One of the last big decisions Jack Dorsey made before handing over Twitter’s CEO responsibilities to Parag Agrawal was to hire a cybersecurity expert to fix the numerous security problems the company has. Peiter “Mudge” Zatko accepted Dorsey’s offer, and took the job. After getting to know Twitter’s IT operations, he realized he had discovered a house of horrors (from the cybersecurity perspective). In August 2022, Mr Zatko published a 200 page report where he bluntly outlined what was wrong at Twitter. Multiple U.S. authorities are also studying the report, and deeper investigations are expected. We studied the uncovered information to learn how small businesses and home computer users can avoid the mistakes Twitter has made.
The key security points that small businesses and home computer users should take away from the Twitter whistleblower report are responsibility, planning, licensing, and action.
Take true, honest responsibility of all the computers, connected devices and networks you have. When (not if, but when) something goes wrong, such as a ransomware attack locks all data in servers, or someone walks out with the hard disk that contains all the sensitive data, you are responsible for the recovery.
It looks like people in Twitter organization knew about the security problems but carried on, avoiding responsibility and avoiding taking action. In cybersecurity, the key factor is that each and every person behaves responsibly when he or she encounters a phishing attempt, click-this-link request, or is thinking to skip a security update.
Twitter is a large organization with about 8000 staff that should have a concise a plan how to prevent cyber attacks. Since we know that no one can prevent all attacks, it is also important to have a plan how to recover from security breaches. The faster you recover from a disaster, the faster life returns to normal. Don’t be like Twitter, but create your plan by starting from the assumption that you have been hacked. It is an eye-opening exercise.
Practically all large organizations are already applying artificial intelligence (AI) and machine learning (ML) into their business processes, Twitter among them. For instance my Twitter account has been locked a few times by a stubborn AI algorithm that believes I have broken the service’s Terms of Service. An email message to the support asking them to unlock the account works instantly – no questions asked. I think the only objective for locking the account is to probe if I am a bot.
Anyhow, the whistleblower report claims that Twitter is using machine learning data models and data sets that the company hasn’t licensed for their applications. This is a huge risk to take for a business. Ensure all software running in production use has been licensed. Even open source software packages should be checked.
It is a miracle how Twitter has managed to keep on operating without more major security incidents than the ones reported earlier. The whistleblower report describes how half of the company’s servers are running on outdated software without any active update processes enabled. The same applies to employee laptops. The company has no redundancy plans to continue operations if, for instance, an entire data center fails. Half of engineers have access to the production system and its data, and there is no way to track if someone does something he shouldn’t. Twitter’s security and privacy problems discovered in 2011, and sanctioned by authorities, haven’t been fixed by 2022.
Small businesses and home computer users can easily do better than Twitter. Simply take action and ensure the vital first steps in every cybersecurity plan have been completed: automatic updates are working, automatic backups are taken, attack prevention is running, recovery processes have been tested, and a redundancy plan reminds how to continue emailing after production accounts have been locked (among other things).
Mr Zatko published his Twitter whistleblower report in August 2022. Its key points has been introduced in many publications, which is why we haven’t dived into details of the paper. Read, for instance, Slate or CNN article that both explain the essence of the report.