Mudge’s Testimony Shows He Was Acting As An Activist, Not An Executive

by Mike Masnick, from Techdirt on (#63QE3)

Tuesday, former Twitter cybersecurity executive Pieter "Mudge" Zatko testified in front of a congressional committee regarding his whistleblower complaint[1][2][3] against Twitter. Though I'm a techie, I thought I'd write up some comments from the business angle.

It's difficult getting an unbiased viewpoint of the actual issues. The press sides with whistleblowers. The cybersecurity community sides with champions - those who fight for the Cause of ever more security.

The thing is, on its face, Mudge's complaint is false. It's based on the claim that Twitter "lied" about its cybersecurity to the government, shareholders, and its users. But there's no objective evidence of this, only the subjective opinion of Mudge that Twitter wasn't doing enough for cybersecurity.

What I see here is that Mudge is acting as a cybersecurity activist. The industry has many activists who believe security is a Holy Crusade, a Cause, a Moral duty, an End in itself. The crusaders are regularly at odds with business leaders who view cybersecurity merely as a means to an end, and apply a cost-vs-benefit analysis to it.

If you hire an activist, such a falling out is inevitable. It's like if oil companies hired a Greenpeace activist to be an executive. Or like how Google hires activists to be "AI ethicists" and then later has to keep firing them [#1][#2][#3].

Background

Mudge is a technical expert going back decades. He was there at the beginning (I define the 1990s as the beginning), and his work helped shape today's InfoSec industry. He's got a lot of credibility in the industry, and it's all justified.

He was hired for most of 2021 to be Twitter's head of cybersecurity issues. He was fired at the start of 2022, and last month he filed a "whistleblower complaint" with the government, alleging lax cybersecurity practices, specifically that Twitter lied to investors and failed to live up to a 2011 FTC agreement to secure "private" data.

There's no particular reason to distrust Mudge. Twitter would certainly like to discredit him as being disgruntled for being fired. But that's unlikely.

Instead, what I read in the complaint is being disgruntled over cybersecurity (not over being fired). This has been the case for much of his career. He thinks people should do more to be secure. His "Cyber UL" effort is a good example, as he pressured IoT device makers to follow a strict set of cybersecurity rules. For fellow activists, the desired set of rules were just the beginning. For business types, they were excessive, with costs that outweighed their benefits.

Is Twitter secure enough?

Is Twitter secure? Maybe, probably not. Twitter trails the FAANG leaders in the industry (Facebook, Apple, Amazon, Netflix, Google) in a number of technical areas, so it's easy to think they are behind in cybersecurity as well. On the other hand, they are ahead of most of the rest of the tech industry, not first tier maybe, but definitely second tier.

In other words, in all likelihood, Twitter is ahead of the norm, ahead of the average, just not up to the same standard set by the leaders in tech.

But for cybersecurity activists, even the FAANG companies are not secure enough. That's because nobody is ever secure enough. There is no standard for which you can say "we are secure enough".

By any rational measure, the Internet is secure enough. For example, during the pandemic, restaurants put menus and even ordering online, accessible via the browser or app, to minimize customer contact with staff. Paying by credit card using these apps and services was still "more secure" than giving the staff your credit card physically. This was true even if you were accessing the net over the local unencrypted WiFi.

There is a huge disconnect between what the real world considers "secure enough" vs. what cybersecurity activists do.

One of Mudge's complaints was about servers being out-of-date. Cybersecurity activists have a fetish for up-to-date software, seeing the failure to keep everything up-to-date all-the-time as some sort of moral weakness (sloth, villainy, greed).

But the business norm is out-of-date software. For example, if you go on Amazon AWS right now and spin up a new default RedHat instance, you get RedHat 7, which first shipped in 2014 (eight years ago). Yes, it's still nominally supported with security patches, but it lacks many modern features needed for better security.

The subjective claim is that Twitter was deficient for not having the latest software. That's just the cyber-activist point of view. From the point of view of industry, it's the norm.

