Twitter Whistleblower Testifies Over Security Failures
In his first public appearance since he made a series of explosive accusations against Twitter in a whistleblower complaint last month, Peiter “Mudge” Zatko, the company’s former security chief, on Tuesday told lawmakers that the social media platform was endangering both users and national security by prioritizing growth over fixing “egregious” security lapses.
“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” Zatko, a well-known hacker with three decades of experience in cybersecurity, told the Senate Judiciary Committee. “It doesn’t matter who has keys if you don’t have any locks on the doors…the company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.”
His gray suit and thick goatee were a stark contrast to the long flowing hair Zatko wore when he appeared before the Senate twenty-four years ago and warned that hackers could take down the Internet in just 30 minutes. His warning to lawmakers this time was similar. “It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the Senators in this room,” he said.
Zatko characterized Twitter’s deficiencies as a dire global and national security threat. “When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us.”
In 84 pages of disclosures submitted to U.S. regulatory agencies in July, Zatko, who invoked federal whistleblower protections, accused the $32 billion company’s top executives of violating the Federal Trade Commission Act and Securities and Exchange Commission regulations by misleading its users, board members and investors about critical security failures. Zatko stated that these gaps left the platform vulnerable to infiltration by foreign governments, to security breaches and to exploitation by various bad actors.
“I think they would like to wave a magic wand and have all of these things fixed,” he told lawmakers on Tuesday. “But they’re unwilling to bite the bullet…and say ‘hey, we’re going to have to devote some time and money to get these basic things in place.’”
“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” said Sen. Richard Durbin, the chairman of the Senate Judiciary Committee. “Imagine if it’s a malicious hacker or a hostile foreign government breaking into the President’s Twitter account, sending out false information, claiming there was a terrorist attack on one of our citizens? We could see widespread panic.”
Here are the key takeaways from Zatko’s testimony on Tuesday.
Photo: Peiter Zatko, an independent security consultant and Twitter whistleblower, testifies before the U.S. Senate Judiciary Committee at Capitol Hill, Washington, D.C., on September 13, 2022. (Brendan Smialowski/AFP/Getty Images)
“One crisis at a time”: Zatko described internal chaos at Twitter
Zatko spoke out about a company that was unwilling to invest the necessary resources in fixing basic security vulnerabilities. He also described internal frustration over what he called leadership failures. “The engineers and the employees want this change,” he said about proposed fixes for the security and privacy issues plaguing the platform. “[But] it’s a culture where they’re only able to focus on one crisis at a time. And that crisis isn’t completed, it’s simply replaced by another crisis.”
Zatko’s claims landed in the middle of a heated legal dispute over Twitter’s agreement to sell the company to Elon Musk, making their credibility a multibillion-dollar issue. Last month, a judge ruled that Musk could amend his lawsuit against the company to include the allegations made by Zatko, who has been subpoenaed by Musk’s legal team.
After Zatko’s whistleblower complaint went public, it was revealed that two months earlier the company had agreed to pay him more than $7 million in a settlement related to lost compensation. According to the Wall Street Journal, this agreement included a non-disclosure agreement that prohibited him from disparaging company employees.
Musk indicated that he was watching the hearings on Tuesday, tweeting the popcorn emoji. Less than an hour after the hearings ended, Twitter shareholders voted to approve Musk’s original deal. “There’s been a pile-on to Twitter, between Musk’s actions and now Mudge’s accusations, that have very much eroded the value of the stock,” says Natasha Lamb, managing partner at Arjuna Capital, which holds Twitter shares. “Investors view Musk’s purchase as potentially the only way out so that they can recoup value.”
Twitter and Musk are scheduled to go to trial in the matter on October 17.
Claims about Twitter’s links with foreign governments
Zatko spoke in detail about one of the most alarming sections of his disclosure. He revealed that Twitter had allowed an agent of the Indian government to be employed in its new Indian office, which gave the agent access to internal information. For the last few years, Twitter has been locked in a stand-off with the Indian government over the latter’s desire to censor posts in the country. Zatko says he believes the agent’s goal inside the company was to “understand Twitter’s negotiations with the court and the ministry.”
The whistleblower said Tuesday that once he learned about the agent, he set up a small team “just to track that person,” but it was “extremely difficult” to follow the agent’s actions or to contain their activities, due to the inadequacy of Twitter’s internal tools.
Zatko went on to accuse higher-ups of turning a blind eye to the situation, saying that when he told one executive about the alleged agent, he was told: “Since we already have one, what does it matter if we have more? Let’s keep growing the office.”
During his time at Twitter, Zatko also claims that some employees at the company expressed concerns that the Chinese government could collect data on the platform’s users, and described internal tensions with executives who wanted to maximize Chinese advertising revenue.
“The executive in charge of sales very shortly after I joined said, ‘This is a big internal conundrum, because we’re making too much money from these sales, we’re not going to stop,’” he said.
Zatko also provided details that were not in his earlier disclosures. In the redacted version of his whistleblower complaint that was made public, he said he had warned Twitter that “one or more” of its employees were “working on behalf of another particular foreign intelligence agency”; on Tuesday he went further. The week before he was fired by the company, Zatko said, he learned that an agent of China’s Ministry of State Security was on the payroll at Twitter.
Twitter’s role in geopolitical crises
Zatko called the company’s lack of content moderators in other languages “stunning.” He insinuated that this deficiency contributed to the genocide of Muslim Rohingya in Myanmar, in which hate speech and propaganda against the minority group was fomented on social media platforms like Facebook and Twitter. “When something was happening in Myanmar, you can’t wait until after it happens and then go, ‘Where are the Burmese speakers?’ Twitter has to understand that 80% of their users are outside the U.S. You can’t create a healthy environment or serve the public conversation if all you can do is say, ‘Google Translate is doing the right job for me,’” he said.
Lawmakers also pointed out that Twitter’s prioritization of its growth over security and privacy measures had serious consequences for users living under authoritarian regimes.
“Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government,” Durbin said. “This is a matter of life and death as we know for these dissidents.”
How the FTC has been “outgunned” by Big Tech
One of the reasons that Twitter was able to remain a “decade behind” its competitors on security, Zatko says, was a lack of pressure imposed on the company by regulators. In particular, the whistleblower said that the FTC was “absolutely outgunned” in the face of Big Tech; that the agency “left companies grading their own homework” and allowed them to hire their own auditors, which he said amounted to a conflict of interest.
“Clearly what we’re doing right now is not working,” Sen. Richard Blumenthal said.
Zatko said that Twitter feared other regulators abroad more than the FTC. In particular, he said that France’s data privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), “terrified” the company, because it asked technical and quantitative questions and wielded the ability to levy large recurring fines, as opposed to one-time FTC penalties that Twitter “priced in” to its business model.
Senators of both political parties asked for more regulation
Zatko’s appearance, however temporarily, spurred a spirit of bipartisanship in Congress on Tuesday. Sen. Lindsey Graham pledged to partner with Elizabeth Warren, with whom he has “different perspectives on almost everything,” to create new legislation to regulate Big Tech. He said he hoped to create “a system more like Europe: a regulatory environment with teeth.”
“If Elizabeth Warren and Lindsey Graham can come together around that concept, I think we’re off to the races,” Graham said.
On both sides of the aisle, many other senators called for more regulation and proposed the creation of a new agency. Sens. Marsha Blackburn and Amy Klobuchar both advocated for an online privacy standard. Sen. Chris Coons spent his time advocating for the bipartisan Platform Accountability and Transparency Act (introduced in December), which would require social media companies to undergo independent audits and make public more information about their operations.