The New York State Department of Financial Services said platforms like Twitter and Facebook are now “systemically important” and need cybersecurity oversight.
The world’s biggest social media companies may have to put more of a priority on security now that a New York state financial watchdog is calling for the creation of a designated regulator tasked with monitoring their cyber defense.
The New York State Department of Financial Services made the determination in a lengthy report on the Twitter hack in July after the Justice Department said two teenagers and a 22-year-old took over more than 100 prominent Twitter accounts, including the accounts of former President Barack Obama and former Vice President Joe Biden.
“The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” said Superintendent of Financial Services Linda Lacewell in a statement. “As we approach an election in fewer than 30 days, we must commit to greater regulatory oversight of large social media companies. The integrity of our elections and markets depends on it.”
While the teens used the account takeovers to push bitcoin-related scams, the ease with which they were able to infiltrate Twitter’s system using employees’ telework-related VPN problems alarmed New York financial investigators. The report notes that a number of world leaders, most notably US President Donald Trump, now use social media sites like Twitter as official communication, meaning any account takeover could have drastic implications on national security and international markets.
Despite its importance and daily usage by the president, the report notes that Twitter did not have a CISO at the time of the attack and had not had one since December 2019, a more than seven-month span.
“The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions. The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach,” the report said.
“Akin to other critical industries, public oversight of social media is needed. While there are various proposals to improve public oversight of large social media companies or technology companies more broadly, they primarily focus on the issues of antitrust/competition or content moderation. We need a comprehensive cybersecurity regulation and an appropriate regulator for large social media companies. The stakes are too high to leave to the private sector alone.”
The report goes through the specifics of the attack, noting the important role the coronavirus pandemic played in the cyberattackers’ plans. Investigators noted that the attack did not involve any sophisticated techniques typically seen in attacks of this size. It was a simple phishing attack that used a spoofed site to steal an employee’s credentials.
According to authorities, the alleged hackers, 17-year-old Graham Ivan Clark, 19-year-old Mason Sheppard and 22-year-old Nima Fazeli, did not use traditional attack tools like malware, exploits and backdoors; they simply pretended to work for Twitter’s Information Technology department.
Since beginning to work remotely in March, Twitter employees had been having issues with their VPN connections to the network, according to the report. Clark, Sheppard, and Fazeli called employees purporting to be part of the IT team addressing VPN issues “and then persuaded employees to enter their credentials into a website designed to look identical to the real VPN login website.”
“The Hackers’ claims were far more credible – and ultimately successful – because Twitter’s employees were all using VPN connections to work and routinely experiencing VPN problems that required IT’s assistance,” the report said, adding that Twitter did not implement any controls to deal with the increased risk its remote workers faced.
“The Twitter Hack happened in three phases: Social engineering attacks to gain access to Twitter’s network; taking over accounts with desirable usernames and selling access to them; and taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”
Twitter has since hired a CISO, provided additional cybersecurity training to employees, and implemented improved multifactor authentication. The hackers only ended up stealing about $118,000 worth of bitcoin and were only able to access the direct messages of about 30 of the accounts they stole.
But the report questions what social media sites like Twitter would have done in the face of sophisticated, sustained attacks by adversaries with more resources and manpower. Twitter has 330 million total monthly active users and over 186 million daily active users, including over 36 million in the United States, according to the report.
Authorities said the attackers were also able to take over the high-profile accounts of Elon Musk, Bill Gates, Warren Buffett, Uber, and Apple. Investigators criticized Twitter for not providing any updates in real time and for unilaterally locking all accounts that had changed a password within 30 days of the attack. The site restricted multiple public institutions from tweeting, including the National Weather Service, which could not tweet out an important tornado advisory.
The report describes the regulations that have been established for telecommunications, utilities and the financial services industry, and says a similar framework would be useful for social media giants. Under New York state law, financial institutions are required to “assess their security risks, and then develop policies for data governance, access controls, system monitoring, third party security, and incident response and recovery.”
