Group items tagged Cyber Command

mattrenz16

U.S. Cyber Command Expands Operations to Hunt Hackers From Russia, Iran and China - The...

  • FORT MEADE, Md. — The United States Cyber Command expanded its overseas operations aimed at finding foreign hacking groups before the election on Tuesday, an effort to identify not only Russian tactics but also those of China and Iran, military officials said.
  • Cyber Command was expanding on a push begun in 2018, when it sent teams to North Macedonia, Montenegro and other countries to learn more about Russian operations. The move also reflects a stepped-up effort to secure this year’s presidential election.
  • Cyber Command, which runs the military’s offensive and defensive operations in the online world, was largely on the sidelines in 2016.
  • But for the 2018 midterm elections, the command took a far more aggressive posture. In addition to sending the teams to allied countries, it sent warning messages to would-be Russian trolls before the vote, in its first offensive operation against Moscow; it then took at least one of those troll farms offline on Election Day and the days afterward.
  • After getting close to foreign adversaries’ own networks, Cyber Command can then get inside to identify and potentially neutralize attacks on the United States, according to current and former officials.
  • But Cyber Command officials said those efforts uncovered malware being used by adversarial hacking teams.
  • Cyber Command sends teams of experts overseas to work with partner and allied nations to help them find, identify and remove hostile intrusions on their government or military computer networks.
  • For the allied nations, inviting Cyber Command operatives not only helps improve their network defenses but also demonstrates to adversaries that the United States military is working with them. For the United States, the deployments give their experts an early look at tactics that potential adversaries are honing in their own neighborhoods, techniques that could later be used against Americans.
  • Similarly, Cyber Command officials said their efforts to try to counter foreign threats would not end with the close of voting on Tuesday; they will continue as votes are counted and the Electoral College prepares to meet in December.
  • “We are not stopping or thinking about our operations slacking off on Nov. 3,” General Moore said. “Defending the election is now a persistent and ongoing campaign for Cyber Command.”
anonymous

Microsoft email server hacks put Biden in a bind

  • The scale of a hack on Microsoft Exchange is beginning to emerge, with tens of thousands of organisations potentially compromised. The attack used previously unknown flaws in the email software - and sometimes stolen passwords - to steal data from targets' networks. Microsoft says the attackers are "state-sponsored and operating out of China".
  • the two attacks put the new Biden administration under pressure to respond. And weary cyber-defenders say events are not just escalating but spiralling out of control.
  • rhetoric about cyber-campaigns is escalating, heightening pressure for tough action. Although, it is unclear what effective options the president has. And there are concerns his administration has boxed itself in with tough talk when it is unclear if it can actually deter adversaries.
  • The US military's Cyber Command has pursued a strategy in recent years of "defend forward" and "persistent engagement". This means hacking into adversary systems to find out what they are doing - and stopping operations against the US before they are unleashed.
  • This contesting of cyber-space was seen by many as long overdue. But Russia and China appear undeterred. One option now might be to hit back harder. But escalation carries its own risks.
  • The US had considered espionage - stealing information - acceptable, because it practised it extensively, as whistleblower Edward Snowden revealed in 2013. The problem for Washington is recent breaches may fit into the same category. That leaves the US in a bind.
  • US says destructive cyber-attacks are unacceptable but was the first to cross that line a decade ago when it used the Stuxnet attack to destroy parts of the Iran nuclear system.
anonymous

Classified US military war game set to take place as concerns about threats posed by Ch...

