It has been 161 days since Elon Musk took the reins at Twitter, swinging into the social platform like a wrecking ball. Callum Booth has chosen five changes made by Musk, assessing each for its damage to cybersecurity.
Just in case you’ve been living under the darkest rock known to humanity, let us get you up to speed: Elon Musk bought Twitter. Yes, one of the world’s richest people splashed £35bn ($44bn) on a social network. Why? Good question; we’re not entirely sure why.
What is evident is the role Twitter has played in society. While it has never been the largest social network, it is arguably the most influential, with the platform being a favourite haunt of public figures, officials, experts, and journalists. It’s also something of a mecca for the cybersecurity industry, so any cybersecurity implications of Musk’s explosive decision-making cut that community particularly deep.
Whatever your opinion of Elon Musk, there’s no denying that he made an immediate impact on Twitter. Rather than spending months researching and auditing the company, he leapt into action, making a series of shock decisions to try to improve its fortunes.
But this raises a big question: with Twitter being such an influential social network, how have these changes impacted its cybersecurity?
We decided to find out. The only way to do this properly? Rate some of Elon Musk’s decisions by how detrimental they have been to Twitter’s cybersecurity.
So, how is this going to work?
First, we selected five of the biggest business decisions Musk has made during his tenure as the head of Twitter.
We rank these on a scale of one to five depending on how dangerous they were for cybersecurity on the platform — with one being no or very little concern and five being disastrous.
Of course, we can’t be judge and jury, so to make our analysis as objective as possible, we onboarded a bunch of experts to give their take on Musk’s circus. Let’s dive in.
1: Firing the majority of Twitter staff
When Musk took over Twitter, the company had around 7,500 employees. Almost immediately, he fired around half (3,700) of them. Many ex-employees took to Twitter (ironically) to share horror stories of how they’d been let go, often reporting that their log-in credentials had simply stopped working. And that was just a starter. He has since continued to chop away at the business, getting rid of another 10% of staff in February.
So what impact has this had on Twitter as a platform?
“Gutting a company like a fish, which is what Elon Musk is doing, was always going to have some effect on the cybersecurity of the business,” Matthew Hunt, web developer at marketing, design, and development agency Herd, says.
“The initial firing of the staff was always going to mean that certain cybersecurity specialists would be let go,” he continues, which, of course, negatively impacts the platform’s robustness to attack.
Tom Kidwell, co-founder of Ecliptic Dynamics, an internet infrastructure security specialist, agrees that the initial firing damaged cybersecurity at Twitter, but counters that this “might not be negative in the longer term.”
How has he come to that conclusion? “New developers might be more skilled and have different thoughts on how to secure the platform,” solving problems and risks that were, in the previous regime, left alone, he argues.
“There will be a short-term detrimental effect,” Kidwell says, but that doesn’t mean things will remain bad.
Cybersecurity damage rating: 3/5
The firing of staff negatively impacted Twitter’s cybersecurity in the short term, but the jury is still out over the long-term outcome of this move.
2: Putting SMS 2FA behind a paywall
One of the most significant changes Musk has made at Twitter was expanding its subscription service, Twitter Blue. While this has a range of features (which we’ll touch on later), the one element that got the cybersecurity world up in arms concerned two-factor authentication (2FA).
Previously, anyone could use SMS 2FA to secure their Twitter account, but Musk repositioned this specific method behind a Twitter Blue paywall.
“Charging people to secure their accounts is just bonkers,” says Luke Potter, COO of CovertSwarm, a global ethical hacking and cyber security provider. “Security should be baked into a product by default.”
Other experts echoed this view. Hunt from Herd believes that making SMS 2FA a paid option seems like “a way to get more people to buy [Twitter Blue].” Doing this instead of improving security, he says, is “very telling of where [Musk’s] priorities lie.”
Alongside the widely voiced concern that putting security behind a paywall is both a negative move and a potential danger, there is a contrary school of thought. Leon Teale points out the issues with SMS 2FA in general.
“People who do not have a proper understanding of what this is have publicly accused [Musk] of reducing security. This is not the case,” says Teale, senior penetration tester at IT Governance Ltd. By getting rid of SMS verification, Musk “simply removed a weak version of 2FA.”