Regulatory guidance is similarly needed for the handful of major social media companies that are now “systemically important,” a designation created by Congress for large banks and financial institutions in the wake of the 2007-2008 financial crisis, according to the report. The “Systemically Important Financial Institution” designation should also be applied to certain social media companies that can have legitimate, outsized effects on markets and political stability, the report added.
There is currently no dedicated state or federal regulator in charge of requiring social media companies to have even the most basic cybersecurity rules in place. In 2016, New York was the first state to pass a cybersecurity regulation for financial institutions, and it now requires them to report any breaches that occur. At least 11 other states have followed suit, passing similar laws.
Some of the fears of New York state investigators have already played out in real life. The report notes that in 2013, hackers took over the Associated Press’ Twitter account and falsely tweeted out that two bombs had exploded and injured then-President Barack Obama, causing the S&P 500 to lose $136.5 billion of value in minutes.
Over the years, attackers have used social media in “pump-and-dump” scams that seek to inflate the price of a stock so that they can sell at the high point before it drops back down, the report said, adding that other studies have shown that tweets often do influence market activity.
Security experts were mixed on the prospect of a designated cybersecurity regulator for major social media companies. Many felt that a regulator would not be enough to stop the kind of attack used against Twitter and would simply add another layer of bureaucracy.
Karen Walsh, principal at Allegro Solutions and a longtime cybersecurity expert, said that before even getting to the issue of how these companies would be regulated, agencies would have to figure out how to determine which social media companies are big enough to warrant increased scrutiny.
But more importantly, she said no regulatory compliance requirement will truly hold organizations accountable because compliance is not equal to security.
“While regulatory oversight gives people comfort through transparency and oversight, it does little to secure platforms better,” Walsh said.
Gurucul CEO Saryu Nayyar echoed that sentiment, describing several challenges inherent to regulating social media companies in the US.
While mandating adequate security controls and providing oversight to see that they are correctly and effectively implemented makes sense, regulations would need to be carefully crafted to focus on the security aspects of the business without straying into regulating content, she noted.
Roger Grimes, data driven defense evangelist at KnowBe4, was completely against the idea and said it was “an unneeded regulatory layer.”
“There are already multiple federal and state regulations requiring the security needed to protect people’s identity, accounts, and data. The problem isn’t that we lack regulations. It’s that companies have multiple vulnerabilities which are used to compromise accounts and data,” he said.
K2 Cyber Security vice president of marketing Timothy Chiu went even further, saying a designation like the one being proposed may actually make these companies more of a target for cybercriminals, akin to “painting a target on the company itself.”
“That said, if the designation actually came with specific security requirements like the use of IAST and RASP, as indicated in the latest NIST SP800-53 Revision 5 security framework, that might help improve its security, especially if they aren’t already following NIST guidelines,” Chiu added. “Various industries, specifically those that handle money of course, already go by tighter security guidelines including PCI and many even require FIPS type certifications for their platforms and security.”
Some analysts, like Point3 Security vice president of strategy Chloé Messdaghi, said it was a good idea to have a regulator but questioned how having one would have helped Twitter in this specific instance.
Any cybersecurity regulator should push for hands-on training around phishing, representation of the hacker community on the board, requirements that every organization have a vulnerability disclosure policy, and enforcement strategies that drive organizations to improve their information security management systems (ISMS), she said.
But she noted that little can be done to address the more systemic underlying issues that allow cybersecurity to lapse.
“Regulatory boards cannot prevent the human element of security lapses that arise when phishing occurs and will not contribute meaningfully to fixing the long-time apathy our society has had about cybersecurity,” Messdaghi said.
“We need to be honest—humans will fall to phishing attacks. Much of the training around phishing is too easy and is easily passable for most users. But it doesn’t set us up for the emotional hit that successful phishing attacks contain.”