Zatko disclosed this information during his testimony on Twitter’s lax cybersecurity protocols and privacy practices. According to Zatko, the Federal Bureau of Investigation informed the company about the Chinese agent shortly before he was fired earlier this year. Zatko served as Twitter’s Head of Security from November 2020 to January 2022. The company hired him at a time when it was under heavy scrutiny following high-profile data breaches, including the July 2020 hack. Zatko left Twitter just a few months into new CEO Parag Agrawal’s reign. Last month, Zatko filed a whistleblower complaint. He claimed that Twitter employees had poorly monitored access to key software and computing systems. His testimony reaffirms his claim that the company prioritized profits over user safety and cybersecurity. In his complaint, Zatko said Twitter had an Indian government agent working inside the company. According to him, the Indian government forced the company to hire an agent who would have had full access to user data and other critical systems.
‘At Least One’ Chinese Spy
In his testimony before the Senate Judiciary Committee on Tuesday, Zatko said he was told that “at least one” agent of China’s Ministry of State Security was on Twitter’s payroll. Zatko said the company’s Corporate Security team informed him of the spy’s presence. Zatko recounted a troubling conversation with a Twitter executive about the presence of a foreign agent. “I’m reminded of one conversation with an executive when I said, ‘I am confident that we have a foreign agent,’ and their response was, ‘Well, since we already have one, what does it matter if we have more? Let’s keep growing the office,’” Zatko told the Committee. Zatko said Twitter’s lax security environment would have allowed the agent to access all the company’s data. He claims it was very lucrative for foreign governments to place their agents inside the company. “While it was disturbing to hear, I and many others had recognized the state of the environment at Twitter, we’re really thinking if you are not placing foreign agents inside Twitter, because it’s very difficult to detect them, it is very valuable to a foreign agent to be inside there,” Zatko said. “As a foreign intelligence [agency], you’re most likely not doing your job.”
Other Highlights From Zatko’s Testimony
Zatko’s testimony shed light on several concerning practices at Twitter. He claims the company’s data storage systems were severely disorganized, so much so that the company could not accurately tell whether it had deleted a user’s data. “They don’t know what data they have, where it lives or where it came from, and so, unsurprisingly, they can’t protect it,” he said. Zatko said the company did not even have a staging environment in which to test updates before rolling them out. According to him, the company’s engineers instead work directly on live systems. Staging environments let engineers check their code for bugs or other problems before it reaches production. Zatko also said the company’s engineers have broad access to critical information. He claims the engineers can access Twitter’s live testing environment by default. According to him, such access should ideally be restricted to a smaller group. “It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room,” Zatko noted.
Twitter Disputes Whistleblower’s Claims
In a statement to CNN, a Twitter spokesperson said that Zatko’s statements were “inconsistent and full of inaccuracies.” The spokesperson said that foreign governments do not influence Twitter’s hiring policy. Furthermore, the company uses background checks, access controls, and monitoring systems to restrict access to internal company data. Zatko’s testimony is likely to impact the trajectory of Elon Musk’s highly publicized Twitter purchase saga. The world’s richest man sent a third letter to the company on Friday, September 9, signaling his intent to withdraw from the deal. However, in a Monday filing with the Securities and Exchange Commission (SEC), Twitter described Musk’s attempts to terminate the agreement as “invalid and wrongful.” Musk had previously said Twitter misrepresented its spam bot issue by withholding the number of bot accounts on the platform.