Teale continues, saying that weaknesses in SMS itself, like a lack of encryption, can give attackers access to people’s phone numbers.
However, Potter from CovertSwarm sums it up best, saying that “monetising security is a negative step.” Still, there needs to be a revolution across social media platforms that “leads to the retirement of SMS-based two-factor authentication.”
Cybersecurity damage rating: 4.5/5
Musk has removed security for users in general, yet still allows SMS 2FA for those who pay. Effectively, it’s the worst of both worlds.
3: Giving Twitter Blue subscribers verification badges
Arguably the biggest change to Twitter Blue was the news that those who subscribed would receive a blue tick — something previously only given out to notable public figures. Naturally, this caused an almighty ruckus when rolled out, with many companies’ stock prices plummeting and chaos reigning on the platform.
Regarding the cybersecurity impact this has on Twitter itself, Potter from CovertSwarm pointed out how verification badges will make it easier for attackers “to identify who has and hasn’t got two-factor authentication enabled.”
The absence of a tick will almost act as a “broadcast signal,” as those users will “have had to go out of their way to implement a new method of 2FA, whether by an authenticator app or code generator.” This creates a “bullseye on certain accounts,” leaving them more vulnerable to attacks.
However, Teale from IT Governance Ltd disputes this, saying that Twitter Blue “verification badges will help to significantly reduce [bots and automated accounts],” both of which are used “for spreading misinformation and scams.” Having to pay for access via Twitter Blue, he believes, will help cut down their numbers, as the barrier to entry is higher.
Cybersecurity damage rating: 3.5/5
Verification issues have already plagued Twitter, and it’s hard to see how this change will do anything but reduce cybersecurity.
4: Charging for the use of Twitter’s API
Musk charging for access to Twitter’s API has caused outrage in the technical and development community. But while this is irritating for many people, is it bad for cybersecurity?
“Charging people to use your company’s API is quite common practice — this essentially pays for development and maintenance,” Teale says. He believes this is all part of Musk’s attempt to “save Twitter financially”: alongside firing staff and pushing the subscription service, it forms part of “an aggressive plan to trim costs.”
In other words, it has little bearing on Twitter’s cybersecurity.
On this point at least, Kidwell from Ecliptic Dynamics agrees. Even so, he tells me that making people pay to use the social network’s API has “less to do with Twitter itself and more to do with the user base.” This move is an “overt and very clear shift of Musk seeking to control the narrative to achieve his objectives.”
While paying for API access will deliver financial benefits, Kidwell tells me, it means that Twitter’s data stops being open source and instead “becomes a tool for wealthy individuals or organisations to create a barrier to who can access and analyse the datasets.”
Cybersecurity damage rating: 1.5/5
While paying for API access does little to damage the integrity of Twitter itself, it does have an impact on how people use the platform and their security.
5: Musk prioritising his tweets over everyone else’s
In the middle of February, many users were shocked to see their ‘For You’ feeds dominated by tweets from Elon Musk, whether they followed him or not. It will come as no surprise to learn that this was deliberate, with the billionaire forcing the company to prioritise his tweets.
Potter from CovertSwarm immediately told us that this move would have minimal bearing on the cybersecurity of Twitter. But we dug a little deeper.
On this decision, Teale asked, “Why not?” Musk has spent billions on a company on “its last legs.” He continues: “I believe he has every right to make his tweets appear as a higher priority than anyone else’s.”
Countering this is Kidwell from Ecliptic Dynamics. “By elevating his own comments above others, it means Twitter has stopped being a ‘town hall’ and instead [become] a platform to promote the narrative of an individual.”
Kidwell tells me that, given Musk’s clearly stated dislike of the press, Twitter has become a tool to combat what he perceives as its biases, the platform simply becoming the “battlefield for a wider agenda against media control.”
Cybersecurity damage rating: 0/5
Yes, Musk prioritising his tweets is irritating, but it isn’t impacting the platform’s cybersecurity in any meaningful way.
One thing we’ve learnt from this analysis is that, no matter what you think of proceedings, Elon’s time at Twitter has been anything but uneventful. Some of his decisions have significantly impacted the company’s cybersecurity, others haven’t, but I think we’d all put some money on this conversation not ending here.