The entire complaint reads the same. It's a litany of the standard complaints, slightly modified to apply to Twitter, that the entire industry has against their employers. It's all based upon their companies not doing enough.

Of particular note is the Twitter-specific issue of protecting private information like Direct Messages (DMs). The thing is, anything less than end-to-end encryption is still a failure. Mudge points to a lack of disk encryption, and to the fact that thousands of employees had access to private DMs, as evidence that "they aren't secure." But even if that weren't the case, DMs still wouldn't be secure, because they aren't end-to-end encrypted.

Twitter isn't lying about this. They aren't claiming DMs are end-to-end encrypted. I suppose they are deficient in not making it clearer that DMs aren't as private as some users might hope.

But the solution cyber-activists want isn't transparency into the lack of DM security, but more DM security. They aren't asking Twitter to be clear about how they prevent prying eyes from seeing DMs, they are demanding absolute security for the DMs. This reveals their fundamental prejudice.

He wasn't an executive

Being an activist meant that Mudge wasn't an executive. His goal wasn't to further the interests of the company/shareholders. His goal was to further the interests of cybersecurity.

One of these days I'm going to write a guide explaining business to hackers. This will be one of the articles I'll be writing, explaining executives to rank-and-file underlings.

What we see here is Mudge acting like an underling instead of an executive.

Part of his complaint is that the now-CEO, Parag Agrawal, pressured him into lying to the board, to claim to the risk committee of the board that security is better than it really was.

Of course Agrawal did. He's supposed to do that - push hard for his point-of-view. And Mudge was supposed to push just as hard back, especially if he perceives the request as being asked to lie.

The thing you need to learn about corporate executives is that they are given a lot of responsibility, and a lot of power, but nonetheless must compromise and cooperate.

Underlings often don't really grasp this. They don't have responsibility. Like when you hear about a company blaming a compromise on an intern - false on its face because interns don't have responsibility. Underlings don't have a lot of power, either. Lastly, underlings lack skills for compromise and collaboration, but that's okay, because "teamwork" is more of a platitude than a requirement at their level.

To achieve their personal responsibilities, executives must push hard on others. To a certain extent, this means all executives are jerks. But at the same time, they expect fellow executives to push back just as hard; they expect that there is give-and-take, compromise, and collaboration for the ultimate good of the corporation. They expect that when they push hard on the parts that concern them, you push just as hard back to defend your turf, knowing that you are pursuing your own goals. But, they also expect that such pushback is driving toward compromise, not scorched-earth victory for your side.

If you, as the typical underling, are called to report something to a board committee, you can expect that one or more executives are going to talk to you in order to influence what you are going to say. I've dealt with many cybersecurity underlings in this position and heard their tales, and frankly, they handled the situations better than Mudge seems to have.

Underlings expect that their bosses will help defend them in their work disputes. But executives don't have that luxury. They are at the top of the food chain and are themselves responsible for resolving conflicts. There is nobody to go to in order to complain: not the board who only wants results, and not HR, because you are above HR. Not anybody - you have to resolve your own disputes.

Mudge's complaint seems to be about looking for dispute resolution in the court of public opinion, because he was unable to resolve his dispute with Agrawal himself.

A good example of a true executive resigning is when James Mattis resigned as Trump's Secretary of Defense. In his letter, he lamented the fact that he and Trump didn't agree:

Because you have the right to have a Secretary of Defense whose views are better aligned with yours on these and other subjects, I believe it is right for me to step down from my position.

Note that Mattis doesn't claim there's some subjective measure of which side is right and which side is wrong. Instead, Mattis only claims that they couldn't agree.

In contrast, Mudge's complaint is full of the assertions that he's objectively right, and Agrawal objectively wrong. And since it's objective that he was wrong, Agrawal must've been lying.

As a former executive, and somebody who consults with executives, I find Mudge's description of the events shocking. He's talking like a whiny underling, not like an executive.

Ethics

Mudge's complaint touches on a few ethical issues.

Most such ethical issues are really politics in disguise. Facebook found this out with their attempts to deal with misinformation ethics and AI ethics. They found it just opened festering political wounds.

