In the eyes of government regulators, critical services and lax cybersecurity don’t mix — especially when those services support the online accounts of former president Barack Obama, former vice president Joe Biden, and current president Donald Trump.
The embarrassing and costly Twitter hack this past July served as more than just a wake-up call for the scores of public figures who trusted the social media giant to keep their accounts safe. In a comprehensive report released Tuesday, New York State’s Department of Financial Services argues that the hack proved that, left unregulated, “systemically important institutions” such as Twitter pose a “risk to society.”
The report breaks down, in detail, both how Twitter was hacked and the security lapses which allowed a Florida teenager to (allegedly) mastermind the entire thing. Notably, it doesn’t exactly paint Twitter’s executive team in a favorable light.
“The problems started at the top: Twitter had not had a chief information security officer (“CISO”) since December 2019, seven months before the Twitter Hack,” reads the report. “A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses.”
According to the report, Twitter’s security “problems” were only exacerbated by the push to remote work necessitated by the coronavirus pandemic. Like many other newly remote workers, Twitter’s employees experienced tech problems working from home. Hackers were able to capitalize on this, tricking at least one Twitter employee into believing the hacker was a member of Twitter’s IT team.
The Twitter hack, notes the report, shows why antitrust regulation is only one part of the regulatory puzzle when it comes to social media companies. Without some form of basic cybersecurity standards, and the power to enforce them, we set ourselves up for more breaches, data leaks, and hacks of prominent figures. If the hackers are after more than just bitcoin, that could spell all kinds of disaster.
That argument becomes only more timely as social media continues to serve as a conduit for misinformation during the run up to the 2020 U.S. presidential election.
And while Tuesday’s report is specifically in response to the Twitter hack, it notably does not limit its recommendations to only Twitter. Instead, it uses the July hack to introduce the broader idea of cybersecurity regulations for larger social media players. Critically, this would include Facebook.
“We need a comprehensive cybersecurity regulation and an appropriate regulator for large social media companies,” continues the report. “The stakes are too high to leave to the private sector alone.”
We reached out to both Twitter and Facebook in an attempt to determine if either company would be open to some form of government cybersecurity regulations, and, if so, what those regulations would ideally look like.
While a Twitter spokesperson did respond, the spokesperson did not directly answer any of our questions.
“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” wrote the company spokesperson. “As we shared on September 24, 2020, we will continue to prioritize and accelerate our efforts to increase the security of our platform and how our teams work. We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely.”
We received no immediate response from Facebook.
It’s worth mentioning that cybersecurity regulations for social media companies is not that far-fetched of an idea. Some regulations — like New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act, enacted in 2019 — already exist. Many other industries, like the financial sector, are regulated and have clear rules for handling and securing customer data.
SEE ALSO: Twitter may have to pay hundreds of millions in fines for privacy screw-up
“[There] are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report,” notes the Department of Financial Services report. “That regulatory vacuum must be filled.”
Indeed, mandating basic security standards seems like an idea whose time is overdue. It remains to be seen, however, whether Facebook will like being regulated because of the fall-out from a Twitter hack. But then again, when it comes to unsecured messes, Facebook has its own long and storied history.