Twitter’s cybersecurity flaws pose national security risk, whistleblower tells Congress
Regulators are in over their heads as social media giants collect vast amounts of data on users with little ability to protect it, a whistleblower told Congress.
KELSEY REICHMANN / September 13, 2022
Twitter whistleblower Peiter "Mudge" Zatko testifies during a Senate Judiciary hearing examining data security at risk, Tuesday, Sept. 13, 2022, in Washington. (AP Photo/Jacquelyn Martin)
WASHINGTON (CN) — Cybersecurity failures at Twitter are endangering users' data and putting national security at risk, the company’s former security chief, Peiter “Mudge” Zatko, told lawmakers at a hearing on Tuesday.
Zatko appeared before the Senate Judiciary Committee to testify about allegations he made against the social media giant earlier this year. In reports to Congress and federal regulators, Zatko said Twitter was being dishonest about its cyber defenses and efforts to control fake accounts.
Claiming Twitter was misleading the public, lawmakers, regulators, and its board of directors, Zatko said the company was a decade behind industry security standards.
“The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people,” Zatko said. “When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us.”
Republican Senator Chuck Grassley revealed that the FBI notified Twitter of at least one Chinese agent working at the company. Zatko said Twitter was unwilling to dedicate resources to handle national security concerns such as this and recounted a conversation with an executive at the company concerning foreign agents working for the company.
“I think they would like to but they're simply unwilling to put the effort in at the cost of other efforts such as driving revenue,” Zatko said of the company’s willingness to create a system to handle these threats. “I'm reminded of one conversation with an executive when I said, ‘I am confident that we have a foreign agent’ and their response was, ‘well, since we already have one, what does it matter if we have more? Let's keep growing the office.’”
Twitter’s problems stem from two issues, Zatko testified: an inability to manage its data, and an inability to manage employee access to that data. Zatko said the company does not know what data it has and therefore cannot manage it. Furthermore, Twitter allows too many of its employees to access this information, with little regulation or tracking of how it is handled.
“For me the concern there is anybody with access inside Twitter, and half the company has access to the production environment that has this, could go rooting through and find this information and use it for their own purposes,” Zatko said.
Zatko filed whistleblower complaints to Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission in July. Zatko alleges Twitter lied about implementing stronger measures to protect their users, violating the terms of a 2011 FTC settlement. Ultimately Zatko said the government’s work to regulate social media giants like Twitter is not up to par.
“The FTC is a little over their head,” Zatko said. “Compared to the size of the big tech companies and the challenge they have against them, they're left letting companies grade their own homework.”
Committee members from both parties were critical of the company as they digested the claims made by Zatko.
“Twitter is an immensely powerful platform and can’t afford gaping vulnerabilities,” Democratic Senator Dick Durbin from Illinois said.
Grassley chastised Twitter CEO Parag Agrawal’s refusal to testify before the committee, claiming he did so because of ongoing litigation with Elon Musk.
“Let me be very clear, the business of this committee and protecting Americans from foreign influence is more important than Twitter's civil litigation in Delaware,” Grassley said. “In conclusion, if these allegations are true, I don't see how Mr. Agrawal can maintain his position at Twitter going forward.”
Some lawmakers seemed unsure how to handle the vulnerabilities alleged by Zatko. Senators Amy Klobuchar and Lindsey Graham both suggested legislative solutions.
“There's no way to deal with this without bipartisanship from my point of view,” Graham said. “So I'm working with Elizabeth Warren — of all people. We have different perspectives on most everything, but Elizabeth and I have come to believe that it's now time to look at social media platforms and we have this general understanding among ourselves, that the regulatory system regarding social media is not working effectively.”
Senator Richard Blumenthal suggested a new regulatory agency.
“Everything in your complaint and a lot of what we've heard in this committee and in other committees leads me to think we need a new agency,” Blumenthal said. “As reluctant as I am to suggest a new government bureaucracy — I don't think it needs to be a government bureaucracy with a lot of new people — but it needs to be a new means of enforcement here to bring cases to the Department of Justice focusing on privacy, security, and protecting users as well as our national security.”
Twitter has denied Zatko’s claims, arguing they are inaccurate and lack context. Zatko has yet to provide documentary support for his claims.