shared by anonymous on 27 Mar 21
  • The "enemies" will have fictional names, but when hundreds of US military personnel around the globe log on to their computers later this summer for a highly classified war game, it will be clear what a major focus of the scenarios will be -- how the US should respond to aggressive action and unexpected moves by China and Russia
  • Several defense officials tell CNN that the war game is a top priority for the chairman of the Joint Chiefs of Staff, Mark Milley, who will lead the exercise. Defense Secretary Lloyd Austin will be briefed as it plays out.
  • The war game is designed to equip the US military's top leaders to deal with a fictional global crisis erupting on multiple fronts and players will have to deal with constantly changing scenarios and compete for military assets like aircraft carriers and bombers. They will take place at a crucial time for the Pentagon just months into Joe Biden's presidency.
  • The military budget is being set and major decisions on troop levels and priorities are being made so it's hoped the war game will help prepare the military to face the challenges of the next few years.
  • War games are always sensitive and outcomes are closely guarded because they can reveal shortfalls in US military plans and operations. One former defense official confirmed that in a recent exercise gaming out a conflict against major adversaries like Russia and China, "we found the Blue Team, the US and allies, kept losing."
  • The scenarios covered in the game this summer will reflect real life possibilities. Those could include major cyber attacks, a Russian advance in the Baltics, further militarization of the Arctic by Moscow or China flexing its muscles in the South China Sea or even invading Taiwan.
  • And preparations aren't just virtual. This week, the US and Canada have been carrying out military exercises, in tough conditions where temperatures can plunge to -20 Fahrenheit, to make clear they are ready to push back against Russian military advances in the resource rich Arctic.
  • Russia has put advanced missiles in the region to protect its bases there and is directly challenging the US. In 2020 more Russian aircraft flew near US airspace off Alaska than at any time since the end of the Cold War, according to the North American Aerospace Defense Command with multiple flights of heavy bombers, anti-submarine aircraft, and intelligence collection planes.
  • For NORAD, the US and Canadian command overseeing the exercise, a key priority is "being able to track and then defeat" potential Russian military activity in the Arctic, Canadian NORAD Region Commander, Major-General Eric Kenny, told CNN. Concerns about Russian and Chinese activity are increasing and there are no signs of tensions abating since Biden took office.
  • The US military is doing substantive planning for the challenge from Russia and China, with billions of dollars of spending planned on modernization in both the nuclear and non-nuclear arena if it wins Congressional approval.
  • At the same time the rhetoric from the Biden administration is heating up. Secretary of State Anthony Blinken called out Russia for "reckless and adversarial actions" at a NATO meeting in Brussels this week and observed that Moscow has "built up forces, large scale exercises and acts of intimidation, in the Baltic and Black Sea."
  • And on China, Deputy Defense Secretary Kathleen Hicks pulled no punches in a speech earlier this month. "Beijing has demonstrated increased military competence and a willingness to take risks, and it has adopted a more coercive and aggressive approach," she said before adding that Beijing's actions "constitute a threat to regional peace and stability, and to the rules-based international order on which our security and prosperity and those of our allies depend."
  • There is no indication the tough words are tamping down Russian President Vladimir Putin and China President Xi Jinping's plans to strengthen their militaries to ensure they are capable of challenging the US and its allies. Austin, in the coming weeks, "will focus on deterrence" improvements to counter adversaries, a senior defense official told CNN.
  • Top commanders are increasingly blunt about both countries, especially on nuclear modernization.
  • Russia is upgrading bombers, intercontinental ballistic missiles, submarine launched ballistic missiles and warning systems, "in short, its entire strategic force structure," wrote Admiral Charles Richard, head of the US Strategic Command in a recent article in the Proceedings of the US Naval Institute journal. Moscow is also building hypersonic weapons that travel more than five times the speed of sound, and nuclear-powered torpedoes, capable of reaching US shores quickly.
  • China is about to become a nation with a full nuclear triad, with an inventory of nuclear capable missiles, submarines and soon a long-range bomber.
  • Both nations are expanding their ability to operate in wider areas in Europe and Asia meaning the Pentagon could be forced to send US forces thousands of miles away. "Russia and China are playing a home game, we are playing an away game," Edelman said.
  • The US is also looking to send a clear message to Beijing amid concerns about Taiwan as China has increased aircraft and shipping activity near the island.
  • In response to Russian advances in eastern Europe, the US and NATO allies are increasing their own presence. But it's not enough, warns David Ochmanek, a senior RAND Corporation analyst and former deputy assistant secretary of defense for force development. "The US and its allies do not have sufficient combat power," he told CNN. The reality he says is "within 48 to 60 hours Russian forces could be on outskirts of a Baltic capital," once it pre-positions forces. US military experts say this underlines why war games like the upcoming summer exercise are so important to ensure the military can practice and plan ahead before a crisis hits.
Grace Gannon

US Central Command Twitter account hacked to read 'I love Isis'

