{"id":653,"date":"2017-11-08T07:02:30","date_gmt":"2017-11-08T07:02:30","guid":{"rendered":"https:\/\/securitycurve.com\/?p=653"},"modified":"2017-11-08T07:02:30","modified_gmt":"2017-11-08T07:02:30","slug":"when-did-twitter-become-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=653","title":{"rendered":"When did Twitter become critical infrastructure?"},"content":{"rendered":"<p><img class=\"alignright size-large\" src=\"http:\/\/www.tshirtvortex.net\/wp-content\/uploads\/Moby-Dick-Fail-Whale-T-Shirt.gif\" width=\"523\" height=\"523\" \/>Last week was a huge news week for Twitter security apparently. There were a few stories about it: Trump&#8217;s <a href=\"https:\/\/www.wired.com\/story\/trumps-twitter-takedown-reveals-another-tech-blind-spot\/\">feed was deleted for eleven minutes<\/a>\u00a0by an angry customer support rep, leading to a host of folks calling for better security for the platform, there was\u00a0<a href=\"https:\/\/www.pri.org\/stories\/2017-11-06\/twitter-ignored-warnings-about-russian-accounts-2015\">continued investigation about election tampering<\/a> and the role of social media in it, and then we also had a <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/10\/24\/twitter-reveals-plan-for-tackling-abuse-again\/\">leaked memo from Twitter CEO Jack Dorsey<\/a> about the release schedule for security measures that is bound up in the whole Harvey Weinstein affair because of <a href=\"https:\/\/www.nytimes.com\/2017\/10\/12\/arts\/rose-mcgowan-twitter-weinstein.html?_r=0\">Rose McGowan&#8217;s account being locked<\/a> following posts about him.<\/p>\n<p>Here&#8217;s the question that I would have about this.\u00a0 Fundamentally, what are our security 
expectations for a service like Twitter?\u00a0 I mean this both from a societal perspective (i.e. social norms) as well as from a regulatory perspective.\u00a0 For example, here we have an article from India Times <a href=\"https:\/\/economictimes.indiatimes.com\/magazines\/panache\/trump-finally-reacts-to-twitter-cut-off-company-says-it-has-stepped-up-security\/articleshow\/61504383.cms\">highlighting the fact that Twitter is &#8220;stepping up security&#8221;<\/a> because of the Trump thing. However, note that this is entirely voluntary on their part.<\/p>\n<p>This particular article caught my attention for a few reasons. First, there is the fact that the security of Twitter is being referred to as a &#8220;national security matter&#8221;; from the article:<\/p>\n<blockquote><p>Jennifer Grygiel, a Syracuse University professor who studies social media, said the deactivation is worrisome.\u00a0 &#8220;This is no laughing matter,&#8221; she said. &#8220;This is a serious issue and one of national security.&#8221;<\/p><\/blockquote>\n<p>At what point did Twitter go from &#8220;toy&#8221; to &#8220;issue of national security&#8221;?\u00a0 Because there&#8217;s a line there and I legit can&#8217;t figure out where it is.\u00a0 Is it based on volume?\u00a0 Meaning, the security of <a href=\"https:\/\/www.plurk.com\/portal\/\">Plurk<\/a> isn&#8217;t a national security matter (because it has fewer users) while the security of Twitter is?\u00a0 Or is it because of who uses it?\u00a0 Like, if someone accidentally installs Snapchat on Trump&#8217;s phone, it goes from &#8220;who cares&#8221; to &#8220;national security&#8221;?\u00a0 I&#8217;m not following the logic on when the security of &lt;insert arbitrary Internet service&gt; escalates to national security status. 
I&#8217;m not saying it should be one way or the other&#8230; I&#8217;m just saying I wish I better understood where this line is.<\/p>\n<p>The article then goes on to say:<\/p>\n<blockquote><p>&#8220;It is shocking that some random Twitter employee could shut down the president&#8217;s account,&#8221; Blake Hounshell, the editor-in-chief of Politico Magazine, wrote on Twitter.<\/p><\/blockquote>\n<p>Is it?\u00a0 Is it really?\u00a0 Why are you shocked?\u00a0 The fact of the matter is that Twitter has no regulatory reason (currently) to do <strong>anything<\/strong> for or about security other than a few &#8220;bare minimums&#8221; &#8212; that don&#8217;t, by the way, include anything related to their customer service team.\u00a0 Excepting the small portion of their environment that processes credit card transactions (because PCI) and financial reporting (because SOX), there&#8217;s nothing covering this.\u00a0 They&#8217;re not regulated, they&#8217;re not critical infrastructure&#8230;\u00a0 So any screening of their customer service personnel?\u00a0 Any protection measures they might choose to employ? They&#8217;re entirely voluntary. 
