According to Zatko, who was Twitter’s security chief from November 2020 until he was fired in January, a combination of weak cybersecurity controls and poor judgment has repeatedly exposed Twitter to numerous foreign intelligence risks.
From taking money from untrustworthy Chinese sources to proposing that the company give in to Russian censorship and surveillance demands, Twitter executives, including current CEO Parag Agrawal, have put Twitter users and employees at risk in pursuit of short-term growth, Zatko alleges.
CNN sought comment from Twitter on more than 50 different questions about the disclosure as a whole, along with specific questions about the allegations described in this story. Twitter did not respond to CNN’s questions about foreign intelligence risks, but a company spokesman said Zatko’s allegations in general are “filled with inconsistencies and inaccuracies and lack significant context.”
The national security allegations are part of an explosive, nearly 200-page disclosure to Congress, the Justice Department and federal regulators that accuses Twitter’s leadership of covering up critical company vulnerabilities and defrauding the public. Zatko, a longtime cybersecurity expert who has held top positions at Google, Stripe and the Department of Defense, made his disclosure to authorities last month after what he described as months of trying unsuccessfully to sound the alarm at Twitter about the dangers it faced. While the disclosure to Congress is redacted to omit sensitive details related to the national security claims, a fuller version with supporting documents has been provided to the Senate Intelligence Committee and the Homeland Security Division of the DOJ, according to the disclosure.
Among its allegations, the whistleblower’s disclosure claims that the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, and perhaps more, worked for another government’s intelligence service. The disclosure does not say whether Twitter acted on the US government tip or whether the tip was credible.
The whistleblower’s disclosure could further heighten bipartisan concerns in Washington about foreign adversaries and the cybersecurity threat they pose to Americans. In recent years, policymakers have worried about authoritarian governments siphoning off US citizens’ data from hacked or compliant companies; leveraging technology platforms to subtly influence US voters or sow disinformation among them; or exploiting unauthorized access to gather information about human rights critics and other perceived threats to non-democratic regimes.
Twitter’s alleged flaws could open the door to all three possibilities.
In response to the disclosure, the top Republican on the Senate Intelligence Committee, Marco Rubio, promised to investigate the allegations further.
“Twitter has a long history of making very bad decisions about everything from censorship to security practices. This is a huge concern given the company’s ability to influence national discourse and global events,” Rubio said. “We are treating the complaint with the seriousness it deserves and look forward to hearing more.”
In the months before Russia invaded Ukraine, Agrawal — then Twitter’s chief technology officer — appeared willing to make major concessions to the Kremlin, according to Zatko’s disclosure. Agrawal proposed to Zatko that Twitter comply with Russian demands that could lead to broad censorship or surveillance, Zatko alleges, recalling an interaction he had with Agrawal at the time. The disclosure did not provide details on exactly what Agrawal suggested. But last summer, Russia passed a law pressuring tech platforms to open local offices in the country or face possible advertising bans, a move that Western security experts have said could give Russia greater leverage over American technology companies. Agrawal’s suggestion was framed as a way to grow users in Russia, the disclosure says, and while the idea was ultimately scrapped, Zatko still saw it as an alarming sign of how far Twitter was willing to go in pursuit of growth, according to the disclosure.
“The fact that Twitter’s current CEO even suggested that Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on US national security,” Zatko’s disclosure said.
Twitter is also in a compromised position in China, according to the disclosure to Congress. The company has allegedly accepted funding from unnamed “Chinese entities” that now have access to information that could eventually unmask people in China who are illegally circumventing government censorship to view and use Twitter.
“Twitter executives knew that accepting Chinese money risked putting users in China at risk,” the disclosure said. “Mr. Zatko was told that Twitter was too dependent on the revenue stream at this point to do anything other than try to grow it.”
Zatko’s 80-page disclosure outlining his allegations, along with nearly two dozen additional supporting documents, comes just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia. The former employee had abused his access to Twitter data to collect information about suspected Saudi dissidents, including their phone numbers and email addresses, and allegedly gave that information to the Saudi government.
This security breach, first discovered in 2019, underscores the seriousness of Zatko’s allegations, which describe Twitter as an extremely porous organization with alarmingly lax cybersecurity controls compared to its corporate peers. Roughly half of Twitter’s employees have broad permissions, beyond what their jobs require, that grant access to live user data and the live Twitter product, according to the disclosure, a practice that Zatko says is a significant departure from the standards at other large technology companies, where such access is tightly controlled and employees work largely in special sandboxes isolated from the consumer product. “Every engineer” at the company, Zatko alleges, “has a full copy of Twitter’s proprietary source code on their laptop.”
Twitter told CNN that its handling of source code is not outside industry practice, and that Twitter’s engineering and product teams are allowed to access the company’s live platform only if they have a specific business justification for doing so.
The company also said it uses automated checks to ensure that laptops with outdated software can’t access the production environment, and that employees can only make changes to Twitter’s live product after the code meets certain maintenance and record-review requirements.
The disclosure alleges that Twitter has trouble reducing its cybersecurity risks because it can’t monitor, and often doesn’t know, what employees may be doing on their work computers. Data from Twitter’s internal cybersecurity dashboards, which Zatko disclosed, show that four in 10 employee devices, representing thousands of laptops, do not have basic protections such as firewalls and automatic software updates turned on. Employees can also install third-party software on their computers with few technical restrictions, the disclosure says, which on several occasions has allegedly resulted in employees installing unauthorized spyware on their devices at the behest of outside organizations.
In its responses to CNN, Twitter said that employees use devices monitored by its IT and security teams, which have the power to prevent a device from connecting to sensitive internal systems if it runs outdated software.
Twitter has internal security tools that the company tests regularly, and every two years by outside auditors, according to a person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s statistics about device security lacked credibility and were produced by a small team that did not properly account for Twitter’s existing security procedures.
John Tye, founder of Whistleblower Aid and Zatko’s attorney, told CNN that “we absolutely stand by the content of Mudge’s disclosure.”
Improper access and limited oversight of employee conduct create opportunities for insider threats like the Saudi operative, but the Saudi government was not alone in seeking greater access to Twitter’s internal systems, Zatko alleges.
The Indian government has successfully “forced” Twitter to hire agents working on its behalf, the disclosure says, “who (due to Twitter’s core architectural flaws) would have access to large amounts of sensitive Twitter data.” Twitter has hidden this fact from its public transparency reports, the disclosure adds.
In the past year, India’s government has pushed to expand its control over social media within its borders, clashing with Twitter over content removal, forcing tech platforms to appoint legal and law-enforcement liaisons in the country and even raiding local Twitter offices. The person familiar with Zatko’s tenure said the Indian government officials referred to in the disclosure were, in fact, legal and law-enforcement liaisons required by Indian law.
Many tech platforms are global companies, and in some cases, as with Russia’s attempt to force tech companies to open locations, their employees can become unwitting leverage points for governments looking to pressure companies. Corporate and user data stored on or accessible from employee computers may be at risk of being accessed or seized by local authorities. The employees themselves, or their families, may be at risk of being threatened or coerced.
But Twitter’s unique cybersecurity vulnerabilities have made its local offices particularly sensitive targets, Zatko alleges. India, Nigeria and Russia have “sought, with varying success, to force Twitter to hire local [full-time employees] which could be used as leverage,” the disclosure says.
Twitter’s business practices not only…