  • Similar to the article Molly posted, this one describes the hacking of the Twitter account for US military forces in the Middle East and South Asia. @CENTCOM, the account used by the US Central Command, tweeted out messages purportedly from the Islamic State (Isis) or its sympathizers threatening attacks on US military personnel.
Alex Trudel

Russian Ships Near Data Cables Are Too Close for U.S. Comfort - The New York Times

  • WASHINGTON — Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict.
  • While there is no evidence yet of any cable cutting, the concern is part of a growing wariness among senior American and allied military and intelligence officials over the accelerated activity by Russian armed forces around the globe. At the same time, the internal debate in Washington illustrates how the United States is increasingly viewing every Russian move through a lens of deep distrust, reminiscent of relations during the Cold War.
  • “I’m worried every day about what the Russians may be doing,” said Rear Adm. Frederick J. Roegge, commander of the Navy’s submarine fleet in the Pacific, who would not answer questions about possible Russian plans for cutting the undersea cables.
  • In private, however, commanders and intelligence officials are far more direct. They report that from the North Sea to Northeast Asia and even in waters closer to American shores, they are monitoring significantly increased Russian activity along the known routes of the cables, which carry the lifeblood of global electronic communications and commerce.
  • “The level of activity,” a senior European diplomat said, “is comparable to what we saw in the Cold War.”
  • The operations are consistent with Russia’s expanding military operations into places like Crimea, eastern Ukraine and Syria, where President Vladimir V. Putin has sought to demonstrate a much longer reach for Russian ground, air and naval forces.
  • “Cables get cut all the time — by anchors that are dragged, by natural disasters,” said Mr. Sechrist, who published a study in 2012 of the vulnerabilities of the undersea cable network. But most of those cuts take place within a few miles from shore, and can be repaired in a matter of days.
  • The role of the cables is more important than ever before. They carry global business worth more than $10 trillion a day, including from financial institutions that settle transactions on them every second. Any significant disruption would cut the flow of capital. The cables also carry more than 95 percent of daily communications.
  • And a decade ago, the United States Navy launched the submarine Jimmy Carter, which intelligence analysts say is able to tap undersea cables and eavesdrop on communications flowing through them.
  • Citing public remarks by the Russian Navy chief, Adm. Viktor Chirkov, Admiral Ferguson said the intensity of Russian submarine patrols had risen by almost 50 percent over the last year. Russia has increased its operating tempo to levels not seen in over a decade. Russian Arctic bases and their $2.4 billion investment in the Black Sea Fleet expansion by 2020 demonstrate their commitment to develop their military infrastructure on the flanks, he said.
  • “This involves the use of space, cyber, information warfare and hybrid warfare designed to cripple the decision-making cycle of the alliance,” Admiral Ferguson said, referring to NATO. “At sea, their focus is disrupting decision cycles.”
Javier E

Accusing the New York Times of 'Treason,' Trump Crosses a Line - WSJ

  • There is no more serious charge a commander in chief can make against an independent news organization. Which presents a troubling question: What would it look like for Mr. Trump to escalate his attacks on the press further? Having already reached for the most incendiary language available, what is left but putting his threats into action?
  • the president’s rhetorical attacks continue to foster a climate in which trust in journalists is eroding and violence against them is growing
  • More than a quarter of Americans—and a plurality of Republicans—now agree that “the news media is the enemy of the American people” and “the president should have the authority to close news outlets engaged in bad behavior.”
  • The president expressed concern and insisted he wanted to be viewed as a defender of the free press. But in the same conversation, he took credit for the term “fake news,” a phrase that has now been wielded by dozens of leaders across five continents to justify everything from the passage of anti-free-speech laws in Egypt to the takeover of independent news organizations in Hungary to a crackdown on investigations into genocide in Myanmar.
  • The story that prompted the president’s attack was no exception. As the Times prepared the story for publication, our reporter contacted officials at the White House National Security Council, the National Security Agency and the U.S. Cyber Command and gave them the opportunity to raise any national-security concerns about the story. They told us they did not have any. Shortly after publication, the president accused the Times of treason.
Javier E

