New York’s Department of Financial Services called for greater cybersecurity oversight for major technology platforms, especially social media companies.
As one of the regulators for virtual currency, New York's Department of Financial Services launched an investigation into the July attack, where a number of high-profile Twitter accounts were compromised to spread a cryptocurrency scam. Compromised accounts included those belonging to individuals such as former president Barack Obama, Microsoft founder Bill Gates, Tesla CEO Elon Musk, and former vice-president and presidential candidate Joe Biden, as well as companies such as Uber and Apple. About 360 people were scammed out of about $120,000 during the course of the attack. Three people have been arrested in connection with the attack.
The resulting 37-page report from the Department of Financial Services, based on subpoenas, witness interviews, and documentary records, said the attackers were able to use "basic techniques" to penetrate the company's network and access internal systems, which "underscores Twitter's cybersecurity vulnerability and potential for devastating consequences." Social media platforms are critical sources of news and information, and there are examples of how manipulating them could move markets and influence elections. While this attack was focused on cryptocurrency and "garden-variety fraud," a "dangerous adversary" could have caused far greater harm. Yet even though cybersecurity weaknesses at a large social media company can have widespread consequences, there is currently no regulatory oversight of social media platforms comparable to what exists for companies providing critical services in other industries.
"In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected," the DFS said in the report. "We need a comprehensive cybersecurity regulation and an appropriate regulator for large social media companies. The stakes are too high to leave to the private sector alone."
Twitter's Security Missteps
DFS was scathing in its assessment of the attack, noting that a "group of unsophisticated cyber crooks" used the techniques of a "traditional scam artist" to gain "extraordinary access" to internal tools that allowed them to take over any user account. No malware, exploits, or backdoors were involved. The attackers simply posed as the company's IT staff and called employees over the phone, offering help with VPN problems. The ruse worked because "VPN problems were common at Twitter" after the switch to remote work, the report said. Employees were directed to a phishing site that looked identical to Twitter's legitimate VPN site and was hosted on a similarly-named domain. Credentials stolen from four employees through the fake VPN site were then used to access Twitter's administrative systems.
Investigators said Twitter did not have a CISO at the time of the attack, and that the attackers' success was "due in large part to weaknesses in Twitter's internal cybersecurity protocols." Under New York's financial services cybersecurity regulation, covered companies are required to have a CISO or an equivalent executive-level leader responsible for security. Twitter hired Rinki Sethi, the former CISO of cloud data management company Rubrik, just a few weeks ago.
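The phishing portal described above lived on a domain resembling the real VPN hostname. The following is an added example, not code from the DFS report or from Twitter, of the kind of check a security operations team can run over outbound web-proxy logs to catch such lookalikes before stolen credentials are used: it collapses common look-alike character swaps, then flags any hostname whose registrable domain is within a small edit distance of the protected portal's domain, or that embeds the brand name under a foreign domain. The portal name vpn.example-corp.com, the proxy log format and every log line are constructed for the example.

```python
"""Flag hostnames in web-proxy logs that imitate a protected corporate portal.

Added example for illustration; not code from the DFS report or Twitter.
PROTECTED_HOST, the log format and SAMPLE_LOG are all constructed.
"""
import re
from urllib.parse import urlsplit

# Hypothetical corporate VPN portal an attacker would clone.
PROTECTED_HOST = "vpn.example-corp.com"
PROTECTED_DOMAIN = "example-corp.com"
BRAND = PROTECTED_DOMAIN.split(".")[0]          # "example-corp"
MAX_EDIT_DISTANCE = 2

# Character substitutions that look alike in an address bar (illustrative subset).
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))

# Constructed proxy lines: <epoch> <client> <method> <url> <status>
SAMPLE_LOG = """\
1594999000.101 192.0.2.10 GET https://vpn.example-corp.com/login 200
1594999001.215 192.0.2.10 GET https://vpn.examp1e-corp.com/login 200
1594999002.330 192.0.2.11 POST https://vpn.example-corp-sso.net/auth 302
1594999003.402 192.0.2.12 GET https://www.example.com/ 200
1594999004.518 192.0.2.13 GET https://exarnple-corp.com/vpn 200
1594999005.600 192.0.2.14 GET https://mail.examplecorp.com/ 200
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(s: str) -> str:
    """Collapse look-alike characters so 'examp1e' and 'exarnple' compare equal to 'example'."""
    s = s.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Naive: production code should use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(host: str):
    """Return a reason string if host is a lookalike of the protected portal, else None."""
    domain = registrable_domain(host)
    if domain == PROTECTED_DOMAIN:
        return None                                   # the genuine portal's domain
    distance = levenshtein(normalize(domain), normalize(PROTECTED_DOMAIN))
    if distance <= MAX_EDIT_DISTANCE:
        return f"edit-distance={distance}"
    if BRAND in normalize(host):
        return "brand-in-host"                        # brand name under a foreign domain
    return None


def find_lookalikes(lines):
    """Return (client, host, reason) for every proxy line whose host is a lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue
        reason = classify(host)
        if reason:
            hits.append((m.group("src"), host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in find_lookalikes(SAMPLE_LOG):
        print(f"{client} -> {host} ({reason})")
```

An edit-distance threshold of 2 is reasonable for a brand of this length but will over-match short domains; tune it per protected name, and feed hits into whatever ticketing or blocking workflow the team already uses rather than acting on them automatically.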
"The Department’s cybersecurity regulation requires companies to have a CISO, and for good reason," the report said.
The rapid shift to remote work due to the pandemic also stressed the company's technology infrastructure and its internal controls for access management and user authentication. Users should have access to systems and applications only to the extent necessary for their job, yet over 1,000 Twitter employees had access to the internal tools that were abused during the attack, even though their job functions were limited to user account maintenance, content review, and responding to reports of users violating site rules. While Twitter had multi-factor authentication in place, the report found that high-risk tools warranted additional authentication layers, such as requiring approval by a second employee.
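The two controls the report asks for, scoping tool access to job function and requiring a second employee to sign off on actions that can hand an account to an outsider, can be expressed as a small authorization gate. The block below is an added example, not Twitter's internal tooling; the roles, action names, user names and the per-session "MFA step-up completed" flag are all assumptions. Each role is granted only the actions its job needs, high-risk actions additionally require a fresh MFA step-up, and they are held pending until a different employee who independently holds the same permission approves them. Every decision is written to an audit trail.

```python
"""Least-privilege admin tool with two-person approval for high-risk account actions.

Added example for illustration; not Twitter's internal tooling. Roles, actions,
user names and the per-session MFA step-up flag are assumptions.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Each role gets only the actions its job function needs.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "support":       {"view_account", "send_password_reset"},
    "trust_safety":  {"view_account", "suspend_account"},
    "account_admin": {"view_account", "change_email", "disable_mfa"},
}

# Actions that can hand control of an account to an outsider.
HIGH_RISK: Set[str] = {"change_email", "disable_mfa"}


class AuthzError(Exception):
    """Raised when the gate refuses an action."""


@dataclass
class Request:
    id: int
    requester: str
    action: str
    target: str
    approver: Optional[str] = None


class AdminTool:
    def __init__(self, users: Dict[str, Tuple[str, bool]]):
        # users: name -> (role, completed a fresh MFA step-up in this session)
        self.users = users
        self.pending: Dict[int, Request] = {}
        self.audit: List[tuple] = []
        self._ids = itertools.count(1)

    def _authorize(self, user: str, action: str) -> None:
        role, stepped_up = self.users[user]
        if action not in ROLE_ACTIONS[role]:
            raise AuthzError(f"{user} ({role}) is not permitted to {action}")
        if action in HIGH_RISK and not stepped_up:
            raise AuthzError(f"{action} requires a fresh MFA step-up")

    def request(self, user: str, action: str, target: str) -> str:
        """Low-risk actions run immediately; high-risk ones wait for a second employee."""
        self._authorize(user, action)
        req = Request(next(self._ids), user, action, target)
        if action not in HIGH_RISK:
            return self._execute(req)
        self.pending[req.id] = req
        self.audit.append(("pending", req.id, user, action, target, None))
        return f"pending:{req.id}"

    def approve(self, approver: str, req_id: int) -> str:
        """Release a pending high-risk action. The approver must be a different person
        who independently holds the same permission and has stepped up."""
        req = self.pending.get(req_id)
        if req is None:
            raise AuthzError(f"no pending request {req_id}")
        if approver == req.requester:
            raise AuthzError("a requester cannot approve their own high-risk action")
        self._authorize(approver, req.action)
        req.approver = approver
        del self.pending[req_id]
        return self._execute(req)

    def _execute(self, req: Request) -> str:
        self.audit.append(("executed", req.id, req.requester, req.action,
                           req.target, req.approver))
        return f"done:{req.action}:{req.target}"


if __name__ == "__main__":
    tool = AdminTool({"alice": ("support", True), "bob": ("account_admin", True),
                      "carol": ("account_admin", True)})
    print(tool.request("alice", "view_account", "@example"))     # runs at once
    ticket = tool.request("bob", "change_email", "@example")       # held for approval
    print(ticket)
    print(tool.approve("carol", int(ticket.split(":")[1])))        # second employee releases it
```

The separation matters for exactly the attack the report describes: one phished employee session cannot change an account's email or disable its MFA on its own, because a second, independently authenticated employee has to agree, and the attacker would need to compromise both.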
Case for Regulation
New York's cybersecurity regulation for the financial services industry requires covered companies to assess their security risks and, as part of a comprehensive, risk-based cybersecurity program, develop policies for data governance, access controls, system monitoring, third-party security, and incident response and recovery. Social media companies face no comparable cybersecurity-specific requirements; they are subject only to the rules that apply to companies generally, such as the Securities and Exchange Commission's regulations for public companies, the Department of Justice's and Federal Trade Commission's antitrust and competition rules, and data protection laws such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act. While New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act mandates "reasonable" cybersecurity safeguards, it is not comprehensive enough to address the risks specific to social media platforms.
"A cybersecurity regulation for large social media companies should be both more detailed and require more security in high-risk areas," the report said. "Regulatory guidance is necessary to ensure large social media companies have proper controls in place to appropriately mitigate ever-evolving risks."
The absence of any regulator with authority over social media platforms and their cybersecurity practices amounts to a "regulatory vacuum," the report said. DFS suggested creating a federal regulatory body dedicated to monitoring and supervising the security practices of social media platforms. This expert agency, which could be a new agency or an existing regulatory body, would oversee the companies in areas such as technology, cybersecurity, and disinformation. The enhanced regulation would include "stress tests" to evaluate the companies' susceptibility to key threats.
"The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions. The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach," the report said.
Impact on Cryptocurrency
While DFS had a lot to criticize about Twitter's security practices, the department praised the cryptocurrency companies that were affected. Four of those companies had their own Twitter accounts compromised, and several other cryptocurrency companies were caught up in the attack because customers used their platforms to transfer virtual currency to attacker wallets. Fifteen companies responded quickly to block the attacker addresses so that no money could be sent to them, "demonstrating the maturity of New York's cryptocurrency marketplace and those authorized to engage within it," DFS said.
Coinbase, Gemini, and Square blocked the attacker addresses within 40 minutes of their Twitter accounts being compromised, the department found. Coinbase blocked approximately 5,670 transfers, valued at approximately $1.3 million. Square blocked 358 transfers, valued at approximately $51,000. Gemini blocked two transfers, valued at approximately $1,800. Before the addresses were blocked, about $22,000 was successfully sent through Gemini, Square, and Coinbase combined.
The cryptocurrency companies' swift response illustrated that "effective regulation can foster innovation and growth, while also protecting consumers," the report said. DFS regulations required those companies to maintain robust cybersecurity, fraud-prevention, and anti-money-laundering programs. Social media companies, in contrast, are self-regulating: there are no dedicated state or federal regulators ensuring adequate cybersecurity practices to prevent fraud, disinformation, and other threats.
"The Twitter Hack demonstrates, more than anything, the risk to society when systemically important institutions are left to regulate themselves," the report concluded. "Protecting systemically important social media against misuse is crucial for all of us: consumers, voters, government, and industry."