At a glance.
- US government officials weigh in on Twitter whistleblower’s claims.
- CISA’s cybersecurity goals met with industry pushback.
- Trends in state cybersecurity legislation.
US government officials weigh in on Twitter whistleblower’s claims.
Peiter “Mudge” Zatko, renowned hacker and Twitter’s former head of security, released a statement yesterday claiming that the social media giant’s user data protections are plagued by “extreme, egregious deficiencies” due to flawed security measures and outdated software, and that the company overlooked the existence of spam accounts in an effort to increase profits. Mudge, who was let go from Twitter in January due to what the company says were issues with his performance, alleges he tried to warn the company internally of the issues, but to no avail. Twitter says Mudge’s claims are “riddled with inconsistencies and inaccuracies,” explaining to Bloomberg, “Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
His claims have captured attention indeed, including that of US lawmakers. If Mudge’s claims are true, Twitter would be found in violation of a 2011 agreement made with the Federal Trade Commission barring the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information,” and members of the Senate Judiciary and Intelligence Committees from both sides of the aisle say the alleged privacy issues could even pose a threat to national security. Judiciary Chair Dick Durbin, a Democrat, stated, “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.” Republican Senator Chuck Grassley agreed, saying the claims “must be investigated further.” Republicans have criticized Twitter for alleged censorship of conservative posts, and Senator Marco Rubio, the top Republican on the Intelligence Committee, stated, “Twitter has a long track record of making really bad decisions on everything from censorship to security practice. That’s a huge concern given the company’s ability to influence national discourse and global events.” As the Washington Post notes, Representatives Frank Pallone Jr. and Cathy McMorris Rodgers released a joint statement saying that the whistleblower’s allegations, if true, reaffirm the need for Congress to pass consumer privacy legislation to protect American user data. According to Engadget, Durbin’s and Grassley’s offices have already held early talks with Mudge, and the Senate Intelligence Committee is looking to do the same.
Some private-sector security experts also weighed in. Daniel Trauner, Senior Director of Security at Axonius, sees an organizational issue:
“The biggest takeaway from the Twitter whistleblower complaint is that it demonstrates yet again how important it is for security leadership to have a seat at the table. A recent survey found only 8% of CISOs report directly to the CEO - that’s drastically lower than the 51% of CTOs and 38% of CIOs.
“And the problem isn’t just that CISOs aren’t reporting into the broader c-suite. It’s also that when companies hire new security leadership, they sometimes have unrealistic expectations about what the security team’s role should encompass. Fixing serious security issues, and even more so, implementing basic security hygiene, requires business-wide buy-in including tangible action by other teams.
“Perhaps the most surprising thing about the Twitter whistleblower complaint is that it isn’t actually that surprising at all. The reality is that there are a whole lot more companies out there with an even worse security posture, and that’s because the fundamentals are so hard to do – especially at scale.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, is among those who think the whistleblower has the chops to be taken seriously, at least given an initial hearing:
“This is one of those situations where the reputation of the whistleblower itself immediately lends legitimacy to the allegations. On those grounds alone I believe this report deserves serious attention. It’s easy to think of social media networks like Twitter as trivial, but the reality is that the size of the platform and its near-instantaneous communication speed make them a major influence on society. Any vulnerabilities that could allow malicious actors to abuse those platforms introduce risk of sowing discord and conflict, but could also be great sources of intel for espionage operations by intelligence agencies. Still, it’s vital to independently validate the scale and impact of the claims to fully understand the situation, and it’s also important to understand that in any large organization there are almost assuredly areas of cybersecurity gaps and risks that are monumentally challenging to completely eliminate. Effective defenses in today’s world require adopting a true culture of cybersecurity that begins at the very highest levels of organizations. Statements reportedly made by former Twitter CEO Jack Dorsey in the past around cybersecurity are concerning and could explain the cause of some of the allegations that have come to light.”
Javvad Malik, security awareness advocate at KnowBe4, speculates about the long-term effects the incident may have on Twitter in particular and on social media in general:
“The allegations will definitely have a long-term effect on Twitter and possibly how other social media platforms manage the security of their platforms. Mudge is a long-standing and well-respected member of the security community, and while it appears as if there could be an underlying clash of personalities with Twitter CEO Parag Agrawal, these should not detract from the quite serious security issues that have been highlighted. The fact of the matter is that at the time of their inception, there was no way that social media organizations could have predicted the massive influence they would have on individuals, organizations, governments, and the world at large. Therefore, organizations like Twitter need to focus and invest more in cybersecurity and privacy controls to ensure the power it has cannot be misused. And for that, the organization needs to foster and build a culture of security from within, one where weaknesses can be openly discussed, and not hidden under the rug.”
CISA’s cybersecurity goals met with industry pushback.
The US Cybersecurity and Infrastructure Security Agency (CISA) is scheduled to release a list of cybersecurity performance goals for the most critical digital infrastructure next month, but industry leaders are already expressing their concerns. Though the goals are intended to be voluntary, industry officials are worried they’re merely a precursor to regulation. CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein told the Washington Post that “the cybersecurity performance goals are critical to improving our nation’s cybersecurity by providing a shared understanding of the baseline practices that critical infrastructure owners and operators can adopt on a voluntary basis to protect their systems.” CISA requested comment on the rules before release, and criticisms include concerns that the goals are too “prescriptive” and could direct companies to adopt technology or practices that could soon be outdated. As well, industry groups say the goals don’t align with the National Institute of Standards and Technology (NIST) cybersecurity framework, which could lead to conflict. Goldstein says CISA and NIST are working to incorporate the feedback into the final product, and plan to revise the standards one more time before publication. He added, “We will continue this collaboration even after publication of the baseline goals to ensure that critical infrastructure partners gain the greatest value from this important work, including working with sector risk management agencies and industry stakeholders on the development of sector-specific goals that incorporate unique sectoral considerations.”
Trends in state cybersecurity legislation.
Federal collaboration with state and local government is referred to as a “whole-of-state” approach to cybersecurity, and it hinges on state incident reporting. Governing.com offers its predictions on what to expect regarding incident reporting legislation at the state level in the coming months. Requiring local agencies to report cyber incidents will likely become commonplace in every state in the not-too-distant future, and thirty states have already established state task forces, a trend that will likely lead to more incident reporting regulations. That said, data about how incidents are being reported is still anecdotal at best, and it’s unclear what responsibility is borne by the recipients of the reports.
Earlier this year the US states of North Carolina and Florida were the first to bar government entities from paying ransoms linked to ransomware attacks. Twelve other states have also passed ransomware legislation, but the Record by Recorded Future explains that state governments have received pushback from critics and party leaders when attempting to follow in their footsteps. New York State Senator Diane Savino, whose bill banning ransomware payments did not make it onto the Senate floor this year, explained, “I think in a lot of states, what they don’t understand, they don’t know how to write laws for. We were really trying to spur a public conversation at the state level about what we can do to improve conditions so that we reduce our risks and we make ourselves less vulnerable to these ransomware attacks.” Savino says more coordination between New York’s Office of Homeland Security and local entities could help state and city leaders better understand the threat and how to combat it.