At a glance.
- The US Senate Judiciary Committee hears from the Twitter whistleblower.
- Joint warning of IRGC cyber activity.
- Trends in vulnerability management.
- No major developments in the cyber phases of the hybrid war.
- Patch Tuesday notes.
- CISA releases five ICS advisories.
The US Senate Judiciary Committee hears from the Twitter whistleblower.
Yesterday the US Senate Judiciary Committee heard testimony from Pieter “Mudge” Zatko, now familiarly known as “the whistleblower,” on his allegations of privacy and security problems at Twitter. The Senators were interested in a range of issues: privacy, espionage risk, content moderation, and the apparent inadequacy of regulations governing social media and other online platforms.
Zatko complained that the company’s executive team chose to disregard warnings of security problems, preferring instead to mislead the board, its employees, its customers, the public, and legislators. Perverse incentives drove the executives in that direction and enmeshed the company in two basic problems: an inability to keep track of the data the company held, and executive incentives that “led them to prioritize profits over security.”
Twitter didn’t maintain a distinct development or testing environment, Zatko said, and this led the company to open up its data to far more employees than would otherwise have had access to it. This was part of a larger insider threat problem, in which agents of foreign intelligence services (notably those of India, China, and Saudi Arabia) found their way onto Twitter’s payroll, where they remained for the most part undetected and undetectable.
There was general comment on Twitter’s alleged indifference to US regulatory risk, including the obligations imposed by the consent decree Twitter entered into with the US Federal Trade Commission (FTC). It was clear from the Senators’ questions and comments that they thought the FTC’s authorities and resources unequal to the task of regulating large social media platforms like Twitter. Whether this might be addressed by reforms to the FTC or by the creation of an entirely new agency was unclear; both options were discussed. There may be an international model ready to hand, however. For all of its indifference to the FTC, Zatko said, Twitter took French regulators much more seriously than it did American agencies.