Mudge’s Testimony Shows He Was Acting As An Activist, Not An Executive
from the different-roles dept
Tuesday, former Twitter cybersecurity executive Pieter “Mudge” Zatko testified in front of a congressional committee regarding his whistleblower complaint[1][2][3] against Twitter. Though I’m a techie, I thought I’d write up some comments from the business angle.
It’s difficult getting an unbiased viewpoint of the actual issues. The press sides with whistleblowers. The cybersecurity community sides with champions – those who fight for the Cause of ever more security.
The thing is, on its face, Mudge’s complaint is false. It’s based on the claim that Twitter “lied” about its cybersecurity to the government, shareholders, and its users. But there’s no objective evidence of this, only the subjective opinion of Mudge that Twitter wasn’t doing enough for cybersecurity.
What I see here is that Mudge is acting as a cybersecurity activist. The industry has many activists who believe security is a Holy Crusade, a Cause, a Moral duty, an End in itself. The crusaders are regularly at odds with business leaders who view cybersecurity merely as a means to an end, and apply a cost-vs-benefit analysis to it.
If you hire an activist, such a falling out is inevitable. It’s like if oil companies hired a Greenpeace activist to be an executive. Or like how Google hires activists to be “AI ethicists” and then later has to keep firing them [#1][#2][#3].
Background
Mudge is a technical expert going back decades. He was there at the beginning (I define the 1990s as the beginning), and his work helped shape today’s InfoSec industry. He’s got a lot of credibility in the industry, and it’s all justified.
He was hired for most of 2021 to be Twitter’s head of cybersecurity issues. He was fired at the start of 2022, and last month he filed a “whistleblower complaint” with the government, alleging lax cybersecurity practices, specifically that Twitter lied to investors and failed to live up to a 2011 FTC agreement to secure “private” data.
There’s no particular reason to distrust Mudge. Twitter would certainly like to discredit him as being disgruntled for being fired. But that’s unlikely.
Instead, what I read in the complaint is being disgruntled over cybersecurity (not over being fired). This has been the case for much of his career. He thinks people should do more to be secure. His “Cyber UL” effort is a good example, as he pressured IoT device makers to follow a strict set of cybersecurity rules. For fellow activists, the desired set of rules were just the beginning. For business types, they were excessive, with costs that outweighed their benefits.
Is Twitter secure enough?
Is Twitter secure? Maybe, probably not. Twitter trails the FAANG leaders in the industry (Facebook, Apple, Amazon, Netflix, Google) in a number of technical areas, so it’s easy to think they are behind in cybersecurity as well. On the other hand, they are ahead of most of the rest of the tech industry, not first tier maybe, but definitely second tier.
In other words, in all likelihood, Twitter is ahead of the norm, ahead of the average, just not up to the same standard set by the leaders in tech.
But for cybersecurity activists, even the FAANG companies are not secure enough. That’s because nobody is ever secure enough. There is no standard for which you can say “we are secure enough”.
By any rational measure, the Internet is secure enough. For example, during the pandemic, restaurants put menus and even ordering online, accessible via the browser or app, to minimize customer contact with staff. Paying by credit card using these apps and services was still more “secure” than giving the staff your credit card physically. This was true even if you were accessing the net over the local unencrypted WiFi.
There is a huge disconnect between what the real world considers “secure enough” vs. cybersecurity activists.
One of Mudge’s complaints was about servers being out-of-date. Cybersecurity activists have a fetish for up-to-date software, seeing the failure to keep everything up-to-date all-the-time as some sort of moral weakness (sloth, villainy, greed).
But the business norm is out-of-date software. For example, if you go on Amazon AWS right now and spin up a new default RedHat instance, you get RedHat 7, which first shipped in 2014 (eight years ago). Yes, it’s still nominally supported with security patches, but it lacks many modern features needed for better security.
The subjective claim is that Twitter was deficient for not having the latest software. That’s just the cyber-activist point of view. From the point of view of industry, it’s the norm.
