Today, former Twitter cybersecurity executive Pieter “Mudge” Zatko testified in front of a congressional committee regarding his whistleblower complaint[1][2][3] against Twitter. I thought I’d write up some comments.
You aren’t going to get a serious discussion of the issue anywhere. The press sides with whistleblowers. The cybersecurity community takes his side, namely sharing the prejudice that nobody takes cybersecurity seriously enough.
The thing is, on its face, Mudge’s complaint is false. It’s based on the claim that Twitter “lied” about its cybersecurity to the government, shareholders, and its users. But there’s no objective evidence of this, only the subjective opinion of Mudge that Twitter wasn’t doing enough for cybersecurity.
What I see here is that Mudge is a cybersecurity activist. The cybersecurity industry is dominated by activists who believe it’s a Holy Crusade, a Cause, a Moral duty, an end in and of itself. The crusaders are regularly at odds with business leaders who view cybersecurity merely as a means to an end, who apply a cost-vs-benefit analysis to it.
If you hire an activist, such a falling out was inevitable. It’s like if oil companies hired a Greenpeace activist to be an executive. Or like how Facebook hires activists to be “AI ethicists” and then later has to keep firing them [#1][#2][#3].
Background
Mudge is a technical expert going back decades. He was there at the beginning (I define the 1990s as the beginning), and his work helped shape today’s infosec industry. He’s got a lot of credibility in the industry, and it’s all justified.
He was hired for most of 2021 to be Twitter’s head of cybersecurity issues. He was fired at the start of 2022, and last month, filed a “whistleblower complaint” with the government, alleging lax cybersecurity practices, specifically that they lied to investors and failed to live up to a 2014 FTC agreement to secure “private” data.
There’s no particular reason to distrust Mudge. Twitter would certainly like to discredit him as being disgruntled for being fired. But that’s stupid.
Instead, what I read in the complaint is being disgruntled over cybersecurity (not being disgruntled over being fired). This has been the case for pretty much his entire career. He thinks people should do more to be secure. His “Cyber UL” effort is a good example, as he pressured IoT device makers to follow a strict set of cybersecurity rules. For fellow activists, the desired set of rules was just the beginning. For business types, they were excessive, their costs outweighing their benefits.
Is Twitter secure enough?
Is Twitter secure? Maybe, probably not. Twitter trails the FAANG leaders in the industry (Facebook, Apple, Amazon, Netflix, Google) in a number of technical areas, so it’s easy to think they are behind in cybersecurity as well. On the other hand, they are ahead of most of the rest of the industry.
In other words, in all likelihood, Twitter is ahead of the norm, ahead of the average, just not up to the same standard set by the leaders in tech.
But for cybersecurity activists, even the FAANG companies are not secure enough. That’s because nobody is ever secure enough. There is no standard by which you can say “we are secure enough”.
By any rational measure, the Internet is indeed secure enough. For example, during the pandemic, restaurants put menus and even ordering online, accessible via the browser or app, to minimize customer contact with staff. Paying by credit card using these apps and services was still more “secure” than giving the staff your credit card physically. This was true even if you were accessing the net over the local unencrypted WiFi.
There is a huge disconnect between what the real world considers “secure enough” and what cybersecurity activists consider “secure enough”.
One of Mudge’s complaints was servers that were out-of-date. Cybersecurity activists have a fetish for up-to-date software, seeing the failure to keep everything up-to-date all-the-time as some sort of moral weakness (sloth, villainy, greed).
But the business norm is out-of-date software. For example, if you go on Amazon AWS right now and spin up a new default Red Hat instance, you get Red Hat 7, which first shipped in 2014 (eight years ago). Yes, it’s still nominally supported with security patches, but it lacks many modern features needed for better security.
The subjective claim is that Twitter was deficient for not having the latest software. That’s just the cyber-activist point of view. From the point of view of industry, it’s the norm.
The entire complaint reads the same. It’s a litany of the standard complaints, slightly modified to apply to Twitter, that the entire industry has against their employers. It’s all based upon their companies not doing enough.
