Social Media’s Cybersecurity Shortcomings

Font Size:

State financial regulator argues that social media companies need a dedicated monitor.

Font Size:

Elon Musk’s Twitter account posted an unusual message on an otherwise unremarkable Wednesday afternoon in July. The Tesla CEO appeared to offer his Twitter followers free Bitcoin, with a catch—“You send $1,000, I send back $2,000!”

Similar messages popped up on the Twitter feeds of former President Barack Obama, rapper Kanye West, and billionaire investor Warren Buffett, among other high-profile accounts. Twitter recognized quickly the ongoing attack and took down the messages. But the following weeks revealed how a ragtag team of “unsophisticated cyber crooks”—reportedly led by a 17-year-old from Florida—caught the tech giant unprepared.

A recent report from a state regulator in New York outlines several reasons that a group of young hackers apparently could break into one of the biggest social media platforms in the world. For one, at the time of the hack, Twitter had spent seven months without a chief information security officer. In addition, the company’s shift to remote working in response to COVID-19 made it easier for the hackers to call Twitter employees directly and impersonate IT professionals to gain information about the company’s systems.

To combat fraud and disinformation on the most influential social media platforms, the New York State Department of Financial Services (DFS) recommends taking “bold and assertive” action. In its report, DFS advocates creating a new federal regulatory authority to monitor social media companies and prevent future cyberattacks. This entity would seek to ensure the largest and most important social media platforms maintain strong defenses against potential cyber threats.

Although no specific entity is dedicated solely to supervising the social media industry in the United States, federal and state agencies do exercise general oversight. New York’s DFS notes that the U.S. Department of Justice and the Federal Trade Commission, for example, can enforce general regulations to address antitrust concerns in the technology industry. Social media companies also must comply with cybersecurity requirements contained in state laws, such as the California Consumer Privacy Act and the New York SHIELD Act.

Still, social media remains in a “regulatory vacuum” because no existing regulator can address specific cybersecurity issues, such as the ones the Twitter hack revealed. To fix this void, the social media industry needs a single regulator to manage cybersecurity concerns, DFS argues. It proposes a dedicated regulator for social media, just as the Federal Communications Commission oversees telecommunications and the Financial Stability Oversight Council supervises big banks.

The DFS report specifically proposes using the regulatory model of the Financial Stability Oversight Council. The Council can designate certain vital financial institutions as “systemically important,” which then subjects those institutions to increased federal oversight and mandates strict risk management standards. “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” DFS argues.

An analogous social media regulator could distinguish systemically important social media companies by determining the “society-wide consequences” of a platform’s potential misuse. DFS recommends that such a new regulatory body then use stress tests to assess how social media companies stand up to mock threats such as cyberattacks and election interference.

Acknowledging the technology expertise needed to regulate social media companies, DFS suggests that the proposed regulator could be housed in a new agency or formed as part of an existing one. The Department of Homeland Security, for example, operates the federal government’s Cybersecurity and Infrastructure Security Agency, which has released social media cybersecurity tips.

Although discussions about potential social media regulations are not new, DFS’s focus on cybersecurity presents a novel approach to these ongoing conversations. July’s Twitter hack, the state agency’s report claims, “demonstrates, more than anything, the risk to society when systemically important institutions are left to regulate themselves.”

Twitter has enhanced its internal security systems since July, including hiring a new chief information security officer. A dedicated regulator might have better ensured that Twitter had maintained stronger cybersecurity standards, according to DFS.

The perpetrators of this summer’s Twitter scam managed to steal over $118,000 worth of Bitcoin in one hour, but the attack could have been much worse. By sending fraudulent tweets from dozens of high-profile accounts, the hackers “reached millions of potential victims across the globe,” according to the DFS report.

In light of society’s growing reliance and use of social media for daily information consumption, the DFS report lays out important concerns about these networks’ potential to disrupt election security and financial market stability. A regulatory body empowered to address social media cybersecurity can help mitigate these anxieties, DFS argues.