Peiter “Mudge” Zatko’s recent whistleblower complaint has drawn Americans’ attention to potential security concerns with Twitter. According to Zatko, the social media company has not complied with its Federal Trade Commission agreement to protect users’ privacy. Even after people cancel their accounts, for instance, it’s unclear if the company deletes their personal data. Perhaps the most explosive allegation is that covert foreign agents may have infiltrated the company’s personnel.
From my perspective as a cyber operations officer for the U.S. military, these issues are not surprising. Every organization faces security problems, including the U.S. Department of Defense. In my experience, if there are people involved, problems will be unavoidable to some extent. The issue is how to mitigate the risks.
The problem of Americans’ vulnerability online is much larger than a single platform. Ameliorating these weaknesses will require innovative solutions that comprehend the full scope of the issue.
Americans’ Vulnerabilities Online
Today’s Internet is a playground for hackers. Twitter—and websites in general—may collect individuals’ Internet Protocol (IP) information, various operating system parameters, and cookies from other sites. Users’ private profile information and direct messages with others may then be stolen, leading to identity theft or extortion.
In addition, Twitter relies on user-generated content. Intelligence agencies around the world routinely monitor open-source platforms like these to make sense of American social trends and report to their own foreign authorities.
Covert agents also pose as Americans and engage American users for the purpose of heightening U.S. domestic tensions and spreading misinformation. When a user signs up for a Twitter account, it’s difficult for the company’s security team to establish the user’s true identity. The user could be a harmless John Smith from Peoria or covert agent Ivan Kuznetsov from the Russian Federation’s military intelligence using the latest tradecraft.
Poor cyber protection of Twitter’s internal networks, as Zatko alleges, could compromise the entire operation. This can have negative consequences not just for individuals, but also for other organizations and the entire country.
The Tradeoffs of Accessibility
Security professionals must always strive to achieve the right balance among three central principles. These make up the “CIA triad”: confidentiality (assuring that only authorized individuals have access); integrity (assuring that information doesn’t change over time); and availability (assuring that authorized users can access the information when necessary). Prioritizing one over the others involves tradeoffs.
If Zatko’s allegations are correct, then Twitter currently appears to privilege availability over confidentiality and integrity. The platform gives average people the ability to express themselves to others with ease. As a proponent of free speech, I applaud the platform’s openness. But by granting widespread access, the company does indeed face challenges related to integrity and confidentiality.
As a private company, Twitter can decide how much security is appropriate and how to regulate speech on the platform. To tighten up its protocols, the platform could go through the huge hassle and expense of trying to verify users by having them scan state-issued IDs and matching up the images to other known databases, although this would create a big privacy problem. Alternatively, Twitter could use AI to try to weed out fake accounts, which would likely be a flawed process as well.
Even if the company were to address these problems effectively, however, deeper issues would continue to make Americans vulnerable online.
The international community currently does not possess the legal or logistical infrastructure to operate worldwide networks securely. To develop these, consensus among nations would be required. Since freedom of speech is a theoretical concept at best in places like China and Russia, this possibility strains credulity.
Under these circumstances, the best way to protect Americans would be to create a Federal Cyber Security Agency. Such a government body would protect Americans from cyberattacks. Its network would be air gapped from the Internet and only operated on U.S. territory to ensure security. This would provide Americans with an appropriate location to store their sensitive information, minimizing content that could be compromised if stored on an Internet-connected device. The agency could also issue official digital IDs, which would make digital signatures feasible.
Privacy would be ensured by a legal framework, appropriate training, and consequences for users who violate rules. The agency would not be run by any law enforcement or military organization.
Estonia provides an example of how these policies could be put into practice. This small Northern European nation is considered the first country to have been targeted for a nation-on-nation cyberattack. In 2007, hackers with suspected Kremlin connections froze a major bank’s online services and email servers. This attack provoked Estonia to prioritize security.
The Estonian government has been issuing digital IDs to its citizens for more than 10 years. Citizens use them to conduct sensitive business, including voting, signing contracts, completing taxes, accessing medical records, and paying bills.
These transactions are both secure and convenient, and they run over decentralized networks that thwart hackers. Estonia’s cybersecurity measures successfully repelled another massive cyberattack on Aug. 17, 2022.
Digital IDs may also confer an economic benefit. According to a McKinsey report, “extending full digital ID coverage could unlock economic value equivalent to 3 to 13 percent of GDP in 2030, with just over half of the potential economic value potentially accruing to individuals.”
While the U.S. is different from Estonia, nothing prevents us from instituting similar policies and reaping the benefits.
A Federal Cyber Security Agency could educate Americans about cybersecurity, giving citizens the tools they need to make the best choices for themselves online. At the end of the day, Americans must decide whether to engage with unsecure platforms like Twitter and accept the risks associated with doing so, or stop using this technology altogether.
Mike Itkis is a Major in the U.S. Army Reserve, a cybersecurity expert, and an Independent candidate for the U.S. House of Representatives in New York’s 12th District. In 2009, he joined the Army as a Civil Affairs Specialist. He was commissioned as a 2nd Lieutenant in the Signal Corps in 2010 and currently serves as a Cyber Operations Officer.
Disclaimer: The author wishes to note the views in this article are his own and not those of the U.S. Army.