When Peiter Zatko joined Twitter as head of security in late 2020 at the urging of founder and then-CEO Jack Dorsey, he was surprised by what he discovered. Twitter, a social network with hundreds of millions of users, “was over a decade behind industry security standards,” he later testified.
Barely a year later, Zatko was agitating for Twitter’s top executives to address what he described as “a ticking bomb of security vulnerabilities” and to provide a full accounting of its shortcomings to its board.
His concerns, raised privately at first and later in a whistleblower disclosure that became public, would upend one of the world’s most influential social networks and raise new questions about its pending acquisition by the world’s richest man, Elon Musk. It would also, he later testified, put his career and his family at risk.
In his disclosure filed with various US government agencies in July, Zatko alleged that Twitter (TWTR) trusted far too many employees with access to sensitive user data, creating a fragile security posture that an outsider could exploit to wreak havoc on the platform. The disclosure also claimed that one or more current Twitter (TWTR) employees may be working for a foreign intelligence service, potentially threatening user data and US national security, and that Twitter (TWTR) CEO Parag Agrawal misled the company’s board of directors by discouraging Zatko from providing a full account of Twitter (TWTR)’s security weaknesses. (Twitter (TWTR) has criticized Zatko and broadly defended itself against the allegations.)
“Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower,” Zatko, better known as “Mudge” in cybersecurity circles and highly regarded in that community, said during a Senate hearing on his disclosure in September. “I did not make my whistleblower disclosure out of spite or to harm Twitter, far from that, I continue to believe in the mission of the company and root for its success.”
Since going public with his concerns, Zatko, who has held numerous posts in the private and public sector, has found himself at the center of renewed scrutiny of Twitter. He testified last month in a Senate committee hearing about his disclosure, and his allegations have caught the attention of various regulators both in the United States and abroad. Meanwhile, his former colleagues received requests for paid interviews from research firms apparently seeking information, and potentially dirt, on Zatko, according to a report last month by the New Yorker.
The disclosure also coincided with, and ultimately became a part of, Musk’s fight to get out of his $44 billion deal to buy Twitter. Zatko was deposed by Musk’s team and the billionaire was allowed to add some of Zatko’s allegations to his argument to terminate the deal. Although it now appears Musk wants to go forward with the acquisition, the timing of Zatko’s allegations sparked questions about his motives. (Zatko denies any relationship with Musk and says his decision to go public was unrelated to the deal; Musk’s legal team says it was unaware of the disclosure until it was publicly reported.)
Twitter pushed back on Zatko’s allegations, saying that security and privacy have “long been top company-wide priorities.” Twitter has said his disclosure is “riddled with inconsistencies and inaccuracies,” and said that it paints a “false narrative” of the company. Twitter has also tried to paint Zatko as a disgruntled former employee with an ax to grind against the company.
But some who have worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he’s done for much of his career. The decision to blow the whistle, they say, is in keeping with that approach.
“He’s not doing this for fun. It doesn’t get him anything,” said Dave Aitel, a former computer scientist at the National Security Agency and colleague of Zatko’s at cybersecurity consulting firm @stake. “That’s actually what integrity looks like when you have to see it up close.”
As a result of his whistleblower activities, Zatko may be eligible for a monetary award from the US government. John Tye, founder of Whistleblower Aid and Zatko’s lawyer, previously told CNN “the prospect of a reward was not a factor in [Zatko’s] decision.”
A long history of pushing for fixes
Nearly 25 years ago, as a young computer programmer with much longer hair, Zatko told Congress that the internet was woefully insecure. A big part of the issue, Zatko told a Senate panel, was that software and e-commerce companies “want to ignore problems as long as possible. It’s cheaper for them.”
Several years earlier, Zatko had joined the Boston-area hacking collective known as L0pht, according to “The Cult of the Dead Cow,” Washington Post reporter Joseph Menn’s book on how the early hacking scene shaped the cybersecurity industry.
L0pht members broke into computer systems and then worked with companies that made the equipment to fix the problems. While that is now a well-established practice for companies to work with outside researchers to fix software flaws, it was, at the time, seen as provocative and upsetting to software giants.
Zatko “sort of bent the industry to his will,” Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s, told CNN previously. “L0pht created a model for how to do this in a way that was, frankly, respectable and honorable.”
Cris “Space Rogue” Thomas, another ex-L0pht member who testified alongside Zatko that day, said that L0pht would do everything it could to get companies to collaboratively fix software issues the hacker group found.
Thomas, who, like Zatko, uses his hacker name professionally, told CNN in August that he and Zatko “have had our differences in the past,” adding that he was fired from @stake, the cybersecurity consultancy where Zatko was chief scientist, in 2000. “Feelings were hurt, but that doesn’t change the fact of who [Zatko] is and what he believes in and what he does. So I still think that his moral standards have not really changed … in the 30 years that I’ve known him.”
In the following years, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.
His career has shown that “there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have,” said Song.
Trying to fix a decade of security debt
Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to Dorsey, according to the disclosure.
When he was hired to join Twitter, Zatko framed the move in terms of the public good. “I truly believe in the mission of (equitably) serving the public conversation,” he tweeted at the time. “I will do my best!”
But Zatko quickly found that fulfilling that mission at Twitter would be challenging. His disclosure alleges that structural issues and misaligned incentives stood in the way of Twitter addressing many of its biggest issues, including properly protecting user data, addressing foreign manipulation of the platform and ensuring the security of the physical infrastructure supporting the company.
Agrawal — Dorsey’s successor as Twitter chief and a former CTO who had overseen much of the company’s recent technical development — fired Zatko in January after he began raising concerns about the company’s security and privacy practices, including worries that alleged misrepresentations by executives to its board could constitute fraud, the disclosure says. (Twitter maintains an internal investigation determined Zatko’s fraud claims were unfounded and that it fired Zatko for poor performance; Zatko says his firing was retaliation for having spoken up.)
“This is about something that everybody should care about with large companies, which is the honesty and the truthfulness of the data that’s being… publicly represented, the national security implications and whether users can trust their data with these organizations,” Zatko told CNN in August of his decision to file the disclosure.
Now, as he takes on Twitter publicly, Zatko finds himself in the public conversation like never before.
“This wasn’t my first choice,” he previously told CNN. “I exhausted all internal options.”
“But I found that ethically, and with who I am, that I was obligated to follow the law and pursue through legal avenues, lawful disclosure, because [Twitter] is a critically important platform,” Zatko said. “I think it’s important to address some of these challenges. I honestly believe I’m still doing the mission that I was brought in to do.”