The brazen security compromise at Twitter this week underscored the broad and lingering vulnerabilities of U.S. elections to sophisticated cyberattacks.
A number of accounts of political, technology and business figures were captured apparently from within Twitter's own systems — as opposed to via individual attacks against the end users — and the social network's response included silencing nearly all of its highest-profile users for a time.
The incident delivered a reminder about how much the U.S. information environment depends on one service in Twitter, how disruptions to it can cascade into the broader world, and how many targets an adversary has from which to choose in order to cause disruption.
"We're lucky this didn't happen election night," tweeted Laura Rosenberger, the director of the Alliance for Securing Democracy, after the attack was over.
In all seriousness though, this attack shows just how vulnerable our infrastructure is to attack - regardless of motive. We’re lucky this didn’t happen election night. But remains to be seen if any info was compromised as part of this. https://t.co/1ppM4jPyaQ — Laura Rosenberger (@rosenbergerlm) July 16, 2020
"I hope it was a one-time incident," said Lawrence Norden, director of the election reform program at the Brennan Center for Justice at New York University Law School. "There are plenty of nightmare scenarios you can spin out."
In Wednesday's attack, the attackers posted messages asking for transfers of the electronic cryptocurrency Bitcoin. It quickly became obvious that the big accounts had been compromised, and Twitter CEO Jack Dorsey — whose account also was seized for a time — said administrators "were working to make this right."
As they were doing so, Twitter froze many of the accounts of its most prominent users, ones ostensibly "verified" to confirm that the person or organization using it is truly what it claims.
Such verified users include President Trump, Vice President Pence, members of Congress, political candidates, heads of Cabinet departments, local governments, celebrities and journalists.
In the past, foreign attackers have used Twitter from the outside in and the bottom up, creating fake accounts to pose as Americans to spread disinformation and aggravate discord.
In one case, a number of accounts linked to Russian influence-mongers existed for years and posted what appeared to be normal local news headlines.
That kind of activity remains in effect across social media. Twitter, Facebook and Google report regularly on their efforts to expunge, report or "down-rank" material following years of pressure from national security officials and Congress.
What this week's compromise confirmed was that the social networks also are vulnerable to attacks from within that could compromise many accounts, with implications for the U.S. information environment in the remaining months of the presidential campaign.
Norden also observed that the Twitter incident shows how many of the services and systems that Americans depend on aren't government-controlled or necessarily government-secured.
"There are lots of private companies that work in our elections making voting machines and companies that build and maintain voting registration databases — they're not the primary people or organizations that we think about when we think about elections but they're critical to elections — and they're outside of the government," he said.
In 2016, Russian operatives attacked a Florida company, VR Systems, that provides state and local governments with voter registration systems. That attack may have been linked to Russian efforts to gain access to county voting systems in Florida, as documented by former special counsel Robert Mueller.
Like governments, however, such organizations must deal not only with external enemies but also with what U.S. officials call the "insider threat." According to some reports, a Twitter employee may have had a hand in this week's disruptions.
Demand for answers
Many of the details aren't yet clear. The FBI is investigating the Twitter cyberattack, it said. Members of Congress want answers, too.
Rep. James Comer, R-Ky., ranking member of the House Oversight Committee, asked Dorsey for a briefing soon and observed how much the Twitter attack had exposed a single point of weakness in the U.S. information ecosystem.
Comer also said he wants to know whether user information might have been stolen.
"The specifics of the attack remain unclear — at least to the public," he wrote in a letter.
"One area of concern is whether the perpetrators gained access to individual users' accounts or Twitter's entire interface. Twitter's failure not only created an opportunity for criminals to perpetrate a crime broadcasted to millions of Twitter's users, but the hackers' potential breach of Twitter's security poses broader risks regarding hackers' access to private direct messages."
The company says it's investigating what else the attackers might have done or taken as part of the cyberattack.
The presidential issue
Comer's letter mentioned Twitter's best known political user, Trump, but one important subplot to the main story is that the president's account apparently did not come under the control of the attackers in the Bitcoin scam.
That suggests that, thanks to special attention from Twitter, the U.S. Secret Service or both, there are additional safeguards protecting Trump's account to avoid either simple embarrassment to the president or some more serious implication. Then again, attackers may simply have not gone after it.
Those details are unclear, too.
Not much imagination is needed to picture the kind of disruption that could be caused by the compromise of Trump's account or those of other important government officials — Defense Secretary Mark Esper, for example, or an account used by the CIA or one of the military services.
In 1984, an NPR radio engineer in the pool of correspondents covering President Ronald Reagan asked him to test his microphone. The president obliged and made a joke parodying the prepared statement he planned to read, one in which he announced an attack on the Soviet Union: "We begin bombing in five minutes."
Americans didn't hear Reagan's words live, but an incident like that involving a social media account used by Trump or another top leader could lead to a flash of uncertainty.
Although it might not take very long for outside observers to catch on that something was amiss, disruption in the critical few hours before an event, such as a debate or Election Day itself, has always been a possible consequence of a social media compromise.
Norden described the prospect of a big county's election supervisor's Twitter account spreading false information about voting hours or polling places or the coronavirus: "That's very concerning," he said.
Blueprint for disruption
What's also possible, now that the precedent has been set, is for an attacker simply to try to get Twitter to again deactivate all the accounts of its verified users or more. What many foreign adversaries want out of election interference is simple chaos and a corrosion of faith in democratic institutions, national security officials say.
The Department of Homeland Security, led by its Cybersecurity and Infrastructure Security Agency, has focused much of its attention on helping to guard voting machines, registration systems, vendors' networks and other potential targets ahead of Election Day this year.
But as other critics said, including the liberal group Common Cause, the loss of Twitter access not only meant that politicians couldn't talk directly to voters. It also meant that many official entities or organizations lost that channel with their audiences too, which was and could again be disruptive.
"[The] hack occurred in an age when the current president conducts official business on his Twitter account," said Karen Hobert Flynn, president of Common Cause.
"Federal agencies such as the Census Bureau and the Center for Disease Control also share news and information through social media. It is time for real government oversight and for meaningful legislation to safeguard these important yet extremely vulnerable platforms."