Under this view, they owe the world nothing.<\/p>\n<p>Here&#8217;s what I mean.\u00a0 Say Twitter wanted to outsource their customer service to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Arkham_Asylum\">Arkham Asylum for the Criminally Insane<\/a>?\u00a0 Could they do this?\u00a0 If not, why not?\u00a0 It seems like a bad idea to me, but isn&#8217;t that a risk\/reward decision they are within their rights to make?\u00a0 If they wanted to hire Lucifer himself as their privacy officer, what rule are they breaking should they do so?\u00a0 So long as they adhere to the agreements they have made with users (via the EULA and their privacy policy)&#8230; and so long as they adhere to the letter of the law with respect to breach notification, avoid negligently harming people (tort), and ensure the integrity of their financial reporting (because SOX)?\u00a0 Seems to me like, within these boundaries, they can do whatever they want.<\/p>\n<p>This magic happens because they are a &#8220;communications platform&#8221; and not, for example, a media company or communications infrastructure provider.\u00a0 The fact that they are a &#8220;platform&#8221; rather than a &#8220;provider&#8221; means they are not regulated by the FCC.\u00a0 The fact that they are a platform likewise means that they don&#8217;t have the same obligations\u00a0(for example w\/r\/t newsworthiness of what they put on that platform) compared to, say, a television station or newspaper.\u00a0 They can pretty much do whatever.\u00a0 \u00a0 If we as a society don&#8217;t want this, we need a framework for them to fit into.\u00a0 We have them already; it&#8217;s just that Twitter isn&#8217;t voluntarily getting into one of those boxes and we as a society aren&#8217;t forcing the issue.<\/p>\n<p>From the article:<\/p>\n<blockquote><p>Twitter responded with a pledge to review its policy while noting that &#8220;newsworthiness&#8221; and public interest must be considered in deciding whether to take down a 
tweet.\u00a0Grygiel said it is problematic that the president is using a private entity to issue important statements on policy.\u00a0&#8220;There are communications risks with the president&#8217;s reliance on a public communications company,&#8221; she said, noting that Twitter has a right to ban Trump at any time.<\/p><\/blockquote>\n<p>See?\u00a0 Voluntary.\u00a0 They consider themselves the arbiter both of what measures are appropriate and of their own obligations about what is newsworthy or in the public interest.\u00a0 Should it be this way?\u00a0 That&#8217;s a different question.\u00a0 For example, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Patriot_Act\">USA Patriot Act<\/a> defines &#8220;critical infrastructure&#8221; as:<\/p>\n<blockquote><p>&#8230;systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.<\/p><\/blockquote>\n<p>It sounds to me like the root argument here is that Twitter falls under the definition of critical infrastructure.\u00a0 I would argue that if Grygiel is accurate in her assessment that Twitter is a vehicle for policy, then arguably it is.\u00a0 If that policy could have economic or geopolitical implications, it becomes a lot clearer.\u00a0 If tweets can impact stock prices (and we know they do), it likewise becomes a whole lot less &#8220;shades of grey&#8221;-ish.\u00a0 At a minimum, I would argue that current usage of Twitter &#8211; not just by Trump but by politicos more generally &#8211; fits the definition.\u00a0 Twitter is now, by virtue of how it&#8217;s used, &#8220;critical infrastructure&#8221;.\u00a0 I may not love that, but it&#8217;s the practical reality.\u00a0 Arguing otherwise misses the intent of this in the first place.<\/p>\n<p>It seems to me clear that Twitter 
doesn&#8217;t see it this way.\u00a0 At least not yet.\u00a0 If Twitter were critical infrastructure (CI), it would fall under the umbrella of &#8220;Information and Telecommunications&#8221;, right?\u00a0 Or under &#8220;communications&#8221; per the NIPP?\u00a0 I think so.\u00a0 One can extrapolate the type of companies that self-identify as being in those groups based on their participation in the IT-ISAC.\u00a0 The <a href=\"https:\/\/www.it-isac.org\/members\">members list is here<\/a>. Twitter (or any other social media company) isn&#8217;t on it.\u00a0 As a starting point, I would encourage you to read the DHS pages about both <a href=\"https:\/\/www.dhs.gov\/communications-sector#\">communications<\/a> and <a href=\"https:\/\/www.dhs.gov\/information-technology-sector\">information technology<\/a> sector-specific planning.<\/p>\n<p>In the meantime though, if we as a society feel like Twitter has an obligation as a critical infrastructure provider, it seems like someone should tell them about it.\u00a0 If we feel like they should do something specific about security (like have a reasonable amount of it), we need a regulatory instrument to cause this to occur.\u00a0 If not, we shouldn&#8217;t be surprised when an intern can delete people&#8217;s accounts, post spurious tweets on their behalf, or really do just about anything else.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week was a huge news week for Twitter security apparently. 
There were a few stories about it: Trump&#8217;s feed was deleted for eleven minutes\u00a0by an angry customer support rep leading to a host of folks calling for better security for the platform, there was\u00a0continued investigation about election tampering and the role of social media [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[121],"class_list":["post-653","post","type-post","status-publish","format-standard","hentry","category-security","tag-twitter"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=653"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/653\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}