innovation at the Competitive Enterprise Institute.
Melugin said that these are issues lawmakers need to be more concerned about when considering social media.
Melugin stated, “While the truth of the claim is not known yet, we should concentrate on these issues instead of breaking down or handicapping America’s most successful businesses.”
The FTC is concerned about how Twitter misled investors and downplayed security and spam issues on the platform.
Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, stated that “this is one of those cases where the reputation of the whistleblower immediately lends legitimacy to the allegations.”
This report merits serious consideration. While it may be easy to view social media platforms like Twitter as insignificant, their sheer size and almost instantaneous communication speed make them an important influence on society.
Clements said that there are vulnerabilities in these platforms which could enable malicious actors to exploit them. However, the platforms can also serve as rich sources of intelligence and information for spying by hostile foreign agents.
“Still, it’s vital to independently validate the scale and impact of the claims to fully understand the situation, and it’s also important to understand that in any large organization there are almost assuredly areas of cybersecurity gaps and risks that are monumentally challenging to completely eliminate,” he added. “Effective defenses in today’s world require adopting a true culture of cybersecurity that begins at the very highest levels of organizations. Concerning statements made in the past by Jack Dorsey (ex-Twitter CEO) about cybersecurity could be the reason for some of these allegations.”
Lax Security
Even though the social media site tried to portray a positive picture and encouraged users to use multifactor authentication, security at the company was far from perfect. The complaint claims that there were 20 security breaches in 2020, and that Twitter has not prioritized the elimination of bot or spam accounts.
Zatko also claimed that Twitter never really complied with an agreement it signed with the FTC in 2011 to protect users’ personal data, and that it does not monitor “insider threats” such as contractors or employees who could steal users’ information.
“This shows that security is not a technical matter and is likely to be relegated to the bottom of the priority list. It is essential that cybersecurity practices and policies are supported by the entire organization including the board and its leadership. If the whistleblower’s allegations are true, security was—at best—an afterthought for Twitter’s leadership,” said Patrick Dennis, CEO at cybersecurity firm ExtraHop.
Dennis added, “It [also] sheds new light upon what many hinted during the Elon Musk buyout bid: The Twitter platform itself has vulnerabilities that the company doesn’t take seriously at all.” Musk pulled out of the deal citing Twitter’s failure to disclose relevant information about the presence of bots on its platform. Bots aren’t just used by nation states for cyberespionage or digital kompromat. They can also be used for social engineering, which conditions users to click malicious links and engage in other dangerous online behaviors. Twitter refuses to deal with this bot issue and has not acknowledged it. It should also come as no surprise that the company is unwilling to address any other significant security issues regarding the privacy or safety of its users.
Do You Want to Blow the Whistle?
These allegations are unlikely to be true, but they can have an impact on all social media platforms.
Javvad Malik, KnowBe4 security awareness advocate and security expert, said that “the allegations will certainly have a lasting effect on Twitter.”
Malik said that “Mudge”, a well-respected and long-standing member of the security industry, could have a clash with Parag Agrawal, CEO of Twitter. “However, this should not diminish the serious security concerns that have been identified.” It is a fact that the immense influence social media has on the lives of individuals, organisations, governments and the entire world was not something that could have been predicted at its inception. Twitter and other social media platforms need to invest in cybersecurity and privacy controls to match the power they hold. The organization must create a culture where security can be discussed openly from the inside, so that weaknesses are not hidden.
While this will have long-lasting repercussions, it’s not clear how Twitter will react in the near future.
“In terms of the potential consequences Twitter might face, I believe that EU regulators would be interested in understanding how consumers’ data has been misused under GDPR (General Data Protection Regulation),” Dennis stated, adding that similar investigations will be conducted in California under the CPA, or Consumer Privacy Act of 2018. Dennis said that the real issue is how the federal authorities are going to handle allegations that Twitter workers were working for an intelligence agency. It has been speculated that tech company employees could be planted by nation-state governments, which could increase scrutiny of hiring practices.