Twitter Security Allegations: Cybersecurity Experts RespondTakeaway: Behind-the-Scenes Security Reality at Well-Known Brands Not Always Pretty
To recap: Peiter Zatko sent a whistleblower complaint to the federal government, alleging in part that Twitter continued to have "extreme, egregious deficiencies" in its security posture. Zatko, who's also known as "Mudge," was hired by then-Twitter CEO Jack Dorsey in July 2020 as the company's first-ever security head. His hiring followed a series of embarrassing security failures at Twitter, including some high-profile authentic accounts - owned by Elon Musk and Joe Biden, for starters - getting seized by scammers to push cryptocurrency. Dorsey tasked Zatko with working with the company's then CISO, Rinki Sethi, to fix the problems.
The complaint was filed on Zatko's behalf by Whistleblower Aid with the Securities and Exchange Commission, Department of Justice and Federal Trade Commission, as well as with congressional committees that have jurisdictions that concern Twitter (see: Twitter's Ex-Security Chief Files Whistleblower Complaint).
Zatko, who reported directly to the CEO, believes his efforts to improve Twitter's security ultimately led to his being fired by Dorsey's replacement, Parag Agrawal, who, before assuming CEO duties in November 2021, served as CTO and overseen security decisions.
Zatko's attorneys at Katz Banks Kumin LLP say that after attempting to escalate the problems he'd found to senior management and the board, in December 2021 - the month before he was fired - their client "began the lawful disclosure process and exhausted internal channels before contacting law enforcement agencies." It's not clear exactly what they mean by lawful disclosure. Zatko's allegations suggest that Twitter violated a 2011 settlement agreement with the Federal Trade Commission. In part, that settlement requires Twitter to "establish and maintain a comprehensive information security program."
As a whistleblower, Zatko's complaint earns him legal protection, and potentially a reward if Twitter should be sanctioned and pay a fine.
The allegations from Zatko that have been publicly released suggest that Twitter's information security program isn't world-leading. Here are just several of his allegations:
- At least two nations snuck intelligence agents onto Twitter's payroll, giving them access to personally identifiable information for millions of users;
- Poor access controls failed to keep many employees from inappropriately accessing PII;
- More than half of the company's servers kept inside data centers operate with "non-compliant" kernels or operating systems, and many servers can't support encryption;
- 40% of Twitter's 10,000 corporate laptops were not in compliance with "basic security settings," while 30% "do not have automatic updates enabled."
Full Details Not Yet Available
One challenge with assessing Zatko's allegations is that only partial details have been publicly released.
Twitter has strongly disputed the allegations that have become public. A spokesperson tells Information Security Media Group that Zatko is pedaling "a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context." The company says it fired Zatko in January for "ineffective leadership and poor performance."
Zatko, however, "stands by everything in his disclosure, and his career of ethical and effective leadership speaks for itself," says John Tye, chief disclosure officer for Whistleblower Aid. "The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower."
Twitter's PR strategy hasn't been lost on other cybersecurity experts.
"He filed an SEC complaint, this isn't a Medium post," says Rich Mogull, a former Gartner analyst who's CEO of Securosis. "This is not someone you want to face on the stand across from you."
"Allegations resorting to a smear campaign against him is a really stupid idea" for Twitter, says Robert M. Lee, CEO of Dragos. "His character, skills, leadership, etc. are some of the most beloved and well documented in the community. Your response is telling. Focus on the facts."
While criticizing Twitter's "'disgruntled employee' PR playbook," British cybersecurity expert Kevin Beaumont notes that Twitter has likely already been attempting to address problems flagged by Zatko.
It's also clear to me Twitter is understaffed, while also being a money furnace. You can't automate and AI your way out of basic security challenges.
In fairness to Twitter and the board, I'm willing to bet by now they're already on the road to turning that around.— Kevin Beaumont (@GossiTheDog) August 23, 2022
"To be clear, it's extremely common to find security behind the scenes at orgs to not be as rosy as people might imagine," Beaumont says.
'Repeatedly Raised Concerns'
Zatko's attorneys say their client "repeatedly raised concerns about Twitter's grossly inadequate information security systems to the company's executive committee and board of directors throughout his tenure." They say his efforts to address these problems brought him into conflict with Agrawal, as well as with the head of the risk committee, Omid Kordestani.
"Zatko put his career on the line because of his concerns about Twitter users, the public and the company's shareholders," his attorneys say.
For anyone who was in a security or privacy leadership role at Twitter during the time period covered by Zatko's complaint, attorney Whitney Merrill recommends they "immediately retain" their "own, independent counsel and make sure the Twitter's E&O insurance coverage will pay," referring to errors and omissions - aka professional liabilities - insurance designed to protect professionals from mistakes they or their company may have made.
Some anecdotal evidence continues to suggest there are still deficiencies in Twitter's security practices and posture. For example, Al Sutton, CTO at software services and solutions provider Snapp Automotive, says that more than a year and a half after his Twitter employment ended, the company has failed to remove certain access rights.
If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees GitHub commiters group. https://t.co/j02GpKdKor pic.twitter.com/zqmj7PyaZM— Al Sutton (@alsutton) August 23, 2022
Responding to what Sutton has said, former National Security Agency offensive hacker Jake Williams, who's head of cyber-threat intelligence at Scythe, says of Twitter that "when they're publicly failing at such a critical part of the leavers part of your movers/joiners/leavers program, it's a stretch not to believe" Zatko's allegations.
Twitter CISO Seeks Fresh Talent
Despite the bad headlines that Zatko's complaint is generating, Twitter's security leadership has publicly stated that it's constantly seeking to improve.
Hey folks! If you don't know me, I'm the CISO of @Twitter - I run the information security, privacy engineering, and IT teams.
We've got a bunch of roles open across infosec, privacy eng + legal, and IT. Come help Twitter build great things which respect our users! — Lea Kissner (@LeaKissner) August 18, 2022
Of course problems don't get fixed overnight, even once they've been properly identified and resourced. But with Twitter serving an essential function in today's society, fixing them will be essential. If Zatko's allegations against Twitter are true, it's essential that the company's senior leaders rededicate themselves to collectively not hide, but instead remediate multiple cybersecurity problems.
Meanwhile, one common message from the cybersecurity community to the cybersecurity professionals working inside Twitter is simple: We've got your back.
"Whatever your opinion is, just remember there's a whole security team at Twitter staffed with real people doing their best work who aren't in a position to share their perspective," says software engineer Chris Rohlf.
Because - providing they get proper backing - who else is going to fix Twitter's alleged security problems?