The entire complaint reads the same. It’s a litany of the standard complaints, slightly modified to apply to Twitter, that the entire industry has against their employers. It’s all based upon their companies not doing enough.
Of particular note is the Twitter-specific issue of protecting private information like Direct Messages (DMs). The thing is, anything less than end-to-end encryption is still a failure. Mudge points to a lack of disk encryption, and the fact that thousands of employees had access to private DMs, that this means they aren’t “secure.” But even if that wasn’t the case, DMs still wouldn’t be secure, because they aren’t end-to-end encrypted.
Twitter isn’t lying about this. They aren’t claiming DMs are end-to-end encrypted. I suppose they are deficient in not making it clearer that DMs aren’t as private as some users might hope.
But the solution cyber-activists want isn’t transparency into the lack of DM security, but more DM security. They aren’t asking Twitter to be clear about how they prevent prying eyes from seeing DMs, they are demanding absolute security for the DMs. This reveals their fundamental prejudice.
He wasn’t an executive
Being an activist meant that Mudge wasn’t an executive. His goal wasn’t to further the interests of the company/shareholders. His goal was to further the interests of cybersecurity.
One of these days I’m going to write a guide explaining business to hackers. This will be one of the articles I’ll be writing, explaining executives to rank-and-file underlings.
What we see here is Mudge acting like an underling instead of an executive.
Part of his complaint is that the now-CEO, Parag Agrawal, pressured him into lying to the board, to claim to the risk committee of the board that security is better than it really was.
Of course Agrawal did. He’s supposed to do that — push hard for his point-of-view. And Mudge was supposed to push just as hard back, especially if he perceives the request as being asked to lie.
The thing you need to learn about corporate executives is that they are given a lot of responsibility, and a lot of power, but nonetheless must compromise and cooperate.
Underlings often don’t really grasp this. They don’t have responsibility. Like when you hear about a company blaming a compromise on an intern — false on its face because interns don’t have responsibility. Underlings don’t have a lot of power, either. Lastly, underlings lack skills for compromise and collaboration, but that’s okay, because “teamwork” is more of a platitude than a requirement at their level.
To achieve their personal responsibilities, executives must push hard on others. To a certain extent, this means all executives are jerks. But at the same time, they expect fellow executives to push back just as hard; they expect that there is give-and-take, compromise, and collaboration for the ultimate good of the corporation. They expect that when they push hard on the parts that concern them, you push just as hard back to defend your turf, knowing that you seek your goals. But, they also expect that such pushback is driving toward compromise, not scorched-earth victory for your side.
If you, as the typical underling, are called to report something to a board committee, you can expect that one or more executives are going to talk to you in order to influence what you are going to say. I’ve dealt with many cybersecurity underlings in this position and heard their tales, and frankly, they handled the situations better than Mudge seems to have.
Underlings expect that their bosses will help defend them in their work disputes. But executives don’t have that luxury. They are at the top of the food chain and are themselves responsible for resolving conflicts. There is nobody to go to in order to complain: not the board who only wants results, and not HR, because you are above HR. Not anybody — you have to resolve your own disputes.
Mudge’s complaint seems to be about looking for dispute resolution in the court of public opinion, because he was unable to resolve his dispute with Agrawal himself.
A good example of a true executive resigning is when James Mattis resigned as Trump’s Secretary of Defense. In his letter, he lamented the fact that he and Trump didn’t agree:
Because you have the right to have a Secretary of Defense whose views are better aligned with yours on these and other subjects, I believe it is right for me to step down from my position.
Note that Mattis doesn’t claim there’s some subjective measure of which side is right and which side is wrong. Instead, Mattis only claims that they couldn’t agree.
In contrast, Mudge’s complaint is full of the assertions that he’s objectively right, and Agrawal objectively wrong. And since it’s objective that he was wrong, Agrawal must’ve been lying.
As a former executive, and somebody who consults with executives, I find Mudge’s description of the events shocking. He’s talking like a whiny underlying, not like an executive.
