Peiter “Mudge” Zatko, the former head of security at Twitter, testified on Tuesday that at least one agent of China’s Ministry of State Security (MSS), the country’s top intelligence agency, was on the company’s payroll.
Zatko, a whistleblower who served as Twitter’s head of security, testified against the embattled platform before a Senate Judiciary Committee hearing on Sept. 13.
Ranking Member Sen. Chuck Grassley (R-Iowa) asked Zatko: “In your disclosure, you mentioned that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that?”
Zatko responded that he was notified of this information a week before the company fired him.
“The corporate security physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China’s intelligence services, on the payroll inside Twitter,” he said.
In his testimony, Zatko highlighted Twitter’s widespread security failings and said the platform had misled the public, lawmakers, shareholders, and even its own board of directors.
Zatko testified that when he raised his concerns about suspected Chinese agents inside the company with a Twitter executive, the executive brushed them off.
“When I said, ‘I am confident that we have a foreign agent,’ [the executive’s] response was, ‘Well since we already have one, what does it matter if we have more; let’s keep growing the office,’” he recalled during the hearing.
‘Goldmine’ for foreign intelligence
The whistleblower noted that Twitter would be a “goldmine” for any foreign intelligence agency able to place one of its assets, such as a Chinese agent, inside the company.
“If you place somebody on Twitter … as we know has happened, it would be very difficult for Twitter to find them. They will probably be able to stay there for a long period of time, and gain significant information to provide back on either targeting people or on information as to Twitter’s decisions and discussions and … the direction of the company,” Zatko said.
Zatko, a former “white hat” hacker and Google employee, was hired by Twitter in 2020 in the aftermath of a major hack that hijacked dozens of high-profile accounts.
The whistleblower also alleged that Twitter had become dependent on revenue from Chinese entities, even though the platform is blocked in China.
“Twitter executives knew that accepting Chinese money risked endangering users in China,” the 84-page complaint said.
“They didn’t know what people they were putting at risk. Or what information they were even giving to the government, which made me concerned that they hadn’t thought through the problem in the first place—that they were putting their users at risk,” Zatko said at the hearing.
Profits over security
He summarized the executives’ response to his concerns: “We’re already in bed. It would be problematic if we lost that revenue stream. So figure out a way to make people comfortable with it.”
Zatko alleged that Twitter’s leadership ignored his warnings about fundamental cybersecurity problems and misled the board, shareholders, and the public in order to “prioritize profits over security.”
“What I discovered when I joined Twitter [in November 2020] was that this enormously influential company was over a decade behind industry security standards.”
Zatko says Twitter’s data security problems stem from two fundamental issues:
“They don’t know what data they have, where it lives, or where it came from. And so unsurprisingly, they can’t protect it. And this leads to the second problem, which is the employees then have to have too much access to too much data and too many systems,” he said.
The whistleblower then underscored that last point by revealing that roughly half of Twitter’s employees had access to the Twitter account of Sen. Grassley, the committee’s ranking member.
“The company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people,” Zatko said.
“When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us.”
Zatko also said Twitter misled regulators about its compliance with a 2011 Federal Trade Commission consent order, stating that the platform had made “little meaningful progress on basic security, integrity and privacy systems.”