Twitter executives put profits above security, leaving the door open for infiltration by foreign agents and hackers, the company’s former chief of security told Congress on Tuesday.
“Twitter’s leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Peiter Zatko testified during a Senate Judiciary Committee hearing. “The company’s cybersecurity flaws make it vulnerable to exploitation, causing real harm to real people.”
Zatko, also known by his hacker name Mudge, was hired to lead security at Twitter in 2020, after teen hackers took over high-profile verified accounts. He was fired in January of this year. In an 84-page federal whistleblower complaint made public last month, he accused the company of practicing lax security, neglecting user privacy, violating a 2011 agreement with the Federal Trade Commission and knowingly employing agents of foreign governments who had access to internal systems and data.
His accusations have set off alarm bells in Washington, given Twitter’s role as a place government leaders, dissidents and businesses go to spread their message.
The Zatko revelations have also put a new spin on Twitter’s legal battle with Tesla CEO Elon Musk, who is trying to back out of a $44 billion deal to buy the company. The billionaire has seized on Zatko’s claims as further justification for abandoning the purchase without penalty.
In Tuesday’s hearing, which lasted more than two hours, Zatko painted a portrait of a company plagued by widespread security problems and unable to control the data it collects. Calm and measured, he leaned on his expertise, explaining the technical details of Twitter’s systems with real-world examples of how information held by the company could be misused.
“It is not unreasonable to say that an employee within the company could take over the accounts of all the senators in this room,” he warned.
After the hearing, Twitter rejected Zatko’s claims. “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a company spokesman said in a statement.
Here are five takeaways from the hearing:
Twitter was warned that it hired a Chinese spy
Zatko argued that the company is highly vulnerable to abuse by foreign intelligence agents, but is unable or unwilling to root them out.
A week before he was fired in January, he testified, the FBI told Twitter’s security team that at least one agent from China’s Ministry of State Security was on the company’s payroll. Zatko said that while he found it unsettling, given “the state of the Twitter environment,” he wasn’t surprised.
“If you are not putting foreign agents inside Twitter, because it is very difficult to detect them [and] it is very valuable for a foreign agent to be in there; as a foreign intelligence company, you are most likely not doing your job,” he said.
Zatko also alleged that the Indian government had placed an agent inside Twitter. He testified that Twitter had trouble identifying potential infiltration by foreign agents and was usually only able to do so when notified by outside agencies. The company was “unwilling to go out of its way” to hunt down the bad guys within its ranks, he said.
“I remember a conversation with an executive when I said, ‘I’m sure we have a foreign agent,’” Zatko recalled. “Her response was, ‘Well, since we already have one, what does it matter if we have more?’”
Twitter says its hiring process is independent of foreign influence.
Zatko attributes Twitter’s failures to its leaders, starting with CEO Parag Agrawal
Zatko squarely blamed Twitter’s vulnerabilities on a leadership team he described as reactive, incompetent and motivated by profit over security.
“I saw that Twitter was a risk- and crisis-managed company, rather than one that manages risk and crises. It would react to problems too late,” Zatko told senators.
Executives, he alleged, ignored warnings from him and other employees about Twitter’s security flaws because they “lacked the competence to understand the scope of the problem.”
Zatko described a company culture that eschewed negativity, in which executives selectively presented favorable information to the board.
“There was an internal culture of just reporting good results,” he said.
He accused leadership of prioritizing business over safety, quoting writer Upton Sinclair: “It’s hard to get someone to understand something when their salary depends on their not understanding something.”
Republican Sen. Charles Grassley of Iowa, the committee’s ranking member, criticized Twitter’s chief executive, Parag Agrawal, for turning down an invitation to testify alongside Zatko on Tuesday. He said Agrawal had refused because of Twitter’s court battle with Musk.
“The business of this committee and protecting Americans from foreign influence is more important than Twitter’s civil litigation in Delaware,” Grassley said. “If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”
Twitter can’t control the data it collects, Zatko alleges
When Zatko joined Twitter, he said, he was surprised that the company continued to have recurring security flaws, “the same number, year after year.”
The root cause, he told senators, is that Twitter doesn’t understand how much data it collects, why it collects it, and how it’s supposed to be used.
That includes users’ phone numbers, IP addresses, emails, the devices they use, their locations, and other identifying information. Plus, he said, about half of Twitter employees have access to that data.
“It doesn’t matter who has the keys if you don’t have locks on the doors,” he said. “The concern that someone with access inside Twitter … could search and find this information and use it for their own purposes.”
Zatko said that also raised red flags that Twitter might not be complying with its 2011 agreement with the FTC over misuse of email addresses that it told users it was collecting for security reasons but then used for marketing. (In May, the FTC fined Twitter $150 million for violating that agreement.)
“How come we keep making these same mistakes?” Zatko said. “What are we telling the FTC as Twitter that is wrong?”
Democratic Sen. Dick Durbin of Illinois, chairman of the committee, compared Twitter to a bank and said users expect the company to protect the information they use when they sign up for accounts. “Twitter is an immensely powerful platform that cannot afford huge security vulnerabilities,” he said.
Twitter says it controls employee access to data through a variety of measures, including background checks, screening systems and other controls.
Lawmakers also call out regulators
Twitter management was not the only target in the hearing. The senators denounced the government’s failure to respond effectively to the risks posed by technology companies.
“I am concerned that for almost 10 years, the Federal Trade Commission did not know or did not take strong enough action to ensure that Twitter complied” with the 2011 agreement, Grassley said.
Zatko characterized the regulator as outmatched by the deep pockets of Silicon Valley. “Honestly, I think the FTC is in a little over its head, compared to the size of the big tech companies,” he said. “They’re left letting companies grade their own homework.”
Sen. Richard Blumenthal, D-Conn., called for the creation of a new federal agency to protect user privacy and security. “To address this problem effectively, we must not only insist on restructuring the company, but probably also restructuring, reforming and streamlining our regulatory apparatus,” he said.
Democratic Sen. Amy Klobuchar of Minnesota said Congress must address its own shortcomings. Despite bipartisan concern about the impact of tech companies, “we haven’t passed a single bill in the U.S. Senate when it comes to competition, privacy, agency funding, child protection,” she said.
Outside the Capitol, the Twitter-Musk drama unfolds
Shortly after the hearing ended, Twitter shareholders voted to approve Elon Musk’s deal to buy the company, a formality that had to happen even though the two sides are headed to court in Delaware next month.
Musk is trying to cancel the purchase, claiming that Twitter misled him and other shareholders about how it counts the number of fake or spam accounts on the platform.
He has seized on Zatko’s accusations to bolster his claims and added them to his legal arguments in the Delaware Court of Chancery.
During the hearing, Republican Sen. Lindsey Graham of South Carolina asked Zatko if he would buy Twitter, given what he knows.
“I guess that depends on the price,” Zatko said.
On Tuesday, Musk hinted that he was watching Zatko’s testimony. In the first hour of the hearing, the billionaire tweeted a popcorn emoji.