Twitter Outage Raises Concerns for Government

Denial-of-service attack spurs discussion about microblogging's role in the public sector.

by / August 7, 2009

The distributed denial-of-service (DDOS) attack that brought Twitter to a standstill for hours on Thursday has government officials and Web 2.0 experts wondering if more discussion is necessary about the role of microblogging in the public sector.

Some call for further study of government's use of Twitter and similar services; others say outages are expected. But most agree concerns about Twitter's reliability and security have become more impactful, especially as some police and fire departments have begun to "tweet" updates about potential hazards like the locations of car accidents and house fires. A full-scale failure of or hacked login passwords could present serious threats to the public safety agencies that use the service, as well as to citizens who increasingly rely on Twitter for vital information.

"One, there needs to be a deliberate study of [Twitter] in terms of what its real potential is," said Michael Byrne, senior vice president of consulting firm ICF International. Byrne was the lead organizer of the Ogma Workshop on Web 2.0, hosted by the Naval Postgraduate School's Center for Homeland Defense and Security two months ago in Monterey, Calif. "We need to get the buy-in of the companies that are delivering these products. If we're going to use them for these [public safety] things, we sure as hell need to be more open in having a dialog with them as to what the implications of [Twitter] being used for this type of service are and whether or not [Twitter] wants to take that on."

He said it's often overlooked that the founders of Twitter never intended it to be a source of official government information. The Web site wasn't designed for that purpose, he said. Byrne said pilot projects should be run to study best practices for government's use of Twitter and similar microblogging sites.

Recurring Security Threats

Thursday's denial-of-service attack wasn't the first time Twitter has experienced service interruptions. After all, Twitter's "Fail Whale" -- a graphic displayed when the network is beyond capacity -- became a cultural touchstone as the Web site struggled to keep pace with its popularity. Twitter had an estimated 44.5 million unique visitors in June 2009, according to comScore, a firm that measures online audiences.

Twitter has also been targeted by malicious hackers and imposters. In January, someone hacked the login passwords for the Twitter accounts of FOX News personality Bill O'Reilly, pop star Britney Spears, then-President-elect Barack Obama and other celebrities. In a separate incident, someone accessed a batch of confidential corporate documents about Twitter and gave them last month to TechCrunch, a popular technology blog.

And Byrne said there have been instances of users posing as an official police department Twitter page. (For example, the fake @austinPD brought in 450 followers before users discovered it wasn't operated by the real Austin, Texas, Police Department.)

It's these sorts of issues -- of both reliability and security -- that governments need to discuss deliberately, Byrne said.

"If the emergency management [and] public safety community in the U.S. wants to use Twitter or a like service to facilitate and help their ability to communicate -- for notification, alerting and situational awareness of emergencies and disasters -- then we should be sitting down and having a conversation about [Twitter] and not just doing it because it's there," Byrne said.

A Victim of Success

Mark Weatherford, the chief information security officer of California, agreed that more discussion is needed. However, he said Thursday's denial-of-service attack -- he called it a "spam flood" -- wasn't surprising. Twitter is a target because of its popularity.

It's important to remember that microblogs and text messaging

systems are still only secondary channels of communication for government agencies, Weatherford said. "No public safety organization has thrown away its radios or telephones. They haven't stopped their normal communication. [Twitter] is just an adjunct communication," he said.

Even so, Weatherford said Twitter's purpose in government is a valid concern: "There's always room for more education and awareness on the vulnerabilities and the security issues related to using these Web 2.0 technologies, especially in the public safety arena."

Dave Fletcher, chief technology officer of Utah, "tweets" every day from his own personal account, as well as from the official Twitter feed and four other Utah government Twitter accounts. Just last week, law enforcement officials told him how important it is for them to have access to Twitter, he said.

"I think people generally realize that Twitter, at this point in the game, is a free service, and that they're going to have to deal with some inconveniences with the free service; I think they also realize the realities of DDOS attacks because many governments have experienced those as well," Fletcher said.

Fletcher said the prospect of Twitter accounts being hacked doesn't keep him awake at night, because the risk is similar to numerous other platforms used by the state government.

"I think this whole technology is still in its infancy ... I think people are using it with the expectation that it's going to continue to improve and become increasingly stable, especially as it goes through these kinds of experiences," he said.

Fletcher said he plans to verify the state of Utah's accounts on a beta verification service that Twitter offers, which he hopes will improve the accounts' authority and security. Fletcher and Weatherford said strong password protection also is an obvious must-have.

Worst-Case Scenario

Still, Byrne says he is worried about Twitter's vulnerability. He says a person with ill intent doesn't even need to hack into an official government account. He or she simply can set up his or her own account, and tweet erroneously that there's a fire at Main Street or a gunman nearby.

"One of the worst possible scenarios is if there is information that is given by an unreliable source that says an area of safety is at [one] location and it turns out to be malicious, and it's the active shooters or terrorists that want you to go to that location," Byrne said. "That's one of the worst-case nightmares I can think of. It wouldn't take hacking into our systems; it could just be an average citizen."

Matt Williams Associate Editor
Platforms & Programs