Cyberattack Hits Iranian PCs - WSJ.com

  • Flame is the biggest and most high-functioning cyberweapon ever discovered, various cybersecurity experts said. It is comprised of multiple files that are 20 times larger than Stuxnet and carry about 100 times more code than a basic virus, experts said.
  • The most alarming feature, experts said, is that Flame can be highly versatile, depending on instructions by its controller. The malware can steal data and social-network conversations, take snapshots of computer screens, penetrate across networks, turn on a computer's microphone to record audio and scan for Bluetooth-active devices.
  • Experts said they believe Flame reports back the information to a central command-and-control network that has constantly changed location. Analysts found servers in Germany, Vietnam, Turkey, Italy and elsewhere, but haven't located the main server.
  • U.S. officials draw a distinction between cyber espionage and cyberattacks, which have a destructive or manipulative purpose and could be considered an act of war.
oliviaodon

Letting It Be an Arms Race - The Atlantic

  • As Americans question whether President Donald Trump has the judgment necessary to command the most capable nuclear arsenal on earth, the Pentagon is moving to order new, more usable nuclear options.
  • aggressive shift that will add to the spiraling cost of the nuclear arsenal, raise the risk of a nuclear exchange, and plunge the country into a new arms race
  • The compromise reflected principles of responsible nuclear policy in place since the late Cold War
  • Trump’s administration has suggested that it sees nuclear weapons as useful against “non-nuclear strategic attacks” on U.S. infrastructure, perhaps including cyber or terrorist attacks.
  • It proposes two new nuclear-capable systems.
  • Neither weapon is needed to deter potential adversaries, and would instead raise the risk of the use of a nuclear weapon—whether because an adversary thinks it is being attacked or whether a U.S. president thinks he has to order an attack. As it stands, the Pentagon and the Department of Energy, the institutions that would handle the warhead changes, will struggle to find the funding or the manpower to meet existing modernization requirements. New programs would only compound this uncertainty and endanger core nuclear-modernization priorities. Moreover, developing new warheads creates an unpalatable choice: They will either be deployed without a test or with a test. Both options are bad. Lastly, the draft NPR asserts that its program proposals are affordable, but avoids making fiscal trade-offs between different military priorities. Yet Congress will have to ask whether new nuclear weapons programs are really worth the money, given that there is still no plan to pay the $1.2-trillion bill for nuclear weapons over the next 30 years.
  • Even as the Trump administration is proposing expanding U.S. nuclear capabilities, it is subverting traditional mechanisms for controlling them.
  • Today, an astonishing 58 percent of Americans lack confidence in the president’s judgment with the nuclear arsenal. It is difficult to believe that Congress or the American public will quietly acquiesce to a major expansion of U.S. nuclear capabilities and missions. Yet, without concerted pressure, the Trump Nuclear Posture Review will abandon U.S. leadership to reduce nuclear risks and instead follow our adversaries into a world where nuclear competition is commonplace.
Javier E

Microsoft Takes Down a Risk to the Election, and Finds the U.S. Doing the Same - The Ne...

  • Microsoft and a team of companies and law enforcement groups have disabled — at least temporarily — one of the world’s largest hacking operations, an effort run by Russian-speaking cybercriminals that officials feared could disrupt the presidential election in three weeks.
  • Its operators started cataloging the computers they infected, noting which belonged to large corporations, hospitals and municipalities, and selling access to infected computers to cybercriminals and state actors.
  • TrickBot first appeared in 2016 as banking malware and was primarily used to steal online banking credentials. But over the past four years, TrickBot has evolved into a “cybercrime as a service” model.
  • “TrickBot’s botnet has infected hundreds of thousands, if not millions of computers,”
  • The catalyst, Mr. Burt said, was seeing that TrickBot’s operators had added “surveillance capabilities” that allowed them to spy on infected computers and note which belonged to election officials. From there, he and other experts speculated, it would not be difficult for cybercriminals, or state actors, to freeze up election systems in the days leading up to the election and after.
  • Over the past year, TrickBot has become the primary delivery mechanism for the Russian-speaking cybercriminals behind a specific variant of ransomware, known as Ryuk, that has been paralyzing American hospitals, corporations, towns and cities
  • others point to attacks on the Georgian government by cybercriminals at the direction of the Kremlin and a breach at Yahoo. In that attack, two Russian agents at the F.S.B., the successor to the K.G.B., teamed up with two cybercriminals to hack 500 million Yahoo accounts, allowing criminals to profit while mining their access to spy on journalists, dissidents and American officials.
  • They also note that when the Treasury Department imposed sanctions on members of an elite Russian cybercrime group in December, they outed the group’s leader as a member of the F.S.B.
  • “Russia is well aware that the cybercriminals it harbors have become a serious problem for its adversaries,” Mr. Hultquist added. “Russian cybercriminals are probably a greater threat to our critical infrastructure than their intelligence services. We should start asking whether their tacit approval of cybercrime is not just a marriage of convenience but a deliberate strategy to harass the West.”
criscimagnael

