Nearly 25 years ago, a young computer programmer named Peiter “Mudge” Zatko told Congress that the internet was woefully insecure. A big part of the issue, Zatko told a Senate panel, was that software and e-commerce companies “want to ignore problems as long as possible. It’s cheaper for them.”
Now, Zatko is once again sounding the alarm about online vulnerabilities – but this time he is focusing on one of his former employers.
In a roughly 200-page disclosure sent last month to US lawmakers and regulators, which was exclusively reported by CNN and the Washington Post on Tuesday, the former Twitter security executive alleged the social media company has engaged in a series of security missteps that he says have misled the Twitter board, shareholders and the public.
Twitter trusted far too many employees with access to sensitive user data, creating a fragile security posture that an outsider could exploit to wreak havoc on the platform, Zatko’s disclosure alleges. It also claims that one or more current Twitter employees may be working for a foreign intelligence service, and that Twitter CEO Parag Agrawal misled the company’s board of directors by discouraging Zatko from providing a full account of Twitter’s security weaknesses.
Twitter has pushed back on the allegations, saying that security and privacy have “long been top company-wide priorities.” The company added: “While we haven’t received a copy of any specific allegations, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
With his decision to go public with his concerns, Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook. (He is being represented by Whistleblower Aid, the same group that represented Haugen.) Zatko could also be pulled into the blockbuster legal battle between the company and billionaire Elon Musk, who is attempting to terminate a $44 billion deal to buy Twitter. (Musk’s lawyer said the billionaire’s legal team had already subpoenaed Zatko in the dispute with Twitter.)
Some who’ve worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he’s done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.
“He’s not doing this for fun. It doesn’t get him anything,” said Dave Aitel, a former computer scientist at the National Security Agency and colleague of Zatko’s at cybersecurity consulting firm @stake. “That’s actually what integrity looks like when you have to see it up close.”
As a result of his whistleblower activities, Zatko may be eligible for a monetary award from the US government. “Original, timely and credible information that leads to a successful enforcement action” by the SEC can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said. The SEC has awarded more than $1 billion to nearly 300 whistleblowers since 2012.
Zatko filed his disclosure to the SEC “to help the agency enforce the laws,” and to gain federal whistleblower protections, John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN. “The prospect of a reward was not a factor in [Zatko’s] decision, and in fact he didn’t even know about the reward program when he decided to become a lawful whistleblower.”
Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet. Born in Alabama, where his father was a chemistry professor at the University of Alabama in Tuscaloosa, Zatko told CNN he began tinkering with technology like early Apple computers from a young age.
His career has shown that “there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have,” said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s.
Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.
Agrawal, Dorsey’s successor as Twitter chief, fired Zatko in January after he raised concerns about the company’s security and privacy practices, the disclosure says. (Twitter maintains that it fired Zatko for poor performance.)
“This is about something that everybody should care about with large companies, which is the honesty and the truthfulness of the data that’s being… publicly represented, the national security implications and whether users can trust their data with these organizations,” Zatko told CNN of his decision to file a disclosure to Congress and regulators about Twitter’s alleged security practices.
A long history of pushing for fixes
Before he cut his hair and put on a suit, Zatko joined the Boston-area hacking collective known as L0pht in the mid 1990s, according to “The Cult of the Dead Cow,” Washington Post reporter Joseph Menn’s book on how the early hacking scene shaped the cybersecurity industry.
L0pht members broke into computer systems and then worked with the companies that made the equipment to fix the problems. Working with outside researchers to fix software flaws is now a well-established practice, but at the time it was seen as provocative and upsetting to software giants.
Zatko “sort of bent the industry to his will,” Song told CNN. “L0pht created a model for how to do this in a way that was, frankly, respectable and honorable.”
Zatko’s frankness and idealism were on display when he testified before the Senate alongside fellow L0pht members in 1998. “If you’re looking for computer security, then the internet is not the place to be,” Zatko told the senators. “If you feel that the government is giving you access to the enabling technology you need to combat this problem, you’re wrong yet again.”
Cris “Space Rogue” Thomas, another ex-L0pht member who testified alongside Zatko that day, said that L0pht would do everything it could to get companies to collaboratively fix software issues the hacker group found.
Thomas, who, like Zatko, uses his hacker name “Space Rogue” professionally, said he and Zatko “have had our differences in the past,” adding that he was fired from @stake, the cybersecurity consultancy where Zatko was chief scientist, in 2000. “Feelings were hurt, but that doesn’t change the fact of who [Zatko] is and what he believes in and what he does. So I still think that his moral standards have not really changed … in the 30 years that I’ve known him.”
“This is normal for [Zatko],” he said of the whistleblower complaint. “This is normal for L0pht. This is normal for the way we used to do things.”
In 2010, Zatko went to work for the Defense Advanced Research Projects Agency (DARPA), the Pentagon’s R&D arm, which had a founding role in establishing the internet as we know it. There, he led a program that got money out the door quickly to cybersecurity researchers interested in finding and fixing vulnerabilities in computer systems found in cars and other critical infrastructure.
After starting at DARPA in 2010, Zatko called Song and other hackers into Booz Allen Hamilton’s office in Virginia for a brainstorming session, according to Song. A hacker known as Hobbit, whom Zatko invited, slept in a van outside the office and attended the meeting barefoot, Song said.
The ability to convene the misfits and the military stuck with Song.
“At the core, [Zatko is] authentic to the hacker spirit in a way that not a lot of folks who’ve transitioned from our side into commercial or public service have been able to do without getting to be cheesy [or] corny,” Song told CNN.
When he was hired to join Twitter, Zatko framed the move in terms of the public good. “I truly believe in the mission of (equitably) serving the public conversation,” he tweeted at the time. “I will do my best!”
Now, as he takes on Twitter, Zatko may find himself in the public conversation like never before.
“This wasn’t my first choice,” he told CNN. “This wasn’t the path that I wanted to take. I exhausted all internal options.”
“But I found that ethically, and with who I am, that I was obligated to follow the law and pursue through legal avenues, lawful disclosure, because [Twitter] is a critically important platform,” Zatko said. “I think it’s important to address some of these challenges. I honestly believe I’m still doing the mission that I was brought in to do.”
– CNN’s Clare Duffy, Brian Fung and Donie O’Sullivan contributed to this report.