Ethics
Mudge’s complaint touches on a few ethical issues.
Most such ethical issues are really politics in disguise. Facebook found this out with their attempts to deal with misinformation ethics and AI ethics. They found it just opened festering political wounds.
If you can somehow avoid politics then you’ll get mired in academics. To be fair, when you ignore academic philosophy, you’ll end up re-inventing Kant vs. Hegel, and doing it poorly. But at the same time, academics can spend years debating Kant vs. Hegel and still come to no conclusion.
But what we are talking about here is professional ethics, and that’s much simpler. Most professional ethics are about protecting trust in the profession (“don’t lie”) and resolving conflicts you are likely to encounter. For example, journalists’ ethics involve long discussions of “off the record” stuff, because it’s an issue they regularly encounter.
Cybersecurity has the wrong belief that “security” is their highest ethical duty, to the point where they think it’s good to lie to people for their own good, as long as doing so achieves better security.
This activism has hugely damaged our profession. Most cybersecurity professionals are frustrated that they can’t get business leaders to listen to them. When you talk to the other side, to the business leaders, you’ll see that the primary reason they don’t listen is that they don’t trust the cybersecurity professionals. Maybe you are truthful, but they still won’t listen to you because the legions of cybersecurity professionals who have preceded you tried to mislead business leaders to get their way — to serve the Holy Crusade.
The opposite side of the coin are those demanding cybersecurity professionals downplay their honest concerns. For example, when a pentester hands over a report documenting how easy it was to break in, the person who hired them may ask for certain things to be edited, to downplay the severity of what was found.
It’s a difficult problem. Sometimes they are right. Sometimes the issue is exaggerated. Sometimes it’s written in a way that can be misinterpreted.
But sometimes, they are just asking the pentester to lie on their behalf.
We should have a professional ethics guide in our industry. It should say that in such situations you don’t lie. One way you can solve this is to have them put their request in writing, which filters out most illegitimate requests. Another way is using the passive voice and such, to make sure that some statement won’t be confused as being your opinion.
Mudge describes a case where Agrawal specifically requested things not be put into writing. This is a big red flag, a real concern.
But at the same time, it’s not an automatic failure. It’s a common problem that things put in writing can be misleading when taken out of context. This happens all the time, especially in lawsuits, where the opposing side will cherry pick things out of context to show the jury. Long term executives learn to avoid written statements that can be used misleadingly against them in a court of law.
But here, the issue was avoiding things in writing that could confuse the board. That’s worrisome. I’m not sure I believe Mudge’s one-sided account, being that his other descriptions are so problematic. Even when somebody explicitly asks you to lie, they will remember the discussion much differently, that they didn’t ask you to lie.
The solution to such problems, if you find yourself in them, is to push back in a collaborative manner. Saying something like “I won’t lie to the board for you” is combative, not constructive. Saying “I don’t understand what you are asking me to do. I think that would mislead the board, which I couldn’t do, of course.”
The thing that’s important here is that “ethics” aren’t an excuse to attack your opponent. It’s easy to deliberately misinterpret the statements and actions of another as representing an ethical failure. Your primary duty is to protect your own ethics.
Conclusion
I’m a techie, as techie as they get.
But I’ve also been an executive and interacted with executives at many companies. What I read here in Mudge’s complaint aren’t the words of an executive, but the words of an activist. It has all the clichés of cybersecurity activism and the immaturity of underlings in resolving disputes.
You won’t get a critical discussion of this event in the press, as they generally take the side of the whistleblower. You won’t get a critical discussion from the InfoSec community, because they worship rock stars, and share the Holy Crusade for better cybersecurity.
I have no doubt Twitter’s cybersecurity is behind that of FAANG leaders in the tech industry. They seem behind on so many other issues. What freaks me out isn’t that their 500,000 servers are running outdated Linux (as Mudge describes). It freaks me out that this means that they have 1 server for each 1000 users (Netflix, whose demands are higher, has 10,000 users per server).
