A combination of lax cybersecurity controls and poor judgment has repeatedly exposed Twitter to a range of foreign intelligence risks, according to Zatko, who was Twitter’s chief security officer from November 2020 until he was fired in January.
From taking money from unreliable Chinese sources to suggesting the company give in to Russian censorship and surveillance demands, Twitter executives including now-CEO Parag Agrawal have knowingly put Twitter users and employees at risk in pursuit of short-term growth, Zatko alleges.
CNN sought comment from Twitter on more than 50 different questions in response to the general disclosure, along with specific questions about the allegations outlined in this story. Twitter did not respond to CNN̵[ads1]7;s questions about foreign intelligence risks, but a spokesperson for the company has said that overall Zatko’s claims are “riddled with inconsistencies and inaccuracies, and lack important context.”
The national security allegations are part of an explosive, nearly 200-page disclosure to Congress, the Justice Department and federal regulators that accuse Twitter’s management of covering up critical vulnerabilities in the companies and deceiving the public. Zatko, a longtime cybersecurity expert who has held senior roles at Google, Stripe and the Department of Defense, submitted his disclosure to authorities last month after what he described as months of unsuccessful attempts to raise the alarm at Twitter about the dangers it faced. While the disclosure to Congress has been redacted to omit sensitive details related to the national security requirements, a more comprehensive version with supporting documents has been provided to the Senate Intelligence Committee and to the DOJ’s National Security Division, according to the disclosure.
Among the allegations, the whistleblower’s disclosure alleges that the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, was working for another government’s intelligence agency. The disclosure does not say whether Twitter acted on the US government’s tip or whether the tip was credible.
Twitter’s alleged failure could potentially open the door to all three possibilities.
In response to the revelation, the Senate Intelligence Committee’s top Republican, Marco Rubio, promised to look into the allegations.
“Twitter has a long history of making really bad decisions about everything from censorship to security practices. That’s a big concern given the company’s ability to influence the national discourse and global events,” Rubio said. “We are treating the complaint with the seriousness it deserves and look forward to learning more.”
“The fact that Twitter’s current CEO even suggested that Twitter became complicit with the Putin regime is cause for concern about Twitter’s effects on US national security,” Zatko’s disclosure said.
Twitter is also in a compromised position in China, the disclosure to Congress claims. The company has reportedly accepted funding from unnamed “Chinese entities” that now have access to information that could eventually expose people in China illegally circumventing government censorship to view and use Twitter.
“Twitter executives knew that accepting Chinese money risked putting users in China at risk,” the disclosure said. “Mr. Zatko was told that Twitter was too dependent on the revenue stream at this point to do anything other than try to grow it.”
This security breach, which was first uncovered in 2019, underscores the seriousness of Zatko’s allegations, which describe Twitter as an extremely porous organization with disturbingly lax cybersecurity controls compared to its peers. In order to do their jobs, roughly half of Twitter employees have excessive permissions that grant access to live user data and the active Twitter product, according to the disclosure, a practice Zatko says is a significant departure from the standards of other large technology companies where access is tightly controlled and employees largely work in special sandboxes isolated from the consumer-facing product. “Every engineer” at the company, Zatko claims, “has a complete copy of Twitter’s proprietary source code on his laptop.”
Twitter has told CNN that its handling of the source code is not outside of industry practice, and that Twitter’s engineering and product teams are authorized to access the company’s live platform if they have a specific business reason to do so.
The company also said it uses automated controls to ensure that laptops running outdated software cannot access the production environment, and that employees can only make changes to Twitter’s live product after the code meets certain registration and review requirements.
The disclosure claims that Twitter has trouble mitigating its cybersecurity risks because it can’t control, and often doesn’t know, what employees can do on their work computers. Data Zatko reveals from Twitter’s internal cybersecurity dashboard shows that four out of 10 employee devices — representing thousands of laptops — don’t have basic protections enabled, such as firewalls and automatic software updates. Employees are also able to install third-party software on their computers with few technical limitations, the disclosure says, which on several occasions has reportedly resulted in employees installing unauthorized spyware on their devices at the behest of outside organizations.
In its responses to CNN, Twitter said employees use devices monitored by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it runs outdated software.
Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to a person familiar with Zatko’s position at the company. The person added that some of Zatko’s statistics around device security lacked credibility and were derived by a small team that did not properly consider Twitter’s existing security procedures.
John Tye, founder of Whistleblower Aid and Zatko’s attorney, told CNN “we absolutely stand by the content of Mudge’s disclosure.”
Unnecessary access and limited oversight of employee behavior create opportunities for insider threats like the Saudi operator, but the Saudi government wasn’t the only one seeking greater access to Twitter’s internal systems, Zatko claims.
The Indian government successfully “forced” Twitter to hire agents working on its behalf, the disclosure says, “who (due to Twitter’s fundamental architectural flaws) would have access to massive amounts of Twitter-sensitive data.” Twitter has withheld that fact from its public transparency reports, the disclosure adds.
Many tech platforms are global enterprises, and in some cases, as with Russia’s efforts to force tech companies to open local headquarters, their employees can become unwitting leverage points for governments seeking to exert pressure on the companies. Company and user data stored on or accessible to employee computers may be at risk of being accessed or seized by local authorities. The employees themselves, or their families, may be at risk of being threatened or coerced.
Twitter’s business practices undermine not only the interests of the United States but also the interests of all democratic nations, the disclosure claims, citing the company’s handling of a Nigerian government decision to block Twitter for several months last year over a presidential tweet that was widely interpreted as a threat to some Nigerian citizens and then removed by Twitter.
Despite Twitter’s claims to have been in negotiations with Nigeria after it suspended the company, those talks never actually took place, Zatko claims. Twitter’s alleged misrepresentations about engaging the Nigerian government not only hurt the company’s investors, the disclosure says, but also gave Nigerian officials cover to demand far greater concessions from Twitter than the company would have otherwise given.
The admissions, according to Zatko’s disclosure, have “harmed the freedom of expression and democratic accountability of Nigerian citizens.”