If you can somehow avoid politics then you'll get mired in academics. To be fair, when you ignore academic philosophy, you'll end up re-inventing Kant vs. Hegel, and doing it poorly. But at the same time, academics can spend years debating Kant vs. Hegel and still come to no conclusion.

But what we are talking about here is professional ethics, and that's much simpler. Most professional ethics are about protecting trust in the profession ("don't lie") and resolving conflicts you are likely to encounter. For example, journalists' ethics involve long discussions of "off the record" stuff, because it's an issue they regularly encounter.

Cybersecurity has the wrong belief that "security" is their highest ethical duty, to the point where they think it's good to lie to people for their own good, as long as doing so achieves better security.

This activism has hugely damaged our profession. Most cybersecurity professionals are frustrated that they can't get business leaders to listen to them. When you talk to the other side, to the business leaders, you'll see that the primary reason they don't listen is that they don't trust the cybersecurity professionals. Maybe you are truthful, but they still won't listen to you because the legions of cybersecurity professionals who have preceded you tried to mislead business leaders to get their way - to serve the Holy Crusade.

The opposite side of the coin are those demanding cybersecurity professionals downplay their honest concerns. For example, when a pentester hands over a report documenting how easy it was to break in, the person who hired them may ask for certain things to be edited, to downplay the severity of what was found.

It's a difficult problem. Sometimes they are right. Sometimes the issue is exaggerated. Sometimes it's written in a way that can be misinterpreted.

But sometimes, they are just asking the pentester to lie on their behalf.

We should have a professional ethics guide in our industry. It should say that in such situations you don't lie. One way you can solve this is to have them put their request in writing, which filters out most illegitimate requests. Another way is using the passive voice and such, to make sure that some statement won't be confused as being your opinion.

Mudge describes a case where Agrawal specifically requested things not be put into writing. This is a big red flag, a real concern.

But at the same time, it's not an automatic failure. It's a common problem that things put in writing can be misleading when taken out of context. This happens all the time, especially in lawsuits, where the opposing side will cherry pick things out of context to show the jury. Long term executives learn to avoid written statements that can be used misleadingly against them in a court of law.

But here, the issue was avoiding things in writing that could confuse the board. That's worrisome. I'm not sure I believe Mudge's one-sided account, being that his other descriptions are so problematic. Even when somebody explicitly asks you to lie, they will remember the discussion much differently, that they didn't ask you to lie.

The solution to such problems, if you find yourself in them, is to push back in a collaborative manner. Saying something like "I won't lie to the board for you" is combative, not constructive. Saying "I don't understand what you are asking me to do. I think that would mislead the board, which I couldn't do, of course." is constructive.

The thing that's important here is that "ethics" aren't an excuse to attack your opponent. It's easy to deliberately misinterpret the statements and actions of another as representing an ethical failure. Your primary duty is to protect your own ethics.

Conclusion

I'm a techie, as techie as they get.

But I've also been an executive and interacted with executives at many companies. What I read here in Mudge's complaint aren't the words of an executive, but the words of an activist. It has all the cliches of cybersecurity activism and the immaturity of underlings in resolving disputes.

You won't get a critical discussion of this event in the press, as they generally take the side of the whistleblower. You won't get a critical discussion from the InfoSec community, because they worship rock stars, and share the Holy Crusade for better cybersecurity.

I have no doubt Twitter's cybersecurity is behind that of FAANG leaders in the tech industry. They seem behind on so many other issues. What freaks me out isn't that their 500,000 servers are running outdated Linux (as Mudge describes). It freaks me out that this means that they have 1 server for each 1000 users (Netflix, whose demands are higher, has 10,000 users per server).

But saying Twitter is flawed is far from saying there's any objective evidence in the whistleblower complaint that Twitter is misleading shareholders, government agencies like the FTC, or users as to their security.

Robert Graham is a well known security professional. You can follow him on Twitter at @ErrataRob. A version of this post was originally posted to his Substack and reposted here with permission.