Of particular note is the Twitter-specific issue of protecting private information like Direct Messages (DMs). The thing is, anything less than end-to-end encryption is still a failure. Mudge points to the lack of disk encryption, and the fact that thousands of employees had access to private DMs, as proof that they aren’t “secure”. But even if that weren’t the case, DMs still wouldn’t be secure, because they aren’t end-to-end encrypted.
Twitter isn’t lying about this. They aren’t claiming DMs are end-to-end encrypted. I suppose they are deficient in not making it clearer that DMs aren’t as private as some users might hope.
But the solution cyber-activists want isn’t transparency into the lack of DM security, but more DM security. They aren’t asking Twitter to be clear about how it prevents prying eyes from seeing DMs; they are demanding absolute security for the DMs. This reveals their fundamental prejudice.
He wasn’t an executive
Being an activist meant that Mudge wasn’t an executive. His goal wasn’t to further the interests of the company/shareholders. His goal was to further the interests of cybersecurity.
One of these days I’m going to write a guide explaining business to hackers. This will be one of the articles I’ll be writing, explaining executives to rank-and-file underlings.
What we see here is Mudge acting like an underling instead of an executive.
Part of his complaint is that the now-CEO Parag Agrawal pressured him into lying to the board, to claim to the risk committee of the board that security is better than it really was.
Of course Agrawal did. He’s supposed to do that — push hard for his point-of-view. And Mudge was supposed to push just as hard back, especially if he perceives the request as being asked to lie.
The thing you need to learn about corporate executives is that they are given a lot of responsibility, a lot of power, but nonetheless must compromise and cooperate.
Underlings don’t really grasp this. They don’t have responsibility. It’s like when SolarWinds blamed a compromise on an intern — false on its face because interns don’t have responsibility. Underlings don’t have a lot of power, either. Lastly, underlings suck at compromise and collaboration, but that’s okay, because teamwork is more of a platitude than a requirement at their level.
To achieve their personal responsibilities, executives must push hard on others. To a certain extent, this means all executives are assholes. But at the same time, they expect fellow executives to push back just as hard, so that there is give-and-take, compromise, collaboration for the ultimate good of the corporation. They expect that when they push hard on the parts that concern them, you push just as hard back to defend your turf, pursuing your own goals. But they also expect that such pushback is driving toward compromise, not scorched-earth victory for your side.
If you, as the typical underling, are called to report something to a board committee, you can expect that one or more executives are going to talk to you in order to influence what you are going to say. I’ve dealt with many cybersecurity underlings in this position and heard their tales, and frankly, they handled the situations better than Mudge seems to have.
Underlings expect that their bosses will help defend them in their work disputes. But executives don’t have that luxury. They are at the top of the food chain and are themselves responsible for resolving conflicts. There is nobody to go to in order to complain, not the board who only wants results, and not HR, because you are above HR. Not anybody — you have to resolve your own disputes.
Mudge’s complaint seems to be about looking for dispute resolution in the court of public opinion, because he was unable to resolve his dispute with Agrawal himself.
A good example of a true executive resigning is when James Mattis resigned as Trump’s Secretary of Defense. In his letter, he lamented the fact that he and Trump didn’t agree:
Because you have the right to have a Secretary of Defense whose views are better aligned with yours on these and other subjects, I believe it is right for me to step down from my position.
Note that Mattis doesn’t claim that there’s some subjective measure of which side is right and which side is wrong. Instead, Mattis only claims that they couldn’t agree.
In contrast, Mudge’s complaint is full of the assertions that he’s objectively right, and Agrawal objectively wrong. And since it’s objective that he was wrong, Agrawal must’ve been lying.
As a former executive, and somebody who consults with executives, I find Mudge’s description of the events shocking. He’s talking like a whiny underling, not like an executive.
Ethics
Mudge’s complaint touches on a few ethical issues.
Most such ethics are really politics in disguise. Facebook found this out with its attempts to deal with misinformation ethics and AI ethics. It found that doing so just opened festering political wounds.
