By Cathy He
The former head of security at Twitter was told earlier this year by the U.S. government that there was at least one agent of China’s top intelligence agency, the Ministry of State Security (MSS), working as an employee at the company.
This was one of the revelations made by Peiter “Mudge” Zatko, a whistleblower who served as Twitter’s head of security for about 14 months before being fired earlier this year, during testimony before a Senate Judiciary Committee hearing on Sept. 13.
Ranking Member Sen. Chuck Grassley (R-Iowa) asked Zatko: “In your disclosure, you mentioned that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that?”
Zatko replied that he was notified of this information about a week before he was dismissed.
“The corporate security physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China’s intelligence services, on the payroll inside Twitter,” he said.
Zatko’s testimony expanded upon a raft of allegations of widespread security failings that could harm users of the platform, shareholders, and U.S. national security set out in a complaint to federal regulators in July. Twitter has labeled Zatko’s claims as a “false narrative.”
The whistleblower testified that when he raised his concerns about foreign agents at Twitter to an executive, they were dismissed.
“When I said, ‘I am confident that we have a foreign agent,’ [the executive’s] response was, ‘Well since we already have one, what does it matter if we have more; let’s keep growing the office,’” he recalled during the hearing.
Zatko said that Twitter would be a “goldmine” for any foreign intelligence agency that was able to place an operative inside.
If you place somebody on Twitter … as we know has happened, it would be very difficult for Twitter to find them. They will probably be able to stay there for a long period of time, and gain significant information to provide back on either targeting people or on information as to Twitter’s decisions and discussions and … the direction of the company.”
Zatko is a respected former “white hat” hacker who’s previously worked for Google, payments firm Stripe, and the U.S. Department of Defense. He was hired in 2020 by then-Twitter CEO Jack Dorsey in the aftermath of a major hack that hijacked dozens of high-profile accounts to promote a bitcoin scam.
Zatko’s complaint also alleges that Twitter was becoming dependent on sales to Chinese entities, even though the platform is blocked in China, raising the risk that such entities could then access the data of Chinese users who had circumvented the communist regime’s censorship firewall.
“Twitter executives knew that accepting Chinese money risked endangering users in China,” the 84-page complaint said.
Over the years, the Chinese regime has arrested, harassed, and jailed citizens for circumventing its firewall to use and post messages on Twitter.
“They didn’t know what people they were putting at risk. Or what information they were even giving to the government, which made me concerned that they hadn’t thought through the problem in the first place—that they were putting their users at risk,” Zatko said at the hearing.
He summarized the executives’ response to his concerns as: “We’re already in bed. It would be problematic if we lost that revenue stream. So figure out a way to make people comfortable with it.”
Senior leadership’s dismissals of Zatko’s warnings and concerns became a common theme, according to the whistleblower.
Twitter’s leadership chose to ignore repeated warnings from Zatko of “fundamental” cybersecurity problems, and misled its board, shareholders, and the public about them because it was incentivized to “prioritize profits over security,” Zatko said.
“What I discovered when I joined Twitter [in November 2020] was that this enormously influential company was over a decade behind industry security standards.”
The data security problems at Twitter, according to Zatko, stem from two basic issues: “They don’t know what data they have, where it lives, or where it came from. And so unsurprisingly, they can’t protect it. And this leads to the second problem, which is the employees then have to have too much access to too much data and too many systems.”
To illustrate the second point, Zatko said that about half of Twitter employees have access to the Twitter account of Sen. Chuck Grassley (R-Iowa), the committee’s ranking member.
“The company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people,” Zatko said.
“When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us.”
Among his claims, Zatko said Twitter misled regulators about compliance with a 2011 Federal Trade Commission order over the improper handling of user data.
Since then, Twitter has made “little meaningful progress on basic security, integrity and privacy systems,” Zatko’s complaint said.
The testimony came as the San Francisco-based company is locked in a legal battle with tech billionaire Elon Musk after the Tesla CEO pulled out of a $44 billion deal to buy the social media platform over its lack of transparency regarding the number of bot and spam accounts on the platform.
Twitter sued Musk for terminating the deal, while Musk countersued, accusing Twitter of fraud. The trial is set for next month in a Delaware court.