McCLELLAND: Twitter hack demonstrates need for robust debate on cybersecurity risks

In this Wednesday Nov. 6, 2013, file photo, the Twitter logo appears on an updated phone post on the floor of the New York Stock Exchange. (AP Photo/Richard Drew, File)

Twitter had a well-publicized hack of its system this past week, where initial reports said an employee was bribed to give bad actors control over “verified” accounts. Accounts affected included Elon Musk, Bill Gates, former President Barack Obama, former Vice President Joe Biden and many more.

The cybersecurity incident resulted in these “verified” pages telling Twitter users that if they sent the bad actors $1000 in Bitcoin, the person whose account was being manipulated would send back $2000. Little enough actual harm seems to have come from this episode. The attackers were obvious enough in their attempt that Twitter could act quickly to regain control.

So we got lucky this time around, but what happens when the bad actors are smarter? Later reports that indicate this attack probably came from teenage gamers — and not organized crime or a nation state — only emphasize the threat that a savvy actor might pose. What happens when instead of bluntly telling people to just send them $1000, the accounts try to jack up or tank the price of publicly traded stocks? It would seem easy enough to announce a company will have a non-existent acquisition to get a feverish buying activity going, dump some stock, and pocket the difference on your way to Havana.

Even more seriously, what happens when hacktivists, terrorists, or — God forbid — malicious state actors announce public policy changes from the platform of an American elected/appointed official? What happens when the announcement is something to the effect of “Evacuate Seoul. Enemy bombing is imminent. Elevated gamma radiation has been detected.”? What happens when that announcement is accompanied by a deep fake video (meaning it would appear to the average observer to be authentic even though it is computer-generated)?

There’s not much evidence that America’s public policy officials or corporations have sufficiently grappled with these questions and what their answers mean for risk management by either public or private actors. As an attorney focused on privacy and data security, one of my favorite sayings is that “hope is not a compliance strategy.” Well, we got lucky that the hackers were not more adept this time. But hope for more luck is not a risk management strategy. We need informed public discourse on what exactly are public — i.e. governmental — obligations and what are private — i.e. business — obligations to secure these tools that are so integral to the digital economy and to social connection.

As a conservative, I want market forces and rule of law to guide our way here. At the national level, that means a nationwide mandate that these big technology companies take reasonable efforts to safeguard their systems combined with a mechanism whereby the victims of any unreasonably weak security can hold the tech giants accountable. However, that mandate must not micromanage the operation of their business with innumerable regulations. Ideally, we could minimize frivolous litigation by building in safe harbors that declare presumptively reasonable those companies that align with security frameworks that we know work. At the state level, a similar law could be passed, which would open (typically) lower-cost state courts to these claims. At both the local and state level, a thorough evaluation of their own security and the stability of their channels of communication to constituents is vital, but to date seemingly rare.

Lastly, on the business level, self-regulatory bodies — which have done most of the heavy-lifting in raising standards — must have meaningful conversations with the industries they represent in light of these hacks on Twitter. They must establish for themselves what it means to them to be a good corporate citizen in terms of cybersecurity, so that we in the marketplace and the body politic can judge for ourselves if we are comfortable with the level of risk they accept on our behalf.