If you can somehow avoid politics then you’ll get mired in academics. To be fair, when you ignore academic philosophy, you’ll end up re-inventing Kant vs. Hegel, and doing it poorly. But at the same time, academics can spend years debating Kant vs. Hegel and still come to no conclusion.
But what we are talking about here is professional ethics, and that’s much simpler. Most professional ethics are about protecting trust in the profession (“don’t lie”) and resolving conflicts you are likely to encounter. For example, journalistic ethics include long discussions of “off the record” material, because it’s an issue journalists regularly encounter.
Cybersecurity has the wrong belief that “security” is their highest ethical duty, to the point where they think it’s good to lie to people for their own good, as long as doing so achieves better security.
This activism has hugely damaged our profession. Most cybersecurity professionals are frustrated that they can’t get business leaders to listen to them. When you talk to the other side, to the business leaders, you’ll see that the primary reason they don’t listen is that they don’t trust the cybersecurity professionals. Maybe you are truthful, but they still won’t listen to you because of the legions of cybersecurity professionals who preceded you and tried to mislead business leaders to get their way — to serve the Holy Crusade.
The other side of the coin is those demanding that cybersecurity professionals downplay their honest concerns. For example, when a pentester hands over a report documenting how easy it was to break in, the person who hired them may ask for certain things to be edited, to downplay the severity of what was found.
It’s a difficult problem. Sometimes they are right. Sometimes the issue is exaggerated. Sometimes it’s written in a way that can be misinterpreted.
But sometimes, they are just asking the pentester to lie on their behalf.
We should have a professional ethics guide in our industry. It should say that in such situations you don’t lie. One way you can solve this is to have them put their request in writing, which filters out most illegitimate requests. Another way is using the passive voice and similar devices, to make sure that a statement won’t be confused with your own opinion.
Mudge describes a case where Agrawal specifically requests things to not be put into writing. This is a big red flag, a real concern.
But at the same time, it’s not an automatic failure. It’s a common problem that things put in writing can be misleading when taken out of context. This happens all the time, especially in lawsuits, where the opposing side will cherry-pick things out of context to show the jury. Long-term executives learn to avoid written statements that can be used misleadingly against them in a court of law.
But here, the issue was avoiding things in writing that could confuse the board. That’s worrisome. I’m not sure I believe Mudge’s one-sided account, given that his other descriptions are so problematic. Even when somebody explicitly asks you to lie, they will remember the discussion much differently, and insist they never asked you that.
The solution to such problems, if you find yourself in them, is to push back in a collaborative manner. Saying something like “I won’t lie to the board for you” is combative, not constructive. Better is saying “I don’t understand what you are asking me to do. I think that would mislead the board, which I couldn’t do, of course.”
The thing that’s important here is that “ethics” aren’t an excuse to attack your opponent. It’s easy to deliberately misinterpret the statements and actions of another as representing an ethical failure. Your primary duty is to protect your own ethics.
Conclusion
I’m a techy, as techy as they get.
But I’ve also been an executive and interacted with executives at many companies. What I read here in Mudge’s complaint aren’t the words of an executive, but the words of an activist. It has all the cliches of cybersecurity activism and the immaturity of underlings in resolving disputes.
You won’t get a critical discussion of this event in the press, as they generally take the side of the whistleblower. You won’t get a critical discussion from the infosec community, because they worship rockstars, and share the Holy Crusade for better cybersecurity.
I have no doubt Twitter’s cybersecurity is behind that of the FAANG leaders in the tech industry. They seem behind on so many other issues. What freaks me out isn’t that their 500,000 servers are running outdated Linux. It freaks me out that this means they have 1 server for each 1000 users (Netflix, whose demands are higher, has 10,000 users per server).
But saying Twitter is flawed is far from saying there’s any objective evidence in the whistleblower complaint that Twitter is misleading shareholders, government agencies like the FTC, or users as to their security.
This may not be a popular opinion in the cyber industry, but it is a worthwhile piece to read. Many of us in Cyber forget that security, after all, is a means to an end, not an end in and of itself.
Thanks so much for this "reality check" piece because mainstream media (and opportunistic politicians) seem to have chosen their side already on this matter, for reasons you have listed at the beginning of the article.