Finding a Way Out of the War in Ukraine Proves Elusive - The New York Times

  • The United States accurately predicted the start of the war in Ukraine, sounding the alarm that an invasion was imminent despite Moscow’s denials and Europe’s skepticism. Predicting how it might end is proving far more difficult.
  • At the Pentagon, there are models of a slogging conflict that brings more needless death and destruction to a nascent European democracy, and others in which Mr. Putin settles for what some believe was his original objective: seizing a broad swath of the south and east, connecting Russia by land to Crimea, which he annexed in 2014.
  • And there is a more terrifying endgame, in which NATO nations get sucked more directly into the conflict, by accident or design.
  • In interviews with senior American and European officials in recent days, there is a consensus on one point: Just as the last two weeks revealed that Russia’s vaunted military faltered in its invasion plan, the next two or three may reveal whether Ukraine can survive as a state, and negotiate an end to the war.
  • And there is the possibility that Mr. Putin, angered by the slowness of his offensive in Ukraine, may reach for other weapons: chemical, biological, nuclear and cyber.
  • A French government account of a call to Mr. Putin on Saturday by Mr. Macron and Mr. Scholz termed it “disappointing with Putin’s insincerity: He is determined to continue the war.”
  • Quietly, the White House and the senior American military leadership have been modeling how they would respond to a series of escalations, including major cyberattacks on American financial institutions and the use of a tactical or “battlefield” nuclear weapon by Mr. Putin to signal to the rest of the world that he would brook no interference as he moves to crush Ukraine.
  • Even with Ukrainians begging for more offensive weapons and American intervention, Mr. Biden has stuck to his determination that he will not directly engage the forces of a nuclear-armed superpower.
  • “The idea that we’re going to send in offensive equipment,” Mr. Biden said in Philadelphia to the House Democratic Caucus on Friday, “and have planes and tanks and trains going in with American pilots and American crews, just understand — and don’t kid yourself, no matter what you all say — that’s called ‘World War III.’ OK? Let’s get it straight here.”
  • Mr. Sullivan said that Russia would suffer “severe consequences” if it used chemical weapons, without specifying what those would be.
  • The fear now is that the war could expand. The more the fighting moves west, the more likely it is that an errant missile lands in NATO territory, or the Russians take down a NATO aircraft.
  • Despite his military’s logistical problems, Mr. Putin appears intent on intensifying his campaign and laying siege to Kyiv, the capital; Kharkiv, the country’s second-largest city; and other Ukrainian urban centers.
  • “I think Putin is angry and frustrated right now,” Mr. Burns said. He is likely to “try to grind down the Ukrainian military with no regard for civilian casualties,” he added.
  • Mr. Putin has demonstrated in past conflicts in Syria and Chechnya a willingness not only to bomb heavily populated areas but also to use civilian casualties as leverage against his enemies. Senior U.S. officials said the coming weeks could see a long, drawn-out fight with thousands of casualties on both sides, as well as among the roughly 1.5 million citizens remaining in the city.
  • “It will come at a very high price in Russian blood,” said retired Adm. James G. Stavridis, the former supreme allied commander for Europe. That high cost, he added, could cause Mr. Putin to destroy the city with an onslaught of missiles, artillery and bombs — “continuing a swath of war crimes unlike any we have seen in the 21st century.”
  • Russian forces are still subjecting Mariupol to siege and bombardment, but are close to securing that strategic southern port city and, with it, a land bridge from Crimea in the south to the Donbas region in the east that has been controlled by Russian-backed separatists since 2014.
  • And if Russia can seize Odessa, a pivotal Black Sea port city, and perhaps the remaining Ukrainian coast to the southeast, it would deprive Ukraine of important access to the sea.
  • “The most probable endgame, sadly, is a partition of Ukraine,” said Mr. Stavridis, pointing to the outcome of the Balkan wars in the 1990s as a model. “Putin would take the southeast of the country, and the ethnic Russians would gravitate there. The rest of the nation, overwhelmingly Ukrainian, would continue as a sovereign state.”
  • no evidence from the conversations so far that Mr. Putin has changed course; he remains “intent on destroying Ukraine.”
  • So far there are none of the procedures in place that American and Russian pilots use over Syria, for example, to prevent accidental conflict. And Mr. Putin has twice issued thinly veiled reminders of his nuclear capabilities, reminding the world that if the conflict does not go his way he has far larger, and far more fearsome, weapons to call into play.
Javier E

