Welcome to The Cybersecurity 202! After the tragic theft of a shipped pillow outside my place, a reimbursement place to rest my head has arrived. So far, so good. Might need to put some more foam stuffing in it, though; if anything, it errs a bit too much on the side of too soft.
Below: Researchers discover a Russian influence operation ahead of the midterms, and the SEC wants to take enforcement action against SolarWinds. First:
Musk has inherited a host of cyber challenges
Elon Musk purchased a version of Twitter with plenty of built-in cybersecurity woes. Some cyber experts are worried the world’s richest man might only make matters worse.
Certain Musk plans that could affect security at Twitter, such as workforce cuts that could reduce the company’s cybersecurity staff, pose a more immediate risk. Other changes could improve security on the social media platform. Some of this depends on whether the mercurial Musk follows through on his publicly stated plans for the platform.
“For cybersecurity, for me, I think it’s a quite reasonable prediction that it will be a net negative,” Peter Singer, a strategist at the New America think tank who wrote about the cyber risks of Musk’s purchase, told me.
It’s important to remember that Musk inherits a host of security problems at the social media giant, including a history of hacks and allegations from whistleblower Peiter “Mudge” Zatko, a major figure in cybersecurity who filed a complaint and testified before Congress.
- Zatko said Twitter didn’t protect user data, undercounted spam bots, employed foreign agents and misled the Federal Trade Commission.
- Twitter has denied the allegations and criticized Zatko’s performance at the company.
Here are things cyber experts are watching as Musk takes the reins:
Even before Musk threatened to cut the company’s personnel, Twitter was already headed toward big personnel reductions. That’s “a change likely to have major impact on its ability to control harmful content and prevent data security crises,” my colleagues Elizabeth Dwoskin, Faiz Siddiqui, Gerrit De Vynck and Jeremy B. Merrill reported last month.
Musk’s planned cuts, though, are expected to be larger in scope than those the company was facing. Those layoffs, which Faiz reported began Thursday night and were set to take further shape today, could lead to users being exposed to hacks and offensive materials, said Edwin Chen, a data scientist formerly in charge of Twitter’s spam and health metrics and now CEO of the content-moderation start-up Surge AI.
- Broader questions of content moderation have been amply covered elsewhere, and are in an evolving state anyway. Suffice to say, they have big ramifications for disinformation, foreign influence campaigns, limits on online speech and more.
Musk says he wants to charge people a monthly fee for blue check marks that verify their identities. He has pledged to make the company profitable, after years in the red.
That opens up a number of potential security vulnerabilities, experts say.
If prominent Twitter users abandon the platform over the charges, that could allow criminals to pretend to be them or even take over their handles and use them for funny business, Singer wrote. It also could allow bad people to pay for verification and use handles for hoaxes and scams.
“You don’t want a situation where Twitter becomes a place where it is easy to impersonate public officials” because people won’t know when there are “genuine security warnings or misleading information,” Center for Democracy and Technology Policy Director Samir Jain told Inside Cybersecurity’s Sara Friedman.
- There are already signs hackers are seeking to exploit the publicity about verification changes at Twitter, Zack Whittaker reported at TechCrunch.
On the other hand, Musk bills the verification changes as a way to combat bots and spam on Twitter.
Yes, this will destroy the bots. If a paid Blue account engages in spam/scam, that account will be suspended. — Elon Musk (@elonmusk) November 1, 2022
Essentially, this raises the cost of crime on Twitter by several orders of magnitude.
Johns Hopkins’ Thomas Rid:
Musk & team are right: the current verification system is badly broken. If they turn the checkmark into a proper name/ID verification system *open for everyone,* plus the premium feature of muting non-verified (trolly, likely more hateful) anon accounts—I’d be delighted to pay. — Thomas Rid (@RidT) November 3, 2022
One area where cybersecurity wonks have good things to say about Musk is about his stated belief that Twitter should encrypt direct messages. They’ve been calling for such a change for a long time.
If the U.S. had a privacy law with teeth, or if Twitter encrypted DMs like I urged years ago, Americans wouldn’t be left wondering what today’s sale means for their private information. The protection of Americans’ privacy must be a condition of any sale. — Ron Wyden (@RonWyden) April 25, 2022
Whether Musk’s plan to cut personnel could lead to a short-term increased risk of insider threats — because those exiting employees, knowing they’re on their way out, might use their access to unencrypted DMs — is a separate issue.
