Twitter logo and binary cyber codes, November 26, 2019, photo by Dado Ruvic/Reuters

commentary

(The RAND Blog)

Insider Threat at Twitter Is a Risk to Everyone

Photo by Dado Ruvic/Reuters

by Douglas Yeung and Ryan Andrew Brown

August 7, 2020

Three young hackers were charged July 31 in the hijacking of dozens of high-profile Twitter accounts, including those belonging to presidential candidate Joe Biden, former President Obama, and other public figures. The fake tweets briefly promoted a Bitcoin scam that nabbed over $100,000. But the hackers' tactics point out how vulnerabilities at such tech platforms can now also pose a risk to national security in the United States and elsewhere.

Elected officials currently announce policies and spar with one another on Twitter. An unauthorized individual appearing to tweet from a world leader's account could crash markets, spark conflicts, or create other catastrophic global consequences. Hacking the accounts of media companies could create similarly far-reaching effects. A well-respected news outlet tweeting out “breaking news” of impending war, or a local journalist warning of an active shooter on the loose could generate chaos.

As seen in other security breaches—the Sony email hack or WikiLeaks release of diplomatic cables, for example—the release of private communications can also be very damaging. Social media hacks have that component as well. News reports suggest that personal data, including private messages, was stolen from some of these prominent individuals' Twitter accounts.

The attack appears to have been an elaborate combination of social engineering and spear-phishing targeting specific Twitter employees. By posing as coworkers—made easier by the fact that everyone is working remotely during the COVID-19 pandemic—the hackers steered the employees to a fake virtual private network page and stole their login information.

Private and public sectors already guard against insider threat to protect their own operations. Private companies' motivations, however, have been to protect their own reputation and security. Given their reach and impact, social media companies now share a responsibility with governments to protect the general public against harm from nefarious actions by lone wolves or domestic or foreign adversaries.

The RAND report “Corporate Knowledge for Government Decisionmakers: Insights on Screening, Vetting and Monitoring Processes” explored how business sectors (e.g., tech, pharmaceutical) mitigate insider threat. One key vulnerability it notes: Questionable behavior by senior leaders could be exposed to harm corporate reputation. When social media accounts are hacked, such questionable behavior can be faked online easily.

To reduce exposure to insider threat, social media platforms should reconsider broad staff access to data and seek to compartmentalize data access.

Share on Twitter

To reduce exposure to insider threat, social media platforms should reconsider broad staff access to data and seek to compartmentalize data access. Twitter's existing policies appeared to allow certain staff relatively unfettered access to user accounts.

If they don't do so already, Twitter and other platforms should also continuously monitor staff and systems for evidence of attempts to breach their defenses. This should include a mixture of automated and manual review of chat conversations, emails, and other transactions on its systems. Artificial intelligence and machine learning–based approaches have received a considerable amount of media attention, but these tools still require careful monitoring and human oversight. As automated tools become more widely used, they should be rigorously evaluated to ensure they are effective without invading privacy or exacerbating inequities.

Finally, intelligence about potential risk should be shared inside and outside the organization. This will allow companies to bring more weapons to the fight by engaging other corporate functions like human resources and security, government partners, and possibly even the broader public as allies against insider threat. For example, our research on corporate practices revealed that direct competitors stay in close contact with each other, sharing information about emerging security risks.

Given the stakes, Twitter and other social media companies need to continue to guard against insider threat. It won't just be themselves they are protecting—it's all of us.


Douglas Yeung is a social psychologist at the nonpartisan, nonprofit RAND Corporation and a member of the Pardee RAND Graduate School faculty. Ryan Andrew Brown is a senior behavioral/social scientist at RAND.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.