Whistleblower: Twitter misled investors, FTC and underplayed spam issues - Washington Post

  • Twitter executives deceived federal regulators and the company’s own board of directors about “extreme, egregious deficiencies” in its defenses against hackers, as well as its meager efforts to fight spam, according to an explosive whistleblower complaint from its former security chief.
  • The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.
  • Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.
  • “Security and privacy have long been top companywide priorities at Twitter,” said Twitter spokeswoman Rebecca Hahn. She said that Zatko’s allegations appeared to be “riddled with inaccuracies” and that Zatko “now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.” Hahn said that Twitter fired Zatko after 15 months “for poor performance and leadership.” Attorneys for Zatko confirmed he was fired but denied it was for performance or leadership.
  • the whistleblower document alleges the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.
  • Chief executive Parag Agrawal was “lying” when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam as we possibly can,” the complaint alleges.
  • Zatko described his decision to go public as an extension of his previous work exposing flaws in specific pieces of software and broader systemic failings in cybersecurity. He was hired at Twitter by former CEO Jack Dorsey in late 2020 after a major hack of the company’s systems.
  • “I felt ethically bound. This is not a light step to take,” said Zatko, who was fired by Agrawal in January. He declined to discuss what happened at Twitter, except to stand by the formal complaint. Under SEC whistleblower rules, he is entitled to legal protection against retaliation, as well as potential monetary rewards.
  • A person familiar with Zatko’s tenure said the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit. Four people familiar with Twitter’s efforts to fight spam said the company deploys extensive manual and automated tools to both measure the extent of spam across the service and reduce it.
  • In 1998, Zatko had testified to Congress that the internet was so fragile that he and others could take it down with a half-hour of concentrated effort. He later served as the head of cyber grants at the Defense Advanced Research Projects Agency, the Pentagon innovation unit that had backed the internet’s invention.
  • Overall, Zatko wrote in a February analysis for the company attached as an exhibit to the SEC complaint, “Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
  • Zatko’s complaint says strong security should have been much more important to Twitter, which holds vast amounts of sensitive personal data about users. Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate over the service at great personal risk.
  • This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi dissidents and government critics, passing their information to a close aide of Crown Prince Mohammed bin Salman in exchange for cash and gifts.
  • Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.
  • “Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Charles E. Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee,
  • Many government leaders and other trusted voices use Twitter to spread important messages quickly, so a hijacked account could drive panic or violence. In 2013, a captured Associated Press handle falsely tweeted about explosions at the White House, sending the Dow Jones industrial average briefly plunging more than 140 points.
  • After a teenager managed to hijack the verified accounts of Obama, then-candidate Joe Biden, Musk and others in 2020, Twitter’s chief executive at the time, Jack Dorsey, asked Zatko to join him, saying that he could help the world by fixing Twitter’s security and improving the public conversation, Zatko asserts in the complaint.
  • The complaint — filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC — says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.
  • But at Twitter Zatko encountered problems more widespread than he realized and leadership that didn’t act on his concerns, according to the complaint.
  • Twitter’s difficulties with weak security stretch back more than a decade before Zatko’s arrival at the company in November 2020. In a pair of 2009 incidents, hackers gained administrative control of the social network, allowing them to reset passwords and access user data. In the first, beginning around January of that year, hackers sent tweets from the accounts of high-profile users, including Fox News and Obama.
  • Several months later, a hacker was able to guess an employee’s administrative password after gaining access to similar passwords in their personal email account. That hacker was able to reset at least one user’s password and obtain private information about any Twitter user.
  • Twitter continued to suffer high-profile hacks and security violations, including in 2017, when a contract worker briefly took over Trump’s account, and in the 2020 hack, in which a Florida teen tricked Twitter employees and won access to verified accounts. Twitter then said it put additional safeguards in place.
