New York Calls for Federal Regulation of Social MediaState Report Blames Twitter's Lack of Security for July Hack
The ease with which Twitter was hacked in July by a "group of unsophisticated cyber crooks" raises concerns about misuse of the social media platform by those seeking to interfere with the Nov. 3 election, according to a report from New York state investigators released Wednesday.
See Also: Top 50 Security Threats
The report on the hack investigation calls for Twitter and other social media companies to implement greater cybersecurity measures and advocates greater federal regulatory oversight of these companies to help prevent the misuse of their platforms.
Investigators from the state's Department of Financial Services say Twitter lacked adequate cybersecurity protections and a CISO at the time of the attack.
"Considering social media's increasingly critical role as a source of news and information, the ease of the Twitter hack shows Twitter's vulnerability to an election-related hacking attempt," the report says.
The New York report calls for the creation of a federal regulatory body dedicated to overseeing large, critically important social media platforms. The Department of Financial Services suggests such a body could be modeled on the federal Financial Stability Oversight Council, or FSOC, which Congress established to "identify risks to the financial stability of the United States."
"An analogue to the FSOC should be established to identify systemically important social media companies. This new oversight council should evaluate the reach and impact of social media companies, as well as the society-wide consequences of a social media platform's misuse, to determine which companies they should designate as systemically important," the report says.
Once a social media company is designated as critical, it should be subject to enhanced regulation and undergo stress tests to evaluate its susceptibility to key threats, including cyberattacks and election interference, the report states.
A spokesman for Twitter could not immediately be reached for comment.
CISO Is Essential
The New York report notes the state's regulations already require many companies to have a CISO. It's essential for companies to have an executive-level leader who is directly responsible for cybersecurity, the report says.
The report slams Twitter's access management and authentication practice, which allowed the hackers to compromise the accounts. It recommends the company take a "zero trust" approach to security and says employees should only have access to systems and apps needed to do their jobs.
The New York Department of Financial Services also says social media firms need to offer additional training to ensure employees are aware of potential ploys hackers use to compromise credentials and conduct an illicit operation.
July 15 Attack
The report was prepared at the behest of Gov. Andrew Cuomo in response to the July 15 hack in which 130 Twitter accounts - including those of Microsoft founder Bill Gates, entrepreneur Elon Musk, Dutch lawmaker Geert Wilders and Democratic presidential nominee Joe Biden - were hacked.
To launch a cryptocurrency scheme, the attackers posted a message in 45 of the accounts: "I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000." (See: Several Prominent Twitter Accounts Hijacked in Cryptocurrency Scam).
The attackers got a total of $120,000 by scamming about 360 people, according to the New York report.
To gain access to the accounts, attackers hit several Twitter employees with a phone-based spear-phishing attack that provided them with credentials for the social media firm's internal systems, Twitter reported in August (see: Twitter Hack: Suspects Left Easy Trail for Investigators).
Three people have been charged in connection with the incident and two have been arrested. Florida resident Andrew Warren, 17 at the time of his arrest, was charged as an adult with 30 felonies, including organized fraud, communications fraud and identity theft. The names of the other two suspects have not been released (see: 3 Charged in Twitter Hack).