Twitter lessons: Relook security strategy, rules on social media
In the polarised political climate that engulfs India, such a creative use of a Twitter hack is very much within the realm of possibility
A future world war might as well be started with a seed capital of $100,000 or less. That is the sobering reality of the Twitter security breach incident compromising a swathe of prominent people, from former US President Barack Obama to Elon Musk.
In a matter of hours, Twitter had shut down most of its verified Twitter handles and launched an active investigation into the breach.
A seed capital of $100,000 or less can be used to do widespread harm by hacking into social media sites that seem innocuous but are now vehicles of a new kind of warfare.
On April 23, 2013, the world saw what a Twitter hacking can do. The official Twitter handle of Associated Press tweeted a breaking story -- “Two explosions in the White House and Barack Obama is injured”. The tweet came at 1.07 pm and AP’s two million followers on Twitter started retweeting the issue in a matter of seconds.
In his book Future Crimes, author and former policeman Marc Goodman estimated that in just three minutes, that tweet had wiped out $136 billion from the stock markets.
A little-known hacking group, Syrian Electronic Army (SEA), admitted it had hacked into AP’s official Twitter handle. The SEA caused massive economic damage without even spending any major resources, and it did not even target a US official website or system.
Just the hack into the Twitter handle of a major private news organisation was enough to cause significant damage.
This is how social media has emerged as a tool of modern warfare, It is free to access, has vast reach, consumes very little resources, and makes the world a target. The current Twitter hacking raises two major obvious issues.
One, the social media has to be seen from the lens of national security and the threats they pose. Second, India needs to revisit some of its regulations around the social media and bring them up to date with current realities.
While it is not clear whether the current hack into Twitter was done through social engineering or by paying off Twitter employees, it brings forth another question: how did the hackers know who in the social media corporation had access to these internal tools?
It even managed to reset emails as well as bypass two-factor authentication, even for high-profile accounts including a US presidential candidate and targeted them precisely to achieve their goals.
The compromised insider is not a first for the social media. In 2017 a Twitter employee temporarily deactivated the US President’s Twitter account and two Twitter employees spied on activists for the Saudi government.
Both these incidents show the power that site reliability engineers (SREs) hold inside the tech company, and how they can be targeted by simply looking at SRE Meetups held in Meetup.com, an online service that hosts regular meetups.
It is then a matter of time to recruit one of them to spy on a critic that a nation state dislikes, or to convince them to give access to internal tools to post a message declaring war on another state, using the head of state’s Twitter account.
As the US Navy Chief of Naval Operations put it so eloquently, “social media literacy is national security too”. It is possible that after this incident, this statement has to be retold as “social media SRE is national security too”.
Closer home, in December 2016 Congress leader Rahul Gandhi and many colleagues found their Twitter handles compromised.
According to Indian government sources, this was done by hackers who managed to get domain-level access to the Indian National Congress’ emails, leading to a cascade of hacks including their Twitter handles.
No FIRs were filed, and few paid attention to the national security threat such a hack poses.
What if the hack was done by an inimical power to create political chaos in India?
In the polarised political climate that engulfs India, such a creative use of a Twitter hack is very much within the realm of possibility.
Indians still don’t know what happened to Facebook when their data was found to be compromised by Cambridge Analytica.
And the US intelligence community is convinced the Russians successfully used Facebook to influence the 2016 US elections, propelling Donald Trump to an unexpected victory.
An unforeseen side effect of this incident would also be a relook on the safe harbour protections that social media companies enjoy. In India the Supreme Court’s Shreya Singhal ruling allows social media companies to indemnify themselves against any risk posed by content posted by one of their users.
The latest Twitter hack raises difficult questions for India and its safe harbour protections for social media companies.
If a single compromised employee can hijack a former US President or a presidential candidate’s account and post messages on bitcoins, does it not imply that the social media platform is no longer an intermediary and now has the power to create content?
Accepting that will be a paradigm shift for India’s regulatory landscape for big tech and especially social media companies.
Would we also eventually end up in a situation where SREs with access to sensitive accounts will need a security clearance from the intelligence arm of nation states to avoid an enemy state hijacking the head of state’s account?
It is quite possible it might, and therein lies the significance of this incident. Social media platforms’ internal processes, systems and their engineers might be subjected to public scrutiny in the same way as that of critical infrastructure systems like nuclear plants, power grids and major transport systems.