  • This year, the Justice Department accused Twitter of asking users for their phone numbers in the name of increased security, then using the numbers for marketing. Twitter agreed to pay a $150 million fine for allegedly breaking the 2011 order, which barred the company from making misrepresentations about the security of personal data.
  • After Zatko joined the company, he found it had made little progress since the 2011 settlement, the complaint says. The complaint alleges that he was able to reduce the backlog of safety cases, including harassment and threats, from 1 million to 200,000, add staff and push to measure results.
  • But Zatko saw major gaps in what the company was doing to satisfy its obligations to the FTC, according to the complaint. In Zatko’s interpretation, according to the complaint, the 2011 order required Twitter to implement a Software Development Life Cycle program, a standard process for making sure new code is free of dangerous bugs. The complaint alleges that other employees had been telling the board and the FTC that they were making progress in rolling out that program to Twitter’s systems. But Zatko alleges that he discovered that it had been sent to only a tenth of the company’s projects, and even then treated as optional.
  • “If all of that is true, I don’t think there’s any doubt that there are order violations,” Vladeck, who is now a Georgetown Law professor, said in an interview. “It is possible that the kinds of problems that Twitter faced eleven years ago are still running through the company.”
  • “Agrawal’s Tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots,” the complaint says. “The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”
  • One current and one former employee recalled that incident, when failures at two Twitter data centers drove concerns that the service could have collapsed for an extended period. “I wondered if the company would exist in a few days,” one of them said.
  • The current and former employees also agreed with the complaint’s assertion that past reports to various privacy regulators were “misleading at best.”
  • For example, they said the company implied that it had destroyed all data on users who asked, but the material had spread so widely inside Twitter’s networks that it was impossible to know for sure.
  • As the head of security, Zatko says he also was in charge of a division that investigated users’ complaints about accounts, which meant that he oversaw the removal of some bots, according to the complaint. Spam bots — computer programs that tweet automatically — have long vexed Twitter. Unlike its social media counterparts, Twitter allows users to program bots to be used on its service: For example, the Twitter account @big_ben_clock is programmed to tweet “Bong Bong Bong” every hour in time with Big Ben in London. Twitter also allows people to create accounts without using their real identities, making it harder for the company to distinguish between authentic, duplicate and automated accounts.
  • In the complaint, Zatko alleges he could not get a straight answer when he sought what he viewed as an important data point: the prevalence of spam and bots across all of Twitter, not just among monetizable users.
  • Zatko cites a “sensitive source” who said Twitter was afraid to determine that number because it “would harm the image and valuation of the company.” He says the company’s tools for detecting spam are far less robust than implied in various statements.
  • The complaint also alleges that Zatko warned the board early in his tenure that overlapping outages in the company’s data centers could leave it unable to correctly restart its servers. That could have left the service down for months, or even have caused all of its data to be lost. That came close to happening in 2021, when an “impending catastrophic” crisis threatened the platform’s survival before engineers were able to save the day, the complaint says, without providing further details.
  • The four people familiar with Twitter’s spam and bot efforts said the engineering and integrity teams run software that samples thousands of tweets per day, and 100 accounts are sampled manually.
  • Some employees charged with executing the fight agreed that they had been short of staff. One said top executives showed “apathy” toward the issue.
  • Zatko’s complaint likewise depicts leadership dysfunction, starting with the CEO. Dorsey was largely absent during the pandemic, which made it hard for Zatko to get rulings on who should be in charge of what in areas of overlap and easier for rival executives to avoid collaborating, three current and former employees said.
  • For example, Zatko would encounter disinformation as part of his mandate to handle complaints, according to the complaint. To that end, he commissioned an outside report that found one of the disinformation teams had unfilled positions, yawning language deficiencies, and a lack of technical tools or the engineers to craft them. The authors said Twitter had no effective means of dealing with consistent spreaders of falsehoods.