Track record at other companies
Hacking Tesla vehicles has been a staple of security conferences for years, as Singer pointed out. Everyone gets hacked, but what’s concerning is that Tesla “still hasn’t moved into a more proactive stance,” Singer said. Musk did put some emphasis on cybersecurity at Tesla, though, dating back years, and one prominent attempt to maliciously hack the company in real life fell short.
His other major company, SpaceX, has no doubt exposed Musk to more advanced cybersecurity requirements due to its work with the government, and it’s another area where Musk has been outspoken about countering cyberthreats.
Musk is dependent on one of the top U.S. cyber adversaries, China, for both sales and production, Singer notes. And Musk has faced accusations of carrying messages for Russia, another top U.S. cyber adversary, even as he has lent use of his Starlink satellite constellation to Ukraine (with some reimbursement).
- That’s not all: U.S. officials are considering opening an investigation into Musk’s purchase of Twitter and whether foreign investors would have access to user data, according to a story from Faiz, Jeff Stein and Joseph Menn. The FBI also examined possible counterintelligence risks the deal posed, they reported.
Musk’s vow to open up Twitter’s algorithm to public scrutiny earned some praise for its transparency, but “exposing code to the world also exposes potential vulnerabilities that criminals and disinformation operators can use to sow havoc,” wrote CyberScoop’s Tonya Riley earlier this year.
Researchers discover apparent Russian operation spreading cartoons to undermine Democrats
The campaign pushed racist talking points about several Democratic candidates in the midterm elections but didn’t get much traction on the right-wing sites they were posted on, Gab and the patriots.win forum, Bloomberg News’s Jeff Stone reports. The campaign was associated with a group that had been previously linked to the Internet Research Agency, a Russian troll farm that the U.S. government says tried to interfere in the 2016 election.
“A lot of these narratives emanate from alternative platforms that are already popular with fringe groups,” Graphika vice president of intelligence Jack Stubbs told Bloomberg News. “We know the same Russian group active in elections in 2016, 2018 and 2020 are on the same platforms pushing inflammatory narratives and now directly targeting Democratic candidates in these midterm races.”
The Russian Embassy in Washington didn’t respond to the outlet’s request for comment. Russia has denied being involved in cyberattacks and influence operations.
Disruption of Danish train network was caused by a cyberattack
Train operator DSB’s security chief, Carsten Dam Sonderbo-Jacobsen, said the cyberattack hit an IT subcontractor’s software testing network, Reuters’s Nikolaj Skydsgaard reports. Subcontractor Supeo turned off its servers, which impacted locomotive drivers’ ability to use trains on Saturday, DR reported.
“It hasn't targeted infrastructure or DSB, it was economic crime,” Sonderbo-Jacobsen told Reuters. The identity of the hackers isn’t clear and investigations are ongoing, he said.
Hackers have taken aim at rail industries outside of Denmark. In Belarus, saboteurs this year disabled or disrupted critical rail links connecting Russia and Ukraine, my colleagues reported. Suspected Chinese hackers hit New York’s networks last year, the New York Times reported. U.S. regulators have issued rail cybersecurity rules in an attempt to boost rail systems’ defenses and quickly detect hacks.
SEC recommends enforcement actions over SolarWinds’s cybersecurity statements and procedures
SolarWinds says the Securities and Exchange Commission sent it a Wells notice alleging that the firm broke the law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” Reuters’s Jody Godoy reports. It came as SolarWinds said it had tentatively agreed to settle a shareholder lawsuit over its cybersecurity disclosures for $26 million while not admitting wrongdoing. A judge still has to approve the settlement.
“The company was at the center of a cybersecurity crisis in December 2020, after hackers compromised SolarWinds software updates and used them to access the data of thousands of companies and government offices that used its products,” Godoy writes. “The U.S. government has attributed the hack to Russia.”
SolarWinds said it “maintains that its disclosures, public statements, controls and procedures were appropriate.” It plans to respond to the SEC’s notice, Godoy reports.
- Cybersecurity leaders from the government and private sector speak at Cyversity’s annual conference in Orlando on Monday and Tuesday.
- Former CISA Director Chris Krebs speaks at a Washington Post Live event on Monday at 1 p.m.
- The Center for Strategic and International Studies hosts an event on government access to data through data brokers on Monday at 3 p.m.
- The American Enterprise Institute hosts an event on security standards for connected devices on Tuesday at 2 p.m.
Secure log off
Thanks for reading. See you next week.