But saying Twitter is flawed is far from saying there’s any objective evidence in the whistleblower complaint that Twitter is misleading shareholders, government agencies like the FTC, or users as to their security.
Robert Graham is a well known security professional. You can follow him on Twitter at @ErrataRob. A version of this post was originally posted to his Substack and reposted here with permission.
Filed Under: activism, cybersecurity, mudge, pieter zatko, security, tradeoffs
Companies: twitter
Comments on “Mudge’s Testimony Shows He Was Acting As An Activist, Not An Executive”
Thank you for the insight. I’ve never heard someone speak from an executive’s point-of-view that wasn’t clear propaganda.
Re: Thankyou for defining the AMERICAN WAY
The FCC is stacked with monopolist activist today, and Benjamin Franklin’s USPS is controlled by a Capital-ist Activist today.
Scott Pruitt, Federal Administrator of the Environmental Protection Agency, has spent his entire adult life as an “activist” with great success, the US mined petroleum industry has now exceeded all previous limits, dumping waste methane (and helium) into the atmosphere.
Rex Tillerson (CEO ExxonMobil) served as the 69th U.S. Secretary Of State & succeeded in stopping the Nordstrom2, (built and finished to avoid Ukraine pipeline tariffs) & cutting off most of Russia’s mined petroleum markets with a proxy war. America, with zero LNG exports in 2015, is now the world’s largest LNG exporter.
Activist are the backbone of a successful Capital-ist State: Check your current household expenses.
P.S. Not To Worry: Union organizer Karen Silkwood and other pesky unwashed “activist” are quickly involved in accidents. Activist Diana (and Elon Musk) was the only Royal ever to publicly protest land mines
Second tier in security sounds okay until you realize Twitter is first tier in harm.
Re:
Maybe helo everyone realize how that is a thing, if you can.
Re:
I don’t see Twitter using their non-existent dollars to pay for a link tax. Yet. Despite them being very lenient on big ToS violators.
Facebook, meanwhile, has accepted money to let vaccine disinfo, anti-Semitism and terrorist promotion in their little gated community.
And don’t get me started on tabloids and the News Corp empire…
Social media only amplifies the hate already existing. Legacy media has already done more harm than you might think.
Your "underlings" ...
…have responsibility without authority; and the idealized executives that you describe do not exist, except in insignificant numbers. Real executives can’t compromise, because they literally don’t know what they are doing. All they can understand is either winning or losing, and losing adds to the store of resentment that eventually manifests as sabotage.
The old adage…
Every story has 3 sides…
Yours
Theirs
The Truth which is often lost in the middle.
Because no one wants to unpack the claims, be the first to publish, and to get on the ‘right’ side of the story burns them time & time again and they keep doing it.
How hard would it have been to disprove Nifong’s claims at any point but reporting on an imaginary rape without question was the requirement because it might stop other victims from coming forward, completely ignoring the huge damage caused to innocent young men & that a high profile false rape accusation & sideshow would give more mileage to those who want to believe most rapes are just regret.
Of course the damage is done…
There are people who think the players did rape someone.
There are people who are SURE they raped her & their privilege saved them.
There are people who think Nifong being ousted was the act of those who protect wyhpipo, not because he lied repeatedly & was willing to screw all of these people over to stay in office.
The actual story is rather tame…
Boys order strippers for a party, they get strippers nothing like what they wanted and said some harsh things.
Strippers leave, one invents being raped to get back at them mocking her.
Her stripping partner never questioned.
No actual evidence anything happened.
No DNA of any players found on the stripper.
Questions on if the evidence of sex was from her boyfriend.
Everyone then picked their side & were off the the races, ignoring the most basic concepts in the law…
Innocent until proven guilty, day in court, evidence reviewed & challenged…
Despite this huge miscarriage of justice we still have those who believe a DA misbehaving is a super rare event despite the huge number of brady violations that never seem to result in punishment.
Everyone see’s things from their point of view.
I see a post talking about a copyright case, my first thought is what fresh hell is this and which troll is it this time.
