A hack of Twitter last week shook the foundations of the internet, cybersecurity, and political worlds. A gang of young people purportedly obsessed with OGusers, early Twitter adopters with one or two characters in their handles, ostensibly targeted 130 high-profile accounts and reset passwords and sent messages from the accounts of 45 “celebrities.” The hacks appear financially motivated, with the attackers fleeing with $121,000 worth of bitcoin generated through the scam messages they sent from the accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk and other personages.
Coming as they did during a period of high paranoia just a few months from the 2020 presidential election, the hacks seem somehow intermixed with the ongoing fear of the kinds of nation-state digital attacks that took place during the 2016 elections. The take-over of what has become a vital political platform attracted the attention of lawmakers, including James Comer (R-KY), the ranking member of the House Committee on Oversight and Reform, who sent a letter to Twitter CEO Jack Dorsey demanding a briefing no later than July 24.
Comer’s letter followed by a day a similar message to Dorsey from US Senator Josh Hawley (R-MO). Hawley sent a letter amidst the chaos of the initial hacks asking the Twitter CEO to “reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands.” Hawley demanded that once Dorsey dealt with the immediate crisis, he should answer a series of questions, including how the hack occurred and whether it threatened the account security of the most high-profile of all Twitter users, Donald Trump.
A “class break” hack
Twitter issued a statement on Saturday saying it believed “certain employees” had been socially engineered by attackers who used those employees’ credentials to access Twitter’s internal systems, including systems affecting two-factor authentication. The attackers were then able to initiate a password reset, log into the accounts, and send Tweets that appeared to be from the hacked celebrities.
The hackers took the additional step of downloading unspecified personal data from eight of the accounts. Twitter has promised more details as its investigation continues. Still, the company remained mum on a startling New York Times report that provided rich details and timelines on the supposed group of people allegedly responsible for the hacks.
Given the concern over the unprecedented nature of the attack, and its timing so close to the election, many experts worry that the hacks were merely a trial run for widescale damaging disinformation campaigns or other digital malfeasance that could threaten America’s democracy. Some security experts even suggest that the vulnerability of such a critical platform could ultimately lead to nuclear war.
Cryptography and security expert Bruce Schneier characterized the hacks as a “class break” that disrupted an entire class of systems and wasn’t dependent on the level of Twitter users’ protection, such as two-factor authentication. Technology is not the problem, Schneier argues. The problem is economic and fixing the problem requires regulation and reducing Twitter’s monopoly power.
Twitter as critical infrastructure?
If that’s the case, then an argument could be made that Twitter is more akin to critical infrastructures, such as the power grid or transportation systems, which would warrant the regulation that Schneier mentions. The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Given the reactions that the Twitter hacks spawned in both the political and security worlds, that definition seems more apt than not.
“I think Twitter has emerged as the [political] platform of choice because, frankly, the attention span of the American is so short,” Chris Kennedy, CISO of security validation company AttackIQ tells CSO. “It is now critical infrastructure in expressing information. It is the thing that informed Arab Spring and exposes national atrocities by government. It’s used by governments to influence politics around the world.” Whether Twitter bears closer government scrutiny is a more urgent question now because these most recent attacks represent a “major shift in the responsibility of what these platforms provide,” Kennedy says.
It’s still not known whether a nation-state actor was involved, although Kennedy, like many security experts, notes that “it sure is interesting timing with the election coming up.” However, because President Trump relies so heavily on Twitter to communicate his messages, Kennedy doesn’t believe that Russia would be the culprit this go-around. “If you think Trump and Russia are in cahoots, it would not be in the Russians’ best interest to make Twitter look like an untrusted source of information.”
The distinction between Twitter and other critical services is that Twitter doesn’t maintain a unique infrastructure for which the marketplace cannot quickly and easily provide a substitute. It is, in essence, just a form of speech, which is backed by sophisticated infrastructure, to be sure. It is fundamentally a communications platform protected by the First Amendment right to free speech, some experts say.
“Regardless of the ubiquity of platforms like Twitter, they are not ‘critical infrastructure’ like the telephone system or the electric grid that are necessary to the operation of vital functions,” Robert Corn-Revere, First Amendment law expert and partner at Davis, Wright, Tremaine LLP tells CSO.
“It is not as if news or political dialog would stop if Twitter were disrupted,” he adds. “This is not to downplay the seriousness of an attack on such platforms, but it is not a matter of ‘critical infrastructure’ as that concept describes essential services that underpin society.”
Digital services vulnerable
Digital services such as Twitter are well-known to be hackable, giving them some leeway to experience these kinds of incidents without pressure for government involvement, Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, tells CSO. “I think [Twitter is] critical at all levels, but I think the big difference is that it’s like any online digital asset. It has a history of being hacked, and people know it can be hacked. I think a lot of the world has actually come to accept that we’re going to have these blips.”
Social media platforms’ power comes with responsibility
Another top security expert, Dave Kennedy, founder of security firm TrustedSec (no relation to Chris Kennedy), is opposed to government regulation of services such as Twitter but believes that it, along with Facebook and other online platforms, has amassed power that makes them increasingly responsible for society’s well-being. “You just have these conglomerate massive companies that have now become foundational for the safety and well-being of the United States and the world,” he tells CSO.
“There need to be more protections put into place for these organizations and companies like Twitter,” Dave Kennedy says. “It’s the president’s main communication method. It’s the communication method of other world leaders. You have the NSA on there. You have all these different groups that are communicating with the ability to potentially start World War Three or with the potential to cause substantial damage through these types of attacks. There definitely needs to be a discussion around how do we ensure that these systems maintain their integrity.”