Ex-Twitter Security Honcho Peiter Zatko Faces Senate Panel
Appearing on Capitol Hill, Peiter Zatko Accuses Executives of Prioritizing Profits
Poor decision-making by Twitter's executives jeopardizes the security of users, a former cybersecurity executive turned whistleblower at the company today told a Senate panel.
Appearing before the Senate Judiciary Committee on Tuesday, Peiter Zatko, Twitter's cybersecurity chief until he was fired in January, accused the company of misleading regulators and its board of directors on the level of security protections.
"When an influential media platform can be compromised by teenagers, thieves and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us," he told senators.
A Twitter spokesperson in a statement dismissed Zatko's allegations, saying the hearing "only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies." Internal access to data is subject to access controls and monitoring and detection systems, the spokesperson added.*
In July 2020, then-Twitter CEO Jack Dorsey hired Zatko following a series of embarrassing security failures, including teenagers having compromised accounts for the likes of Elon Musk, Bill Gates and Joe Biden, using them to run cryptocurrency scams.
Dorsey's mission for Zatko was ostensibly simple: Fix the company's security shortcomings. Zatko is a veteran security researcher also known by his handle, "Mudge." Last month he filed a whistleblower complaint with the federal government, alleging in part that Twitter continued to have "extreme, egregious deficiencies" in its security posture (see: Twitter's Ex-Security Chief Files Whistleblower Complaint).
In his testimony, Zatko described a corporate culture caught in a cycle of continually reacting to one crisis until it was replaced by another. He was subpoenaed to appear Tuesday before the Senate Judiciary Committee. "Twitter doesn't just have access to your tweets and email address. They also have access to all of the data necessary to directly access your device and even pinpoint your exact location," said Sen. Dick Durbin, the Illinois Democrat who chairs the committee.
About half of the company's staff - roughly 4,000 employees - are engineers and have relatively unrestricted and unmonitored access to the data Twitter holds on its users, Zatko said.
"It's not farfetched to say that an employee inside the company could take over the accounts of all of the senators in this room," he told the panel.
Those engineers don't work with development, testing and staging environments, but instead on live production systems, he said. As a result, they see real user data at all times, rather than anonymized versions for testing purposes.
One concern some employees relayed to him, Zatko reported, was that engineers inside the organization had a la carte access to that stored information. Yet Twitter lacked a system for logging who was accessing which types of information.
"There were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing," he said. The lack of logging, he said, is "a remnant of being so far behind on their infrastructure and the engineering, and the engineers not being given the ability to put things in place to modernize."
"Why would Twitter not create a tracking or a logging system?" asked Sen. Mike Lee, a Utah Republican. "Particularly because they know that many foreign governments, like India, Nigeria and China specifically, want to access that data to find, root out and punish dissidents."
Among the problems Zatko alleged in his whistleblowing complaint was that multiple nations - including China and India - appeared to have agents on Twitter's payroll.
Zatko said one executive's response to his concerns about foreign agent infiltration was, "Well, since we already have one, what is the problem if we have more? Let's keep growing the office."
He also described a company that appeared to be violating the 2011 settlement agreement it signed with the Federal Trade Commission requiring it to "establish and maintain a comprehensive information security program" for the next two decades.
Twitter already agreed in May to pay a $150 million civil penalty to the FTC to settle charges that it used email addresses and phone numbers collected for security purposes for marketing purposes.
During testimony today, Zatko said the company wasn't forthcoming with the FTC on its inability to fully scrub from its servers the data of users who ask for their accounts to be deleted.
"I was told straight out by the chief privacy officer that the FTC had come and asked, 'Does Twitter delete users' information?'" Zatko said. "He said, 'I need you to know this because other regulators are asking us, and this ruse is not going to hold up.'" Zatko earlier told the panel that Twitter can't fully delete former users' data because it's not always sure where it's stored.
Twitter collects information such as the latest IP address users use to connect to the service, other IPs used in the past, current and former emails, where the company believes the user to live and the device and browser used to connect to Twitter, Zatko said.
Zatko also said Twitter is much more concerned about foreign regulators than the FTC. French regulator the National Commission on Informatics and Liberty - known as CNIL - "terrified Twitter in comparison to the FTC," he said. One-time fines such as those levied by the FTC "are priced in" to the operations of the company, which reported revenue of nearly $1.6 billion last year.
"One-time fines didn't bother Twitter at all," Zatko said.
Toward the end of the hearing, Sen. Lindsey Graham said he was writing legislation with Sen. Elizabeth Warren that could create a new agency to regulate matters such as digital privacy and content moderation. The Republican from South Carolina and the Democrat from Massachusetts make an odd pairing, Graham acknowledged.
"But Elizabeth and I have come to believe that it's now time to look at social media platforms anew. And we have this general understanding among ourselves that the regulatory system regarding social media is not working effectively," he said.
Notably not present at the Tuesday hearings was Twitter's CEO. "He rejected this committee's invitation to appear by claiming that it could jeopardize Twitter's ongoing litigation with Elon Musk," said Chuck Grassley of Iowa, the committee's ranking Republican member. Since "many of the allegations directly implicate" Parag Agrawal, he added that the CEO "should be here to address them."
Musk, CEO of auto manufacturer Tesla and rocket manufacturer SpaceX, famously agreed to buy Twitter for $44 billion, later backing out and facing litigation by the Twitter board for him to consummate the deal. Twitter shareholders today voted in favor of Musk's acquisition.
Musk's latest legal salvo against the company is a Sept. 9 letter arguing that Zatko's $7.75 million separation agreement with Twitter was made without Musk's consent or knowledge. The company and Zatko executed the agreement on June 28, Musk wrote.
The world's richest man tweeted shortly after the hearing's conclusion, "My tweets are being suppressed!"
*Update Sept. 13, 2022, 20:02 UTC: Adds comments from Twitter.