Twitter whistleblower cites ‘ticking bomb’ of national security risks

A sign outside of the Twitter office building in San Francisco. The company’s former head of security alleges its lapses in handling data threatened U.S. national interests.
(Jeff Chiu / Associated Press)

Twitter’s security lapses were so grave that they threatened national security and far outpaced U.S. regulators’ ability to police them, the company’s former head of security-turned-whistleblower told senators Tuesday.

Speaking before the Senate Judiciary Committee, Peiter Zatko, also known by his hacker name “Mudge,” said Twitter was a decade behind necessary security upgrades, which he described as a “ticking bomb of security vulnerabilities.” He detailed several cases in which Twitter prioritized profit over addressing the risks on its influential platform.

“Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process and America’s national security,” Zatko said in the hearing.

He also said the company’s leadership “repeatedly covered up its security failures by duping regulators and lying to users and investors.”

Sitting alone at a table facing the dais of senators, Zatko painted a picture of a company that collected vast amounts of user data but was only able to understand how a fraction of the information — about 20% — was used and allowed many employees a dangerous level of access to that information. Even though Twitter was under a 2011 consent decree from the Federal Trade Commission to address security lapses, Zatko said U.S. regulators — and the one-time fees they use as deterrents — are ineffective compared with their foreign peers such as France’s data protection agency.

“The FTC is in a little bit over their head” policing powerful companies such as Google, Facebook and Twitter, Zatko said. “They’re left letting companies grade their own homework.”


Zatko, 51, first testified before Congress in 1998, warning a Senate committee about fundamental weaknesses in the internet’s infrastructure. He then went on to work at the U.S. Defense Advanced Research Projects Agency, Alphabet’s Google and the payment service Stripe before being hired by Twitter founder and former Chief Executive Jack Dorsey in 2020 to help address security concerns.

He was fired in January 2022 over what the company said were performance shortcomings.

Twitter declined to comment in advance of the testimony. But in an email to employees after Zatko filed his complaint with regulators, Twitter CEO Parag Agrawal disputed the allegations.

“We’re reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” he wrote.

Zatko’s allegations come as Twitter prepares to go to court to force Tesla CEO Elon Musk to complete a $44-billion deal to buy the company. Zatko’s whistleblower complaint backed up Musk’s concern about the prevalence of automated accounts known as bots, an issue likely to feature prominently in the Oct. 17 trial in a Delaware court, but Tuesday’s hearing focused on security shortcomings.


Lawmakers raised concerns in particular about Mudge’s allegations that Twitter has allowed foreign agents to operate on its payroll and acquiesced to the demands of adversaries such as China. Judiciary Chairman Richard J. Durbin, a Democrat from Illinois, compared the trust users place in Twitter to safeguard their data with the trust they place in a bank — but “at Twitter the vault is wide open,” he said.

“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” Durbin said.


Iowa Sen. Charles E. Grassley, the committee’s top Republican, said Mudge’s disclosures “paint a disturbing picture of a company that’s solely focused on profits at any expense.”

Grassley said Twitter’s Agrawal was invited to Tuesday’s hearing to respond to the allegations, but declined because he claimed it could interfere with the ongoing litigation with Musk.

“The business of this committee, and protecting Americans from foreign influence, is more important than Twitter’s civil litigation in Delaware,” Grassley said, adding that Agrawal should step down from Twitter if the allegations are true.

Zatko pleaded with lawmakers to pass protections for whistleblowers who want to come forward while they are still at the companies. He also said any privacy legislation should involve audits and quantifiable results that couldn’t be gamed by technology platforms.

There is bipartisan support for new internet regulation to protect user privacy and security, but current proposals have failed to gain much traction as Congress focuses on other priorities.

Sen. Richard Blumenthal (D-Conn.) called for a new technology-focused regulator that could help shift the balance of power between immensely profitable companies and the agencies charged with protecting consumers.

“To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming and energizing our regulatory apparatus,” Blumenthal said. “Clearly what we’re doing right now is not working.”