My default position is that nearly all copyright cases are trolls looking for an easy payday & I doubt that will change anytime soon.
I could answer questions to Congress about how the courts are being abused in copyright cases to serve as ATMs to bad actors who in many cases created the problem to profit from it… but that isn’t true for every case out there.
But they might have the impression that it is…
(By volume trolls controlled like 99% of all filings)
No matter how long I lobbied, I will never convince Congress to reform copyright.
I can become a whistleblower drawing more attention to all of the donations and perks they are getting from those who benefit most.
But there are some good things, somewhere, in copyright that even if they don’t meet my desired level doesn’t mean they are bad.
But give me an audience who wants to punish big copyright (or get the hell out of a business deal that he locked himself into) they will listen to everything I say, looking for all the things they can leverage for their pet goals & to look like they are doing something… even if their plans are all stupid.
I think the very telling question one could have asked Mudge is… is there any tech company doing it better?
"Secure Enough"
I can’t speak to Mr Graham’s assessment of activism and ethics, but I can speak to security.
Any company, regardless of security stance, is “secure enough” … right up to the point that it isn’t.
Security isn’t a destination that you reach and are done with. New security holes are found every day. Every. Day. New security holes won’t always affect your systems. Or the effort to exploit them may be prohibitive. But not always.
Do you turn away when your CFO tells you that the company will be bankrupt in 6 months? Do you turn away when your HR head tells you that the harassment by executives has to stop or the company will get sued?
If your security IT folks are frothing at the mouth, if it looks like they are on a Holy Crusade, perhaps you have been ignoring problems they consider critical. And yes, it is their ethical duty to point that out to you. It’s their job. It is precisely what you hired them for. The job is to provide a risk assessment. Or to actually patch the software, depending on where you are in the security chain.
True, but bloody terrible example. Nobody goes out of their way to build on old software. They only stay with old software when they can’t upgrade (due to time, cost, etc).
Businesses do have out-of-date software. Every company. … because “out-of-date” can mean it hasn’t been updated within hours of a patch. Remember heartbleed? Remember wannacry (EternalBlue)? Security flaws are not always that dramatic. But sometimes they are. Sometimes you have months. Sometimes you have hours. Sometimes you are already too late.
Sure. But for security, the compromise is not “if”, it’s “how” and “when”.
To coin a phrase, if you compromise on security, sooner or later your security will be compromised.
Re:
All security is and have always been a balance between risk and the cost of mitigating it while actually being able to do something productive, ie unless you actually make a compromise between security and your business needs you shortly don’t have a functioning business anymore.
Re:
The US Army (and likely the entirety of the US Armed Forces) would not like you to know that the their IT infrastructure is not only built on old software, but also old hardware.
Banks still use COBOL for the underlying software even if the hardware and front-end stuff are updated.
Reality is often hilarious AND disappointing.
Project Management
IIRC Mudge did work as a project manager for DARPA at one point or another. That is arguably a lot closer to being an executive of cybersecurity then other CISO hires at other companies.
but that’s okay, because “teamwork” is more of a platitude than a requirement at their level.
Could you contemplate getting over yourself for a second?
Arrogant tosser.
Re:
Why are you talking to yourself like that? Self-flagellation is so medieval.
Re:
How’s that Richard Liebowitz defense fund coming along broski?
This comment has been flagged by the community. Click here to show it.
compromise on an intern — false on its face
This works really well for us, thank you!
https://www.paybyplatema.one/
Totally agree!
I’ve been a techie and a manager and I’d say this analysis is spot on! There are always conflicting requirements across the business (security, short-term budget needs, long-term budget needs, personnel, timing). Even many of the comments posted here, at their core, say the same thing — even if the end with “But security is most important!”
Twitter’s security leaves something to be desired .. okay. So what? That’s their decision to make. Don’t like it? Then don’t use Twitter; don’t invest in Twitter. If you think it needs to change, then maybe you could just buy Twitter and change it!