From taking money from untrusted Chinese sources to the company’s proposal to give in to Russian censorship and monitoring requirements, Twitter executives, including now-CEO Parag Agrawal, have knowingly put Twitter users and employees at risk in pursuit of short-term growth, Zatko claims.
CNN sought feedback from Twitter on more than 50 different questions in response to the overall disclosure, along with specific questions about the allegations described in this story. Twitter did not respond to CNN’s questions about the dangers of foreign intelligence, but a company spokesman said Zatko’s claims in general are “riddled with inconsistencies and inaccuracies and lack significant context.”
The national security allegations are part of an explosive, nearly 200-page exposé to Congress, the Justice Department and federal regulators that accuses Twitter’s leadership of covering up critical company vulnerabilities and deceiving the public. Zatko, a longtime cybersecurity expert who has held top roles at Google, Stripe and the Department of Defense, filed his disclosure early last month after what he described as months of unsuccessful attempts to sound the alarm within Twitter about the dangers he faced. While the disclosure to Congress has been redacted to omit sensitive details about the national security claims, a more complete version with supporting documents has been provided to the Senate Intelligence Committee and the DOJ’s national security division, according to the disclosure.
Among its charges, the whistleblower disclosure alleges that the US government provided specific evidence to Twitter shortly before Zatko was fired that at least one of its employees, perhaps more, worked for another government intelligence agency. The disclosure does not say whether Twitter acted on the US government’s advice or whether the information was credible.
The whistleblower’s disclosure could further fuel bipartisan concerns in Washington about foreign adversaries and the cybersecurity threat they pose to Americans. In recent years, policymakers have worried about authoritarian governments capturing US citizens’ data from compromised or compliant companies; leveraging technology platforms to subtly influence or misinform US voters; or exploiting unauthorized access to gather information about human rights critics and other perceived threats to non-democratic regimes.
Twitter’s alleged flaws could potentially open the door to all three possibilities.
In response to the revelation, the top Republican on the Senate Intelligence Committee, Marco Rubio, promised to look into the allegations further.
“Twitter has a long history of making very bad decisions about everything from censorship to security practices. This is a huge concern given the company’s ability to influence national discourse and world events,” Rubio said. “We are taking the complaint with the seriousness it deserves and look forward to learning more.”
In the months leading up to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — appeared ready to make major concessions to the Kremlin, according to Zatko’s revelation.
Agrawal suggested to Zatko that Twitter comply with Russian demands that could lead to widespread censorship or surveillance, Zatko claims, recalling an interaction he had with Agrawal at the time. The disclosure does not provide details on exactly what Agrawal proposed. But last summer Russia passed a law pressuring tech platforms to open local offices in the country or face possible advertising bans, a move Western security experts say could give Russia greater leverage over American tech companies.
Agrawal’s proposal was framed as a way to grow users in Russia, the disclosure says, and while the idea was eventually scrapped, Zatko still saw it as a troubling sign of how far Twitter was willing to go in pursuit of growth.
“The fact that Twitter’s current CEO even suggested that Twitter become complicit with the Putin regime raises concerns about Twitter’s implications for US national security,” Zatko’s disclosure said.
Twitter is also in a compromising position in China, the congressional disclosure claims. The company has reportedly accepted funding from unnamed “Chinese entities” that now have access to information that could eventually reveal people in China illegally circumventing government censorship to view and use Twitter.
“Twitter executives knew that accepting Chinese money risked putting users in China at risk,” the disclosure said. “Mr. Zatko was told that Twitter was too dependent on the revenue stream at this point to do anything other than try to grow it.”
Zatko’s 80-page exposé detailing his allegations, along with nearly two dozen additional supporting documents, comes just two weeks after a former Twitter executive was convicted of spying for Saudi Arabia. The former employee allegedly abused his access to Twitter data to collect information on suspected Saudi dissidents, including their phone numbers and email addresses, and allegedly fed that information to the Saudi government.
This security breach, first disclosed in 2019, underscores the seriousness of the allegations by Zatko, who describes Twitter as an extremely porous organization with alarmingly lax cybersecurity controls compared to its corporate counterparts. In order to do their jobs, about half of Twitter’s employees have excessive permissions that provide access to live user data and the active Twitter product, according to the disclosure, a practice that Zatko says is a significant departure from the standards at other large technology companies, where access is tightly controlled and workers largely work in special sandboxes isolated from the consumer product. “Every engineer” at the company, Zatko claims, “has a full copy of Twitter’s proprietary source code on their laptop.”
Twitter told CNN that its handling of source code is outside of industry practices and that Twitter’s engineering and product teams are authorized to access the company’s live platform if they have a specific business justification for doing so.
The company also said it uses automated controls to ensure laptops with outdated software cannot access the production environment and that employees can make changes to Twitter’s live product only after the code meets certain recordkeeping and auditing requirements.
The disclosure claims Twitter has trouble mitigating cybersecurity risks because it can’t control, and often doesn’t know, what employees are doing on their work computers. Data Zatko uncovered from Twitter’s internal cybersecurity dashboards show that four out of 10 employee devices — representing thousands of laptops — don’t have basic protections turned on, such as firewalls and automatic software updates. Employees can also install third-party software on their computers with few technical restrictions, the disclosure says, which in many cases allegedly resulted in employees installing unauthorized spyware on their devices at the behest of outside organizations.
In its responses to CNN, Twitter said employees use devices overseen by other IT and security teams with the power to block a device from connecting to sensitive internal systems if it’s running outdated software.
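The control described above, a device-posture gate that denies production access to laptops running outdated software or lacking basic protections such as a firewall and automatic updates, can be modelled in a few lines. The following is an added example written for this article, not Twitter’s code or anything from Zatko’s disclosure; the policy baseline, the field names and the five-device inventory are all constructed for illustration.

```python
"""Device-posture gate for production access (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed policy baseline (constructed): minimum OS version per platform.
MIN_OS_VERSION: Dict[str, Tuple[int, int, int]] = {
    "macos": (13, 4, 0),
    "windows": (10, 0, 19045),
    "linux": (22, 4, 0),
}
# Endpoint protections that must be on before a device may reach production.
BASIC_PROTECTIONS = ("firewall_enabled", "auto_updates_enabled", "disk_encrypted")


@dataclass
class Device:
    """One row of a (hypothetical) endpoint-management inventory export."""
    device_id: str
    platform: str
    os_version: str
    firewall_enabled: bool
    auto_updates_enabled: bool
    disk_encrypted: bool


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.5' or '10.0.19045' into a padded 3-tuple so comparisons are stable."""
    parts = [int(p) for p in text.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def evaluate(device: Device) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any reason blocks access to production."""
    reasons: List[str] = []
    baseline = MIN_OS_VERSION.get(device.platform)
    if baseline is None:
        reasons.append(f"unknown platform {device.platform!r}")
    elif parse_version(device.os_version) < baseline:
        reasons.append(f"os_version {device.os_version} is below the baseline")
    for name in BASIC_PROTECTIONS:
        if not getattr(device, name):
            reasons.append(f"{name} is off")
    return (not reasons, reasons)


def fleet_report(devices: List[Device]) -> dict:
    """Summarise which devices would be denied and how many lack a basic protection."""
    denied: Dict[str, List[str]] = {}
    missing_basic = 0
    for d in devices:
        allowed, reasons = evaluate(d)
        if not allowed:
            denied[d.device_id] = reasons
        if any(not getattr(d, name) for name in BASIC_PROTECTIONS):
            missing_basic += 1
    return {
        "total": len(devices),
        "denied": denied,
        "share_missing_basic": missing_basic / len(devices) if devices else 0.0,
    }


# Constructed inventory; not real devices.
SAMPLE_DEVICES = [
    Device("lap-001", "macos", "13.5.1", True, True, True),     # compliant
    Device("lap-002", "macos", "12.6.0", True, True, True),     # outdated OS
    Device("lap-003", "windows", "10.0.19045", False, True, True),  # firewall off
    Device("lap-004", "linux", "22.4", True, False, True),      # auto-updates off
    Device("lap-005", "windows", "10.0.19045", True, True, True),   # compliant
]

if __name__ == "__main__":
    report = fleet_report(SAMPLE_DEVICES)
    for device_id, reasons in report["denied"].items():
        print(f"DENY {device_id}: {'; '.join(reasons)}")
    print(f"{report['share_missing_basic']:.0%} of devices lack a basic protection")
```

In a real deployment the inventory rows would come from the endpoint-management system and the decision would be enforced at the VPN or identity-aware proxy rather than in a script; the point here is that every denial carries its reasons, which is what lets an auditor check the control the company describes.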
Twitter has internal security tools that are tested by the company regularly and every two years by outside auditors, according to a person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s device security statistics lacked credibility and came from a small team that didn’t properly consider Twitter’s existing security procedures.
John Tye, founder of Whistleblower Aid and Zatko’s attorney, told CNN “we stand by the content of Mudge’s disclosure.”
Unwarranted access and limited oversight of employee behavior create opportunities for insider threats like the Saudi agent, but the Saudi government wasn’t alone in seeking greater access to Twitter’s internal systems, Zatko claims.
The Indian government successfully “forced” Twitter to hire agents working on its behalf, the disclosure says, “who (due to Twitter’s fundamental architectural flaws) would have had access to massive amounts of sensitive Twitter data.” Twitter hid this fact from its public transparency reports, the disclosure adds.
Over the past year, the Indian government has pushed to expand its control of social media within its borders, clashing with Twitter over content removals, forcing tech platforms to hire legal and law enforcement liaisons in the country and even conducting raids at Twitter’s local offices. The person familiar with Zatko’s tenure said the Indian government agents referred to in the disclosure were actually the legal and law enforcement liaisons required by Indian law.
Many tech platforms are global businesses, and in some cases, as with Russia’s effort to force tech companies to open local headquarters, their employees can become unwitting points of leverage for governments looking to pressure companies. Corporate and user data stored on or accessible from employee computers may be at risk of being accessed or seized by local authorities. The workers themselves or their families may be at risk of being threatened or coerced.
But Twitter’s unique cybersecurity vulnerabilities mean its local offices have become particularly sensitive targets, Zatko claims. India, Nigeria and Russia have “tried, with varying success, to force Twitter to hire locally [full-time employees] which could be used as leverage,” the disclosure states.
Twitter’s business practices do not…