On Wednesday New York State’s Department of Financial Services (DFS) released the results of its investigation into the July 15 hacking of the Twitter accounts of cryptocurrency firms and public figures such as Presidential candidate Joe Biden, using the opportunity to call for increased and more effective regulation of social media platforms.
In a statement accompanying the report, DFS Superintendent Linda Lacewell stated that the efforts of hackers pose a “major threat” to “millions of consumers,” because social media platforms have “quickly become [a] leading source of news and information.”
As to how Twitter’s systems were breached, the department’s report found that:
- The hackers accessed Twitter’s systems with a simple technique: by calling Twitter employees and claiming to be from Twitter’s IT department. After the hackers duped four employees into giving them their log-in credentials, they hijacked the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk, and several cryptocurrency companies regulated by the Department – accounts with millions of followers.
- The hackers tweeted simple “double your bitcoin” messages, with a link to send payments in bitcoins. In the end, they stole over $118,000 worth of bitcoins from consumers.
- Despite being a global social media platform boasting over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection. At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring – some of the core measures required by the Department’s first-in-the-nation cybersecurity regulation.
Noting that the DFS-regulated cryptocurrency firms Coinbase, Square, Gemini Trust Company and Bitstamp “responded quickly to block attempted transfers,” the report argued that, while social media companies are partially regulated by entities including the SEC, the FTC and the U.S. Justice Department, a more cohesive framework is needed, along the lines of the cybersecurity regulation developed by the department itself.
Stating that the “regulatory vacuum must be filled,” DFS called for a single regulatory agency with the “authority to uniformly regulate social media platforms that operate over the internet.”
DESIGNATION OF SOCIAL MEDIA COMPANIES AS SYSTEMICALLY IMPORTANT
Noting that Congress established a system under which the Financial Stability Oversight Council could designate an institution as a Systemically Important Financial Institution (“SIFI”), the DFS report called for an analogous system capable of designating social media platforms as being systemically important.
It stated that the criteria for such a designation should include the reach and impact of the company and the “society-wide” consequences of misuse of its platform.
Once designated, DFS called for enhanced regulation of companies through “stress tests” to gauge “susceptibility to key threats,” such as election interference and cyberattacks.
DFS provided the following summary of its report:
Part II … describes background information about Twitter’s platform, the ever-expanding influence of social media platforms such as Twitter, and how this influence continues to affect markets and the national conversation around elections and disinformation. It also describes the Department’s role in protecting consumers and the financial services industry.
Part III sets forth a detailed timeline of the Twitter Hack. This includes a description of key events and Twitter’s response.
Part IV details the Twitter Hack’s impact on the Department’s cryptocurrency licensees and their timely efforts to protect their customers from the fraud. It also describes the substantial threat cryptocurrency fraud poses to the industry.
Part V addresses the cybersecurity weaknesses at Twitter that made the Twitter Hack possible. This includes a lack of leadership, vulnerability to social engineering, and a failure to address the new vulnerabilities caused by the pandemic-driven shift to mass remote working.
Part VI identifies best practices that address the weaknesses the Twitter Hack exposed. The Report recommends specific steps cryptocurrency companies can take to combat similar fraud. The Department also recommends cybersecurity measures that will reduce the likelihood that a similar cyberattack will succeed.
Part VII makes recommendations for improving our society’s defenses against cybersecurity lapses that can lead to social media manipulation. It addresses the need for a regulation and a regulator focused on large social media companies’ cybersecurity resiliency.