Wednesday’s Twitter hack has exposed a gaping weakness for the U.S. and its most powerful leaders — their reliance on a private company to secure their communications with the public.
The attack showed that Twitter couldn’t even protect former President Barack Obama’s account from spreading a Bitcoin scam, while the company’s efforts to plug the breach silenced President Donald Trump’s tweets, stifled National Weather Service tornado alerts and left some lawmakers still locked out as of Thursday afternoon.
And it prompted lawmakers to raise an uncomfortable question: What’s to stop a more insidious group of hackers from using leaders’ trusted Twitter accounts to spread lies about national emergencies, wars or the November election?
“Let’s imagine that at 4 p.m. on Election Day, Barack Obama’s Twitter account sends revised polling locations to 20,000 Black voters in Florida,” senior House Intelligence Committee member Jim Himes (D-Conn.) said Thursday during a Third Way webinar on election interference.
Such an incident would prompt “litigation that would make Bush v. Gore … look like a walk in the park,” Himes said. “The degree of uncertainty is horrifying.”
The GOP-led Senate Intelligence Committee and other congressional panels asked Twitter on Thursday for briefings on the cyberattack. The FBI announced that it had opened a probe into the breach, whose perpetrators may have made off with as much as $118,000 from victims who sent Bitcoin to the hacked Twitter accounts.
Beyond the immediate search for the perpetrators, the episode highlighted the risks of outsourcing key government functions to social media platforms — a concern that Twitter inadvertently amplified when it froze verified accounts as part of its response Wednesday night. Senate Intelligence Vice Chairman Mark Warner (D-Va.) and Ohio Rep. Jim Jordan, the top Republican on the House Judiciary Committee, were among the lawmakers who said they were still unable to get back into their accounts Thursday.
The scope of the attack, and Twitter’s initial comments, suggested that the intruders had obtained the passwords of some of Twitter’s most trusted employees — enabling the kind of disinformation operation that has inspired years of anxious theorizing among security professionals. The breach also underscored that Twitter’s process of “verifying” accounts belonging to prominent people doesn’t come with any special protections — although Trump’s account reportedly has its own security measures.
Lawmakers taking stock of all those troubling facts warned about the havoc that a future Twitter hack could wreak.
Himes said he worried far more about an “irreversible, quick” attack, such as a burst of fake tweets on Election Day, than about the more widely discussed risk of hackers breaching a voter registration database and tampering with records.
Other lawmakers imagined equally grim scenarios. “Imagine a civil defense chief’s twitter account being hacked, or a Commanding General,” tweeted Sen. Brian Schatz (D-Hawaii).
Government agencies have their own sordid history of breaches, including the White House, the State Department and the federal personnel office that houses employees’ security clearance files, but lawmakers’ concerns about Twitter reflect a different trend: In recent years, governments have outsourced key tasks, from communications to data storage, to tech companies beyond their direct control.
The latest bipartisan uproar comes as intelligence officials warn that foreign government hackers and trolls are using social networks to stir up controversy and spread disinformation ahead of November’s elections. This misuse of Facebook, Twitter and other large platforms, which reached a zenith during the 2016 presidential campaign, has led to extensive congressional oversight. Wednesday’s mass hack seems likely to produce more scrutiny.
“The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief,” said Warner, the top Democrat on the Senate Intelligence Committee, which released a report last October on the Russian government’s 2016 disinformation operations.
So far, the 2020 election has not seen any public revelations of activity approaching the coordinated cyberattacks of 2016. But security experts warned that the latest evidence of weaknesses at Twitter would only compound the public’s fear and mistrust.
Lawmakers wasted no time requesting answers. Barely hours after hackers began seizing the accounts of prominent figures such as Obama, Bill Gates and rapper Kanye West to propagate a Bitcoin scam, Sen. Josh Hawley (R-Mo.) sent Twitter CEO Jack Dorsey a letter asking for details about the breach. On Thursday, Senate Commerce Chairman Roger Wicker (R-Miss.) and House Oversight Committee ranking member James Comer (R-Ky.) requested briefings from Twitter. So did Senate Intelligence, according to a person familiar with the matter who was not authorized to speak publicly.
“Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” wrote Hawley, a top critic of social media giants. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
“[I]t cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it,” Wicker wrote to Dorsey.
Similar statements of concern came from several House Democrats in the California delegation, including Mark Takano, John Garamendi and Harley Rouda, as well as Sen. Ed Markey (D-Mass.) and the House Oversight Committee.
So far, however, lawmakers have announced no new push for legislation to address incidents like the mass hacking, such as stringent cybersecurity requirements for social media employees.
The breach also raised the question of what else the hackers may have been able to do with the compromised accounts besides tweet from them. Sen. Ron Wyden (D-Ore.), an Intelligence Committee member and leading cybersecurity advocate, criticized Twitter for failing to encrypt users’ private direct messages despite a promise from Dorsey in September 2018.
“While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms,” Wyden said in a statement.
Twitter said late Wednesday that the hackers had mounted “