Peiter “Mudge” Zatko, former head of security at Twitter, has accused Twitter of “extreme, egregious deficiencies” in its spam and hacker-fighting practices.
According to Zatko’s whistleblower complaint, which was filed in July with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission (FTC), the company’s practices have jeopardized United States national security and misled investors and regulators.
In the nearly 200-page disclosure, Zatko alleges Twitter is riddled with security vulnerabilities stemming from the fact that the company allows employees to work directly on Twitter’s live product and interact with actual user data — which is not industry practice at tech companies like Google and Meta. According to CNN, developers there must use dummy data for coding and testing, all in specialized sandboxes that don’t interact with the main products consumers use.
This departure from cybersecurity best practice creates a number of security problems, chief among them insider threats. Zatko claims that Twitter learned of several incidents in which employees had deliberately installed spyware on their computers. He also alleges that the company suffers approximately one security incident per week, that Twitter does not delete users’ data after they cancel their accounts, and that it has misled regulators about whether it deletes that data as required.
Zatko also claims that:
- Twitter doesn’t know how many bots there may be on the platform, and executives choose not to find out as it may harm Twitter’s reputation and valuation.
- More than half of Twitter’s 500,000 servers run on outdated software and lack basic security standards.
- Twitter is vulnerable to foreign exploitation. Foreign governments that gain access to the company could harm U.S. national security. Zatko alleges that Twitter’s current CEO proposed making concessions to Russia and that Twitter has taken money from Chinese sources and shared information that could potentially lead to identifying Chinese Twitter users who have accessed the platform, despite government censorship.
- Twitter is violating the terms of an 11-year-old settlement with the Federal Trade Commission (FTC). Zatko claims Twitter has misled regulators about its handling of user data and about having a robust cybersecurity plan.
In an interview with The Washington Post, Zatko said of his decision to come forward, “I felt ethically bound. This is not a light step to take.”
The complaint could spell disaster for Twitter at a time when it is in a legal battle with Elon Musk, who is attempting to get out of a $44 billion contract to buy the platform. Musk’s deal includes a pledge by Twitter that “its shareholder filings are accurate,” according to The Washington Post.
Below, cybersecurity leaders react to the security allegations made by Zatko.
Casey Ellis, Founder and CTO at Bugcrowd:
Mudge has a long and rock-solid reputation of putting integrity first. He’s also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do, it’s almost certainly worth paying attention to — this dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around him this morning, others clearly feel the same way. Infosec doesn’t suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves.
I can’t speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the “critical infrastructure” characteristics of social media platforms and the implications this has on national security and privacy — especially as the midterms in the U.S. get underway and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms would probably rather avoid, but it is a conversation we need to have.
Aaron Turner, CTO, SaaS Protect, at Vectra:
I’ve known Mudge since his days at Cult of the Dead Cow. When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I’ve worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the U.S. government approached cybersecurity. He has always had the highest level of integrity and also adheres to the highest technical standards [for the] development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems.
From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems. If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise.
Andrew Hay, COO at LARES Consulting:
The news is unsurprising given the size of Twitter and the source of the complaint. The larger an organization is, the more difficult it is to address technical debt and security issues. Unfortunately, with such a highly visible and prolific platform like Twitter, it sounds as though the executive risk tolerance for security and privacy issues was so artificially inflated that even critical security issues were not raised to the necessary visibility required.
As for Peiter “Mudge” Zatko, Mudge has been a trusted name in security and privacy since the early 1990s when he was with L0pht. Those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan, and designed to benefit the world. Nothing that I have seen or heard would indicate otherwise.
Mike Puterbaugh, CMO at Pathlock:
Many of the issues highlighted in the whistleblower report appear to be the same challenges that large organizations face every day [concerning] access and data privacy. Specifically, [the claim that] Twitter allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight.
The separation of duties within core enterprise applications, like ERP, and Human Resources (H.R.) systems, is a foundational risk reduction aspect for many organizations. There are countless examples in the finance context of why you should separate certain functions. Creating a vendor in a payment system vs. paying that same vendor in a payment system, for example. It appears that Twitter is no different.
Controlling the ability to see (and even worse, exfiltrate) sensitive data such as personally identifiable information is another core tenet of access governance that companies follow today. The ability to obfuscate or totally block information down to the field level is a common practice today.
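The two controls Puterbaugh describes here, and that Turner points to above (separation of duties for developers and administrators, and field-level masking of personally identifiable information), as an added illustration in Python. This is example code written for this page, not code from the article, from Twitter, or from any of the companies quoted; the conflict table, the roles, the user records and the audit log are all constructed.

```python
"""Toy access-governance checks: separation of duties (SoD) and field-level PII masking.
Added example; policy tables, users and records below are constructed, not real."""
from dataclasses import dataclass, field

# Pairs of actions a single principal must never perform on the same object.
# Constructed policy: the finance pair is the one from the commentary, the
# engineering pair mirrors the "developers touching production" concern.
SOD_CONFLICTS = {
    ("create_vendor", "approve_payment"),
    ("write_code", "deploy_to_production"),
}

# Fields treated as PII, and the only roles allowed to see them unmasked (constructed).
PII_FIELDS = {"email", "phone", "ip_address"}
UNMASKED_ROLES = {"privacy_officer"}


@dataclass
class AuditLog:
    """Append-only record of granted actions: (user, action, object_id)."""
    entries: list = field(default_factory=list)

    def record(self, user, action, object_id):
        self.entries.append((user, action, object_id))


def sod_violation(log, user, action, object_id):
    """Return the earlier conflicting action if letting `user` perform `action`
    on `object_id` would violate separation of duties; otherwise None."""
    for prev_user, prev_action, prev_obj in log.entries:
        if prev_user != user or prev_obj != object_id:
            continue
        if (prev_action, action) in SOD_CONFLICTS or (action, prev_action) in SOD_CONFLICTS:
            return prev_action
    return None


def request_action(log, user, action, object_id):
    """Grant or deny the action; granted actions are recorded for future checks."""
    conflict = sod_violation(log, user, action, object_id)
    if conflict is not None:
        return False, f"denied: {user} already performed {conflict} on {object_id}"
    log.record(user, action, object_id)
    return True, "granted"


def mask_value(value):
    """Obfuscate a single field: keep the e-mail domain, or the outer two
    characters of other values, so records stay recognisable but not usable."""
    s = str(value)
    if "@" in s:
        local, _, domain = s.partition("@")
        return local[:1] + "***@" + domain
    if len(s) <= 4:
        return "***"
    return s[:2] + "*" * (len(s) - 4) + s[-2:]


def view_record(record, role):
    """Field-level control: only privileged roles see PII fields in the clear."""
    if role in UNMASKED_ROLES:
        return dict(record)
    return {k: (mask_value(v) if k in PII_FIELDS else v) for k, v in record.items()}


if __name__ == "__main__":
    log = AuditLog()
    print(request_action(log, "bob", "create_vendor", "vendor-42"))
    print(request_action(log, "bob", "approve_payment", "vendor-42"))    # denied by SoD
    print(request_action(log, "carol", "approve_payment", "vendor-42"))  # a second person may
    user = {"user_id": 7, "email": "alice@example.com", "phone": "+15551234567"}
    print(view_record(user, "support"))
    print(view_record(user, "privacy_officer"))
```

The SoD check is deliberately keyed on the object, not just the action pair: Bob may approve payments in general, but not for a vendor he created himself. In a real deployment the audit log would be the system of record rather than an in-memory list, and the masking policy would come from a data classification catalogue, but the shape of both decisions is the same.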
Phil Neray, Vice President of Cyber Defense Strategy at CardinalOps:
Mudge is the real deal, and his observations on Twitter’s weaknesses — uncontrolled internal access to privileged accounts, inability to control bots and disinformation, wide internal access to source code, lack of a secure SDLC, and unpatched laptops — are damning.
Eric Noonan, CEO of CyberSheath:
It’s starting to look like a trend with whistleblowers coming forward to disclose executive misconduct and alleging that senior executives hid cybersecurity vulnerabilities, misreported the effectiveness of their cybersecurity measures to regulators and customers and intentionally kept information from their board.
The Twitter whistleblower allegations, in many ways, parallel the whistleblower allegations in the case against defense contractor Aerojet Rocketdyne, who agreed to pay $9 million just last month to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in federal government contracts. So we now have two publicly traded companies, two boards allegedly misled and two whistleblowers with inside information and technical expertise identifying cybersecurity failures and misconduct at companies where these kinds of cybersecurity deficiencies have national security implications. The Aerojet Rocketdyne case was quietly and suddenly settled; it’s unlikely that Twitter will enjoy the same fate, and I suspect insiders at publicly traded companies will be further emboldened to come forward and share what they know to be true… cybersecurity at many companies, in spite of obvious national security concerns, is underfunded, under-regulated and frequently misrepresented to create the false perception of progress.
Whistleblowers changed the tobacco industry forever, and I think the government learned from that if you look at the Department of Justice’s Civil Cyber-Fraud Initiative, which includes a unique whistleblower provision, allowing private parties to help the government identify and pursue fraud and to share in any recovery. The Civil Cyber-Fraud Initiative protects whistleblowers from retaliation, and with Twitter and Aerojet, I wonder if we are at the beginning of a new era of involuntary disclosure through whistleblowers coming forward.
Kevin Novak, Managing Director of Cybersecurity, Breakwater Solutions:
Whether you cut your teeth on Mainframes or Commodores, Windows or Solaris, there is no doubt you know the name “Mudge”; his reputation precedes him across the globe, from technologists to hackers alike. He’s known not only for his technological and security know-how but also for his appreciation of what is, and more importantly, what is not a material cyber threat. It should come as no surprise, then, why security practitioners around the world are challenging Twitter’s allegation that Peiter “Mudge” Zatko was let go for poor performance and not for his act of openly painting a less than stellar picture of Twitter’s cyber practices to his Board of Directors in defiance of his management’s wishes.
The role of the Chief Information Security Officer (CISO) has changed considerably over the last decade as it has been thrust out of the back room and into the board room. CISOs today are challenged with wearing an array of differing functional hats that range from Legal to Marketing, to Technology, to Physical Security, to Privacy and Compliance, to Human Resources. They are required to speak the most technical language when managing in the trenches and shift on a dime to provide cyber risk and financial loss analysis to Board Members. Further, CISOs have now been thrust into the world of personal accountability with threats of prosecution when they don’t do ENOUGH to force cyber change internally, like that of former Uber CISO Joe Sullivan, who was recently charged with obstruction by U.S. Prosecutors. While I’m certainly not in a position to comment on whether Joe Sullivan acted inappropriately, the challenge for most CISOs when it comes to reporting major concerns is that most CISOs only have a perceived degree of independence.
The fact is, most CISOs go out of their way to shine a light on those insecurities that threaten an organization and its clients, and good CISOs even craft their message in terms that business executives understand: the potential for Lawsuits, Financial Fraud, Damage to Reputation, Loss of Operations, Government Sanctions, and Regulatory Scrutiny to name a few. But bringing those messages to your manager, Sr. Executives, or the CEO is very different than answering openly and transparently to Board of Directors; particularly when you’ve been discouraged from doing so by your management team.
Speaking candidly, openly, and transparently to the board is often considered “career limiting,” and you’ll often hear CISOs use language like: “I’m aligned with my manager, and we’re working through any challenges we’ve encountered.” So CISOs often have to choose between evils when facing the dissonance of knowing that their firm is acting recklessly: they can quit; speak openly and honestly, then face termination for not being a team player or, more likely, for “poor performance”; or blow the whistle. None of these options is very appealing to the CISO, as each is profoundly impactful on their professional career, but they are issues that CISOs around the world face regularly.
It’s the reason that many regulators and regulatory doctrine have begun encouraging more independence for the CISO, reporting to the Board or CEO directly and not through a litany of management that might change their message before it can be heard by those who hold a fiduciary duty for protecting not only their own firm but that of the public at large.
Time will tell when it comes to the case of Twitter vs. Mudge, but our hope is that the bad practices it elucidates bring positive change to the industry and help CISOs going forward.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel:
This is one of those situations where the reputation of the whistleblower itself immediately lends legitimacy to the allegations. On those grounds alone, I believe this report deserves serious attention. It’s easy to think of social media networks like Twitter as trivial, but the reality is that the size of the platform and its near-instantaneous communication speed make them a major influence on society. Any vulnerabilities that could allow malicious actors to abuse those platforms introduce the risk of sowing discord and conflict, but could also be great sources of intel for espionage operations by intelligence agencies. Still, it’s vital to independently validate the scale and impact of the claims to fully understand the situation, and it’s also important to understand that in any large organization, there are almost assuredly areas of cybersecurity gaps and risks that are monumentally challenging to completely eliminate.
Effective defenses in today’s world require adopting a true culture of cybersecurity that begins at the very highest levels of organizations. Statements reportedly made by former Twitter CEO Jack Dorsey in the past around cybersecurity are concerning and could explain the cause of some of the allegations that have come to light.
Javvad Malik, security awareness advocate at KnowBe4:
The allegations will definitely have a long-term effect on Twitter and possibly how other social media platforms manage the security of their platforms. Mudge is a long-standing and well-respected member of the security community, and while it appears as if there could be an underlying clash of personalities with Twitter CEO Parag Agrawal, these should not detract from the quite serious security issues that have been highlighted. The fact of the matter is that at the time of their inception, there was no way that social media organizations could have predicted their massive influence on individuals, organizations, governments, and the world at large.
Therefore, organizations like Twitter need to focus and invest more in cybersecurity and privacy controls to ensure the power they have cannot be misused. And for that, the organization needs to foster and build a culture of security from within, one where weaknesses can be openly discussed and not hidden under the rug.