Twitter’s foreign intelligence problem – CNN
A combination of weak cybersecurity controls and poor judgment has repeatedly exposed Twitter to a number of foreign intelligence threats, according to Zatko, who was Twitter’s head of security from November 2020 until he was fired in January.
From taking money from untrusted Chinese sources to proposing the company give in to Russian censorship and surveillance demands, Twitter executives including now-CEO Parag Agrawal have knowingly put Twitter users and employees at risk in the pursuit of short-term growth, Zatko alleges.
CNN sought comment from Twitter on more than 50 distinct questions in response to the overall disclosure, including specific questions about the allegations outlined in this story. Twitter did not respond to CNN’s questions about foreign intelligence risks, but a company spokesperson has said Zatko’s allegations overall are “riddled with inconsistencies and inaccuracies, and lacks important context.”
The national security allegations are part of an explosive, nearly 200-page disclosure to Congress, the Justice Department and federal regulators that accuses Twitter’s leadership of covering up critical company vulnerabilities and defrauding the public. Zatko, a longtime cybersecurity expert who has held senior roles at Google, Stripe and the Defense Department, submitted his disclosure to authorities last month after what he described as months of trying unsuccessfully to sound the alarm inside Twitter about the dangers it faced. While the disclosure to Congress is edited to omit sensitive details pertaining to the national security claims, a more complete version with supporting documents has been delivered to the Senate Intelligence Committee and to DOJ’s national security division, according to the disclosure.
Among its accusations, the whistleblower disclosure claims the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, were working for another government’s intelligence service. The disclosure does not say whether Twitter acted on the US government tip or whether the tip was credible.
Twitter’s alleged flaws could potentially open the door to all three possibilities.
In response to the disclosure, the Senate Intelligence Committee’s top Republican, Marco Rubio, vowed to look further into the allegations.
“Twitter has a long track record of making really bad decisions on everything from censorship to security practices. This is a huge concern given the company’s ability to influence the national discourse and global events,” Rubio said. “We’re treating the complaint with the seriousness it deserves and look forward to learning more.”
In the months before Russia invaded Ukraine, Agrawal — then Twitter’s chief technology officer — appeared prepared to make significant concessions to the Kremlin, according to Zatko’s disclosure.
Agrawal’s suggestion was framed as a way to grow users in Russia, the disclosure says, and while the idea was ultimately discarded, Zatko still saw it as an alarming sign of how far Twitter was willing to go in pursuit of growth, according to the disclosure.
“The fact that Twitter’s current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on U.S. national security,” Zatko’s disclosure says.
Twitter is also in a compromised position in China, the disclosure to Congress claims. The company has allegedly accepted funding from unnamed “Chinese entities” who now have access to information that could ultimately unmask people in China who are illegally circumventing government censorship to view and use Twitter.
“Twitter executives knew that accepting Chinese money risked endangering users in China,” the disclosure says. “Mr. Zatko was told that Twitter was too dependent upon the revenue stream at this point to do anything other than try to increase it.”
That security breach, first uncovered in 2019, underscores the gravity of Zatko’s allegations, which describe Twitter as an extremely porous organization with alarmingly lax cybersecurity controls compared to its corporate peers. In order to do their jobs, roughly half of Twitter employees have excessive permissions granting access to live user data and the active Twitter product, according to the disclosure, a practice Zatko says is a significant departure from the standards of other major tech companies where access is tightly controlled and employees largely work in specific sandboxes isolated from the consumer-facing product. “Every engineer” at the company, Zatko alleges, “has a full copy of Twitter’s proprietary source code on their laptop.”
Twitter has told CNN its handling of source code does not fall outside of industry practices, and that Twitter’s engineering and product teams are authorized to access the company’s live platform if they have a specific business justification for doing so.
The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter’s live product after the code meets certain record-keeping and review requirements.
The disclosure alleges Twitter has trouble reducing its cybersecurity risks because it can’t control, and often doesn’t know, what employees may be doing on their work computers. Data Zatko disclosed from Twitter’s internal cybersecurity dashboards shows that 4 in 10 employee devices — representing thousands of laptops — don’t have basic protections enabled, such as firewalls and automatic software updates. Employees are also able to install third-party software on their computers with few technical restrictions, the disclosure says, which on multiple occasions has allegedly resulted in employees installing unauthorized spyware on their devices at the behest of outside organizations.
In its responses to CNN, Twitter said employees use devices overseen by various IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software.
Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to a person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s statistics surrounding device security lacked credibility and were derived by a small group that did not properly account for Twitter’s current security procedures.
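As an added illustration that is not part of the article or any Twitter code, the production-access check the company describes and the dashboard figure Zatko cites can be modelled as a small device-posture gate over an inventory; the device records, the minimum OS build and the unvetted-software rule are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical minimum OS build that counts as "not outdated" (assumption).
MIN_OS_BUILD = 22000

@dataclass(frozen=True)
class Device:
    device_id: str
    firewall_enabled: bool
    auto_updates_enabled: bool
    os_build: int
    unapproved_software: tuple  # packages outside the allow-list

def missing_basic_protections(dev: Device) -> list:
    """Return which of the basic protections the article names are absent."""
    gaps = []
    if not dev.firewall_enabled:
        gaps.append("firewall")
    if not dev.auto_updates_enabled:
        gaps.append("auto_updates")
    return gaps

def may_reach_production(dev: Device) -> bool:
    """Gate from the company's response: outdated software is blocked. This
    example also blocks devices missing basic protections or carrying unvetted
    software (an assumption, stricter than what the page describes)."""
    return (dev.os_build >= MIN_OS_BUILD
            and not missing_basic_protections(dev)
            and not dev.unapproved_software)

def fleet_report(devices):
    """Dashboard-style summary: share of the fleet lacking a basic protection."""
    lacking = [d.device_id for d in devices if missing_basic_protections(d)]
    blocked = [d.device_id for d in devices if not may_reach_production(d)]
    return {"total": len(devices), "lacking_basic": len(lacking),
            "lacking_share": len(lacking) / len(devices) if devices else 0.0,
            "blocked_from_prod": sorted(blocked)}

# Constructed sample inventory (not real data): 2 of 5 lack a basic protection.
FLEET = [
    Device("lap-001", True, True, 22621, ()),
    Device("lap-002", False, True, 22621, ()),                 # no firewall
    Device("lap-003", True, False, 22621, ()),                 # no auto-updates
    Device("lap-004", True, True, 19045, ()),                  # outdated build
    Device("lap-005", True, True, 22621, ("unknown-agent",)),  # unvetted software
]

if __name__ == "__main__":
    print(fleet_report(FLEET))
```

On the constructed fleet the "lacking_share" comes out at 0.4, mirroring the 4-in-10 figure the disclosure cites, while four of the five devices are kept away from production.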
Undue access and limited oversight of employee behavior create opportunities for insider threats such as the Saudi operative, but the Saudi government wasn’t the only one to seek greater access to Twitter’s internal systems, Zatko alleges.
The Indian government has successfully “forced” Twitter to hire agents working on its behalf, the disclosure says, “who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data.” Twitter has withheld that fact from its public transparency reports, the disclosure adds.
Many tech platforms are global enterprises, and in some cases, as with Russia’s attempt to force tech companies to open local headquarters, their employees can become unwitting points of leverage for governments wanting to exert pressure on the companies. Corporate and user data stored on, or accessible by, employee computers could be vulnerable to being accessed or seized by local authorities. The employees themselves, or their families, may be vulnerable to being threatened or coerced.
But Twitter’s unique cybersecurity vulnerabilities have meant that its local offices have become particularly sensitive targets, Zatko alleges. India, Nigeria and Russia have all “sought, with varying success, to force Twitter to hire local [full-time employees] that could be used as leverage,” the disclosure says.
Twitter’s business practices don’t just undermine the United States’ interests but those of all democratic nations, the disclosure alleges, citing the company’s handling of a Nigerian government decision to block Twitter for months last year over a presidential tweet that was widely interpreted as a threat against some Nigerian citizens and subsequently removed by Twitter.
Despite Twitter’s claims to have been in negotiations with Nigeria after it suspended the company, those talks never actually occurred, Zatko alleges. Twitter’s alleged misrepresentations about engaging the Nigerian government not only harmed the company’s investors, the disclosure says, but also gave Nigerian officials cover to demand far greater concessions from Twitter than the company otherwise would have given.
The concessions, according to Zatko’s disclosure, have “harmed free expression rights and democratic accountability for Nigerian citizens.”