Twitter hack raises concerns among government and security experts
A hack of Twitter last week shook the foundations of the internet, cybersecurity, and political worlds. A gang of young people purportedly obsessed with OGusers, early Twitter adopters with one or two characters in their handles, ostensibly targeted 130 high-profile accounts, reset passwords, and sent messages from the accounts of 45 celebrities. The hacks appear financially motivated, with the attackers fleeing with $121,000 (€105,000) worth of bitcoin generated through the scam messages they sent from the accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk and other personages.
Coming as they did during a period of high paranoia just a few months from the 2020 presidential election, the hacks seem somehow intermixed with the ongoing fear of the kinds of nation-state digital attacks that took place during the 2016 elections. The take-over of what has become a vital political platform attracted the attention of lawmakers, including James Comer (R-KY), the ranking member of the House Committee on Oversight and Reform, who sent a letter to Twitter CEO Jack Dorsey demanding a briefing no later than 24 July.
Comer’s letter came a day after a similar message to Dorsey from US Senator Josh Hawley. Hawley sent a letter amidst the chaos of the initial hacks asking the Twitter CEO to “reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands.” Hawley demanded that once Dorsey dealt with the immediate crisis, he should answer a series of questions, including how the hack occurred and whether it threatened the account security of the most high-profile of all Twitter users, Donald Trump.
A ‘class break’ hack
Twitter issued a statement on Saturday saying it believed “certain employees” had been socially engineered by attackers who used those employees’ credentials to access Twitter’s internal systems, including systems affecting two-factor authentication. The attackers were then able to initiate a password reset, log into the accounts, and send Tweets that appeared to be from the hacked celebrities.
The hackers took the additional step of downloading unspecified personal data from eight of the accounts. Twitter has promised more details as its investigation continues. Still, the company remained mum on a startling New York Times report that provided rich details and timelines on the supposed group of people allegedly responsible for the hacks.
Given the concern over the unprecedented nature of the attack, and its timing so close to the US presidential election, many experts worry that the hacks were merely a trial run for widescale damaging disinformation campaigns or other digital malfeasance that could threaten America’s democracy. Some security experts even suggest that the vulnerability of such a critical platform could ultimately lead to nuclear war.
Cryptography and security expert Bruce Schneier characterised the hacks as a “class break” that disrupted an entire class of systems and wasn’t dependent on the level of Twitter users’ protection, such as two-factor authentication. Technology is not the problem, Schneier argues. The problem is economic and fixing the problem requires regulation and reducing Twitter’s monopoly power.
Twitter as critical infrastructure?
If that’s the case, then an argument could be made that Twitter is more akin to critical infrastructures, such as the power grid or transportation systems, which would warrant the regulation that Schneier mentions. The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety”. Given the reactions that the Twitter hacks spawned in both the political and security worlds, that definition seems more apt than not.
“I think Twitter has emerged as the [political] platform of choice because, frankly, the attention span of the American is so short,” Chris Kennedy, CISO of security validation company AttackIQ, tells CSO. “It is now critical infrastructure in expressing information. It is the thing that informed Arab Spring and exposes national atrocities by government. It’s used by governments to influence politics around the world.” Whether Twitter bears closer government scrutiny is a more urgent question now because these most recent attacks represent a “major shift in the responsibility of what these platforms provide,” Kennedy says.
It’s still not known whether a nation-state actor was involved, although Kennedy, like many security experts, notes that “it sure is interesting timing with the election coming up.” However, because President Trump relies so heavily on Twitter to communicate his messages, Kennedy doesn’t believe that Russia would be the culprit this go-around. “If you think Trump and Russia are in cahoots, it would not be in the Russians’ best interest to make Twitter look like an untrusted source of information.”
The distinction between Twitter and other critical services is that Twitter doesn’t maintain a unique infrastructure for which the marketplace cannot quickly and easily provide a substitute. It is, in essence, just a form of speech, which is backed by sophisticated infrastructure, to be sure. It is fundamentally a communications platform protected by the First Amendment right to free speech, some experts say.
“Regardless of the ubiquity of platforms like Twitter, they are not ‘critical infrastructure’ like the telephone system or the electric grid that are necessary to the operation of vital functions,” Robert Corn-Revere, First Amendment law expert and partner at Davis, Wright, Tremaine LLP, tells CSO.
“It is not as if news or political dialog would stop if Twitter were disrupted,” he adds. “This is not to downplay the seriousness of an attack on such platforms, but it is not a matter of ‘critical infrastructure’ as that concept describes essential services that underpin society.”
Digital services vulnerable
Digital services such as Twitter are well-known to be hackable, giving them some leeway to experience these kinds of incidents without pressure for government involvement, Roger Grimes, data-driven defence evangelist at cybersecurity company KnowBe4, tells CSO. “I think [Twitter is] critical at all levels, but I think the big difference is that it’s like any online digital asset. It has a history of being hacked, and people know it can be hacked. I think a lot of the world has actually come to accept that we’re going to have these blips.”
IDG News Service