  • Dorsey made little effort to integrate Zatko at the company, according to the three employees as well as two others familiar with the process who spoke on the condition of anonymity to describe sensitive dynamics. In 12 months, Zatko could manage only six one-on-one calls, all less than 30 minutes, with his direct boss Dorsey, who also served as CEO of payments company Square, now known as Block, according to the complaint. Zatko allegedly did almost all of the talking, and Dorsey said perhaps 50 words in the entire year to him. “A couple dozen text messages” rounded out their electronic communication, the complaint alleges.
  • Faced with such inertia, Zatko asserts that he was unable to solve some of the most serious issues, according to the complaint.
  • Some 30 percent of company laptops blocked automatic software updates carrying security fixes, and thousands of laptops had complete copies of Twitter’s source code, making them a rich target for hackers, it alleges.
  • A successful hacker takeover of one of those machines would have been able to sabotage the product with relative ease, because the engineers pushed out changes without being forced to test them first in a simulated environment, current and former employees said.
  • “It’s near-incredible that for something of that scale there would not be a development test environment separate from production and there would not be a more controlled source-code management process,” said Tony Sager, former chief operating officer at the cyberdefense wing of the National Security Agency, the Information Assurance division.
  • Sager is currently senior vice president at the nonprofit Center for Internet Security, where he leads a consensus effort to establish best security practices.
  • The complaint says that about half of Twitter’s roughly 7,000 full-time employees had wide access to the company’s internal software and that access was not closely monitored, giving them the ability to tap into sensitive data and alter how the service worked. Three current and former employees agreed that these were issues.
  • “A best practice is that you should only be authorized to see and access what you need to do your job, and nothing else,” said former U.S. chief information security officer Gregory Touhill. “If half the company has access to and can make configuration changes to the production environment, that exposes the company and its customers to significant risk.”
  • The complaint says Dorsey never encouraged anyone to mislead the board about the shortcomings, but that others deliberately left out bad news.
  • When Dorsey left in November 2021, a difficult situation worsened under Agrawal, who had been responsible for security decisions as chief technology officer before Zatko’s hiring, the complaint says.
  • An unnamed executive had prepared a presentation for the new CEO’s first full board meeting, according to the complaint. Zatko’s complaint calls the presentation deeply misleading.
  • The presentation showed that 92 percent of employee computers had security software installed — without mentioning that those installations determined that a third of the machines were insecure, according to the complaint.
  • Another graphic implied a downward trend in the number of people with overly broad access, based on the small subset of people who had access to the highest administrative powers, known internally as “God mode.” That number was in the hundreds. But the number of people with broad access to core systems, which Zatko had called out as a big problem after joining, had actually grown slightly and remained in the thousands.
  • The presentation included only a subset of serious intrusions or other security incidents, from a total Zatko estimated as one per week, and it said that the uncontrolled internal access to core systems was responsible for just 7 percent of incidents, when Zatko calculated the real proportion as 60 percent.
  • Zatko stopped the material from being presented at the Dec. 9, 2021 meeting, the complaint said. But over his continued objections, Agrawal let it go to the board’s smaller Risk Committee a week later.
  • Agrawal didn’t respond to requests for comment. In an email to employees after publication of this article, obtained by The Post, he said that privacy and security continue to be a top priority for the company, and he added that the narrative is “riddled with inconsistencies” and “presented without important context.”
  • On Jan. 4, Zatko reported internally that the Risk Committee meeting might have been fraudulent, which triggered an Audit Committee investigation.
  • Agrawal fired him two weeks later. But Zatko complied with the company’s request to spell out his concerns in writing, even without access to his work email and documents, according to the complaint.
  • Since Zatko’s departure, Twitter has plunged further into chaos with Musk’s takeover, which the two parties agreed to in May. The stock price has fallen, many employees have quit, and Agrawal has dismissed executives and frozen big projects.
  • Zatko said he hoped that by bringing new scrutiny and accountability, he could improve the company from the outside.
  • “I still believe that this is a tremendous platform, and there is huge value and huge risk, and I hope that looking back at this, the world will be a better place, in part because of this.”