Does Twitter Have A Deeper Data Cybersecurity Problem? Experts Think So

The former security chief of Twitter (TWTR) warned lawmakers and regulators last month that the social platform apparently had neither the incentive nor the resources to properly measure the full scope of bots on its platform, according to a 200-page whistleblower disclosure.

Twitter currently has more than 330 million active monthly users, and based on this disclosure, it seems the service is doing little to protect their data, experts warn.

Peiter "Mudge" Zatko, who has been described as a veteran cybersecurity expert widely respected in the industry, filed the disclosure with the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), and the Department of Justice (DoJ) in July.

Whistleblower Aid, a nonprofit that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.

Zatko alleged that Twitter suffered from a range of other security vulnerabilities and had done little to fix them, reported CNN, which along with The Washington Post had first seen the disclosure.

In a statement in response to the whistleblower complaint, a Twitter spokesperson told NBC News that Zatko's account was "a false narrative," and added that Zatko was fired because he displayed "ineffective leadership and poor performance."

Whistle Has Been Blown

A number of experts have weighed in on exactly what this might mean for not only users of the platform, but also how lawmakers should respond.

"These concerns – user security and Twitter compliance with a 2011 FTC consent order – are miles away more appropriate areas for government action than the politically motivated speech and antitrust rumblings against 'Big Tech' that we hear coming out of Washington," explained Jessica Melugin, director of the Center for Technology and Innovation at the Competitive Enterprise Institute.


Melugin suggested that these are the types of issues that lawmakers should be more focused on when it comes to social media rather than antitrust and politically motivated speech.

"While we don't yet know the validity of the claims of the report, these are the issues regulators and lawmakers should focus on instead of breaking up or handicapping some of America's most successful companies," Melugin continued.

One of the biggest concerns is that Twitter essentially misled investors and the FTC, and downplayed the issues of spam and security on the platform.

"This is one of those situations where the reputation of the whistleblower itself immediately lends legitimacy to the allegations," said Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

It may be easy to dismiss what happens on social media as trivial, but its reach is greater than many mainstream media outlets.

Any vulnerabilities that could allow malicious actors to abuse those platforms introduce the risk of sowing discord and conflict, but could also be potential sources of intelligence for espionage operations by hostile foreign agencies, added Clements.

An effective cybersecurity defense should begin at the very highest level, but this may not have been the case at Twitter. Past reports such

"Statements reportedly made by former Twitter CEO Jack Dorsey in the past around cybersecurity are concerning and could explain the cause of some of the allegations that have come to light," Clements added, noting how Dorsey had dismissed claims of lax cybersecurity and was reported to have suggested, "Those guys like to whine a lot."

Lax Security

Even as the social media platform attempted to paint a rosy picture, and often encouraged users to adopt better security practices, including multi-factor authentication, the security in-house had serious issues. According to the complaint, there were some 20 breaches just in 2020, while Twitter has failed to prioritize the removal of spam or bot accounts.

In addition, Zatko has alleged that Twitter has never actually been in compliance with an agreement it made with the FTC in 2011 to protect users' personal information, and that it fails to monitor "insider threats," including employees or contractors who may use their positions to steal information.

"It underscores the extent to which security that is treated as merely a technical issue is doomed to fail. Cybersecurity policies and practices need to have the full support of the organization, including its board and leadership. If the whistleblower's allegations are true, security was—at best—an afterthought for Twitter’s leadership," said Patrick Dennis, CEO at cybersecurity firm ExtraHop.

"It (also) sheds new light on what many hinted at during the Elon Musk takeover bid: the Twitter platform itself has serious vulnerabilities that the company isn't taking seriously at all," added Dennis.

Musk had claimed that he pulled out of the deal to purchase Twitter, following the platform’s refusal to provide relevant data regarding the prevalence of bots.

"Given their refusal to acknowledge or deal with the bot problem in any material way, it should come as no surprise that Twitter also lacks the willingness to address other major security concerns regarding the privacy and safety of its users," Dennis suggested.

Whistle Blow Over?

It is unlikely these allegations will simply blow over, and they could affect all of social media.

"The allegations will definitely have a long-term effect on Twitter and possibly how other social media platforms manage the security of their platforms," suggested Javvad Malik, security awareness advocate at KnowBe4.

"'Mudge' is a long-standing and well-respected member of the security community, and while it appears as if there could be an underlying clash of personalities with Twitter CEO Parag Agrawal, these should not detract from the quite serious security issues that have been highlighted," said Malik. "The organization needs to foster and build a culture of security from within, one where weaknesses can be openly discussed, and not hidden under the rug."

This will certainly have lasting repercussions, but it is unclear how it will affect Twitter in the short term.

"In terms of what consequences Twitter will face, I expect that regulators in the EU will be very keen to understand how consumer data has been mismanaged for purposes of GDPR (General Data Protection Regulation). I expect similar investigations in California under CPA (Consumer Privacy Act of 2018)," said Dennis.

Federal authorities should take seriously any allegations that Twitter employees are working for a foreign intelligence service, as such infiltration could undermine our democracy.

"There has long been speculation about tech company employees being planted by nation-state governments," added Dennis. "If this is true, it could bring substantially more scrutiny around hiring practices."
